The Road to Autonomous Security – Infosecurity Magazine

Theres a lot of noise around autonomous security. For years, analysts and security operations teams have been promised a utopia where they leave monotonous tasks behind, and yet the burnout rate for these professions continues to be high. Clearly there is much work to be done, but it helps to understand where we are today and theres no better place to look than the automobile industry.

The auto industry may not always be considered the most innovative, but its put a lot of thought into what it means to create self-driving cars. This includes a standardized framework that provides a good roadmap to whats ahead for cybersecurity.

Lessons from the Road

Automobiles are more fuel-efficient, fancier and safer than they have ever been. But one thing has arguably gotten worse: the driver. An analysis by the National Highway Traffic Safety Administrations (NHTSA) shows that human error is responsible for 94% of serious automobile crashes.

To improve safety and driver experience automakers are introducing innovations such as rain sensing wipers, automated headlights and blind-spot detection systems that allow drivers to focus more of their attention on the road. But thats not always the result.

Cruise control, for instance, was designed to eliminate the cumbersome act of keeping your foot on the accelerator. The problem is, it reduces cognition in other areas. Putting your foot on the accelerator forces you to pay more attention; without it, going too fast into a curve is just one of the many potential consequences. Now, adaptive cruise control (ACC) is becoming standard because it solves some of the challenges in Cruise Control 1.0.

This is a great example of something that evolved from being automated to being autonomous. In fact, the Society of Automotive Engineers (SAE) developed a standard for describing the level of automation in cars thats been adopted by the U.S. Department of Transportation and the United Nations. On this scale, traditional cruise control is a Level 0 and ACC a Level 1. Teslas Autopilot or Cadillac Super Cruise are considered Level 2.

If this standard was adapted to cybersecurity, heres what it might look like:

The Self-Driving Security Journey Has Just Begun

In cybersecurity, one basic form of automation considered to be standard today is the correlation performed by SIEMs and network security tools. For example, collating all the alerts associated with an IP address together onto one screen or identifying an attack campaign by grouping alerts that share a source or a destination. Some tools are smarter and use additional sources of context such as active directory (AD) or threat intelligence, or filter out the known good. But much like cruise control, there are a lot of unintended consequences that manifest in the security world primarily through false positives and negatives. For instance, as devices become more mobile, they tend to roam inside and outside of corporate networks. With a new IP address at each location, the same device could have several addresses over a short period. The average IP address could have several devices associated with it too, making any analysis based on an IP address flawed from the get-go.

If cruise control is considered Level 0 on SAEs scale of automation, its safe to say IP correlation would be the same on the security scale. Looking more broadly at cybersecurity automation, most of the industry is probably only at a Level 1.

The Security Orchestration, Automation and Response (SOAR) category could have the best claim to Level 2 Partial Automation. These technologies automate several low impact response and remediation tasks like creating support tickets for the IT helpdesk, automatically correlating between multiple security tools, or grabbing evidence into an incident data store.

Getting to Level 4 and 5 will require the entire cybersecurity industry to substantially raise its game. For now, the focus should be on getting to Level 3 Conditional Automation.

To bring back the automobile analogy, Tesla Autopilot understands the vehicle (speed, travel lanes, braking, acceleration, etc.) in the context of other vehicles sharing the road and surfaces data the driver needs to make a decision.

We need similar levels of automation to bring cybersecurity to Level 3, and based on what weve learned from cars, there are three basic requirements to get there. We need to reduce the cognitive load on humans so security teams can focus on whats important, eliminate stressors like monotonous tasks, and focus on user experience in a way that documents decision paths so humans can dig deeper if and when they want to.

Human analysts continue to play a significant role in the security operations process and likely will for years to come. With that said, human skills can be elevated to a higher level by eliminating both the tribal knowledge and the rigor needed to surface the information they need to make optimal security decisions. That is what will put organizations firmly on the path towards autonomous security.

See more here:

The Road to Autonomous Security - Infosecurity Magazine