Roy Katmor

Why Automation Will Free Security Pros to Do What They Do Best

There are three reasons today's security talent pool is neither scalable nor effective in addressing the rapid evolution of cyberattacks.

People are and will always be the most critical cybersecurity resource. Right now, the talent pool with the unique skills and training to respond to cyber threats is unfortunately all too limited, and the way we are making use of this scarce resource is neither scalable nor effective in addressing the rapid evolution of cyberattacks.

The lack of analysts dedicated to advanced malware forensics, and the high cost of recruiting and retaining them, force organizations to build security operations centers (SOCs) and incident response teams in a tiered analyst structure. The further you go up the tiers, the more advanced the security analyst, and the fewer resources available to staff that position. As a result, it's critical within this structure to filter out as many false alarms as possible, so that only the scarcer, higher-tier analysts handle the most demanding forensic cases. The pressure on these top-tier professionals to respond quickly to alerts and filter out as many false positives as possible is a common cause of attacks that have already infiltrated the network going unnoticed.

To limit the negative impacts of a breach and avoid incident overload within incident response teams, many organizations rely on prevention technologies as their first line of cyber defense. Current prevention technologies are designed to log or, in obvious cases, filter out known anomalies and indicators, but they lack the ability to stop the unknown or prevent the implications of a successful attack. As a result, more sophisticated cyberattacks can remain undetected for longer periods of time by bypassing these established countermeasures.

This situation is often beyond the control of hard-working security pros. Consider the 2017 Equifax breach. Equifax had a well-qualified security team in place, but an advanced cyberattack evaded its detection systems and remained stealthy while stealing corporate data. As in this and most other breach scenarios, by the time the SOC analyst responds, his or her threat-hunting efforts are largely focused on investigative steps to determine the causes and assess the impact. There are three reasons why this approach is problematic:

Reason 1: Human-driven analysis consumes precious time. It's a manual process of painstakingly reviewing atypical compromise indicators and determining an appropriate response. For example, how many indicators do you have? How many do you need to warrant investigation? How do they even come to be an indicator? Threats are simply moving too quickly to tolerate the delays inherent in manual response.

Reason 2: Skilled security analysts are hard to find. Today's most-coveted SOC skill involves human eyes darting between screens and deciding what to do first when attempting to make sense of statistical indicators and anomalies. Aside from that being essentially a reactive exercise after the damage is done, the labor shortage of people with these skills makes them costly to hire and retain. And because it's nearly impossible to predict the number of analysts needed to analyze the increasing volume of cyberattacks and the corresponding indicators, operational expenditures (OpEx) related to salary costs are continual wild cards.

Reason 3: It's too late. Once a breach and potentially a theft have occurred, the damage is done and your data is gone. Your valuable SOC resources are focused on cleanup and damage control rather than on preventing the cyberattack and breach.

Given these problems, the current approach is unsustainable. Fortunately, automation technology offers a compelling solution that augments rather than replaces the human component in the equation. In particular, automation can help increase security efficacy and the speed of operations. While preventing all attacks is not possible, automated, real-time containment of an attack reinforces a protective posture, preventing or limiting the consequences of a breach. Once attacks are contained, automated responses can be customized and applied to remediation in a predictable way and within a more manageable time frame. That makes for efficient use of limited security resources, accelerates the time to address new threats, and improves OpEx.

Another benefit of automation is how it will increase the value of security analysts by enabling them to get even better at the more consequential aspects of their jobs. As adoption of automation inevitably increases, security analysts will need to focus less on the art and science of manually correlating data based on memory and instinct, and more on strategic analysis, planning, and remediation, such as understanding the business drivers for how the organization uses, transmits, and stores data. Better understanding of the business context will empower analysts to develop predetermined automation outcomes designed to minimize disruption of critical business services and functions. For example, a decision may be made to automate containment or remediation of infections on call center endpoints that are critical for sustaining customer support operations.
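The two paragraphs above describe automated containment driven by predetermined, business-aware outcomes and a tiered SOC. The following added example (not from the article or any product it mentions) sketches that decision logic: confidence thresholds filter false positives, business context from a constructed asset inventory selects a less disruptive containment for critical endpoints such as the call center example, and every automated action still hands the case to a human tier. Action names, thresholds and the inventory are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    service: str      # business service the endpoint supports (constructed inventory)
    critical: bool    # True when disruption would interrupt a customer-facing service

@dataclass(frozen=True)
class Alert:
    host: str
    confidence: float # 0.0-1.0 score from the detection stack (constructed)
    indicator: str

# Predetermined outcomes agreed with service owners (hypothetical policy).
# Critical endpoints get a less disruptive containment so the service keeps running;
# everything else may be fully isolated with no analyst in the loop.
POLICY = {
    "critical": ["kill_process", "block_c2_egress", "notify_service_owner"],
    "standard": ["isolate_host", "collect_triage_image"],
}
AUTO_CONTAIN_THRESHOLD = 0.8  # at or above: contain automatically
SUPPRESS_THRESHOLD = 0.2      # below: log only (false-positive filtering)

def decide(alert, inventory):
    """Return the plan for one alert: automated steps plus the tier that takes it next."""
    asset = inventory.get(alert.host)
    if asset is None:  # no business context -> never automate, route to tier 1
        return {"host": alert.host, "actions": [], "escalate": "tier1", "reason": "unknown asset"}
    if alert.confidence < SUPPRESS_THRESHOLD:
        return {"host": alert.host, "actions": ["log"], "escalate": None, "reason": "low confidence"}
    if alert.confidence < AUTO_CONTAIN_THRESHOLD:
        return {"host": alert.host, "actions": ["open_ticket"], "escalate": "tier1", "reason": "needs review"}
    tier = "critical" if asset.critical else "standard"
    # High confidence: contain now, then hand the contained case to tier 2 for forensics.
    return {"host": alert.host, "actions": list(POLICY[tier]), "escalate": "tier2",
            "reason": f"auto-contained ({asset.service})"}

def triage(alerts, inventory):
    """Apply the policy to a batch of alerts in the order received."""
    return [decide(a, inventory) for a in alerts]

# Constructed sample data: a call-center endpoint, a developer workstation, an unlisted host.
INVENTORY = {
    "cc-ep-017": Asset("cc-ep-017", "customer-support", critical=True),
    "dev-ws-042": Asset("dev-ws-042", "engineering", critical=False),
}
SAMPLE_ALERTS = [Alert("cc-ep-017", 0.93, "known-bad hash"), Alert("dev-ws-042", 0.88, "beaconing"),
                 Alert("dev-ws-042", 0.55, "rare parent-child process"), Alert("print-srv-3", 0.95, "scheduled task")]
```

Running `triage(SAMPLE_ALERTS, INVENTORY)` shows the call-center endpoint contained without isolation, the workstation fully isolated, the mid-confidence alert ticketed for tier 1, and the unknown host escalated rather than touched.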

Once preventative countermeasures are adopted that can ensure effective prevention and protection in real time, security analysts will then be able to focus on identifying the next potential weak link and remediating it. That will not only provide better security posture but will also guarantee security scalability and analysts' greater satisfaction in their jobs.

In summary, automation will help organizations contain breach impacts while controlling the costs of scarce staff resources struggling to keep up. But ultimately, security will still come down to people. Security analysts will create the solutions that keep their organizations safe. Automation will empower them to succeed in an environment where incident response time pressures have been minimized, freeing them to employ their best talents and skills and realize the full potential of threat hunting to discover and eliminate future risks.

Roy is a 15-year seasoned product manager and security market strategist, combining strong technical knowledge with proven sales and marketing skills. Prior to enSilo, Roy led Akamai's security strategy. Before that, he managed Imperva's data security products and ...

Comment
9/10/2018 | 6:02:37 PM
Automation can be great, but it's no quick fix...
Nice article, Roy. Automation and orchestration are indeed 'hot' topics at the moment and are helping many organizations address issues faster and more consistently than they were before. The topics are perhaps also premier candidates for leading the latest round of fads in industry marketing.

Some caveats worth mentioning: new buyers of security automation products may find themselves experiencing sticker shock or falling victim to a still-maturing product space. Many vendor products are prohibitively expensive to the organizations that might benefit most (i.e., the long tail) and too often lock in users with proprietary workflow formats. That said, automation is worth exploring—and perhaps adopting—for many organizations. My organization has realized numerous benefits to date.

An additional note of caution: I see many organizations rushing to automate workflows without first running the numbers; and, while automation has many benefits, it is first and foremost a matter of economics. Deciding what could, should, and will be slated for automation is an issue of resource management and optimization, whether those resources are people hours, pay-by-use cloud services, or particular team members with in-demand skills and limited availability.

Finally, organizations new to automation need to recognize that deploying new automation workflows is, in many ways, similar to deploying a new "product"—in that the workflows may (in more ways than expected) require additional support resources and know-how for testing, monitoring, and maintenance.