Improving the productivity of cyber analysts by relieving them of repetitive and time-consuming tasks: this is the main promise of automation. Beyond this quest for productivity, is automation a possible answer to the talent shortage? What are its limits?
Automation has become a double-edged sword. On the one hand, cybercriminals are exploiting it to carry out increasingly frequent and sophisticated cyberattacks. On the other, operational security teams (SecOps) are forced to use it to counter these threats. At the same time, automation also appears to be a response to the scarcity of cybersecurity experts. However, beyond its apparent advantages, what are its real constraints and limitations?
Automation in cybersecurity: challenges and promises
What is automation in operational security?
Automation in cybersecurity involves 'industrialising' certain tasks carried out by cyber analysts and SecOps teams. The aim is to optimise threat detection and respond more quickly. It is therefore part of a strategy that is both preventive and proactive.
Why automate cyber security?
Cyber analysts face constant challenges on a daily basis:
- Analysing and processing an ever-increasing volume of information.
- Deciding which actions to take.
- Carrying out these operations within (very) tight timescales and reducing incident response times.
Faced with these constraints, automation and artificial intelligence provide an effective response. They meet organisations' growing expectations for shorter reaction times and more relevant alerts, in particular fewer false positives.
As the scope of assets to be protected expands, the pool of experts available to deal with them remains as scarce as ever. In this context, automation improves the productivity of cyber analysts while reducing the risk of burnout or 'cyber fatigue'.
What tasks can be automated?
The main use cases for automation in operational security are:
- Automated threat detection and response. This involves rapidly identifying suspicious or malicious activity and responding to it autonomously, often in real time.
- Automated detection of anomalies in data flows. Analysis of data flows can reveal abnormal behaviour or unexpected traffic patterns. Once identified, these anomalies may be indicative of malicious activity or compromise.
- Cyber Threat Intelligence (CTI) automation. This is an automated process for collecting and analysing data on cyber threats. Automating this process enriches threat profiling, gives a clearer picture of the tactics used by cyber attackers, enables existing security measures to be adapted (blocking ports, for example) and guides the decisions that need to be taken.
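The second use case above (anomaly detection in data flows) is easier to reason about with a concrete baseline. The following is an added example, not code from the article or from any of the products it mentions: it learns a per-host profile of outbound byte volume and destination ports from constructed flow summaries, then flags the review window on two criteria, a z-score volume spike and a destination port never seen for that host. Host names, port numbers, thresholds and the 5 % floor on the standard deviation are all assumptions made for the illustration.

```python
"""Baseline-based anomaly detection over constructed network flow records.

Added example, not code from the article. The flow records and the
thresholds are constructed for illustration; a real deployment would read
flows from a collector or SIEM and tune the thresholds per environment.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (host, hour_bucket, dst_port, bytes_out).
# Hours 0-23 form the learning window; hour 24 is the window under review.
FLOWS = (
    [("ws-01", h, 443, 10_000 + (h % 3) * 500) for h in range(24)]
    + [("ws-02", h, 443, 8_000 + (h % 2) * 400) for h in range(24)]
    + [
        ("ws-01", 24, 443, 11_000),   # within ws-01's normal range
        ("ws-02", 24, 443, 95_000),   # constructed volume spike
        ("ws-02", 24, 4444, 2_000),   # constructed never-before-seen port
    ]
)


def build_baseline(flows, review_hour):
    """Per-host profile from all hours before review_hour: hourly outbound
    byte totals and the set of destination ports seen."""
    hourly = defaultdict(lambda: defaultdict(int))   # host -> hour -> bytes
    ports = defaultdict(set)                          # host -> {ports}
    for host, hour, port, nbytes in flows:
        if hour >= review_hour:
            continue
        hourly[host][hour] += nbytes
        ports[host].add(port)
    baseline = {}
    for host, per_hour in hourly.items():
        values = list(per_hour.values())
        m = mean(values)
        # Floor the spread so a host with a flat history does not cause a
        # division by zero or alert on trivial variation (design choice).
        spread = max(pstdev(values), 0.05 * m, 1.0)
        baseline[host] = {"mean": m, "std": spread, "ports": ports[host]}
    return baseline


def detect(flows, review_hour, z_threshold=3.0):
    """Return findings for the review hour: volume spikes measured as a
    z-score against the host's baseline, and destination ports never seen
    for that host during the learning window."""
    baseline = build_baseline(flows, review_hour)
    current_bytes = defaultdict(int)
    current_ports = defaultdict(set)
    for host, hour, port, nbytes in flows:
        if hour == review_hour:
            current_bytes[host] += nbytes
            current_ports[host].add(port)

    findings = []
    for host in sorted(current_bytes):
        profile = baseline.get(host)
        if profile is None:
            # A host with no learning history cannot be scored; surface it.
            findings.append({"host": host, "reason": "unknown_host"})
            continue
        z = (current_bytes[host] - profile["mean"]) / profile["std"]
        if z > z_threshold:
            findings.append({"host": host, "reason": "volume_spike",
                             "z_score": round(z, 1)})
        for port in sorted(current_ports[host] - profile["ports"]):
            findings.append({"host": host, "reason": "new_destination_port",
                             "port": port})
    return findings


if __name__ == "__main__":
    for finding in detect(FLOWS, review_hour=24):
        print(finding)
```

With the constructed data, ws-01 stays within its baseline while ws-02 produces two findings, one for the volume spike and one for the unseen port. The findings are plain dictionaries so they can be handed to a SIEM or SOAR stage for triage; the decision of what to do with them is left to that stage.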
The rise of automation in incident detection and response solutions
The evolution of incident detection and response tools clearly illustrates the growing integration of automation into operational security processes. These tools include:
- EPP (Endpoint Protection Platform), which protects endpoints. It is generally an evolution of traditional antivirus software, offering more comprehensive protection.
- UEBA (User and Entity Behavior Analytics), which identifies suspicious activities based on the behaviour of users and entities within an organisation.
- SIEM (Security Information and Event Management). This centralised solution collects, stores, analyses and displays security logs and events, in real time or historically, to provide an overview of potential threats and incidents.
- EDR (Endpoint Detection and Response). This platform identifies and responds to potential threats on endpoints. It offers advanced analysis and intervention capabilities.
- XDR (Extended Detection and Response). This evolution of EDR extends detection and response beyond endpoints alone to other sources of data, such as networks and servers.
- SOAR (Security Orchestration, Automation and Response). This solution combines data collection, automated response and orchestration to improve the efficiency of security operations.
Traditional antivirus software installed on workstations can no longer, on its own, counter today's threats such as WormGPT or evasion attacks, especially as some of these attacks themselves rely on artificial intelligence. This reality is forcing cybersecurity professionals to incorporate not only automation but also AI into their defensive arsenal. These new types of attack also oblige them to train continuously so that their practices keep evolving.
With its ability to process huge volumes of data, AI can analyse, prioritise and respond to threats with unprecedented speed. It is also an invaluable asset for establishing automated response scenarios, often referred to as playbooks.
How far have companies come towards automating their cyber security?
According to a recent study on the adoption of automation in cybersecurity carried out by the cybersecurity company ThreatQuotient in 2022, automation is gaining momentum. In fact, the level of confidence companies have in it and the budget they allocate to it are increasing significantly. In 2022, 84 % of the companies surveyed had confidence in automation, compared with just 59 % in 2021. Of this panel of 750 security professionals based in the UK, USA and Australia, 98 % indicated that their budget for automation was increasing. The main projects underway concern the automation of Cyber Threat Intelligence and incident response.
The study also reveals that most companies are still in the early stages of adopting automation. When asked about their current level, 63 % said they were at level 2 or 3 on a scale where 5 represents the maximum level of maturity. This shows that there is still room for automation to progress. What's more, along the way, companies face some very concrete questions: how can automation be deployed in heterogeneous environments? How can it be integrated with existing tools? How can they ensure that their automation solutions remain up to date in the face of constantly evolving threats? And what can be done to ensure that automation does not give rise to additional data protection or privacy risks?
What place is there for human beings in the face of automation?
Automation: a lever for performance, not a replacement for talent?
Although AI and automation are now widely deployed to improve the productivity of teams overwhelmed by a growing volume of events to analyse, they are not, strictly speaking, a response to the shortage of cybersecurity talent. Rather, their main value lies in their ability to "improve the working environment for analysts", as IBM points out in its June 2022 report "AI and automation at the service of cybersecurity".
Thanks to automation, analysts gain in precision and concentrate their efforts on threats requiring more in-depth analysis. This not only improves the investigation phase for the most critical threats and increases productivity, but also allows them to focus their expertise on higher added-value tasks.
No successful automation without experts
The implementation of automated models or scenarios requires the intervention of experts to ensure that the configuration is adapted to the threats and organisational specificities of each company.
Faced with the rise of automation, cybersecurity professionals not only have to find a new role, but also invest in ongoing training. A division of labour between humans and machines is already taking shape. While incident detection and response actions will benefit from automation, some experts believe that remediation actions (designed to limit the impact of a risk or incident) must continue to be driven by humans. Ultimately, to be truly effective, automation must be closely associated with human expertise.
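The division of labour described above (automated detection and containment, human-driven remediation) and the playbooks mentioned earlier can be expressed as a small SOAR-style flow. The following is an added example, not code from the article, IBM or any vendor: an alert is enriched against a constructed CTI feed, low-impact containment actions run automatically, and remediation actions with business impact are queued until an analyst approves them. The alert fields, the indicator values (documentation address ranges), the action names and the `approver` callback are all assumptions made for the illustration; the handlers only write to an audit list rather than calling real APIs.

```python
"""Minimal SOAR-style playbook with a human-approval gate.

Added example, not code from the article or any vendor. The alert, the
threat-intelligence feed and the action handlers are constructed inline;
in a real deployment the handlers would call the firewall, EDR and
ticketing APIs, and the approver would be an analyst's decision recorded
in a case-management tool.
"""
from dataclasses import dataclass, field

# Constructed CTI feed (documentation address ranges): indicator -> tag
CTI_INDICATORS = {
    "203.0.113.45": "known-c2",
    "198.51.100.7": "scanner",
}

# Actions the playbook may run on its own (reversible, low blast radius)
AUTOMATED_ACTIONS = ("block_indicator", "open_ticket")
# Remediation actions with business impact: always wait for a human decision
GATED_ACTIONS = ("isolate_host", "disable_account")


@dataclass
class Alert:
    alert_id: str
    host: str
    user: str
    remote_ip: str
    severity: str = "low"


@dataclass
class PlaybookResult:
    executed: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def enrich(alert, feed=CTI_INDICATORS):
    """Look the remote IP up in the CTI feed; raise severity on a match."""
    tag = feed.get(alert.remote_ip)
    if tag is not None:
        alert.severity = "high"
    return tag


def run_playbook(alert, approver=None, feed=CTI_INDICATORS):
    """Enrich, contain automatically, and queue remediation for approval.

    approver: optional callable (alert, action) -> bool standing in for an
    analyst's decision. When None, gated actions stay pending.
    """
    result = PlaybookResult()
    tag = enrich(alert, feed)
    result.executed.append("enrich")
    result.audit.append(f"{alert.alert_id}: enrich remote_ip={alert.remote_ip} match={tag}")
    if tag is None:
        # No indicator match: nothing to contain, leave the alert for triage.
        result.audit.append(f"{alert.alert_id}: no indicator match, severity={alert.severity}")
        return result

    for action in AUTOMATED_ACTIONS:
        result.executed.append(action)
        result.audit.append(f"{alert.alert_id}: auto {action} ({tag})")

    for action in GATED_ACTIONS:
        if approver is not None and approver(alert, action):
            result.executed.append(action)
            result.audit.append(f"{alert.alert_id}: {action} approved and executed")
        else:
            result.pending_approval.append(action)
            result.audit.append(f"{alert.alert_id}: {action} awaiting analyst approval")
    return result


if __name__ == "__main__":
    demo = Alert("A-1001", "ws-02", "jdoe", "203.0.113.45")
    outcome = run_playbook(demo)
    print("\n".join(outcome.audit))
```

The split between `AUTOMATED_ACTIONS` and `GATED_ACTIONS` is the point of the example: the playbook never isolates a host or disables an account on its own, it records the pending step and the reason in the audit trail so the analyst decides with the enrichment already done. Which actions belong on which side of that line is exactly the configuration work the article says still needs experts.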
What are the obstacles and limits to automation?
While automation is a promising way of lightening the load for cyber analysts and operational teams, there is nothing simple about it. In practice, a number of challenges can stand in the way of its integration, such as the lack of precise knowledge of the perimeter to be protected, particularly if the company does not have an up-to-date map of its information system. Another is the heterogeneity and complexity of the systems and equipment to be analysed. Organisational silos between different teams and business lines can also hamper effective implementation.
What's more, the effectiveness of automation is closely linked to the organisation's level of maturity when it comes to cyber security. Successful integration of automation requires operational processes that are well documented by... experts.
From a technical point of view, automation faces a number of challenges:
- Data integrity: the lack of complete and up-to-date contextual data, as illustrated by the limits of MITRE ATT&CK®.
- Managing complexity: the need to handle complex actions and stages requiring human validation.
- Scalability: extending automation on a large scale can present challenges.
- Remote orchestration: the complexity of remotely orchestrating on-premises solutions.
Finally
Although neither magical nor omnipotent, automation is nonetheless raising great expectations in terms of productivity, and its adoption by businesses is accelerating. However, to be fully effective, it needs to be implemented in organisations where cybersecurity projects are already well established. Far from replacing cybersecurity analysts, it encourages them to deploy their expertise where it will be most useful, and to constantly develop new skills. What does the future hold for automation? Hyperautomation is already on the horizon. The use of machine learning algorithms that can themselves create automation models and make decisions is evidence of the rapid evolution towards even more automated cybersecurity.