The Best and Worst Tasks for Security Automation
As with all new tech, there are good times and bad times to use it. Security experts share which tasks to prioritize for automation.
Automation may change the nature of security jobs, but it won't be taking them away anytime soon. While it works well for some tasks as a supplementary tool, other tasks are still best left entirely to people.
Where you decide to automate depends on where the benefits outweigh the risks, says Rob Boyce, managing director at Accenture Security. And the level of risk you encounter depends on how you approach the process and which tasks you choose to automate.
While automation tools have come a long way, there's still room for improvement, he adds. Decisions remain about how it should evolve and where it fits in the business. In its current form, the tech works well for simple tasks but hasn't advanced to address complex ones.
In addition, the machine-learning algorithms powering automation are still imperfect. "Machine learning isn't always a yes or a no," says Corey Nachreiner, CTO at WatchGuard Technologies. Oftentimes people still need to analyze results to determine what they mean.
Automation, Boyce says, requires a thoughtful approach. Here, Boyce and Nachreiner weigh in on which security tasks can be prioritized for automation, and those where it doesn't quite work. Where have you implemented automation so far, and where have you found it most effective? Feel free to share your story in the comments.
Boyce says he's seeing a lot of success in the automation of important but nondisruptive tasks like patching, which is a key part of security but doesn't require a lot of human interaction. Patching normally requires a person, but it's not something the security team has to analyze, he explains.
"It's still hard to get organizations to patch on a monthly basis," Nachreiner says. "It's one of the first and easiest things even the smallest organizations can consider automating."
That said, new patches can bring new problems, and sometimes fixes come with bugs that need to be addressed by a human analyst. Some businesses have a testing structure for rolling out new patches, Boyce adds, and automating that process is very achievable. He estimates you can patch about 80% of an environment with automation if the right process is in place.
There is opportunity for advancement, Boyce says. For example, right now it's tougher to automate application-level patches compared with system-level fixes. It's still unclear how app-level patches will react to automation.
Most forms of modern malware detection are automated, says Boyce, but it's getting harder to detect increasingly advanced threats. For generations, malware detection was signature-based, flagging malware based on repeating patterns. Now attackers have caught on, slightly altering malware so signature-based systems don't pick up on it, Nachreiner explains.
"Every time [they] send it to a new victim, [they] make it look different on a digital level," he says. These simple, subtle changes have driven the rise of millions of malware variants, many of which slip past signature-based defenses. So, again, defensive technology has had to adapt with behavioral analysis, catching malware based on how it acts on a target system.
"Security has done a good job of automated behavioral analysis," he points out. "For nonsophisticated malware, they're pretty good at automating detection and blocking that."
Boyce adds that while automation has made progress in malware detection, there's additional room for success when it comes to automating the response. It's one thing to acknowledge malware is on a system, but it's another step to automatically quarantine it. The ability to automatically respond to events on the network will be a common use case for automation, he says. Seeing the fabric of threat operations is top-of-mind for many clients and will only grow more prominent as they collect and store more data from more devices.
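As an added illustration (not code from the article or from either expert), the toy below shows the two detection approaches described above side by side: a hash-based signature that a one-byte variant slips past, and a weighted behavioral score that still catches it. It also models the tiered response the article calls for, quarantining automatically only when the evidence is clear and escalating ambiguous cases to an analyst. Samples, event names, weights and thresholds are all constructed for the example.

```python
"""Signature vs. behavioral detection with a tiered automated response (toy example)."""
import hashlib
from typing import Iterable

# Constructed sample: a "known" payload and a trivially repacked variant of it.
KNOWN_SAMPLE = b"MZ\x90\x00dropper-sample-v1\x00"
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"v1", b"v2")  # one byte changed

# Signature database: SHA-256 of samples seen before (constructed).
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Behavioral indicators and illustrative weights (constructed, not a real ruleset).
BEHAVIOR_WEIGHTS = {
    "persistence_registry_write": 3,
    "mass_file_encrypt": 5,
    "outbound_to_new_domain": 2,
    "shell_spawned_from_office_app": 3,
}
QUARANTINE_THRESHOLD = 5  # confident enough to act without a human
ESCALATE_THRESHOLD = 2    # ambiguous: route to an analyst instead


def signature_match(sample: bytes) -> bool:
    """Exact-hash lookup: any change to the bytes defeats it."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


def behavior_score(events: Iterable[str]) -> int:
    """Sum the weights of distinct observed behaviors; unknown events score 0."""
    return sum(BEHAVIOR_WEIGHTS.get(event, 0) for event in set(events))


def decide(sample: bytes, events: Iterable[str]) -> str:
    """Return 'quarantine', 'escalate' or 'allow' for one observed process."""
    if signature_match(sample):
        return "quarantine"            # known-bad: automation can act alone
    score = behavior_score(events)
    if score >= QUARANTINE_THRESHOLD:
        return "quarantine"            # behavior alone is conclusive
    if score >= ESCALATE_THRESHOLD:
        return "escalate"              # not a yes or a no: human review
    return "allow"


if __name__ == "__main__":
    # Constructed event logs for two processes running the variant sample.
    noisy = ["persistence_registry_write", "mass_file_encrypt"]
    quiet = ["outbound_to_new_domain"]
    print("known sample:", decide(KNOWN_SAMPLE, []))           # quarantine
    print("variant, no behavior:", decide(VARIANT_SAMPLE, []))  # allow (signature evaded)
    print("variant, noisy:", decide(VARIANT_SAMPLE, noisy))     # quarantine
    print("variant, quiet:", decide(VARIANT_SAMPLE, quiet))     # escalate
```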
"The volume of data getting collected is very significant," Boyce continues. Businesses typically don't have the skills in-house to process and analyze all the information; as a result, they're turning to machines to handle the excess.
In security, we often talk about data confidentiality and integrity, but less so about availability. However, automation can be leveraged to protect the availability of data in the cloud as part of a disaster recovery plan following a security incident, Nachreiner explains. If a core server is attacked, for example, you can spin it back up in minutes or seconds to prevent loss to the business.
Recovering from a loss of business continuity is something you can automate if you virtualize a system and put it into a hybrid cloud, he says. If someone attacks the server or you have a problem, with the proper virtualization automation you can automatically bring a copy of the server back up in minutes or seconds.
Automation has come a long way in the past few years, but it still isn't advanced enough to detect the most subtle and complicated cyberattacks.
"Once you start getting to more human-based threats or complex threats, that's where automation doesn't work or it's not comprehensive enough," Nachreiner says.
A prime example is in social engineering attacks like business email compromise, which typically arrives as specially crafted emails tailored to specific recipients. Because they're designed to mirror a target's normal correspondence, they're tougher for automated systems to filter.
Pen testing can be automated to a certain degree but cannot be fully trusted, Nachreiner says. Automated pen-testing services typically search for and identify flaws by comparing them with a standard list of known problems. Many tend to flag false positives and miss key indicators that may otherwise be found by a person.
"Most security analysts would agree that automated pen-testing services aren't enough on their own," Nachreiner explains.
While automated pen-testing systems can help companies find real flaws, and they certainly offer value, he doesn't advise solely relying on these services to find bugs. Pen testing will require human interaction for the foreseeable future, he says.