While I generally dislike abstract security debates like “how to be more proactive?”, “are we dynamic enough?” and “should we automate more?”, some recent experiences made me pick the last one up. So, in one ear I am hearing “we need to automate more” since we don’t have enough people or since our infrastructure is too fluid, but in the other ear I am hearing “automation breaks things”, “robots suck at security”, etc.
My conclusion? There is – at this stage of security technology development, at least – GOOD AUTOMATION and EVIL AUTOMATION. Longer term, we will certainly see more automation and more domains of information security (cybersecurity, if you have to) covered by automation, BUT I’d be willing to bet anything that the profession of a security analyst will never be fully automated (just like [IMHO] doctors and police officers will always use automated tools, but will never be fully replaceable by technologies, smart machines notwithstanding).
So, this here is my informal attempt to separate the cases of “automate OR die” from the cases of “automate AND die”….
Automate to WIN:
- gather additional information from various sources
- fuse gathered information together
- enrich alert data for better alert triage
- share data with another system
- sandbox stuff and gather results
- process raw inputs with analytic algorithms, and present the results
- ask for approval when needed
- generate email notifications
- open tickets for a human to act on some issue
Overall, this category of “good automation” covers ways to acquire more useful data to make a decision, to help a human make a decision, and to streamline routine and other boring, repetitive tasks. The common thread is that every step is additive or read-only: it adds context, records something, or asks someone, but it does not change the state of a production system.
Automate to LOSE [at least, proceed VERY carefully!]:
- block network access
- disconnect system or device
- change configuration of something
- disable user
Overall, “evil automation” covers cases where the system is supposed to make a disruptive change to external systems and applications, and so has the potential to cause heavy damage to our fragile IT infrastructures…. The damage is not only the direct outage: a false positive that blocks a load balancer, disconnects a domain controller, or disables a service account can cost far more than the incident it was reacting to, and the same logic fires again the next time the same signal appears.
To mitigate its “evil effects” while preserving the benefits, consider a “semi-automated” or assisted mode with a human in the loop, where the automation gathers all the information and then a human makes one simple call with all available data. The practical rule is that the disruptive actions are proposed, never executed, until that call is made, and both the proposal and the decision are recorded so the playbook can be audited afterwards.
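As an added example (not code from the original post), here is a minimal Python playbook runner that enforces the split above: “safe” actions (enrich, sandbox, ticket) run unattended, while “disruptive” actions (block an IP, disable a user) are only proposed, and are executed solely when a human approver returns them after seeing the enriched decision packet. With no approver available they are parked, never run. The `Tier`/`Action`/`run_playbook` names, the alert, and the asset, intel and sandbox lookup tables are all constructed for the example and stand in for real API calls.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional
import enum


class Tier(enum.Enum):
    SAFE = "safe"              # gathers, enriches, notifies, tickets: run unattended
    DISRUPTIVE = "disruptive"  # blocks, isolates, disables: needs a human decision


@dataclass(frozen=True)
class Action:
    name: str
    tier: Tier
    run: Callable[[dict], dict]  # reads the alert context, returns fields to add


# Constructed sample data standing in for an asset inventory, a threat-intel
# feed and a sandbox. In a real deployment each of these is an API call.
FAKE_SHA256 = "ab" * 32
ASSET_DB = {"10.0.5.23": {"hostname": "fin-ws-07", "owner": "jdoe", "criticality": "high"}}
THREAT_INTEL = {FAKE_SHA256: {"verdict": "malicious", "family": "generic_stealer"}}
SANDBOX = {FAKE_SHA256: {"score": 9, "behaviors": ["credential_access", "c2_beacon"]}}
SAMPLE_ALERT = {"id": "A-1", "src_ip": "10.0.5.23", "user": "jdoe", "sha256": FAKE_SHA256}


def enrich_asset(ctx: dict) -> dict:
    return {"asset": ASSET_DB.get(ctx["src_ip"], {"criticality": "unknown"})}

def enrich_intel(ctx: dict) -> dict:
    return {"intel": THREAT_INTEL.get(ctx["sha256"], {"verdict": "unknown"})}

def detonate(ctx: dict) -> dict:
    return {"sandbox": SANDBOX.get(ctx["sha256"], {"score": 0, "behaviors": []})}

def open_ticket(ctx: dict) -> dict:
    return {"ticket": f"SEC-{ctx['id']}"}  # would call the ticketing API

def block_ip(ctx: dict) -> dict:
    return {"network": f"blocked {ctx['src_ip']}"}  # would call the firewall API

def disable_user(ctx: dict) -> dict:
    return {"identity": f"disabled {ctx['user']}"}  # would call the IdP API


PLAYBOOK = [
    Action("enrich_asset", Tier.SAFE, enrich_asset),
    Action("enrich_intel", Tier.SAFE, enrich_intel),
    Action("detonate", Tier.SAFE, detonate),
    Action("open_ticket", Tier.SAFE, open_ticket),
    Action("block_ip", Tier.DISRUPTIVE, block_ip),
    Action("disable_user", Tier.DISRUPTIVE, disable_user),
]

# The human's one call: given the enriched context and the proposed disruptive
# action names, return the subset they approve.
Approver = Callable[[dict, list], Iterable[str]]


def decision_packet(ctx: dict) -> str:
    """The summary a human sees before approving anything."""
    asset, intel, sandbox = ctx.get("asset", {}), ctx.get("intel", {}), ctx.get("sandbox", {})
    return "\n".join([
        f"alert {ctx['id']}: {ctx['src_ip']} ({asset.get('hostname', '?')}, "
        f"criticality={asset.get('criticality', '?')}), user {ctx['user']}",
        f"intel: {intel.get('verdict', '?')} {intel.get('family', '')}".rstrip(),
        f"sandbox: score={sandbox.get('score', 0)} behaviors={sandbox.get('behaviors', [])}",
        f"ticket: {ctx.get('ticket', 'none')}",
    ])


def _execute(action: Action, ctx: dict) -> None:
    try:
        ctx.update(action.run(ctx))
        ctx["audit"].append((action.name, "done"))
    except Exception as exc:  # a failed lookup must not abort triage
        ctx["audit"].append((action.name, f"error: {exc}"))


def run_playbook(alert: dict, playbook: list, approve: Optional[Approver] = None) -> dict:
    """Run SAFE actions unattended, then hand the DISRUPTIVE ones to the human.
    With no approver available, disruptive actions are parked, never executed."""
    ctx = {**alert, "audit": [], "pending": []}
    for action in (a for a in playbook if a.tier is Tier.SAFE):
        _execute(action, ctx)
    disruptive = [a for a in playbook if a.tier is Tier.DISRUPTIVE]
    proposed = [a.name for a in disruptive]
    if approve is None:
        ctx["pending"] = proposed
        ctx["audit"] += [(n, "pending_approval") for n in proposed]
        return ctx
    # The approver can only pick from what was proposed; anything else is ignored.
    approved = set(approve(ctx, proposed)) & set(proposed)
    for action in disruptive:
        if action.name in approved:
            _execute(action, ctx)
        else:
            ctx["audit"].append((action.name, "denied"))
    return ctx


if __name__ == "__main__":
    parked = run_playbook(SAMPLE_ALERT, PLAYBOOK)  # no human present: nothing disruptive runs
    print(decision_packet(parked))
    print("pending:", parked["pending"])
```

Two design choices carry the point of the post: the safe tier always runs before the approval call, so the human decides with the enriched packet rather than the raw alert, and the approver's answer is intersected with the proposed list, so a misbehaving approval integration cannot authorize an action the playbook never proposed. The `audit` list records every proposal, denial and execution, which is what you will want when a blocked IP turns out to have been the wrong one.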