A Call for Automation of Cybersecurity

Intrusion Team
Oct 20, 2020

A stock analyst asked me to take a look at another artificial intelligence (AI) company in the security space. I love the idea of breakthroughs from newly discovered companies and am an eternal optimist, but the shine rapidly wore off on three fronts:

  1. The AI didn’t have a goal to stop breaches in real-time – or ever.
  2. The output alerts were generated within a few hours of an event and were then sent to human analysts to decide what action to take.
  3. The detection methods they were implementing with AI were flawed. AI does not make a bad approach wonderful.

There is little evidence that Henry Ford actually said, “If I had asked people what they wanted, they would have said faster horses,” but I think it helps get my point across. If asked, there may be people who think they need more or better security alerts, but I can tell you that no analyst really wants more data. Ok, they should always want more, a lot more. (How else can they be heroes for finding what nobody else noticed?) But they really don’t need more, because they are in the human analysis business, not in the big data graph analytics or AI business.

They also don’t need more because they are already hopelessly unable to process the security alerts they get every day. This is why they ask their vendors to prioritize events by severity, so they can work a smaller set each day and not feel as if they are hopelessly behind.

Analysts analyze by looking at the evidence and making a recommendation that will protect, but also not harm, operational systems. An analyst may get 50,000 event alerts a day – or even 5,000 – and might hope to clear each alert in 20 minutes (a single alert often takes hours or weeks to research – depending on complexity – but for the purpose of this article we’ll stick to simple math). So, one analyst can look at 4-16 alerts a day. That means that to clear 5,000 alerts a day a company would need to hire about 500 analysts. There are few companies, if any, where this would be a realistic approach; therefore most have no choice but to let some breaches continue to have access to their network.

Cybersecurity is seeing a lot of new players join the industry. The industry is awash with cash from companies desperately looking for a breakthrough approach that actually works.

About 30 years ago, we began training security analysts. Most cybersecurity organizations have a few awesome analysts. They are the ones who can take a single trigger or anomaly alert all the way to an understanding of what happened, ultimately coming up with how to prevent it in the future. In the event of an elite operation by a smart adversary, these analysts make up the very best quick response teams that are sent to the site with new/better instrumentation and can generally work out the problem (and offer a solution) – in about a month.

The process of having humans run down security events and attempt to protect after the fact is reminiscent of the early decades of mainframes, when teams of software experts manually managed core memory swaps to and from disk – by hand. If you got more jobs, you needed more core memory experts. Of course, by the 80s all of this became automated – which is why only a few of the more tenured software experts remember that it was ever a thing. It’s time for automation in cybersecurity. There just aren’t enough humans to stop all breaches. And we do need to stop them all.

This is a call for automation of threat blocking – the industry clearly has more alerts than it can handle. Coincidentally, this is the vision we’ve held for some time – focused on building a solution that offers real-time blocking of only malicious traffic. In other words, how to build a solution that neutralizes bad activity while still ensuring businesses can function normally.

Automated blocking doesn’t put analysts out of business. Just as changes to mainframes only adjusted the type of jobs for which software experts were needed, analysts will still be needed for the more sophisticated cyberattacks. However, the power of automated blocking being applied to the bulk of malicious activity is that analysts will now have the bandwidth to dedicate the time needed to successfully thwart more intricate attacks.

Learn more about Intrusion Shield and how you can put automated blocking to work for your company.
