Attacks/Breaches

12/13/2017
10:30 AM
Gary Golomb
Commentary
Automation Could Be Widening the Cybersecurity Skills Gap

Sticking workers with tedious jobs that AI can't do leads to burnout, but there is a way to achieve balance.

According to Cybersecurity Ventures, the cybersecurity skills shortage is now expected to hit 3.5 million positions by 2021 — a huge jump from current estimates of 1 million job openings.

To help compensate for the growing shortage of talent, the cybersecurity industry is embracing artificial intelligence and automation to fill the gap. But can automation actually make the skills gap even greater? Unfortunately, yes — but security can still find a balance.

The Leftover Principle of Automation
The concept of mechanizing human tasks to drive efficiency has been studied since the advent of industrial automation. The primary goal is to automate as much as possible and thus eliminate human decision making in the process because human decisions can be the most frequent source of error in a given process. Any task not assigned to machines is "left over" for humans to carry out.

The problem with this theory, especially in cybersecurity, is that only very well-understood (relatively simple) processes can be automated, meaning the tasks left for security teams are the hard tasks that can't be automated. These difficult tasks require security professionals who have experience and deep domain knowledge. 

This is exacerbating the vicious cycle of security analyst burnout we currently face: 

  • Tasks that provide a sense of completion/satisfaction are automated.
  • Security analysts are increasingly asked to work on tedious, arduous tasks that lead to burnout.
  • Analysts leave to find greener pastures, leaving the security operations center shorthanded.
  • Company struggles to find talent to fill the gap.
  • When security management finds someone to hire, they give the new employees tedious, arduous tasks that lead to burnout.
  • Wash. Rinse. Repeat.

Lessons from the '90s and the IT Community
This isn't the first time this phenomenon has reared its head in the technology world. We saw a similar cycle in the IT/sysadmin world 25+ years ago. The sysadmin of the '90s was near omnipotent when it came to domain knowledge of technology and IT systems. This was driven by need — IT professionals had to be able to fix every problem across technology infrastructure, and that infrastructure was nowhere near as reliable and interoperable as it is today.

As technology advanced, this need for all-knowing IT admins lessened, driven by technology improvements. This necessarily lessens the experience and accumulated knowledge gained from fixing systems and making sure they work together.

Today's IT professionals no longer implicitly acquire deep domain expertise on IT infrastructure in the same ways; however, the analogy also ends here for two significant reasons:

  1. While admins always have to contend with users who break systems unintentionally, they are not faced with armies of users distributed around the world with the sole intention of sabotaging their systems. Simple repetitive tasks can be automated. Accurately discerning behavior and intention within environments that are difficult or impossible to accurately model in the first place is a fool's quest.
  2. Automation of IT infrastructure (DevOps) has led to many positive outcomes, such as requiring fewer people to manage more systems. This works for knowledge domains that slowly evolve and/or are hyper-focused on a specific component of a system. In security, however, the knowledge domain is not dictated by just "security practices" (quite limited), but rather the security professional must be knowledgeable about how technologies are abused across all the legitimate technologies and architectures adopted in the enterprise, most of which evolve extremely rapidly.

Compensating for Automation
Where does this leave the security industry? Is it possible to find a balance? The offshoot of the Leftover Principle is called the Compensatory Principle. This theory says that there are tasks that humans do well that machines don't. People and machines should focus on what they do well, compensating for each other's shortcomings. 

Attempting to automate humans out of cybersecurity is detrimental to our industry and destined to fail, primarily because we're not facing a tech opponent — we're facing human adversaries who go to great lengths to find weaknesses to exploit. Because so much is automated now, security analysts simply aren't required to go to the same depths, which is creating an even wider and more detrimental gap between attackers and defenders.

What's an example of "leftover" work today? The work that nowadays we call hunting — the responsibility of the team to compensate for the ineffectiveness of automated systems — is one example. The inability of most teams to hunt has created a perception that work isn't getting done because there's no talent to do it. The reality is that automation is making matters worse in this context, because effective hunting is based on the analyst having learned the more fundamental techniques while completing more "simple" tasks.

What's the solution? How do we embrace machine learning and automation without making our situation worse?

Organizations need to focus automation on the tedious and error-prone tasks that drive security analyst burnout — while leaving jobs needing more discernment to analysts.

For instance, automating parts of the alert investigation process can have a huge impact on security analyst productivity. Automating things such as tracking a device as it moves across the network and identifying infected devices by their human owner and that owner's behaviors, rather than by ephemeral identifiers like IP addresses (which require more human work to then identify the owner), can be enormously helpful and positive for analysts.
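As an added illustration (not code from the article or its author) of the enrichment step described above, the following Python resolves an IP-keyed alert to a device and its owner at the time of the alert, using constructed DHCP lease and logon records; it shows why the same IP maps to different people at different times and how a device can be followed across IPs by its MAC.

```python
from datetime import datetime

# Constructed sample data (not from the article): DHCP lease events and
# interactive logons as a SOC would pull them from DHCP and domain-controller
# logs. 10.0.5.23 is leased to two different laptops during the day, which is
# why an alert keyed only on that IP is ambiguous without a time-aware lookup.
DHCP_LEASES = [
    # (lease start, ip, mac, hostname)
    ("2017-12-13T08:02:00", "10.0.5.23", "aa:bb:cc:00:00:01", "lt-finance-07"),
    ("2017-12-13T12:40:00", "10.0.5.23", "aa:bb:cc:00:00:02", "lt-eng-19"),
    ("2017-12-13T12:41:00", "10.0.5.88", "aa:bb:cc:00:00:01", "lt-finance-07"),
]
LOGONS = [
    # (logon time, hostname, user)
    ("2017-12-13T08:05:00", "lt-finance-07", "jdoe"),
    ("2017-12-13T12:45:00", "lt-eng-19", "asmith"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def device_at(ip, when, leases=DHCP_LEASES):
    """Most recent lease of `ip` that started at or before `when` (or None)."""
    cands = [l for l in leases if l[1] == ip and _ts(l[0]) <= when]
    return max(cands, key=lambda l: _ts(l[0])) if cands else None


def owner_at(hostname, when, logons=LOGONS):
    """User with the most recent logon on `hostname` at or before `when`."""
    cands = [e for e in logons if e[1] == hostname and _ts(e[0]) <= when]
    return max(cands, key=lambda e: _ts(e[0]))[2] if cands else None


def enrich_alert(alert_time, ip):
    """Resolve an IP-keyed alert to the device and owner at alert time.
    None if no lease covers the IP then; `owner` is None when the device
    has not yet seen a logon (the analyst now chases one host, not one IP)."""
    when = _ts(alert_time)
    lease = device_at(ip, when)
    if lease is None:
        return None
    _, _, mac, host = lease
    return {"host": host, "mac": mac, "owner": owner_at(host, when)}


def device_trail(mac, leases=DHCP_LEASES):
    """IPs a device (by MAC) has held, in time order: its path across the net."""
    return [l[1] for l in sorted(leases, key=lambda l: _ts(l[0])) if l[2] == mac]
```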

Like many of the overhyped features we've seen over the past couple of decades, from anomaly detection (early 2000s) to analytics (late 2000s), automation is not a cure-all for our cybersecurity woes of today. And worse, without a clear understanding and strategy for how automation will improve the work of your employees, automation might make some of your challenges worse — in a way that could be difficult to compensate for later.

Gary Golomb has nearly two decades of experience in threat analysis and has led investigations and containment efforts in a number of notable cases. With this experience — and a track record of researching and teaching state-of-the art detection and response ...