SecurityWeek

Security Automation Challenges to Adoption: Overcoming Preliminary Obstacles

For Most Organizations, the Full Capabilities of Security Automation Are Still Untapped

Modern security threats come in many forms, which is part of why addressing them is so hard and why security automation is so badly needed. Yet despite recent advances, the barriers to adopting automation software remain high, particularly within the security industry.

Cyberattacks have long used automation. It lets the attacker create, test, fire and forget. Code is reused with little modification and enhancements are added with minimal work, and it has been that way since the beginning of malware development. Brute-force attacks cycle through lists of credentials to gain access, port scans probe a network for exposed services, and worms spread automatically from one compromised machine to every reachable vulnerable host. Each of these relies on packaged tooling to automate one or more steps of the process.

A past and future threat

Automated attacks are evolving fast. For example, there is growth in malicious tweets and chatbots that harvest personal information for use in phishing campaigns. The same information also feeds pre-infection tactics, where a first-stage implant is placed on a network ahead of time to confirm the environment is a real, unmonitored target before the main attack executes.

Automation Fact: In 2018, IBM Research built a proof-of-concept called DeepLocker, which used AI to keep its malicious payload hidden in plain sight and only unlocked it when the intended target was recognized (in the demonstration, by facial recognition). The code was developed to show what is possible and to gather data that will help defend against this class of attack in the future.

Attackers already have a head start on us, which leaves one to wonder why there are still barriers to the adoption of automation in security. Why are organizations not making more use of this technology to help stay ahead of threats?

To be successful in preventing attacks, we need to reconsider how they take place. Today's malware is not a blunt instrument that bludgeons its way in, steals what it needs and leaves. Attacks are highly sophisticated, often lying low and building a picture of the target environment before executing. They use automation to stay hidden while carrying out reconnaissance, and then to move faster once the attack proper begins.

Automation Fact: The fastest-spreading piece of malware on record is the MyDoom email worm. Its propagation is fully automated, it is estimated to have caused $38 billion in damage, and it is still spreading. The surprising part is that MyDoom is not new: it was released in 2004 and, as of 2019, could still be found in about one percent of malicious emails.

With attackers building automated attacks that are better at concealment, we must accept that some threats will get through and that prevention alone is no longer enough. To minimize the effect of an attack, automated response is vital, because it shrinks the time between infection and resolution. It is not realistic, however, to jump from mostly manual security to a fully automated infrastructure. We need to be clear about where automation is strong and where the human element remains essential.

Robotic automation vs. cognitive automation

Security automation splits into two broad areas:

1. Robotic automation – where repetitive and routine tasks, such as alert monitoring, are offloaded from the security team, providing them more time to focus on threat response and security improvements.

2. Cognitive automation – where the security platform learns about the behavior of the network, hosts and applications to provide informed responses on threats or ways to improve security posture.

Most of what we automate today falls into the robotic category: routine activities such as patching, scheduled scans and access management requests. These give time back to the security team, but they are protection and prevention activities, not responses.

An engineer works well with unstructured data. When investigating a threat, they are comfortable switching between the exploit's source code, online forums, the relevant patches and vendor documentation. The human brain is good at forming connections between seemingly unrelated pieces of information.

Computers, by contrast, work with structured data. They prefer lists of fields such as port numbers, protocols or the details of a detected exploit. Artificial intelligence (AI) is not yet at the point where it can follow an engineer's line of thought when analyzing a threat or formulating a response.

Moving from attack prevention to threat response

Machine learning models can be trained to process data in a less rigidly structured way, closer to how an engineer works. When a threat is detected, the engineer then immediately has more context: how the threat is spreading, which protocols it is using and how many devices are affected. That cuts the time needed to develop a response, which speeds up resolution.

Traditional cybersecurity models build their picture of the environment from the data produced by security tools. Extending that model to take in data from non-security devices as well, such as the flow and log records from switches and routers, improves posture further.

Combining machine learning, to understand where a threat is likely to start an attack, with automation that creates dynamic policy actions from both the security tools' data and the platform data, the technology can be trained to act on behavioral indicators across different vectors throughout the network. This significantly reduces the risk of a successful attack, and it gives the security engineer the information needed for complete mitigation.
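As an added illustration of the preceding two paragraphs (this is example code written for this page, not a product or the author's own tooling), the script below takes a single endpoint alert, correlates it with flow records of the kind a router or switch exports, walks the lateral traffic outward to find which hosts are spreading, which were only targeted, which protocols are in use and which external peers were contacted, and turns that picture into a list of proposed policy actions. The alert and flow records are constructed, and the address range, the set of "spread" ports, the fan-out threshold and the action names are all assumptions chosen for the example.

```python
"""Added example (not code from the original article): correlate an endpoint
alert with router/switch flow records to enrich the detection and derive
automated containment actions. All records, field names, thresholds and the
action vocabulary below are constructed assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # assumed corporate address space
LATERAL_PORTS = {135, 445, 3389, 5985}       # RPC/SMB/RDP/WinRM: typical spread paths
FANOUT_MIN = 2   # distinct internal peers on those ports before a host counts as spreading

# Constructed EDR alert: one host flagged by a behavioural rule at ts=1000.
ALERTS = [{"ts": 1000, "host": "10.0.1.10", "rule": "credential_dump"}]

# Constructed flow records exported by a router: (ts, src, dst, dst_port, proto, bytes).
FLOWS = [
    (1001, "10.0.1.10", "10.0.1.11", 445, "tcp", 52000),
    (1002, "10.0.1.10", "10.0.1.12", 445, "tcp", 48000),
    (1003, "10.0.1.10", "10.0.1.13", 445, "tcp", 51000),
    (1004, "10.0.1.10", "203.0.113.5", 443, "tcp", 900),   # external callback
    (1005, "10.0.1.11", "10.0.1.20", 445, "tcp", 50000),   # second hop
    (1006, "10.0.1.11", "10.0.1.21", 445, "tcp", 49000),
    (1007, "10.0.2.50", "10.0.2.51", 22, "tcp", 1200),     # unrelated admin SSH
    (999, "10.0.1.10", "10.0.1.30", 445, "tcp", 700),      # before the alert: ignored
]


@dataclass
class Incident:
    infected: set = field(default_factory=set)        # hosts seen spreading
    exposed: set = field(default_factory=set)         # targeted, not yet seen spreading
    protocols: set = field(default_factory=set)       # (port, proto) used to spread
    external_peers: set = field(default_factory=set)  # outside hosts contacted
    actions: list = field(default_factory=list)       # proposed policy changes


def correlate(alerts, flows, fanout_min=FANOUT_MIN):
    """Walk flow records outward from the alerted hosts to build the incident picture."""
    start = min(a["ts"] for a in alerts)
    by_src = defaultdict(list)
    for rec in flows:
        if rec[0] >= start:                  # only traffic after the first alert
            by_src[rec[1]].append(rec)

    def lateral_peers(host):
        return {dst for _, _, dst, port, _, _ in by_src[host]
                if port in LATERAL_PORTS and ip_address(dst) in INTERNAL}

    inc = Incident()
    frontier = [a["host"] for a in alerts]
    while frontier:
        host = frontier.pop()
        if host in inc.infected:
            continue
        inc.infected.add(host)
        inc.exposed.discard(host)
        for _, _, dst, port, proto, _ in by_src[host]:
            if ip_address(dst) not in INTERNAL:
                inc.external_peers.add(dst)
            elif port in LATERAL_PORTS:
                inc.protocols.add((port, proto))
                # A target that itself fans out on spread ports is promoted to infected.
                if len(lateral_peers(dst)) >= fanout_min:
                    frontier.append(dst)
                elif dst not in inc.infected:
                    inc.exposed.add(dst)

    # Dynamic policy actions, most disruptive first; an engineer still reviews them.
    for h in sorted(inc.infected):
        inc.actions.append(("quarantine", h))
    for ip in sorted(inc.external_peers):
        inc.actions.append(("block_egress", ip))
    for h in sorted(inc.exposed):
        inc.actions.append(("scan", h))
    return inc


if __name__ == "__main__":
    inc = correlate(ALERTS, FLOWS)
    print(f"infected={sorted(inc.infected)} exposed={sorted(inc.exposed)} "
          f"protocols={sorted(inc.protocols)} external={sorted(inc.external_peers)}")
    for action in inc.actions:
        print(*action)
```

The point of the example is the division of labor the article describes: the robotic part (indexing flows, walking the graph, drafting actions) is done in milliseconds, while the engineer is handed a ready-made picture (two spreading hosts, four exposed ones, SMB as the vector, one external callback) instead of raw alerts. Note the deliberate caveat in the code: the script proposes quarantine and egress-block actions rather than applying them, because the fan-out threshold is a heuristic and a misfire would quarantine a file server.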

For most organizations, the full capabilities of automation are still untapped. Now is the time to take a more serious look at how they can be used to make the security team more productive while also improving your security posture.
