Security Automation


Fear, one of the most powerful drivers of all time. Movies, novels, companies, even I had the unfortunate chance to hear the following phrase directed to a coworker: " I can replace you with a script and I will save money".

Automation is the new catchy word in the industrial environment, we see it everywhere: in car factories, coal mines, banks, even in the airports where tasks related to security are being transferred to automatic tellers. But is this suitable for all commercial environments?, the answer is partially.

Humans are valuable (not costly as some executives like to view them) by their decision making capabilities and a new evolution process has been taking place all over the world, thinking people are getting hired, and mechanical people are getting displaced. It is not a matter of justice nor survival, it is a matter of cost vs profit.

Is automation in security viable?

Yes it is but in a partial way, everyday hackers all over the world bypass security controls designed and maintained by fellow humans, automated systems are predictable (which is a terrible word in the business), we can automate tools and monitors but security intelligence? that's not automatable.

No matter how complex is the algorithm (computer process), the fact that all possible routes are programmed means there will be a thousand ways to bypass it, human ingenuity and logic is paramount to stop cyber-criminals.

Don't take me wrong, every company should invest in security means and tools to aid the process and some automation is necessary to analyze the tens of thousands of transactions the average enterprise performs daily, but every machine, every analyzer in the market will depend on search patterns and every search pattern will cause a situation known to security professionals: false positives and negatives.

A false positive is an event which triggers an alarm but is not a situation worthy TO INVESTIGATE, like a common employee performing a click on a file he is not authorized to and not getting access.

A false negative is a situation where the alarm should be triggered but it is not like the employee in question getting access to the file he has not been authorized to read/change/delete.

These factors are part of the everyday work of a cybersec engineer and a great deal of our training, human instincts become the differentiator to detect the anomalous behavior.

Then what can automation do?

To detect these factors which allows us to identify the possible intrusions, we would have to manually check all servers under our watch. which would severely raise the amount of people involved, instead the security orchestration tools allow us to see the activity in various fronts even in a graphical way enabling a major coverage on our duties.

In words of Eran Barak, CEO and Co-Founder, Hexadite: "All of these security automation technologies free up overtaxed security resources, allowing security teams to be less focused on mundane – but essential – tasks, and more focused on strategic initiatives that will make their organization more secure. "

Automation needs to be seen as a tool and as any tool it is only good for the person trained to use it, we cannot expect to take in someone trained to be a network technician and takeover cybersec without so much than a manual.


E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

RSAC Meetup Banner

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)