Cybersecurity Automation Is Coming to the Rescue


Posted on by Robert Ackerman

Every now and then, it may seem as though the explosive growth of increasingly sophisticated, novel and successful cyberattacks is overwhelming. Who can keep up and fend off the attacks? Certainly not the federal government, and certainly not most major corporations.

Further undermining a strong defensive posture is the swelling shortage of cybersecurity specialists– more than 1 million globally today, according to multiple cyber experts, and a number expected to nearly double by 2021.

Is there any light at all at the end of the tunnel?

Fortunately, there is. Organizations are turning to automation and analytics to aid cyber specialists and, increasingly, to “force multiply” the effective size of cyber staffs. Automation can help spot attacks before they begin and save time for IT staffers, enabling them to focus on other tasks. Already, automation is accomplishing faster detection and remediation of cyber threats, courtesy of emerging providers that leverage advanced technologies, including user behavioral analytics, machine learning and real-time, automated remediation.

Cybersecurity automation was predictable

This development should come as no surprise. Look around and you see automation everywhere – in, among other areas, manufacturing, finance, marketing, transportation and in social networking. Even cars – i.e., autonomous vehicles – are becoming automated.

All forms of successful automation substantially improve efficiency. How this is accomplished depends on the specifics of different industries. In the case of cybersecurity, the role of automation boils down to better and far faster management of complexity. Bigger networks, mobile devices and multiple cloud services are making the workload for IT teams unmanageable. This becomes a crisis during a cyberattacks, when time is of the essence.

When a data breach occurs, organizations must respond immediately. Credentials are compromised in minutes, and typically most of an organization’s critical data or intellectual property is lost within the first day. Verizon’s 2016 Data Breach Investigation Report highlights this sad realty. It found that 82% of organizations surveyed said that a compromise took only minutes to infiltrate company systems, and 68% said associated data was breached within days.

Threat detection must be rapid

The obvious upshot is that a threat detection solution that cannot detect and remediate threats in near real-time is of little use. This is where cybersecurity automation enters the picture. It doesn’t replace cyber specialists. Rather, it  massively extends their reach.

A good automated cybersecurity system detects an alert immediately and assesses it for legitimacy and severity. Real threats are prioritized and steps are taken to address the problem. If the incident can be resolved automatically, without the need for human input, it will be.

Typically, customizable and scalable automated incident response “playbooks” are built and deployed.  Their development is usually based on real-life scenarios and actual incidents, enhancing their effectiveness in detecting and resolving legitimate incidents quickly. Automated incident response helps substantially reduce the time it takes to resolve an issue from weeks and sometimes months to hours and sometimes even minutes.

As such, a cyber breach that slips through the cracks can often be isolated and nullified before it has time to wreak havoc. This is a rarity for an IT staff without the aid of automation, which all too often finds itself weeding through scores of potential threats while the one truly dangerous incident busts through the defensive perimeter. In addition, automated incident response can also be used for protection 24/7.

Not all players in cybersecurity automation are young companies. Microsoft, for example, recently bought U.S.-Israeli artificial intelligence cybersecurity firm Hematite, reportedly for $100 million. More common, however, is activity among startups and in academia.

Carnegie Mellon and cyber automation

Carnegie Mellon University, for instance, has employed the attributes of web servers, such as the software they use, as variables to predict how likely a server is to be hacked. A model developed by researchers there successfully predicted 66% of future attacks.

In addition, software vendors are stepping into the breach and employing software and modeling approaches applicable to cyberattack behavior, stemming from efforts to identify credit card fraud. Both are a form of anomaly detection and can be unusually speedy and highly effective.

None of this should suggest that cybersecurity automation is a panacea. It still produces too many false positives and false negatives and misses some intrusions altogether. And some cyber pros are uncomfortable with it, fearing it could cost them their jobs. The latter, at least, is an unfounded concern. Humans are still best at identifying previously unknown threats. Cybersecurity automation must be woven into the fabric of a team; it is not a stand-alone solution and probably never will be.

Cybersecurity automation inevitable

In any case, there is really no alternative but to embrace automation. Statista, a statistics portal, estimates there were 23 billion connected devices in 2016 – a number that it adds will grow to 50 billion by 2020, reflecting an avalanche of Internet of Things (IoT) devices. In addition, there is an urgent need to reduce the time it takes to spot and contain organizational breaches – commonly 200 days-plus to spot them and another 69 days to contain them, according to Ponemon Institute. The longer the timeframe, typically the worse the financial consequences.

Not far away will be the application of artificial intelligence to automation. Human analysts, however, will go nowhere. They know their own environment, and they have intuition about how their system operates, making it relatively easy to distinguish between what is normal and what is questionable. Humans are also good at quickly adapting to rapidly changing conditions and, unlike software, are usually good communicators.

What humans cannot do, of course, is scale, and they often make mistakes. They are relatively slow, too. This is why they need to team up with cutting-edge software. The best cybersecurity systems are a union of analyst and machine.


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber Capital

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs