One of the greatest problems facing CISOs and SOC managers is the lack of qualified candidates to fill positions. According
Despite the efforts that are currently underway to develop cybersecurity talent, the skills gap is not going to be closed in the immediate future. Small and medium businesses are already feeling the shortage more acutely than large corporations and government agencies. Less than one-fourth of all
Finding the right candidate is just half the story. Training and retaining talent is also just as important to address the skills gap issue. A recent survey found that it takes an average of 9 months from the initiation of a hiring requisition until the new hire is fully trained. Since the need is frequently identified long before the hiring process officially begins, companies are without a resource – from the point where a need is identified until the
Automation Can Help, But More Is Needed
In recent years, a great deal of focus has been placed on using automation to close the skills gap. However, although it is true that automation can help narrow the gap, it cannot close the gap completely by itself. This fact becomes more obvious when you consider the steps that a cybersecurity analyst takes throughout the entire lifecycle of an incident.
- Preparation: Preparation involves having a workable plan to deal with an incident should one occur. The preparation may involve drafting an effective incident response plan, training employees or conducting "fire drills" to ensure that everyone knows how to react to an attack.
- Prevention: Although it is impossible to prevent every hacker from launching a successful attack, adequate prevention is still needed. Prevention may involve researching emerging threats to discover the vulnerabilities that they exploit, determining whether your company is a likely target, and taking the necessary steps to eliminate vulnerabilities.
- Detection: Before an attack can be addressed, it must first be detected. Not every incident that triggers an alarm is a genuine threat, so organizations must analyze the incident to determine whether it is a false alarm or an attack that must be dealt with.
- Containment: Once an incident is detected and analysis shows that it represents a genuine attack, the damage must be contained. The longer malware persists and the longer a hacker has to download data, the greater the damage will be.
- Eradication: Containing a threat is not the same as eradicating it. For example, if malware has infected 10 computers, it must be removed from all of them.
- Recovery: After an incident occurs, it is essential for the business to return to its normal status as quickly as possible. Recovery procedures will depend on the type of attack and the extent of the damage. For example, if an organization has suffered a ransomware attack, recovery may involve scrubbing all hard drives and restoring files from a "clean" backup.
- Forensics: Following an incident, it is important to conduct a postmortem. Analyzing all aspects of the breach can help determine where to strengthen defenses to avoid a similar attack in the future. This is also an excellent time to evaluate the incident response plan to determine whether changes need to be made.
Collaborative, Interactive Investigation with Automation Can Address the Skills Gap Issue
As you can see, automation can help, but it cannot handle every task that is required. There is a need for collaborative, interactive tools to investigate and scale the incident response function beyond what automation can achieve.
Automation can deliver great benefit in the following instances:
- In most organizations, the cybersecurity team must deal with hundreds — if not thousands — of alerts every week. Many of these are false positives, but the possibility always exists that the alerts were triggered by an intrusion. However, the team can be easily overwhelmed by the number of alerts and develop "alert fatigue," increasing the risk that a genuine breach could go undetected. Automation can filter out almost all of the false positives, giving analysts the time and focus to deal with the genuine threats.
- Manually assigning workflow and monitoring progress can be time-consuming. Using automation to assign tasks to specific analysts and provide periodic updates can streamline the process.
However, although automation can reduce the workload through these functions, it is not enough. Incorporating artificial intelligence and machine learning with automation and humans provides the perfect combination for defending systems against
- Hunting for threats manually is a hit-or-miss proposition that can be extremely time-consuming. Artificial intelligence allows the system to leverage threat intelligence to identify potential patterns or detect unusual activities. Automated threat hunting can help identify intrusions that have evaded detection and already dwell within an organization's systems. This allows the security team to contain and eradicate attacks before they cause any additional damage.
- Machine learning has made it even easier to give junior analysts the assistance that they need. For example, the machine can learn how best to respond to different types of alerts by learning the actions that experts take when dealing with a specific type of attack. The machine can then recommend those actions to junior analysts who may be struggling to determine the proper response. Machine learning can also allow the machine to identify the people who are experts in particular attacks; the junior analysts can then be advised to contact the proper experts for help with the current threat.
As time progresses, the blending of humans and automation is going to become increasingly necessary in the world of cybersecurity. Just as most cybercriminals are no longer "lone wolves," cybersecurity professionals must embrace collaboration with both their human and machine counterparts to help close the skills gap and best protect their organizations.
This article was originally published on Infosecurity Magazine: https://www.infosecurity-magazine.com/opinions/automation-solve-cybersecurity/