For Defenders, Automation isn’t Automatic

I’ve written previously about how time to detection (TTD) is a key indicator in the measure of security effectiveness. As we improve our ability to quickly find and stop adversaries that have infiltrated our infrastructure in order to mitigate damage, adversaries are under pressure to accelerate their “time to evolve” (TTE). This is the time it takes for them to change their tactics, let alone adjust any malware they may be intending to utilize. 

Using automation, bad actors work nonstop to keep their tactics fresh, move with even more speed, and find ways to evade detection so that they can continue compromising users and systems for as long as possible. For example, they use fast flux to rapidly change their IP addresses so they can quickly and easily mask their means of executing attacks. They also use polymorphism to combine tried-and-true mechanisms with frequently changing file extensions and file content types to evolve how they deliver and hide malware. Automation is integral to their ability to shift tactics constantly.

Unfortunately, when it comes to automation, most defenders are operating at a deficit. Automation isn’t a new concept in the cybersecurity industry. We’ve been talking about it for years. So what’s holding so many enterprises back from incorporating automation in their security programs? There are three main factors.

1. Complexity: Most organizations face a daunting amount of complexity stemming from multiple, disparate point solutions that don’t, and often can’t, interoperate effectively. Because they aren’t integrated, they can’t automatically share and correlate information and activity across networks and systems. Each solution issues its own alerts, and security teams can only investigate a fraction of them. Such a complex web of technology, and the overwhelming number of security alerts, is a recipe for less, not more, protection. As more security tools are added, traditional solutions designed to harness these alerts often don’t have the scale to ingest and store all the security telemetry that a company may have in its network.

2. Talent Shortage: Limited budgets and a lack of talent make hiring sprees unlikely. Various reports put the global cybersecurity talent shortage at one million, climbing to one and a half million in two years. Automation isn’t a matter of pushing a button and walking away – it is a continuous activity. It must change with your environment and the threat landscape, and this requires humans and technology working in combination to ensure it adapts and remains relevant.

3. Lack of Trust: Even though various groups within the organization are on the same team with the same end goal – to defend the organization – they often have competing priorities. For example, the threat intelligence team finds an indicator and throws it over the fence to put it into production. But the network security team may not trust the intelligence, nor have the tools or personnel to implement it quickly and follow up on the new alerts that will result.

Automation is essential to defeating cybercriminals who change their tactics frequently to keep their malware strong and profitable. It helps you understand what normal activity is in the network environment faster and more easily, so you can focus scarce resources on investigating and resolving true threats. So how can you overcome these barriers that stand in the way of automation? 

Work with suppliers: To begin with, work with your suppliers and hold them accountable for compatibility, integration, and simplification. Some suppliers will embrace the challenge and work together. Consider replacing those that don’t, or simply can’t due to their own technology limitations and the way their tools are architected. An integrated security architecture with security tools working together in an automated way streamlines the process of detecting and mitigating threats. You will then have time to address more complex and persistent issues. And if you’re still finding you have a lack of bench strength, consider outsourced talent in the form of managed detection and response services that can add muscle to your security teams while also conserving budget. 

Align metrics: Use a common agreed set of metrics for internal teams and move away from traditional ways of measuring IT success. The ROI for IT is often measured in two- or three-year periods, whereas security ROI is shorter and evolves quickly. Aligning metrics and time frames will encourage communication, collaboration, and the use of automation as everyone works jointly towards shared measures of success. Involve your suppliers in these metrics too. Allow them to have input and hold them jointly responsible.

Engender trust: Establishing trust takes time and open communication. Individuals, technology, and processes need to build a reputation for reliability. By demonstrating success at points along the way and measuring the efficacy of automation over time, teams will begin to trust each other – and the automation.

In this complex landscape of rapid evolution, where bad actors have embraced automation to accelerate their TTE, human expertise and point solutions are not enough to identify and respond quickly to threats. Operationalizing people, process, and technology in an integrated way that allows for automation is essential for improving TTD and ensuring swift detection and remediation when infections occur.
