Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Steve Durbin
Steve Durbin
Connect Directly
E-Mail vvv

The Trouble With Automated Cybersecurity Defenses

While there's enormous promise in AI-powered tools and machine learning, they are very much a double-edged sword.

Speed and accuracy in identifying and responding to threats are the alluring promises of automated cybersecurity defenses. The average cost of a data breach is $3.86 million, with the average time to detect and contain pegged at 280 days, according to Ponemon Institute research. Any system that can reduce those figures is welcome, so it's no surprise that artificial intelligence (AI) and other automated defenses are seeing rapid and wide adoption.

Related Content:

Cyber Is the New Cold War & AI Is the Arms Race

Special Report: Building the SOC of the Future

New From The Edge: 5 Mistakes That Impact a Security Team's Success

While there's enormous promise in AI-powered tools and machine learning, they are very much a double-edged sword. Cybercriminals and other threat actors can engage the same techniques or manipulate the automated systems businesses employ. Because these technologies are not mature or well understood by the average IT department, there's also scope for misconfiguration and disruptive clashes between overlapping systems.

Unrealistic Expectations
Hype accompanies every new cybersecurity trend. A wave of automated defense technology is being hailed as the answer to skills shortages and increasing levels of attack. Security orchestration automation and response (SOAR), extended detection and response (XDR), and user and entity behavior analytics (UEBA) are leading the charge. The trouble is that their capabilities are sometimes oversold, and the problems they introduce can outweigh the benefits.

The scope and complexity of most organizations make adoption challenging. To reap the rewards of an automated system requires proper planning and compatible infrastructure. There's also a dangerous temptation, especially after making a large investment, to push these new technologies to handle things they were not designed to handle.

While they may enable cost-cutting in the longer term, proper integration and management of automated systems can increase costs in the short term. Unrealistic expectations and complacency can lead to disaster.

Lack of Understanding
Automated cybersecurity is a competitive space. The SOAR market is growing fast and expected to reach $1.3 billion by 2026, up from $721 million this year, according to 360 Research Reports. The leaders are naturally determined to protect their intellectual property. Many machine learning systems also rely on a black-box model, so there is very little, if any, insight into these products' inner workings.

If the vendors don't understand why decisions are being made, how can their customers?

Placing this level of trust in an unproven autonomous system is very risky. To make matters worse, there's a knock-on effect in terms of diminishing skills throughout your workforce. As automated systems take over with the expectation they will plug the skills gap, there will be fewer hires and less incentive for training.

Poisoning Datasets
One of the biggest dangers of placing trust in an automated system is that it can be manipulated by threat actors. The organization under attack has no way of knowing if the system has been tampered with. It can be alarmingly easy to poison automated systems with tainted datasets. This could dangerously skew machine learning algorithms over time or cause innocent traffic to be flagged as anomalous in the short term. Attackers don't necessarily have to fool the system; they can just overload it, prompting shutdowns of services or networks that could leave everyone locked out.

Even without malicious actors at work, some automated defenses may clash with other tools and systems on your network. Take the analogy of infection causing fever in the human body. The immune system is turning up the heat to try and kill the bacteria invading your body, but the fever can incapacitate or even kill you in extreme circumstances.

How to Approach Adoption
While there are risks, automated cybersecurity defenses also represent a real opportunity. But they must be handled carefully. Adoption should be fully planned, set a reasonable expectation level, and ensure that you have the internal skills to properly configure and interpret the automated system.

It's crucial to assess the level of autonomy these systems have and limit their ability to shut down services without some human oversight. Build trust slowly. Closely examine the sources that automated defenses rely upon, and find a way to continuously monitor the data sets to guard against poisoning attempts.

Mitigate risk by drafting incident response plans to cater to different automated system failure scenarios. Rehearse these response plans and tweak them as necessary to ensure they are effective. It's also wise to implement strict testing and change management to curtail overreliance on any automated system.

There's little doubt that automated cybersecurity defenses will have an increasingly important role to play, but we must resist the temptation to move too rapidly. Choose a considered strategy over blind trust and temper your expectations to get the most from this burgeoning technology.

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit dedicated to investigating, clarifying and resolving key issues in information security and risk management. He is a frequent speaker on the Board's role in cybersecurity and ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...