teiss – Security Threats – An Expert’s View: Automating IT Security
According to research by ThreatQuotient, more than three-quarters of cybersecurity decision makers believe automation is important. However, many organizations are struggling to move forward with automation, and that was certainly the case with attendees at a recent virtual teiss event.
The attendees — all seasoned cybersecurity experts from a variety of industries — said they were exploring automation, but few had made significant progress. They attributed this to a combination of factors, including a lack of good IT fundamentals, and said they needed more help from vendors to achieve their goals.
False positives are a risk
Participants were unanimous in saying that automation is the future of cybersecurity. Many used automated intrusion detection systems (IDS) but were reluctant to add an intrusion prevention system (IPS) in case false positives took systems down or caused them to crash unnecessarily.
As one delegate put it, cybersecurity already has a “target on its back” when something breaks in IT, so no one wants to be responsible for further failures. This is despite the fact that taking something offline or shutting it down is often the most mature response to a threat.
Even detection systems can seem like a problem rather than a solution. They are “the noisy kid in the corner”, constantly asking for attention, said one participant – and someone has to provide it. A delegate said his platform lifts six billion data points each month. Of these, 1,000 require investigation, but only two are real threats.
IT and cultural issues
An automated response to these alerts would save money and, just as importantly, time. Several participants highlighted the importance of a reliable and rapid response, especially when attackers can automate their efforts. However, there are other obstacles to this besides reliability.
One is the IT foundation. Several participants noted that fragmented systems and legacy tools make any kind of automation a challenge. One participant said his company’s systems couldn’t even automate password resets. Others pointed to a cultural issue, noting that people are often suspicious of new systems and that in some organizations people get upset if security tools get in the way of their workflow.
As ThreatQuotient’s Leon Ward pointed out, automating cybersecurity is particularly challenging because it’s hard to measure success. Automation of an industrial process can be simpler because it can be measured by an improvement in speed, efficiency, or some other metric.
What security experts need
Cybersecurity commonly uses mean time to detection (MTTD) and mean time to respond (MTTR) as metrics, but participants said these weren’t very useful. First, there is no useful difference between the two because, as one participant put it, “If we detected it, we responded.” Second, measuring either is difficult because it is often unclear when the clock should start.
There was broad consensus that poor quality metrics simply make the board ask, “So what?” Instead, participants said they would prefer a measure that tracks the extent of coverage and success, but admitted that it’s unclear what data points could be used to measure these things.
Overall, participants said they would like more help from providers. In addition to knowing where a tool is succeeding, they said they’d like to know where it struggles rather than figure it out on their own. That kind of honesty and candor, they said, would help build a successful partnership.
There’s a lot of work to be done to reap the benefits of automation, but attendees were realistic. “We are not looking for a quick fix,” said one. “We know there is none.”