IT security professionals face an uphill battle these days. Tasked with protecting their organisations from myriad cyber threats, they find themselves fighting more battles with constrained resources.
As a result, many are turning to security automation tools to provide a first line of defence. These robotic tools offer the ability to stop threats in their tracks while also shielding security staff from endless alarms and letting them focus on more value-adding tasks.
They also assist in overcoming the ongoing skills shortage in the cybersecurity space. More work can be completed with fewer humans, without compromising security levels.
The power of automation
Robotic automation can play a key role within any IT department. The tools can quickly contain thousands of potential threats while human analysts examine the details of significant incidents, work out how to tackle them, and determine how they can best prevent a similar threat occurring in the future. Additionally, automation tools can create comprehensive incident reports that can, in turn, be used to improve future responses.
The tools also free staff from many mundane monitoring tasks. Because they are no longer under pressure to respond to each and every alarm, they can instead investigate threats more thoroughly. Staff can also develop ways to test the effectiveness of their organisation’s security capabilities, through stress testing and simulation exercises.
The robots also give security analysts more time to get up to speed on the latest threats and improve their technical skills. This, in turn, improves the overall security expertise within the organisation and helps it move from a reactive to proactive stance. They also let security staff deal with genuine threats more quickly and reduce the opportunity for problems to intensify.
Humans still required
However, the threat environment is extremely complex and constantly evolving. While robotic automation is incredibly sophisticated and getting better, it's not foolproof.
One big issue is false negatives. While these can be largely eliminated through effective fine-tuning of automation software and workflows, it demonstrates that solely relying on algorithms would be a big error.
Instead, robotic automation should be treated as a tool that can help security staff operate more efficiently and make the most of available resources. They should, however, never become a substitute for human expertise and experience.
To be effective, security teams need to perform a robot-and-human balancing act to ensure that human intervention remains a major part of the threat detection and resolution equation.
Automating too much of the workload will quickly cause problems. It will mean that threats that are outside the experience of the machine learning software could go undetected or aren't investigated properly. Over automation could also mean unusual but legitimate user activity that isn't a threat could be blocked, creating more work for security teams and frustration for users.
At the same time, automating too little of the workload will cause issues as well. It will lead to security teams continuing to feel the strain and being unable to do their jobs properly. Again, this could result in threats being missed or a security team that isn't as up to speed on security developments as it needs to be.
It must be remembered that the security skills humans bring to the equation remain a vital commodity, and the security skills shortage being experienced in many areas is widely acknowledged as a problem that automation alone can't fix.
According to recent research by the Enterprise Strategy Group, the security skills shortage is most acute in the area of security investigations/analysis (nominated by 31% of respondents), application security (31%) and cloud security (29%). These areas can't be taken care of by automation tools, and the expertise and adaptability that humans bring remains vital.
While robotic automation delivers the ability to flag and contain threats and prioritise them for further investigation, the tools can't investigate threats to the extent that human analysts can, or take the action needed to remove them from the network and repair the damage that has been caused.
Also, when it comes to security for specific applications (both on premises and in the cloud), specialist skills are required to ensure systems are set up correctly and that the activity that takes place within them is appropriately managed.
The role of automation in security operations is certain to continue to grow, however organisations need to ensure the correct elements are automated and that human intervention remains a key part of keeping the organisation safe.
While the abilities of automation tools will evolve and expand, it remains important that all organisations get the balance right between robots and humans. Working together, they can provide the best possible IT security protection.
Article by LogRhythm senior regional marketing manager Asia Pacific and Japan, Joanne Wong.