They’d be happy with it suggesting actions or providing clear instructions on what to do, but a human always had to be ‘in the loop’ to make the final decision.
The idea of a ‘black box’ with the power to block certain applications, systems or even customers was just far too risky. How could they trust it to do the right thing?
As computing environments become more software-based and more advanced methods of automation appear on the scene, attitudes towards automation have started to change. It seems the more people experience automation, the more they’re able to trust it. Today, many security teams are increasingly comfortable with being ‘on the loop’ with the system as the key decision maker as opposed to ‘in the loop’ where they must approve every action.
They can trust a system to schedule a security update or policy change as long as they have a human ‘on the loop’, at least during an initial phase, to monitor how systems operate and investigate or revert unwanted changes in a moment. Then, after a period of optimising, tuning and tweaking, confidence can grow to a point where humans can be taken completely ‘out of the loop’.
A good example of this is how widely accepted security automation for email phishing has become. These days, when somebody flags a suspicious email, it doesn’t go to a member of their security team anymore but triggers a workflow that analyses the email’s text for malicious URLs or attachments. If the link is definitely malicious, it will block the URLs or alert defences for protecting the user’s device if they’ve clicked the link, while keeping the person updated on the process.
Throughout most of these stages, humans are now largely ‘out of the loop’ on ‘definitely malicious’ links – although, some organisations may still allow a human to be ‘in the loop’ if the link is classified as ‘might be malicious’ or ‘on the loop’ if the link is classified as ‘probably malicious’ and they can then have the final decision on whether to block those URLs for their entire organisation. On the whole, it’s still saving considerable time and energy for security teams to focus their efforts elsewhere.
This is just one way that automation can benefit an organisation’s defence strategy. Ever-growing volumes of cyber threats, widespread shortages of cybersecurity skills and attackers using their own automation to accelerate threats are just some of the reasons why it’s critical to start taking advantage of automation.
But before you start implementing automation into your own processes, it’s important to be clear on exactly what your organisation is hoping to achieve and define what success means for you. There’s no ‘one size fits all’.
Based on my experience, organisations adopting automation are looking for one of three things:
For one organisation, it might make sense to automate highly repetitive daily tasks to free up analysts’ time to focus on larger scale attacks. Another may rely heavily on analysts to make decisions but will use automation instead to detect likely threats and provide options that significantly reduce their time to respond.
The key is to find where automation provides the most effective value for your organisation without watering down your capabilities, introducing additional risks or removing essential human oversight.
Automation isn’t something you can build and then forget about - it requires a continuous process of improvement that’s built in as part of your methodology. These systems usually rely on a complex set of interdependencies which can degrade over time as things inevitably change – whether that’s the tools and processes you use, the conditions of the threat landscape or even the goals of your organisation.
It’s certainly a lot to consider, but we can help you to embrace your automation journey. Our advisory services offer strategic guidance and solutions to organisations across the globe. We’ll help to assess and test your defences and select the solutions which match your security needs. You can find out more about our security advisory services here and take a look at our latest whitepaper for further information on security automation.
