In recent years, a great deal of focus has been placed on using automation to close the skills gap. However, although it is true that automation can help narrow the gap, it cannot close the gap completely by itself. This fact becomes more obvious when you consider the steps that a cybersecurity analyst takes throughout the entire lifecycle of an incident:
- Preparation: Preparation involves having a workable plan to deal with an incident should one occur. The preparation may involve drafting an effective incident response plan, training employees or conducting "fire drills" to ensure that everyone knows how to react to an attack.
- Prevention: Although it is impossible to prevent every hacker from launching a successful attack, adequate prevention is still needed. Prevention may involve researching emerging threats to discover the vulnerabilities that they exploit, determining whether your company is a likely target, and taking the necessary steps to eliminate vulnerabilities.
- Detection: Before an attack can be addressed, it must first be detected. Not every incident that triggers an alarm is a genuine threat, so organizations must analyze the incident to determine whether it is a false alarm or an attack that must be dealt with.
- Containment: Once an incident is detected and analysis shows that it represents a genuine attack, the damage must be contained. The longer malware persists and the longer a hacker has to download data, the greater the damage will be.
- Eradication: Containing a threat is not the same as eradicating it. For example, if malware has infected 10 computers, it must be removed from all of them.
- Recovery: After an incident occurs, it is essential for the business to return to its normal status as quickly as possible. Recovery procedures will depend on the type of attack and the extent of the damage. For example, if an organization has suffered a ransomware attack, recovery may involve scrubbing all hard drives and restoring files from a "clean" backup.
- Forensics: Following an incident, it is important to conduct a postmortem. Analyzing all aspects of the breach can help determine where to strengthen defenses to avoid a similar attack in the future. This is also an excellent time to evaluate the incident response plan to determine whether changes need to be made.
Collaborative, Interactive Investigation with Automation Can Address the Skills Gap Issue
As you can see, automation can help, but it cannot handle every task that is required. There is a need for collaborative, interactive tools to investigate and scale the incident response function beyond what automation can achieve. Automation can deliver great benefit in the following instances:
- In most organizations, the cybersecurity team must deal with hundreds — if not thousands — of alerts every week. Many of these are false positives, but the possibility always exists that the alerts were triggered by an intrusion. However, the team can be easily overwhelmed by the number of alerts and develop "alert fatigue," increasing the risk that a genuine breach could go undetected. Automation can filter out almost all of the false positives, giving analysts the time and focus to deal with the genuine threats.
- Manually assigning workflow and monitoring progress can be time-consuming. Using automation to assign tasks to specific analysts and provide periodic updates can streamline the process.
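The two bullets above describe automation filtering out known false positives and collapsing repeated alerts so that analysts see a short, prioritized queue. The following is an added example, not code from the original post, of what that first-pass triage looks like in practice: a small Python routine that applies suppression rules for authorized sources, deduplicates repeats of the same alert within a time window, and ranks what is left by severity and repetition. The alerts, IP addresses, rule names and suppression entries are all constructed for the example.

```python
"""First-pass alert triage: suppress known-benign sources, deduplicate repeats,
and rank the remainder so analysts work the most important alerts first.
All rule names, hosts and addresses below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    rule: str        # name of the detection rule that fired
    src_ip: str
    dst_host: str
    severity: int    # 1 (informational) .. 5 (critical)


# Hypothetical suppression list: sources that legitimately trigger a given rule.
# In a real deployment this would be maintained as reviewed, expiring exceptions.
SUPPRESSIONS = {
    "port_scan": {"10.0.0.5"},          # authorized internal vulnerability scanner
    "bulk_auth_failure": {"10.0.0.9"},  # service account with a known stale credential job
}

# Repeats of the same (rule, source, destination) inside this window are one incident.
DEDUP_WINDOW = timedelta(minutes=10)


def triage(alerts):
    """Return (escalated, suppressed, deduplicated_count).

    escalated is a list of (alert, repeat_count) tuples ordered by severity,
    then by how often the alert repeated, then by time. An alert whose source
    is on the suppression list for its rule is recorded as a false positive.
    A repeat of an already-escalated alert within DEDUP_WINDOW of its first
    occurrence is folded into that occurrence's count instead of escalated.
    """
    escalated = []
    suppressed = []
    first_seen = {}     # (rule, src_ip, dst_host) -> first escalated Alert
    repeat_count = {}   # escalated Alert -> number of occurrences it represents
    deduplicated = 0

    for alert in sorted(alerts, key=lambda a: a.ts):
        if alert.src_ip in SUPPRESSIONS.get(alert.rule, set()):
            suppressed.append(alert)
            continue
        key = (alert.rule, alert.src_ip, alert.dst_host)
        head = first_seen.get(key)
        if head is not None and alert.ts - head.ts <= DEDUP_WINDOW:
            repeat_count[head] += 1
            deduplicated += 1
            continue
        # New incident (or the window for the previous one has expired).
        first_seen[key] = alert
        repeat_count[alert] = 1
        escalated.append(alert)

    escalated.sort(key=lambda a: (-a.severity, -repeat_count[a], a.ts))
    return [(a, repeat_count[a]) for a in escalated], suppressed, deduplicated


# Constructed sample feed: one noisy scan source, one authorized scanner,
# one benign auth-failure burst and one high-severity beacon.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_ALERTS = [
    Alert(T0, "port_scan", "10.0.0.5", "web-01", 2),
    Alert(T0 + timedelta(minutes=1), "port_scan", "203.0.113.7", "web-01", 2),
    Alert(T0 + timedelta(minutes=3), "port_scan", "203.0.113.7", "web-01", 2),
    Alert(T0 + timedelta(minutes=5), "port_scan", "203.0.113.7", "web-01", 2),
    Alert(T0 + timedelta(minutes=30), "port_scan", "203.0.113.7", "web-01", 2),
    Alert(T0 + timedelta(minutes=2), "bulk_auth_failure", "10.0.0.9", "dc-01", 3),
    Alert(T0 + timedelta(minutes=4), "malware_beacon", "10.0.1.22", "203.0.113.50", 5),
]


if __name__ == "__main__":
    queue, fps, folded = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(queue)} to review "
          f"({len(fps)} suppressed, {folded} folded into earlier alerts)")
    for alert, n in queue:
        print(f"sev={alert.severity} x{n:<2} {alert.rule:<18} {alert.src_ip} -> {alert.dst_host}")
```

Two design points matter here: the dedup window is measured from the first escalated occurrence, so a source that keeps firing for hours still resurfaces every ten minutes rather than being silenced indefinitely; and suppressed alerts are returned rather than discarded, so the false-positive stream can itself be reviewed and used to tune the detection rules.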
However, although automation can reduce the workload through these functions, it is not enough. Incorporating artificial intelligence and machine learning with automation and humans provides the perfect combination for defending systems against cybercriminals, even while the industry grapples with the security skills gap. For example:
- Hunting for threats manually is a hit-or-miss proposition that can be extremely time-consuming. Artificial intelligence allows the system to leverage threat intelligence to identify potential patterns or detect unusual activities. Automated threat hunting can help identify intrusions that have evaded detection and already dwell within an organization's systems. This allows the security team to contain and eradicate attacks before they cause any additional damage.
- Machine learning has made it even easier to give junior analysts the assistance that they need. For example, the machine can learn how best to respond to different types of alerts by learning the actions that experts take when dealing with a specific type of attack. The machine can then recommend those actions to junior analysts who may be struggling to determine the proper response. Machine learning can also allow the machine to identify the people who are experts in particular attacks; the junior analysts can then be advised to contact the proper experts for help with the current threat.
As time progresses, the blending of humans and automation is going to become increasingly necessary in the world of cybersecurity. Just as most cybercriminals are no longer "lone wolves," cybersecurity professionals must embrace collaboration with both their human and machine counterparts to help close the skills gap and best protect their organizations.