The self-driving car of security automation – CSO Online

By Kumar Saurabh, Contributor, CSO | Aug 22, 2017 7:01 AM PT

Opinions expressed by ICN authors are their own.

Your message has been sent.

There was an error emailing this page.

When I speak with CISOs about automation in cybersecurity, it can conjure up parallels to self-driving cars. After all, if machine learning can create cars that drive themselves, why cant we have self-driving security?

Its a bit early and optimistic, however, to say machine learning and automation will immediately solve all cybersecurity challenges, if ever. Given the threat landscapes inevitable evolution, it will most likely remain an arms race between the defenders and the attackers for the near and long term.

Alternatively, the promise of a machine doing what we thought only humans could do is quickly approaching reality. Theres a lot of early results, hype and even more potential. In fact, this is also true for self-driving cars. The Washington Post highlighted the different levels of development in regards to autonomy in self-driving cars established by the Society of Automotive Engineers (SAE).

Specifically, the evolutionary path to the much-hyped fully autonomous car with each stage providing exponential value.

Similarly in cybersecurity, increasing levels of intelligent automation will also provide exponential benefits. If we compare the levels in the auto industry and apply them to the world of cybersecurity, level zero has very little automation while level five is most autonomous.

On one hand, you have solutions such as User Behavior Analytics and Network Traffic Analysis that profess to automatically analyze normal behavior and alert anything abnormal. The drawback is the inability to understand the full context of an environment or situation, which results in a tendency to generate too many false positives and requires significant analyst involvement to triage.

On the other hand, you have early orchestration solutions that can partially automate some of the easier and repeatable actions during an incident response process. While this solution is adequate to collect relevant information for an investigation process, the actual decision making is delegated to the analyst.

In essence, Level 2 automates actions and repeatable tasks, but not the decision making and judgments that require intelligence.

The first is full, end-to-end alert triage automation. This is where the system has the intelligence, based on context and awareness of an alerts severity, to make decisions and accept feedback from human analysts. Though more advanced systems are able to provide a full explanation of their scoring, analysts still need to review the systems results. However, 95 percent of the overhead work they used to have to do is effectively eliminated.

Second is automated threat hunting that is possible after expert analysts map out the logic they would use in an investigation. The system applies cognitive automation to intelligently hunt for threats 24/7, but at a scale with which human analysts cant keep up. This approach can be made more manageable with prescriptive logic flows for specific use cases, such as Threat Hunter for CloudTrail or Threat Hunter for Office 365.

Such a solution does not exist today, but is often what CISOs hope for when they hear security automation. Achieving this nirvana will require significant advancements in machine learning and computing power.

Security operations technologies have greatly evolved in the past decade. The first big wave was driven by log aggregation and analytics, followed by predictive technologies. The next generation of solutions will be Prescriptive Security Intelligence, offering specific solutions to typical security use cases. The industry will take time to enter a fully autonomous state. If security automation is your end goal, start by looking for Level 3 security solutions that can drive 80 percent of the way to your destination.

This article is published as part of the IDG Contributor Network. Want to Join?

Kumar Saurabh is the CEO and co-founder of security intelligence automation platform LogicHub. Kumar has 15 years of experience in the enterprise security and log management space leading product development efforts at ArcSight and SumoLogic, which he left to co-found LogicHub.