In recent years, huge strides have been made in the field of security automation. There are now numerous solutions that use automation for streamlining incident response and orchestrating across security products, allowing analysts to be more productive and effective.
Automation of processes that involve routine, repetitive work can help organizations detect, block or remediate cyber attacks. However, there is still a certain amount of confusion over the difference between automation and automatic. Although often used interchangeably, the terms are not synonymous.
Automatic Or Automated?
An automatic activity takes humans out of the loop and gives a machine complete control over the incident. Without human oversight, the possibility exists that the results could be incorrect, increasing the potential for the organization to suffer major damage.
Automation is the process of expediting actions by allowing the machine to handle certain tasks, typically the routine, repetitive chores that can consume an inordinate amount of the analyst's time. As part of security orchestration, automation can reduce reaction times without forcing humans to relinquish control. Humans can exercise their own judgment when making decisions or when intervention is deemed necessary.
Despite the strides that have been made in security automation, it is still a relatively new technology. As such, there are still shortcomings that must be addressed before an organization can trust its cybersecurity completely to machines. Skilled, experienced cybersecurity professionals are still very much needed and will be needed for the foreseeable future. There are times when the judgment, knowledge and experience of a human will be essential for incident response orchestration. Although no one doubts that incident response will become increasingly automated, it is not yet possible to put cybersecurity on autopilot and allow the machines to have full control.
The Human Element Is Still Needed
The human element is often needed to ensure compliance with existing and future statutes. Even with AI, machines are not yet a substitute for human input when it comes to evaluating the impact of a breach. There are breaches that require that the appropriate authorities and/or affected parties be notified within a specific time. However, until an organization has assessed the severity and scope of the breach, it is impossible to determine which notification laws apply.
Ensuring compliance requires trained cybersecurity professionals who have knowledge of the regulations, the ability to assess the impact of a breach and an intimate understanding of how the organization must react. Currently, incident response systems are not sufficiently sophisticated to handle the assessment or offer an automatic response.
Human input is also invaluable for controlling critical aspects of an incident response process. For example, when creating an incident response plan, humans should be the ones to decide which aspects can be automated and which aspects need to be routed to a human for a decision. Human input is needed for an effective postmortem if the incident is to provide meaningful, actionable insights.
In addition, humans are needed to evaluate the potential for inadvertent internal risks, including program development for increasing security awareness among employees. Furthermore, experienced cybersecurity professionals possess irreplaceable knowledge through intuition and gut feelings -- knowledge that may be impossible to fully translate into a language that a machine can understand.
Although judicious automation offers a great deal of potential for increasing the efficiency of incident response, the decisions about what and how much to automate remain in the hands of humans. It will be up to each chief information security officer (CISO) to decide how to use automation to provide tangible benefits without increasing the organization's security risks. Perhaps the day will come when all cybersecurity tasks can be truly automatic — but that day has not yet arrived.
