10:30 AM
Roy Katmor

Why Automation Will Free Security Pros to Do What They Do Best

There are three reasons today's security talent pool is neither scalable nor effective in addressing the rapid evolution of cyberattacks.

People are and will always be the most critical cybersecurity resource. Right now, the talent pool with the unique skills and training to respond to cyber threats is unfortunately all too limited, and the way we are making use of this scarce resource is neither scalable nor effective in addressing the rapid evolution of cyberattacks.

The lack of analysts dedicated to advanced malware forensics, and the high cost of recruiting and retaining them, force organizations to build security operations centers (SOCs) and incident response teams in a tiered analyst structure. The further you go up the tiers, the more advanced the security analyst, and the fewer people available to staff that position. As a result, it's critical within this structure to filter out as many false alarms as possible at the lower tiers, leaving only the most extreme forensic cases for the limited high-tier analysts. The pressure on these top-tier professionals to respond quickly to alerts and discard as many false positives as possible is a common cause of missed intrusions.

To limit the negative impacts of a breach and avoid incident overload within incident response teams, many organizations rely on prevention technologies as their first line of cyber defense. Current prevention technologies are designed to log or, in obvious cases, filter out known anomalies and indicators, but they lack the ability to stop the unknown or prevent the implications of a successful attack. As a result, more sophisticated cyberattacks can remain undetected for longer periods of time by bypassing these established countermeasures.

This situation is often beyond the control of hard-working security pros. Consider the 2017 Equifax breach. Equifax had a well-qualified security team in place, but an advanced cyberattack evaded its detection systems and remained stealthy while stealing corporate data. As in this and most other breach scenarios, by the time the SOC analyst responds, his or her threat-hunting efforts are largely focused on investigative steps to determine the causes and assess the impact. There are three reasons why this approach is problematic:

Reason 1: Human-driven analysis consumes precious time. It's a manual process of painstakingly reviewing atypical compromise indicators and determining an appropriate response. For example, how many indicators do you have? How many do you need to warrant investigation? How do they even come to be an indicator? Threats are simply moving too quickly to tolerate the delays inherent in manual response.

Reason 2: Skilled security analysts are hard to find. Today's most-coveted SOC skill involves human eyes darting between screens and deciding what to do first when attempting to make sense of statistical indicators and anomalies. Aside from that being essentially a reactive exercise after the damage is done, the labor shortage of people with these skills makes them costly to hire and retain. And because it's nearly impossible to predict the number of analysts needed to analyze the increasing volume of cyberattacks and the corresponding indicators, operational expenditures (OpEx) related to salary costs are continual wild cards.

Reason 3: It's too late. Once a breach and potentially a theft have occurred, the damage is done and your data is gone. Your valuable SOC resources are focused on cleanup and damage control rather than on preventing the cyberattack and breach.

Given these problems, the current approach is unsustainable. Fortunately, automation technology offers a compelling solution that augments rather than replaces the human component in the equation. In particular, automation can help increase security efficacy and the speed of operations. While preventing all attacks is not possible, automated, real-time containment of an attack reinforces a protective posture, preventing or limiting the consequences of a breach. Once attacks are contained, automated responses can be customized and applied to remediation in a predictable way and within a more manageable time frame. That makes for efficient use of limited security resources, accelerates the time to address new threats, and improves OpEx.

Another benefit of automation is how it will increase the value of security analysts by enabling them to get even better at the more consequential aspects of their jobs. As adoption of automation inevitably increases, security analysts will need to focus less on the art and science of manually correlating data from memory and instinct, and more on strategic analysis, planning, and remediation, such as understanding the business drivers for how the organization uses, transmits, and stores data. Better understanding of the business context will empower analysts to develop predetermined automation outcomes designed to minimize disruption of critical business services and functions. For example, a decision may be made to automate containment or remediation of infections on call center endpoints that are critical for sustaining customer support operations.
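The "predetermined automation outcomes" described above, and the indicator-count question raised under Reason 1, can be expressed as a small policy table that the SOC agrees on in advance. The following is an added illustration, not code from the article or from any vendor product; the asset inventory, thresholds, and action names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed asset inventory: the business context the article says analysts
# must capture up front (hypothetical hosts and roles, not from any real SOC).
ASSET_CONTEXT = {
    "cc-agent-17": {"role": "call-center", "critical_service": True},
    "dev-box-03":  {"role": "engineering", "critical_service": False},
    "fin-db-01":   {"role": "finance-db", "critical_service": True},
}

# Predetermined thresholds (assumed values): below these, automation only logs
# and enriches, so tier-1 analysts are not paged for every weak signal.
MIN_INDICATORS_FOR_AUTO = 3
MIN_CONFIDENCE_FOR_AUTO = 0.8


@dataclass
class Alert:
    host: str
    indicators: int     # distinct compromise indicators observed on the host
    confidence: float   # detection confidence, 0.0 to 1.0


@dataclass
class Outcome:
    action: str         # one of: log, contain, contain_graceful, escalate
    reason: str


def decide(alert: Alert) -> Outcome:
    """Map an alert to the outcome agreed on ahead of time for that asset class."""
    ctx = ASSET_CONTEXT.get(alert.host)
    if ctx is None:
        # Unknown asset: automation cannot weigh business impact, so a human decides.
        return Outcome("escalate", "no business context recorded for host")
    if alert.indicators < MIN_INDICATORS_FOR_AUTO or alert.confidence < MIN_CONFIDENCE_FOR_AUTO:
        return Outcome("log", "below automation threshold; enrich and queue for tier-1")
    if ctx["role"] == "call-center":
        # The article's own example: contain automatically, but in a form chosen
        # in advance to keep customer support running (e.g. network isolation
        # that leaves the telephony and ticketing paths open, reimage off-shift).
        return Outcome("contain_graceful", "isolate except support services; remediate off-shift")
    if ctx["critical_service"]:
        # Other critical services: automation prepares the containment but a
        # senior analyst approves it, so a false positive cannot take them down.
        return Outcome("escalate", "critical service; containment staged for analyst approval")
    return Outcome("contain", "isolate host from network and terminate user sessions")


def triage(alerts: list) -> dict:
    """Count outcomes for a batch, showing how much never reaches a human tier."""
    counts: dict = {}
    for a in alerts:
        act = decide(a).action
        counts[act] = counts.get(act, 0) + 1
    return counts
```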

Once preventative countermeasures are adopted that can ensure effective prevention and protection in real time, security analysts will then be able to focus on identifying the next potential weak link and remediating it. That will not only provide better security posture but will also guarantee security scalability and analysts' greater satisfaction in their jobs.

In summary, automation will help organizations contain breach impacts while controlling the costs of scarce staff resources struggling to keep up. But ultimately, security will still come down to people. Security analysts will create the solutions that keep their organizations safe. Automation will empower them to succeed in an environment where incident response time pressures have been minimized, freeing them to employ their best talents and skills and realize the full potential of threat hunting to discover and eliminate future risks.

Roy is a 15-year seasoned product manager and security market strategist, combining strong technical knowledge with proven sales and marketing skills. Prior to enSilo, Roy led Akamai's security strategy. Before that, he managed Imperva's data security products and ...

9/10/2018 | 6:02:37 PM
Automation can be great, but it's no quick fix...
Nice article, Roy. Automation and orchestration are indeed 'hot' topics at the moment and are helping many organizations address issues faster and more consistently than they were before. The topics are perhaps also premier candidates for leading the latest round of fads in industry marketing.

Some caveats worth mentioning: new buyers of security automation products may find themselves experiencing sticker shock or falling victim to a still-maturing product space. Many vendor products are prohibitively expensive to the organizations that might benefit most (i.e., the long tail) and too often lock in users with proprietary workflow formats. That said, automation is worth exploring—and perhaps adopting—for many organizations. My organization has realized numerous benefits to date.

An additional note of caution: I see many organizations rushing to automate workflows without first running the numbers; and, while automation has many benefits, it is first and foremost a matter of economics. Deciding what could, should, and will be slated for automation is an issue of resource management and optimization, whether those resources are people hours, pay-by-use cloud services, or particular team members with in-demand skills and limited availability.

Finally, organizations new to automation need to recognize that deploying new automation workflows is, in many ways, similar to deploying a new "product"—in that the workflows may (in more ways than expected) require additional support resources and know-how for testing, monitoring, and maintenance.