
Cybersecurity automation: what expectations, what limits?

Published on September 8, 2023

Improving the productivity of cyber analysts by relieving them of repetitive and time-consuming tasks: this is the main promise of automation. Beyond this quest for productivity, is automation a possible response to the talent shortage? What are its limits?

Cybersecurity Automation

Automation has become a double-edged sword. On the one hand, cybercriminals are exploiting it to carry out increasingly frequent and sophisticated cyberattacks. On the other hand, operational security teams (SecOps) are forced to use it to counter these threats. At the same time, automation also appears to be a response to the scarcity of cybersecurity experts. However, beyond its apparent advantages, what are its real constraints and limits?

Automation in cybersecurity: challenges and promises

What is automation in operational security?

Automation in cybersecurity consists of “industrializing” certain tasks carried out by cyber analysts and SecOps teams. The goal is to optimize threat detection and respond more quickly. It is therefore part of a strategy that is both preventive and proactive.

Why automate cybersecurity?

On a daily basis, cyber analysts face constant challenges:

  • Analyze and process an ever-increasing volume of information.
  • Make decisions regarding actions to take.
  • Carry out these operations within a (very) tight deadline and reduce incident response times.

Faced with these constraints, automation and artificial intelligence provide an effective response. They meet organizations' growing expectations for shorter reaction times and more relevant alerts, in particular by reducing false positives.

While the scope of assets to be protected keeps expanding, the pool of experts available to look after them remains as scarce as ever. Automation therefore improves the productivity of cyber analysts while reducing the risk of burnout or “cyber fatigue”.

What tasks can be automated?

The main use cases for automation in operational security are:

  • Automated threat detection and response. This involves quickly identifying suspicious or malicious activities and responding to them autonomously, often in real time.
  • Automated detection of anomalies in data flows. Analyzing data streams can reveal anomalous behavior or unexpected traffic patterns. Once identified, these anomalies can be a sign of malicious activity or compromise.
  • Cyber Threat Intelligence (CTI) automation, i.e. the automated collection and analysis of data on cyber threats. It makes it possible to enrich threat profiling, obtain a clear view of attackers' tactics, adapt existing security measures (blocking ports, for example) and guide the decisions to be made.

The rise of automation within incident detection and response solutions

The evolution of incident detection and response tools clearly illustrates the growing integration of automation into operational security processes. Among these tools, we include:

  • EPP (Endpoint Protection Platform) to protect endpoints. This is generally an evolution of traditional antivirus software that provides more comprehensive protection.
  • UEBA (User and Entity Behavior Analytics) which identifies suspicious activity based on the behavior of users and entities within an organization.
  • SIEM (Security Information and Event Management). This centralized solution collects, stores, analyzes and visualizes real-time or historical security logs and events to provide an overview of potential threats and incidents.
  • EDR (Endpoint Detection and Response). This platform identifies and responds to potential threats on endpoints. It offers advanced analysis and intervention capabilities.
  • XDR (Extended Detection and Response). This evolution of EDR extends detection and response beyond simple endpoints to include other data sources, such as networks or servers.
  • SOAR (Security Orchestration, Automation and Response). This solution combines data collection, automated response and orchestration to improve the efficiency of security operations.

Traditional antivirus software installed on workstations can no longer, on its own, counter current threats such as WormGPT or evasion attacks, especially since some of these attacks themselves rely on artificial intelligence. This reality is pushing cybersecurity professionals to integrate not only automation but also AI into their defensive arsenal. These new types of attacks also force them to train continually in order to develop their practices.

Through its ability to process enormous volumes of data, AI can analyze, prioritize and respond to threats with unprecedented speed. It is also a valuable asset for establishing automated response scenarios, often referred to as playbooks.

Where are businesses in terms of automating their cybersecurity?

According to a 2022 study on cybersecurity automation adoption by the cybersecurity firm ThreatQuotient, automation is gaining momentum: both the confidence companies place in it and the budget they allocate to it are increasing significantly. In 2022, 84% of the companies surveyed trusted automation, up from just 59% in 2021. Of this panel of 750 security professionals based in the UK, the US and Australia, 98% indicated that their automation budget is increasing. Current projects primarily concern the automation of Cyber Threat Intelligence and incident response.

The study also reveals that most companies are only at the initial stage of their automation adoption. Asked about their current level, 63% believe they are at level 2 or 3, on a scale where 5 represents the maximum level of maturity. This shows that automation still has room to progress. Moreover, along the way, companies face very concrete questions: how to deploy automation within heterogeneous environments? How to integrate it with existing tools? How to ensure automation solutions keep up with constantly evolving threats? And how to ensure that automation does not create additional data protection or privacy risks?

What place for humans in the face of automation?

Automation, a performance lever, not a replacement for talent?

Although AI and automation are now widely deployed to improve the productivity of teams overwhelmed by an increasing volume of events to analyze, they are not strictly speaking an answer to the cybersecurity talent shortage. Their main interest lies rather in their ability to “improve the working environment for analysts”, as IBM highlights in its report “AI and automation for cybersecurity” from June 2022.

Through automation, analysts become more precise and focus their efforts on threats requiring deeper analysis. This not only makes it possible to improve the investigation phase on the most critical threats and increase productivity, but also to enhance their expertise by devoting themselves to higher value-added tasks.

Without experts, no successful automation

The implementation of models or automated scenarios requires the intervention of experts for a configuration adapted to the threats and organizational specificities specific to each company.

Faced with the rise of automation, cybersecurity professionals must not only find a new place, but also invest in continuing education. A division of tasks between humans and machines is already taking shape. While incident detection and response actions benefit from being automated, some experts consider that remediation actions (intended to limit the impact of a risk or incident) must continue to be driven by humans. Ultimately, to be truly effective, automation must be closely coupled with human expertise.

What are the obstacles and limits to automation?

While automation holds promise for lightening the workload of cyber analysts and operational teams, there is nothing simple about it. In practice, several challenges can hinder its integration: a lack of precise knowledge of the perimeter to be protected, particularly if the company does not have an up-to-date map of its information system; the heterogeneity and complexity of the systems and equipment to be analyzed; and organizational silos between different teams and professions, which can also hold back effective implementation.

Additionally, automation effectiveness is closely linked to the organization's cybersecurity maturity level. Successful automation integration requires operational processes that are well documented by… experts.

On a technical level, automation encounters several challenges:

  • Data integrity: the lack of complete and up-to-date contextual data, as shown by the limits of MITRE ATT&CK®.
  • Complexity management: the need to deal with complex actions and steps requiring human validation.
  • Scalability: deploying automation at scale can present challenges.
  • Remote orchestration: the complexity of remotely orchestrating on-premises solutions.
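As an added illustration (not code from the article or from ORSYS), the following minimal Python playbook shows the division of labour the article describes: alerts are enriched automatically with CTI, a reversible perimeter block is applied automatically for high-confidence indicators, and host remediation or ambiguous cases are queued for human validation. The CTI feed, the alerts and the 90 confidence threshold are constructed assumptions.

```python
"""Added example: a minimal SOAR-style triage playbook (constructed data)."""
from dataclasses import dataclass, field

# Constructed CTI feed: indicator -> (confidence 0-100, tag). Addresses are
# from documentation ranges (TEST-NET), not real infrastructure.
CTI_FEED = {
    "203.0.113.7": (95, "c2-server"),
    "198.51.100.22": (40, "scanner"),
}

# Constructed alerts, as an EDR/SIEM might emit them
ALERTS = [
    {"id": "a1", "host": "ws-012", "dst_ip": "203.0.113.7", "action": "outbound-conn"},
    {"id": "a2", "host": "ws-044", "dst_ip": "198.51.100.22", "action": "outbound-conn"},
    {"id": "a3", "host": "srv-db1", "dst_ip": "192.0.2.10", "action": "outbound-conn"},
]

AUTO_BLOCK_THRESHOLD = 90  # assumption: confidence at/above which blocking is automatic

@dataclass
class PlaybookResult:
    blocked_ips: list = field(default_factory=list)     # automated, reversible containment
    pending_review: list = field(default_factory=list)  # remediation awaiting a human
    closed: list = field(default_factory=list)          # no intel match, auto-closed

def enrich(alert, feed):
    """CTI automation step: attach confidence and tag to the raw alert."""
    conf, tag = feed.get(alert["dst_ip"], (0, "unknown"))
    return {**alert, "confidence": conf, "tag": tag}

def run_playbook(alerts, feed, threshold=AUTO_BLOCK_THRESHOLD):
    result = PlaybookResult()
    for raw in alerts:
        alert = enrich(raw, feed)
        ticket = {"id": alert["id"], "host": alert["host"], "reason": alert["tag"]}
        if alert["confidence"] >= threshold:
            # Low-impact, reversible action taken automatically at the perimeter
            result.blocked_ips.append(alert["dst_ip"])
            # Isolating or reimaging the host stays a human decision
            result.pending_review.append(ticket)
        elif alert["confidence"] > 0:
            # Ambiguous intel: escalate rather than act automatically
            ticket["reason"] = "low-confidence " + alert["tag"]
            result.pending_review.append(ticket)
        else:
            result.closed.append(alert["id"])
    return result

if __name__ == "__main__":
    print(run_playbook(ALERTS, CTI_FEED))
```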

Finally

Neither magical nor omnipotent, automation nevertheless raises high expectations in terms of productivity, and its adoption by businesses is accelerating. However, to be fully effective, it must take place in organizations where cybersecurity projects are already well established. Far from replacing cybersecurity analysts, it invites them to deploy their expertise where it will be most useful and to continually develop new skills. What is the future of automation? Hyperautomation is already emerging. The use of machine learning algorithms that can build automation models and make decisions on their own demonstrates the rapid move towards even more automated cybersecurity.

Our expert

ORSYS Editorial Board

Made up of journalists specialising in IT, management and personal development, the ORSYS Le mag editorial team [...]
