In the past year, research indicates that nearly a third of organizations have accelerated their plans to automate key security and IR processes, whilst another 85 percent plan on automating them in the next 12 months.
Despite the positivity of these statistics, many organizations struggle to change to a more automated process. This was highlighted at a recent webinar we held with a panel of senior cybersecurity experts from a multitude of sectors. The discussion revealed that, while most organizations are exploring automation, few have made significant progress and they attributed this to a combination of factors including needing an improved understanding of automation, increased help from vendors and a lack of good IT foundations.
The current experience of cybersecurity automation
All attendees agreed that automation is the future of cybersecurity and that it was in their interest to explore the process. Interestingly, most speakers said they used automated intrusion detection systems (IDS) but had found that there is resistance to adding an intrusion prevention system (IPS) in case false positives cause systems to shut down unnecessarily, as one delegate said, “They are afraid that automating blocking will break their world”.
During the event, the current experience of automation was described as frustrating. While an automated engine can successfully detect a problem, it fails to outline what the problem is.
In this case, the detection system can feel like a problem rather than a solution: “The noisy child in the corner”, as one attendee put it. One delegate mentioned that his platform raises six billion data points every month. Of those, 1,000 need to be manually investigated and from those only two are likely genuine threats, but someone still needs to be tasked with investigating those 1000 threats regardless. The human component still exists despite automated intrusion detection processes.
How do companies measure successful automation?
Attendees agreed on some of the main ways that they measured successful automation with time and expense viewed as vital success measures. Some “measure success by finding out the attack has happened and how soon they can prevent that attack, as well as ensuring that it doesn’t spread”. Automated responses to threats have saved money and, just as importantly, time. Consequently, a quicker reaction response than the attacker was established as an essential measure of success.
Others pointed out that success is simply based on whether the company’s system was still working in the morning. This is not about defeating every challenge, but ensuring that the threat to the business was greatly reduced. One indication of this is a lack of false positives, which was viewed as another success measure.
However, as Leon Ward of ThreatQuotient outlined, automating cybersecurity is particularly challenging due to the widely varying measures of success. Automating an industrial process can be simpler because it can be measured by an improvement in speed, output, or some other metric. Overall, in his opinion, the ultimate measure of success must be seen as when nothing bad occurs.
What foundations do businesses need to have to successfully build an environment for automation?
Research from ThreatQuotient found that 41 percent of businesses say a lack of trust in the outcomes of automation is preventing its deployment. Numerous attendees noted that further education within businesses was necessary to understand that to defend themselves there may have to be some impact on the day to day running of the business.
Speakers agreed that there is a belief that automation can add a bigger target to security teams’ backs as automation is viewed as an overhead. Unfortunately, as part of the nature of cybersecurity, problems are always noticeable when they arrive, which perhaps adds to the wariness around the automation offering, despite problem-spotting being a good thing.
Additionally, it was highlighted that many companies do not have the IT infrastructure to make a smooth automation transition; disjointed systems and legacy tools can lead to automation challenges. Some noted that their company’s systems cannot even automate password resets yet. Others indicated more of a cultural issue, with people often suspicious of new systems and, in some businesses, people get annoyed if security tools impede their workflow.
What needs to happen to improve automation efforts within the industry?
The metrics that are commonly used in cybersecurity were predominantly discussed. Mean time to detect (MTTD) and mean time to response (MTTR) metrics were viewed as not very helpful with there being no useful difference between the two. “If we’ve detected it, we’ve responded,” was the common opinion. Additionally, measuring either is difficult because it can be hard to know when to start measuring.
There was general agreement that poor quality metrics prompt the board to ask, “So what?” Attendees said they would favor a metric that tracks the extent of coverage and success, though they acknowledged that it is hard to know what data points could be used to measure those things.
The need for more help from vendors was raised as an action point, with the delegates agreeing it would be useful to know where vendors struggled with automation rather than finding this out for themselves. This kind of honesty and openness can help to build new fruitful partnerships between vendors and businesses.
The next step:
Overall, there is a lot of work that still needs to be done to improve the journey towards automation in cybersecurity. Despite ThreatQuotient’s research indicating positive steps, the roundtable event showed that a cultural change is needed for mass adoption to occur. Further education is required on the subject as well as a general understanding of what constitutes success.
Vendors can make strides to ensure that this happens and to help build the trust that enterprises need to make this journey as smooth as possible. Attendees were ultimately realistic, as one spokesperson said, “we’re not looking for a silver bullet”. Vendors must take this viewpoint into account and strive to build the necessary partnerships to learn, improve and seek demonstrated measures to help with automation.
Cyrille Badeau is Vice President of International Sales, ThreatQuotient