Why Hasn’t Cybersecurity Been Automated?

Cybersecurity is moving rapidly toward an automated state. This in part is due to simple necessity. The need for automation is driven by an array of forces, including the proliferation of devices, interconnected environments, multiplying applications, blurred perimeters, record-shattering CVE volumes and increasing threats in the wild. A quickly expanding attack surface leads to more vulnerabilities and alerts than any single team can possibly manage, regardless of size or resources. In fact, most remediation teams can only address about 15% of the vulnerabilities discovered in their environment.

Given the constraints of human ability in the face of this reality, automation is both necessary and inevitable.

This isn’t a new phenomenon. It’s been almost a decade since Microsoft introduced Patch Tuesdays to reduce the cost and complexity of distributing patches and to help lighten the load for vuln-swamped Security and IT teams. For enterprises everywhere, Patch Tuesdays have become an anchor of their ongoing security programs, defining much of the activity leading up to and following the second Tuesday of each month. Not only is this a boon for teams looking to simplify and automate a portion of their patch deployment efforts, but it’s helped Microsoft gain a significant lead in patching times for their vulnerabilities (36 days on average). 

All signs point to a more streamlined, simplified, and automated state of cybersecurity–so why aren’t we seeing this realized in more day-to-day security operations activities? Ed Bellis, CTO and Co-founder of Kenna Security (now part of Cisco), and Dan Mellinger, host of the Security Science podcast, recently sat down to unpack this question. 

Cybersecurity automation is here–what’s the holdup? 

An overburdened, resource-strapped remediation team has a couple of different forces they can call upon to help them manage their cyber risk, explains Bellis. “There’s really these two levers that an organization has at their disposal. One is prioritization, being able to relentlessly prioritize what I have down to something that is manageable. The other lever is automation, doing more with less human interaction.” And Bellis notes that more mature organizations are using both levers at once.

For many though, pulling the automation lever is a bridge far. “The big thing that holds people back often is the fear of automating the wrong thing,” explains Bellis. And it’s a reasonable concern. The implications of automating inappropriate processes or workflows could be dire, even for something as benign as ticket creation. If a workflow with faulty parameters is automated, thousands of tickets could be generated that shouldn’t be, resulting in an angry operations team too overwhelmed to take action. “Good luck with your 120 million tickets,” jokes Bellis. 

Less innocuous scenarios can carry even more risk. Out-of-hand, haphazard automation could mean business-critical systems are taken down or blocked. 

The other contributing factor to automation hesitancy is a lack of data confidence. Automation is easy–a little too easy, stresses Bellis. “It is easy to automate and that’s part of the problem, right? Bad data in, bad data out. If you automate the wrong things or you start to automate based on incorrect data, that’s where it can go sideways really quickly.” Without that data confidence, teams will continue drowning in vulns and putting resources towards the wrong priorities.

But there aren’t many other alternatives. Ultimately, Bellis says, “The biggest problem that we have in security is we don’t have the resources to do everything that needs to get done, but you have to be mature enough and you have to have the confidence in that data.”

Ready to automate your security operations? Consider these first. 

Like any new security or technology endeavor, planning for automation demands careful consideration. We’ve gathered a handful of key factors to shape your automation strategy.

Security risk vs. business risk. In a recent CSO Online piece, Bellis explores what should be top of mind when weighing automation initiatives: “It’s important to consider both the security risk of an event as well as the business risk of the decisions you make to avoid or remediate that event. Automation is most helpful at the point at which security risk outweighs business risk.” 

Questions to explore include: 

• What is the organization’s appetite for risk? 
• What’s the security risk you’re avoiding? 
• Does this security risk outweigh that business risk?
• Do you have the necessary, quantifiable data that supports both the likelihood and impact of that decision? 

These are multi-faceted, nuanced pieces that must be thoroughly fleshed out. Read more of what Bellis has to say on weighing these risks in Why Data Confidence is the Key to Unlocking Security Automation.

Making sense of messy data. Regardless of how sophisticated security technology becomes, data hygiene proves to be a never-ending battle. And with massive volumes of data come massive hygiene challenges. Sifting through false positives, false negatives, and general noise detracts from the ability to make informed, data-driven decisions. 

To remedy this, Bellis suggests establishing a baseline of truth to measure yourself against. A real-world use case is Kenna Security. “For us, it was all about successful exploitation events in the wild. That was ultimately what I’m trying to prevent so if I can use that as ground truth data, I can compare and contrast to figure out the features of the model. And I’m weeding out false positives along with the different sensors that will sometimes pull out false positives.”

Without a true north, messy data can lead to critical issues. “Sometimes people jump the gun and go straight to automation and that leads to a whole lot of problems. If you can’t trust that data set that you’re relying on in order to use or promote automation, then it’s going to end up being a disaster.”

The people factor. Anyone who’s seen virtually any futuristic drama or cult classic television series knows that when people hand over the operational reins to a machine, they risk some severe repercussions (looking at you, HAL). Ultimately, skilled people are integral to the development and success of workflow automation. “There’s a lot of work that has to be done manually so that you can automate. The irony is you need people to manually do work in order to automate that work downstream.”

The same goes for vulnerability management, Bellis points out. “We have a supervised learning process because you need that sort of expertise to understand and make sure that the robots aren’t going off the rails and that you are properly prioritizing.”

Bellis argues this point for the attacker side of the equation. “Attackers are just as lazy as the rest of us. If they find something that works, they keep using it until it doesn’t work anymore,” he says, arguing that this makes the case for automation all the more compelling. Automate the obvious and the expected to free up highly skilled and technical expertise to focus their energy elsewhere. 

The promise of XDR. XDR isn’t just a hot new buzzword. It’s a very real and very potent capability to help manage and minimize organizational and security risk. XDR (extended detection and response) culls diverse environmental data sources to understand the organizational context and determine the biggest real-time risks posed to that specific environment. And when XDR is designed properly, it does this automatically. XDR is the culmination of endpoint detection response, endpoint telemetry, threat management, and for Cisco Secure customers, risk-based technology. It’s threat and vulnerability management nirvana. 

Leading the charge, Cisco is integrating Kenna Security platform capabilities into their XDR solution to provide customers with the organizational context needed to help teams focus their finite resources on the most important threats. And as Mellinger points out, successful XDR automation allows systems to “decide what most of the high-risk stuff would be, the things that have limited business risk and then allow you to cut some remediation pathways right out of that.”

Bellis argues that XDR has all the right the building blocks. “Pushing [Kenna] into XDR is going to give you that much more context. So if an exploitation event occurred, I can piece together the entire event and figure out what’s happening and what do I need to do about it.”

Like everything else in security, it takes baby steps

Bellis urges teams ready to reap the benefits of automation to start small–and manually. “Honestly, do this manually, many times until we’re comfortable with it. And now this piece is working, so let’s automate a piece of this, supervise it, and see how that goes. Then let’s automate the next step in the process, and so forth. And then when it’s working, we’re going to feel comfortable and continue taking baby steps.”

To hear more of Bellis’ thoughts on cybersecurity automation, including how the future of automation will impact vulnerability management, listen to this episode of Security Science: Why Hasn’t Cybersecurity Been Automated?