Why Security and Automation Belong Together
Security teams are understaffed, overworked and leaving their jobs more rapidly than ever before. Automation can help ease their pain.
As more companies invest in digital automation to manage everything from customer support operations to processing fraud claims, IT leaders are considering some tricky questions: Will algorithms eventually put their teams out of work, or shift them into different roles?
One cohort within IT, however, is embracing automation with open arms: significantly understaffed and overburdened cybersecurity teams. For more than a decade, the supply of security analysts has lagged far behind demand. In 2021, more than 3.5 million cybersecurity jobs will go unfilled, according to Cybersecurity Ventures.
Meanwhile, the number of threats these teams face is skyrocketing. Ransomware attacks in 2020 have jumped seven-fold over their 2019 level, according to research by Bitdefender. A Ponemon survey, meanwhile, revealed that 60% of security operation center (SOC) personnel say they are considering leaving their jobs or even changing careers.
For security pros willing to stick it out a bit longer, help is on the way. A growing number of security-automation tools, designed to handle repetitive low-level tasks, can eliminate much of the tedium required of most cybersecurity jobs, as well as a growing number of higher-level functions.
“SOC burnout is not just a catchphrase, it’s a reality,” says Neal Dennis, a threat intelligence specialist for Cyware, a New York–based cybersecurity firm. “Implementing automation would alleviate a large majority of issues faced by SOC analysts.”
Automation brings more than relief to cybersecurity teams. It reduces cybercrime costs and accelerates resolution times. A July 2020 study by IBM and Ponemon found that automation tools are a key factor in lowering the cost of data breaches. Deploying software that automates the process of identifying and mitigating threats is saving organizations an average of nearly $3.6 million per breach (against an average total cost per breach of just over $6 million) and reducing resolution windows by roughly 25% (from an average of 308 days to 234).
Not surprisingly, the number of organizations deploying some form of security automation has increased from 49% to 59% since 2018. The biggest question, then, is obvious: Why aren’t more organizations doing it?
The nonhuman factor
One reason is that many security response teams aren’t sophisticated enough to take full advantage of automation, says Richard Stiennon, chief research analyst at IT-Harvest.
“Automating password resets is easy,” says Stiennon. “But threat hunting and automatically shunning network connections is a more sophisticated use case. Fewer companies are in a position to do this.”
In past years, SOCs required human operators to respond to alerts, analyze threats, and write or code rules in response. Today, machines and algorithms handle many necessary but repetitive security tasks, such as managing access privileges, analyzing logs, or responding to low-level threats.
The surge in people working remotely during the early days of the pandemic accelerated the need to automate one aspect of any security team: access management. Manual ticketing systems that validate and authorize employees could not keep up with demand, according to Manav Mital, CEO of data cloud security firm Cyral, slowing the process and introducing errors.
“At Cyral we are heavily invested in security automation,” Mital says. “Our core operating principle is ‘security as code.’”
By replacing manual provisioning with scripts and configuration files managed by machines, SOC managers can minimize human error and ensure that only the appropriate people have access to the right resources, Mital adds.
Automation tools are also improving incident response by consolidating threat information from multiple sources, says Joe Partlow, CTO for ReliaQuest, a SaaS platform that enables visibility across the security stack. They can even provide scripted responses to low-level threats, such as blocking suspicious IP addresses or issuing automatic password resets.
“We’re never going to be able to automate everything,” says Partlow. “But if we can reduce the amount of time analysts spend logging into different tools and responding to noisy or low-impact alerts, they can spend more time on actual analysis of important events.”
Time to SOAR
Organizations looking to scale the benefits of automation are starting to use a wider set of tools, called Security Orchestration, Automation, and Response (SOAR) platforms. These allow SOCs to integrate resources that otherwise might not work together, such as firewalls or endpoint detection and response (EDR) tools from competing vendors, says Cyware’s Dennis.
Using SOAR, operations center analysts can generate a ticket based on a security alert, enrich it with material from other intelligence feeds, pass it through a risk analysis engine to generate a threat score, then either flag the threat as a false positive or pass it on to a human analyst for further study.
“What might take a tier-1 SOC analyst 10 or 15 minutes could take an orchestration platform a few seconds,” Dennis adds. “This frees up analysts to do real research on more critical incidents.”
The ROI can be significant. Federal agencies like the Department of Homeland Security and the U.S. military have been using SOAR platforms as a force multiplier, enabling understaffed SOCs to slash the time required for threat analysis. According to a case study by Swimlane, a SOAR solution provider, one government agency that was manually processing more than 10,000 security alerts each day reduced the time required to analyze and remediate threats by more than 75%, while maintaining headcount and boosting staff morale.
But there are limits to the types of security tasks any organization can automate, of course. As threats rise in sophistication and scope, security teams will always lean on human judgment to make difficult calls.
“You don’t want to isolate the CEO’s machine from the network because you got a false positive,” says ReliaQuest’s Partlow. “You want to verify multiple sources of truth before you do something like that. As soon as you start downing machines, that’s going to end your automation project quickly.”
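One way to implement the four-step SOAR flow described above (ticket, enrichment, risk score, disposition), with Partlow's "multiple sources of truth" rule gating any automated containment. This is an added illustration in Python, not code from any vendor named in the article; the feed names, indicators (RFC 5737 documentation addresses), score weights and thresholds are all constructed.

```python
from dataclasses import dataclass, field

# Constructed intel feeds (not real indicators): each feed maps an indicator to a verdict.
FEEDS = {
    "feed_a": {"203.0.113.45": "malicious", "198.51.100.7": "suspicious"},
    "feed_b": {"203.0.113.45": "malicious"},
    "edr":    {"host-042": "beacon_detected"},
}

# Risk-engine weights; values are assumed for illustration only.
WEIGHTS = {"malicious": 40, "suspicious": 15, "beacon_detected": 60}

@dataclass
class Ticket:
    alert_id: str
    src_ip: str
    host: str
    enrichment: dict = field(default_factory=dict)  # feed name -> verdict
    score: int = 0
    corroborating_sources: int = 0
    disposition: str = "open"

def enrich(ticket):
    """Step 2: look up the alert's indicators in every feed; one verdict per feed."""
    for name, feed in FEEDS.items():
        for indicator in (ticket.src_ip, ticket.host):
            verdict = feed.get(indicator)
            if verdict:
                ticket.enrichment[name] = verdict
    ticket.corroborating_sources = len(ticket.enrichment)
    return ticket

def score(ticket):
    """Step 3: the risk engine sums the weight of every verdict collected."""
    ticket.score = sum(WEIGHTS.get(v, 0) for v in ticket.enrichment.values())
    return ticket

def triage(ticket, auto_close_below=10, contain_at=60, min_sources=2):
    """Step 4: close as false positive, escalate to a human, or contain automatically.
    Containment requires a high score AND agreement from independent sources, so a
    single noisy feed can never isolate a machine on its own."""
    if ticket.score < auto_close_below:
        ticket.disposition = "closed_false_positive"
    elif ticket.score >= contain_at and ticket.corroborating_sources >= min_sources:
        ticket.disposition = "auto_contain"
    else:
        ticket.disposition = "escalate_tier2"
    return ticket

def process_alert(alert_id, src_ip, host):
    """Step 1 (ticket creation) followed by the three automated stages."""
    return triage(score(enrich(Ticket(alert_id, src_ip, host))))
```

The fourth case in the test below is the one Partlow warns about: a single EDR hit scores high enough to contain, but with only one corroborating source the ticket is routed to an analyst instead.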
Zero-day after tomorrow
For IT leaders who still can’t fully staff out their teams with outside talent or reskilled employees, automated workflows can serve as a critical hedge against the certainty that risks will only keep escalating.
As tens of millions of new devices come online over the next few years, greatly expanding every organization’s attack surface, the need for automated responses will grow dramatically, notes Kenneth Mendelson, senior managing director for Guidepost Solutions, a global security consultancy.
“With the increasing presence of IoT devices in networks, it will be essential to automate the task of identifying all devices on the network, as well as evaluating the vulnerabilities of those devices and patching any weaknesses,” he says.
Security organizations that aren’t already implementing automation are inviting new risks, in part because hackers are using automation tools themselves. “We’ve already seen exploits that spread automatically, like the NotPetya worm,” says Stiennon, “and preprogrammed attacks like Stuxnet that can operate independently.”
It’s about to get a lot worse. Future ransomware attacks, he adds, are likely to use some form of AI to understand the network, extract credentials from endpoints, and extract data. “Attacks will execute in minutes and some day in seconds,” he adds. “The only way to counter that is with automation.”