The expert view: Automating IT security

More than three-quarters of cyber security decision-makers believe that automation is important, according to research from ThreatQuotient. However, many organisations are struggling to move ahead with automation, and this was certainly the case with attendees at a recent virtual teiss event.

Attendees – all senior cybersecurity experts from a range of sectors – said they are exploring automation but few had made significant progress. They attributed this to a combination of factors, including a lack of good IT foundations, and said they need more help from vendors to reach their goals.

False positives are a risk

Attendees were unanimous in their agreement that automation is the future of cybersecurity. Many were using automated intrusion detection systems (IDS) but are reluctant to add an intrusion prevention system (IPS) in case false positives cause systems to be shut down unnecessarily or break.

As one delegate put it, cybersecurity already has a “target on its back” when something breaks in IT, so nobody wants to be responsible for further outages. That’s despite the fact that taking something offline or shutting it down is often the mature response to a threat.

Even detection systems can feel like a problem rather than a solution. They are “the noisy child in the corner”, which constantly demands attention, said one attendee – and someone has to provide it. One delegate said that his platform raises six billion data points every month. Of those, 1,000 need investigation but only two are genuine threats.

IT and culture issues

An automated response to those alerts would save money and, just as importantly, time. Several attendees emphasised the importance of a reliable, fast response, particularly when attackers can automate their efforts. However, there are other obstacles to this besides reliability.

One is the IT foundation. Several attendees noted that fragmented systems and legacy tools make any kind of automation a challenge. One attendee said that his company’s systems cannot even automate password resets. Others pointed to a cultural issue, noting that people are often suspicious of new systems and that in some organisations people get annoyed if security tools impede their workflow.

As Leon Ward of ThreatQuotient pointed out, automating cybersecurity is particularly challenging because it is hard to measure success. Automating an industrial process can be simpler, because it can be measured by an improvement in speed, output or some other metric.

What security experts need

Cybersecurity commonly uses mean time to detect (MTTD) and mean time to response (MTTR) as metrics, but attendees said that these were not very helpful. Firstly, there’s no useful difference between the two because, as one attendee put it, “If we’ve detected it, we’ve responded.” Secondly, measuring either is difficult because it can be hard to know when to start measuring.

There was broad agreement that poor quality metrics simply prompt the board to ask, “So what?” Instead, attendees said, they would prefer a metric that tracks the breadth of coverage and success, but they admitted that it is hard to know what data points could be used to measure those things.

Overall, attendees said they would like more help from vendors. As well as knowing where a tool succeeds, they said they would like to know where it struggles rather than finding this out for themselves. This kind of honesty and candidness, they said, would help to build a fruitful partnership.

There is a lot of work to be done to reap the benefits of automation, but attendees were realistic. “We’re not looking for a silver bullet,” said one. “We know there isn’t one.”