In the past year, research indicates that nearly a third of organisations have accelerated their plans to automate key security and incident response (IR) processes, and 85% plan to automate them within the next 12 months. Encouraging as these figures are, many organisations struggle to move to a more automated process. This was highlighted at a recent webinar we held with a panel of senior cybersecurity experts from a range of sectors.
What were the findings of the discussion?
The discussion revealed that, while most firms are exploring automation, few have made much progress. The panel attributed this to a combination of factors: a limited understanding of automation within the business, insufficient help from vendors, and a lack of solid IT foundations.
The current experience of cybersecurity automation
All attendees agreed that automation is the future of cybersecurity and that it was in their interest to explore it. Most speakers said they already used automated intrusion detection systems (IDS), but had found resistance to adding an intrusion prevention system (IPS), because a false positive could take a system offline unnecessarily. As one delegate put it, “They are afraid that automating blocking will break their world”.
During the event, the current experience of automation was described as frustrating: an automated engine can successfully detect a problem, but it often fails to explain what the problem actually is.
The detection system can itself feel like a problem, “the noisy child in the corner”, as one attendee put it. One delegate mentioned that his platform raises six billion data points every month. Of those, around 1,000 need to be investigated manually, and only about two of those are likely to be genuine threats, yet someone still has to be tasked with working through all 1,000 alerts. The human component remains, despite automated intrusion detection.
How do companies measure successful automation?
Attendees agreed on some of the main ways they measure successful automation, with time and expense viewed as vital success measures. Some “measure success by finding out the attack has happened and how they can prevent it, and ensuring that it doesn’t spread”.
Automated responses to threats have saved attendees money and time, and reacting faster than the attacker can act was therefore established as an essential measure of success.
Others put it more simply: success is whether the firm’s systems are still working in the morning, which is ultimately about reducing the threat to the business. A low number of false positives was also viewed as a success measure.
However, as Leon Ward of ThreatQuotient outlined, automating cybersecurity is challenging precisely because the measures of success vary. Automating an industrial process is simpler to judge, since it can be measured by an improvement in speed, output or some other metric. In his view, the ultimate measure of success in security must be that nothing bad happens, which is much harder to put a number on.
Foundations needed to build an environment for automation
Research from ThreatQuotient found that 41% of businesses say a lack of trust in the outcomes of automation is preventing its deployment. Numerous attendees noted that businesses need further education to accept that defending themselves may mean some impact on day-to-day operations.
Speakers agreed that automation is often seen as putting a bigger target on security teams’ backs, because it is viewed as an overhead. It is also in the nature of cybersecurity that problems are highly visible when they arrive, which perhaps adds to the wariness about automation, even though spotting problems is a good thing.
It was highlighted that many firms do not have the IT infrastructure for a smooth transition to automation; disjointed systems and legacy tools make automation difficult. Some noted that their firm’s systems cannot even automate password resets yet. Others described more of a cultural issue: people are often suspicious of new systems, and in some businesses they get annoyed if security tools impede their workflow.
How can automation efforts be improved in the industry?
The metrics commonly used in cybersecurity were discussed. Mean time to detect (MTTD) and mean time to respond (MTTR) were viewed as not very helpful, since in practice there is often little useful difference between the two. “If we’ve detected it, we’ve responded,” was a common view. Measuring either is difficult because it can be hard to know when to start the clock: at the attacker’s first activity, at the first log entry that evidenced it, or at the alert.
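The dependence of MTTD and MTTR on where the clock starts and stops can be made concrete. The following is an added worked example, not code from the roundtable or from ThreatQuotient: the three incident timelines are constructed, and the field names and the anchor choices (first attacker activity versus first telemetry for detection; response start versus containment for response) are assumptions made for this example rather than any attendee's definitions.

```python
# Added example (hypothetical data): how MTTD/MTTR change with the chosen anchors.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List


@dataclass(frozen=True)
class Incident:
    name: str
    first_attacker_activity: datetime  # when the attacker actually got in (forensic reconstruction)
    first_telemetry: datetime          # first log line that, in hindsight, evidenced the activity
    alert: datetime                    # when a detection fired
    response_started: datetime         # first containment action, automated or human
    contained: datetime                # attacker access removed


T0 = datetime(2024, 1, 1, 0, 0, 0)
H = timedelta(hours=1)
M = timedelta(minutes=1)

# Constructed sample incidents, chosen to show three typical shapes.
INCIDENTS: List[Incident] = [
    # Commodity malware blocked automatically: detection and response coincide.
    Incident("auto-blocked", T0, T0, T0 + 3 * M, T0 + 3 * M, T0 + 3 * M),
    # A batch rule fired 7h after the activity; the human triage queue then took
    # a day before containment started and six more hours to finish.
    Incident("queued-alert", T0 + 1 * H, T0 + 1 * H, T0 + 8 * H, T0 + 32 * H, T0 + 38 * H),
    # Long dwell: initial access left no logs for a day; found by a hunt a month later.
    Incident("long-dwell", T0, T0 + 24 * H, T0 + 720 * H, T0 + 723 * H, T0 + 747 * H),
]


def hours_between(start: datetime, stop: datetime) -> float:
    return (stop - start).total_seconds() / 3600.0


def time_to_detect(inc: Incident, anchor: str = "attacker") -> float:
    """Hours from the chosen start anchor to the alert."""
    start = {"attacker": inc.first_attacker_activity, "telemetry": inc.first_telemetry}[anchor]
    return hours_between(start, inc.alert)


def time_to_respond(inc: Incident, end: str = "response_started") -> float:
    """Hours from the alert to the chosen end anchor."""
    stop = {"response_started": inc.response_started, "contained": inc.contained}[end]
    return hours_between(inc.alert, stop)


def mttd(incidents: List[Incident], anchor: str = "attacker") -> float:
    return mean([time_to_detect(i, anchor) for i in incidents])


def median_ttd(incidents: List[Incident], anchor: str = "attacker") -> float:
    return median([time_to_detect(i, anchor) for i in incidents])


def mttr(incidents: List[Incident], end: str = "response_started") -> float:
    return mean([time_to_respond(i, end) for i in incidents])


def response_lag(incidents: List[Incident]) -> Dict[str, float]:
    """Per-incident gap between detection and the start of response."""
    return {i.name: time_to_respond(i) for i in incidents}


def summary(incidents: List[Incident]) -> Dict[str, float]:
    return {
        "mttd_from_attacker_h": mttd(incidents, "attacker"),
        "mttd_from_telemetry_h": mttd(incidents, "telemetry"),
        "median_ttd_from_attacker_h": median_ttd(incidents, "attacker"),
        "mttr_to_response_start_h": mttr(incidents, "response_started"),
        "mttr_to_containment_h": mttr(incidents, "contained"),
    }


if __name__ == "__main__":
    for key, value in summary(INCIDENTS).items():
        print(f"{key:30s} {value:10.2f}")
    print("response lag per incident (h):", response_lag(INCIDENTS))
```

Two things fall out of the sample. For the automatically blocked incident the detection-to-response lag is zero, so for that class “if we’ve detected it, we’ve responded” is literally true and MTTR adds nothing over MTTD; the aggregate MTTR then blends that zero with the day-long human queue of the second incident. For detection, moving the start anchor from attacker activity to first telemetry changes MTTD by eight hours, and the single long-dwell incident dominates the mean either way, which is why the median is reported alongside it.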
Poor-quality metrics prompt the board to ask, “So what?” Attendees said they would favour a metric that tracks the extent of coverage and how successful it is, though they acknowledged that it is hard to know which data points could measure those things.
More help from vendors was identified as an action point: it would be useful to know where vendors themselves struggled with automation rather than finding this out the hard way. This kind of openness can help to build fruitful new partnerships between vendors and businesses.
What is the way forward?
Overall, there is a lot of work that still needs to be done to improve the journey towards automation in cybersecurity. Despite ThreatQuotient’s research indicating positive steps, the roundtable event showed that a cultural change is needed for mass adoption to occur.
Further education on the subject is required, as well as a shared understanding of what constitutes success. Vendors can make strides to ensure that this happens and to help build the trust that enterprises need to make the journey as smooth as possible.
Attendees were ultimately realistic; as one spokesperson said, “we’re not looking for a silver bullet”. Vendors must take this viewpoint into account and strive to build the partnerships needed to learn, improve and agree on demonstrable measures of success for automation.
Cyrille Badeau is the Vice President of International Sales at ThreatQuotient.