Effective security needs a balance of both humans and robots

30 May 18

IT security professionals face an uphill battle these days. Tasked with protecting their organisations from myriad cyber threats, they find themselves fighting more battles with constrained resources.

As a result, many are turning to security automation tools to provide a first line of defence. These robotic tools offer the ability to stop threats in their tracks while also shielding security staff from endless alarms and letting them focus on more value-adding tasks.

They also assist in overcoming the ongoing skills shortage in the cybersecurity space. More work can be completed with fewer humans, without compromising security levels.

The power of automation

Robotic automation can play a key role within any IT department. The tools can quickly contain thousands of potential threats while human analysts examine the details of significant incidents, work out how to tackle them, and determine how they can best prevent a similar threat occurring in the future. Additionally, automation tools can create comprehensive incident reports that can, in turn, be used to improve future responses.

The tools also free staff from many mundane monitoring tasks. Because they are no longer under pressure to respond to each and every alarm, they can instead investigate threats more thoroughly. Staff can also develop ways to test the effectiveness of their organisation’s security capabilities, through stress testing and simulation exercises.

The robots also give security analysts more time to get up to speed on the latest threats and improve their technical skills. This, in turn, improves the overall security expertise within the organisation and helps it move from a reactive to proactive stance. They also let security staff deal with genuine threats more quickly and reduce the opportunity for problems to intensify.

Humans still required

However, the threat environment is extremely complex and constantly evolving. While robotic automation is incredibly sophisticated and getting better, it's not foolproof.

One big issue is false negatives. While these can be largely eliminated through effective fine-tuning of the automation software and its workflows, their existence demonstrates that relying solely on algorithms would be a serious error.

Instead, robotic automation should be treated as a tool that helps security staff operate more efficiently and make the most of available resources. It should, however, never become a substitute for human expertise and experience.

To be effective, security teams need to perform a robot-and-human balancing act to ensure that human intervention remains a major part of the threat detection and resolution equation.

Automating too much of the workload will quickly cause problems. Threats that fall outside the experience of the machine learning software could go undetected or not be investigated properly. Over-automation could also mean that unusual but legitimate user activity is blocked even though it isn't a threat, creating more work for security teams and frustration for users.

At the same time, automating too little of the workload will cause issues as well. It will lead to security teams continuing to feel the strain and being unable to do their jobs properly. Again, this could result in threats being missed or a security team that isn't as up to speed on security developments as it needs to be.

It must be remembered that the security skills humans bring to the equation remain a vital commodity, and the security skills shortage being experienced in many areas is widely acknowledged as a problem that automation alone can't fix.

According to recent research by the Enterprise Strategy Group, the security skills shortage is most acute in the areas of security investigations/analysis (nominated by 31% of respondents), application security (31%) and cloud security (29%). These areas can't be taken care of by automation tools, and the expertise and adaptability that humans bring remain vital.

While robotic automation delivers the ability to flag and contain threats and prioritise them for further investigation, the tools can't investigate threats to the extent that human analysts can, or take the action needed to remove them from the network and repair the damage that has been caused.

Also, when it comes to security for specific applications (both on premises and in the cloud), specialist skills are required to ensure systems are set up correctly and that the activity that takes place within them is appropriately managed.

The role of automation in security operations is certain to continue to grow; however, organisations need to ensure that the correct elements are automated and that human intervention remains a key part of keeping the organisation safe.

While the abilities of automation tools will evolve and expand, it remains important that all organisations get the balance right between robots and humans. Working together, they can provide the best possible IT security protection.

Article by LogRhythm senior regional marketing manager Asia Pacific and Japan, Joanne Wong.