This article was originally posted on CSO

Everything is becoming more automated, but what does this really mean or look like for SecOps? How do you evolve with automation while still keeping your analysts?

With the latest advancements in automation and AI, many CISOs are recognizing the potential for automation to transform security operations. Given the way many technology vendors hype their solutions, you could be forgiven for thinking humans should be removed from security flows to the greatest extent possible. But, you would be wrong!

On the contrary, security analysts are not only an important part of the security process, they are THE most important part. So, when you think of automation, you should think of it not as a way of replacing security analysts, but rather as a way of empowering them to do more of what they do best. This is an important distinction.

More automation does not mean a smaller analyst role

The fact is, automation is not a panacea. Certainly, the early and rudimentary forms of automation our industry has seen in the past decade have fallen short of their promise. SIEM systems allow you to collect lots of log data, but the growth in data means ever-increasing amounts of backlog to process. Those same systems, with their inflexible, rules-based approach to threat detection, overwhelm analysts with torrents of false positives.

To make things worse, there are still far too many false negatives and intrusions that get by undetected. No matter what an automation vendor tells you, humans are still the absolute best at identifying previously unknown threats. However, we just can’t do it at scale.

Solving the cybersecurity crisis can’t start with the assumption that humans should be automated out of the system - in fact, it should be quite the opposite. In an ideal configuration, human analysts are at the center of everything, supported by advanced automation tools that make sense of the torrents of data being generated and allow them to make the kinds of nuanced decisions that will take a very long time to yield to technology.

Uniting analyst and machine

Some new-generation solutions are purely focused on AI and machine learning. The promise is that you turn it on in your environment and, after a few days of the system learning on its own, it will be able to detect all the bad stuff. However, these systems suffer from a fatal flaw: they lack the business context, adaptability and explainability needed to be truly effective.

What do human analysts know better than any system or, more importantly, any intruder? They know their own environment and the enterprise context, and they have an intuition about how their systems operate and what is normal versus what is questionable. Humans also adapt quickly to fast-changing conditions and can always explain why they did something. On the other hand, humans cannot scale and are prone to mistakes and inconsistencies. Machines, as we know, are exponentially faster and consistent.

The ideal system is still one that unites analyst and machine, augmenting the intelligence of a security analyst with the automation scale of a machine. To achieve this, we need the right kind of automation.

There are different types of automation. As explained by Harvard Business Review, basic robotic process automation handles routine and repeatable tasks; it can scale some of the motions of an analyst, but it cannot scale intelligence. Cognitive automation, on the other hand, can handle decision making around the severity of an alert by evaluating the full context of all data surrounding an event. Cognitive automation by itself, however, is not sufficient. To avoid the pitfalls of a “black box,” automation needs to be complemented by analysts’ input and feedback on a continuous basis.

Technology that supports a human-centric approach to automation

New technologies now make it possible to play to analysts’ strengths far more effectively. The next generation of automation technology allows analysts to feed their tribal knowledge about context and environment easily into the machine learning system, without requiring large training data sets. In addition to drastically increasing efficacy, this allows a properly designed system to adapt and evolve flexibly as context and environment change. The analyst is in charge, and the machine dutifully mimics and executes what the analyst would do, only at extreme scale.

The right automation

Security automation doesn’t mean removing analysts from the equation. Instead, good security automation is about empowering your analysts to force-multiply their efforts, helping them be more productive and satisfied in their jobs, and freeing them to tackle the most challenging threats. With the right technologies and processes in place, your SecOps dream team can become a tag team of expert human security analysts plus virtual security analysts powered by cognitive automation.
