Intelligent CIO APAC Issue 31 | Page 45

CIO OPINION
A base level of human agency will always be required for threat identification, triage and response. But automation can be of utility where processes are well-defined and the effect of automating them is well understood. A CMM can be used to create the right mix and balance to constantly evolve and continuously improve the mix as operational requirements change.
Down the wrong path
Several risks arise when organizations use automation to try to stretch the existing resourcing of security operations. For organizations that have already started down this path, some or all of these may already be familiar.
The first tell-tale sign automation has been pursued too early is that processes are not well-defined, leading to unexpected complexity or outcomes. Automation that results in delegating decision-making around mission-critical issues to an algorithm is inadvisable and will come unstuck the minute the computer makes a ‘wrong’ decision, for example locking down an executive’s workstation at a critical time due to false detection of malicious activity. It’s not just that a human needs to remain in the loop for decision-making – it’s that people need to be making these critical calls, not algorithms.
A second sign is cost and complexity hurdles. If you want to automate anything you need to have systems that interoperate. If the systems in the security operations environment use different ontologies and data formats, that poses a huge integration challenge. Also, the setup of automation itself isn’t automated. Organizations need to find skilled people to work with internal domain experts to configure automated systems. Labour costs may rise with an automation program of work.
A third sign is that the automation creates as many risks as it solves, or more. Automation inevitably requires a high level of authorization so it can take administrative-level action. That action needs to be tailored; if attackers suspect predictable machine-generated responses to what they’re doing, they could find a way to exploit the automation. For example, they could spoof malicious data to cause resources to be blocked or locked, producing a denial of service. Automated systems with high levels of authorization, enabled by stored credentials, are risks themselves. If they’re ever compromised, an attacker will use the authorization against the organization to effect lateral movement or actions on the objective.
www.intelligentcio.com | INTELLIGENTCIO APAC 45