A recent article in Network World by ESG's Jon Oltsik rightly points out that Incident Response (IR) automation has become a hot topic in the infosec world. Oltsik identifies several factors driving demand for IR automation and orchestration: the manual nature of IR work, the cybersecurity skills shortage, and the difficulty of coordinating activity between secops and devops.

We agree wholeheartedly with Oltsik's conclusions, but we would push the logic further: automation is important for IR, but it matters even more in threat detection (TD), by orders of magnitude.

The Scale of the Threat Detection Problem

IR automation kicks in only after an intrusion has been discovered. The number of cases where it applies is a tiny fraction of the total workload of any secops team. As an example, take a financial institution whose SIEM was producing 750 alerts per month from a single SIEM rule. Manual investigation by human analysts found that only 2 of those 750 were verified threats that merited incident response.

Automating the resulting IR for those 2 incidents would save some time, but the bulk of that team's human bandwidth went into triaging the 750 alerts. And, to be clear, this was one rule: their SIEM had several tens of rules generating comparable volume.

That investigation activity, much of it as manual and repetitive as IR work, is an opportunity to save resources through automation that is orders of magnitude larger: hundreds of alerts to triage for every incident that reaches IR, multiplied across every rule in the SIEM.

Combine the scale of TD work with the cybersecurity skills shortage Oltsik describes, and you have an extremely compelling case for TD automation.

Causality in the Secops Flow

There is a direct causal chain from TD processes to IR processes: the output of detection is the input to response. When TD is not effective at scale (currently the case for many organizations), it yields too many false positives, which can cripple IR efforts downstream.

At the same time, a major challenge today is too many false negatives: intrusions that should have been remediated but were never detected. Automating TD will surface more of these hidden breaches, which in turn creates a greater need for faster IR. That only holds if the automation is measured on the alerts it closes as well as the ones it escalates; automated triage that silently dismisses true positives just converts the false-positive problem into a false-negative one.

Because of this, automation at the TD stage has the greater impact on downstream results and directly shapes how much IR automation can deliver.

TD Automation - Cognitive Automation vs Robotic Process Automation

A Harvard Business Review article describes three types of automation:

  • Robotic process automation: Routine tasks, low complexity, wide application scope.
  • Cognitive automation: Nonroutine tasks, decision-supporting, exploratory, hybrid AI/human training, targeted at specific data sets.
  • Social robotics: training based on human to human interaction, wide application scope.

Automating IR involves mostly low-complexity, rules-based tasks, which puts it in the robotic process automation group.

Conversely, TD automation falls into the cognitive automation category. It solves a more complex problem, supporting key decisions by exploring a targeted data set, and it requires machine learning and humans working together. At first glance, this may seem impossible.

Quite the contrary. Not only is TD automation possible, it is being done today. And although it carries a somewhat higher upfront cost to set up, the payoff is much greater because of the two drivers discussed above: scale and causality.

As a result, we expect to see TD automation grow in prominence and importance in the very near future, just as IR automation has.
