Cyber Automation - What Has it Done for you Lately?

We have two fundamental beliefs about automation at TalonX. First, we believe that automation is the most logical response to a world in which society’s use of technology has rapidly outpaced its supply of professionals who can ensure that the technology is safe to use. Second, we believe that activities and processes in cybersecurity (i.e. the ones that are worth doing in the first place) that can be automated should be automated.

However, unlike other sectors of the economy where automation is focused on cost cutting and often results in a reduced human workforce, cybersecurity doesn’t have workers to spare. Digitized enterprises need every edge they can get to expand their cyber capability and magnify the impact of individual defenders.

We started TalonX because we wanted to develop solutions to address the global shortage of cybersecurity talent that we’ve all heard so much about. While the specific nature of the shortage has been disputed (see this and this), the inability to hire the right people is a frustrating reality for most teams. And, for many organizations outside North America and Western Europe, suitable workers (i.e. talent that is local, speaks the language, has a legal right to work, etc.) can’t be had for any price. These ideas were just a few of the many inputs to the business case for our team, but we wanted to confirm these hypotheses with facts.

To this end, we surveyed more than 70 companies of all sizes across industries on their usage of automation for cybersecurity. While other surveys have treated automation as one factor in a broader context (e.g., a cybersecurity staffing report, or cyber resilience), ours focused on characterizing what, specifically, people are automating in cybersecurity and why. This article is the first of a series that will bring readers hard data and insights from that survey.

Priority outcomes from automation

Automating the cybersecurity team is a complex undertaking with a range of potential outcomes. We wanted to understand how security teams think about automation as a solution, so one of the first questions we asked when we surveyed the market was, “What are the primary reasons for the use of cybersecurity automation in your organization?” Of the many potential reasons offered as answer choices, there were three that clearly resonated with a majority of respondents.

Automated cyber capabilities are accelerated cyber capabilities

63% of respondents cited new or accelerated cyber capabilities as the top priority for their cyber automation program.

Even with elite talent, cyber teams are still handicapped in the face of today’s cyber threats. Attacks, especially those against targets in the cloud, are increasingly automated. Indeed, the early stages of the cyber kill chain, reconnaissance and initial exploitation, are routinely automated by sophisticated attackers. Humans responding by hand are simply too slow. To be clear, the right processes and the best tools are not enough on their own. Against an automated attack, the only answer is an automated defense.

Cybersecurity tool vendors have come a long way in building APIs and other external interfaces into their tools. Indeed, most feature RESTful APIs that simplify interactions by removing the need to understand custom protocols or use specific programming languages. This means that practically all tools and data sources used by the cybersecurity team can be assimilated into automated workflows. Analysis and response processes that were previously measured in minutes or hours can be accelerated by orders of magnitude.

More importantly, automation can integrate analytical capabilities that humans can’t duplicate. Machine learning techniques are being used by an increasing number of cybersecurity tools to identify previously unseen malicious behavior, and automation tools can further enrich these insights by rapidly correlating them with other sources of data throughout the enterprise.

Automated controls reduce downtime

35% of respondents considered reduced downtime as a priority outcome for their security automation program.

Security controls might disrupt the business, but security failures can destroy it. Consider the impact of ransomware, arguably the scourge of the decade from a malware perspective. Ransomware, once released into an environment, begins encrypting (i.e. destroying) data at machine speed. For teams lucky enough to detect an attack of this type in progress, there isn’t a human alive who can type or click a mouse fast enough to stop the attack before it has a chance to cause damage. If allowed to continue, ransomware can destroy not only valuable data and records but also the files that control the operation of web sites, online storefronts, order processing systems, and other business-critical applications for an enterprise.

The right automation can enable teams to rapidly identify attacks via complex data correlation, and it can also respond effectively to head off outages before they’ve had a chance to occur.

The TalonX team has experimented with automation use cases that correlate various types of network activity (e.g., identified malicious code moving across the network) with endpoint activity that might indicate an attack but wouldn’t normally be considered malicious by endpoint protection tools. While straightforward data correlation can be performed by the SIEM, automation enables defenders to query endpoint activity in real time and to configure chains of queries that take different branches according to the circumstances, just like an experienced human analyst would.
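As an added illustration of the branching query chain described above (example code written for this article, not TalonX’s own tooling), the following Python playbook takes a constructed set of network sensor alerts, queries constructed endpoint telemetry for the same file hash on the alerted host within a short window, and chooses a response based on what it finds. The `query_endpoint` function stands in for what would be an EDR REST API call; the host addresses, hashes, the five-minute window and the "payload launched by an office application" heuristic are all assumptions chosen for the example.

```python
"""Branching correlation playbook: network alert -> endpoint query -> decision.

Example code for this article. All telemetry below is constructed, not real.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NetAlert:
    ts: datetime
    src_ip: str       # internal host that fetched the payload
    sha256: str       # hash of the file the network sensor saw on the wire
    signature: str


@dataclass(frozen=True)
class EndpointEvent:
    ts: datetime
    host_ip: str
    kind: str         # "file_write" or "process_start"
    sha256: str       # hash of the file written or executed
    process: str = ""
    parent: str = ""


# Constructed sample data (assumed addresses and hashes, not real indicators).
T0 = datetime(2021, 3, 1, 10, 0, 0)
NET_ALERTS = [
    NetAlert(T0, "10.0.0.5", "aaa111", "ET MALWARE Win32 downloader"),
    NetAlert(T0, "10.0.0.6", "bbb222", "ET MALWARE Win32 downloader"),
    NetAlert(T0, "10.0.0.7", "ccc333", "ET MALWARE Win32 downloader"),
    NetAlert(T0, "10.0.0.8", "ddd444", "ET MALWARE Win32 downloader"),
]
ENDPOINT_EVENTS = [
    # host .5: file landed and was executed by a child of Outlook
    EndpointEvent(T0 + timedelta(seconds=5), "10.0.0.5", "file_write", "aaa111"),
    EndpointEvent(T0 + timedelta(seconds=30), "10.0.0.5", "process_start", "aaa111",
                  process="invoice.exe", parent="outlook.exe"),
    # host .6: file written to disk but never run
    EndpointEvent(T0 + timedelta(seconds=7), "10.0.0.6", "file_write", "bbb222"),
    # host .7: no endpoint evidence at all (EDR gap, or download blocked before write)
    # host .8: file run by the user from Explorer, outside the office-app heuristic
    EndpointEvent(T0 + timedelta(seconds=9), "10.0.0.8", "file_write", "ddd444"),
    EndpointEvent(T0 + timedelta(seconds=60), "10.0.0.8", "process_start", "ddd444",
                  process="setup.exe", parent="explorer.exe"),
]

# Assumed heuristic: a payload launched by a mail or office client is treated as
# an active phishing-style compromise and warrants isolating the host.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
WINDOW = timedelta(minutes=5)  # how long after the download we look on the endpoint


def query_endpoint(host_ip, sha256, since, until):
    """Stand-in for an EDR API query: events for this host and hash in [since, until]."""
    return [e for e in ENDPOINT_EVENTS
            if e.host_ip == host_ip and e.sha256 == sha256 and since <= e.ts <= until]


def decide(alert):
    """Walk the branches an analyst would: did it land? did it run? who launched it?"""
    events = query_endpoint(alert.src_ip, alert.sha256, alert.ts, alert.ts + WINDOW)
    if not events:
        # Network saw it, endpoint did not: could be a sensor gap, hand to a human.
        return "escalate_to_analyst"
    execs = [e for e in events if e.kind == "process_start"]
    if not execs:
        # On disk but dormant: remove it before anyone double-clicks.
        return "quarantine_file"
    if any(e.parent.lower() in OFFICE_PARENTS for e in execs):
        # Launched from a mail/office client: assume active compromise, cut the host off.
        return "isolate_host"
    # Executed some other way: stop the process and pull the file, keep the host online.
    return "kill_process_and_quarantine"


def run_playbook(alerts):
    """Map each alerted host to the action the playbook selects."""
    return {a.src_ip: decide(a) for a in alerts}


if __name__ == "__main__":
    for host, action in run_playbook(NET_ALERTS).items():
        print(host, action)
```

Each branch is a query result feeding the next decision, which is the part a SIEM correlation rule alone does not give you; in a real deployment `query_endpoint` would call the EDR’s API and the actions would be further API calls into the same tools.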

Automation can also be leveraged to respond to an attack and rapidly restore affected systems in the aftermath. This capability is especially powerful in the cloud where entire networks can be “blown away” and re-constituted in minutes with configuration changes necessary to harden them against further attack made on the fly by automated workflows.

Automation unlocks new integration opportunities

24% of respondents plan to use automation to integrate cybersecurity with other enterprise functions.

While the use of dedicated automation tools in cybersecurity is relatively new, efforts to automate business technology more generally have been in progress for decades. Most enterprises have significant automation associated with core business functions such as human resources, accounting, and marketing and sales. Not only do these functions hold significant data that could be leveraged by the cybersecurity team (e.g., HR databases are usually the single source of truth for identity and role information in the technology environment), but they also include troves of data that can be monetized by attackers.

Integrating cybersecurity capabilities with automated systems in other parts of the enterprise can enable cyber defenders to improve their situational awareness about malicious activity in the environment, and it can also create opportunities for new types of active defenses.

Consider a scenario where physical access rights to company facilities are controlled by an HR-managed database (e.g., the rights encoded into an access badge are assigned according to job role, which is controlled by HR). An automated workflow could use a connection to HR systems to identify specific users on the network based on characteristics of their access and activities, and it could leverage the same connection to suspend physical access rights in cases where an insider threat might be indicated.

Increasing the value of security to the business

18% of respondents intend to use automation to support market messaging about their companies’ advanced and effective cybersecurity programs. This implies that acceptance is rising for cybersecurity as a business-enabling function rather than just a controls or compliance function in many enterprises.

This is an important trend that we intend to explore more fully as we share other insights from our survey throughout this article series.