Addressing the trust factor in security orchestration and automation
Any conversation about using automation in cybersecurity inevitably wanders into a discussion about trust. IT and security professionals simply have trouble “taking the leap” and trusting software to manage tasks that have always relied upon personal experience, years of training and, in many cases, gut instinct to take the proper actions. While some vendors choose to pit automation vendors against human cyber analysts in an all-or-nothing battle royale, the reality of how automation can complement human intelligence is a bit more nuanced and subtle.
But the question of whether automation can be trusted is a valid one, and when it comes to automating any aspect of information security, being skeptical is understandable. After all, a good IT or cybersecurity professional needs a little bit of skepticism and an ability to ask critical questions when vetting the technology that will secure their organization.
For those who realize the promise that automation holds in the cybersecurity fight, but want to ensure proper due diligence before implementing it, here are 5 prerequisites that must be satisfied before any enterprise can trust security automation.
Prerequisite #1: Security Automation Must Be Repeatable
Without predictability, there is no trust. In order to believe that an automation tool will perform as intended, there needs to be a demonstrated record of repeatability. Think of every meal you’ve ever eaten in a restaurant: a server is willing to take your order and bring you drinks and the chef is willing to cook your food all without demanding you pay up front in full. Why would they take that risk? Because thousands of transactions have proven that customers will pay. A similar thought process must be applied when choosing to implement security automation. It’s important to look for solutions that have been proven to repeatably achieve their intended tasks.
Prerequisite #2: Auditable
While some think of automation as a “black box” comprised of a mixture of magic and alchemy, true automation must be repeatable and visible to the user. Every action taken and every decision made must be auditable. Other technologies, such as online banking, have shown that this philosophy is key to earning the trust of customers. In the early days of online banking, people were justifiably confused by the idea that all transactions would happen automatically without a person being involved. But the fact that a searchable record exists showing every dollar going in and out of the account allowed for the trust needed to make the switch from paper and trips to see the teller. In other words, it’s important to trust, but verify.
Prerequisite #3: Reversible
Any time a system has access to a company’s data and the ability to take action, there must also be a process in place to reverse those actions. Without a way to reverse a course of action, automation will be too much of a risk for large-scale adoption. In some respects, this goes hand-in-hand with having an audit trail – you need to make sure that any technology being evaluated has the capability of walking back the steps it has taken. This ability will go a long way in making it easier to trust automation and provide the peace of mind needed to take the initial leap of faith.
Prerequisite #4: Kill Switch / Interrupt
To fully trust automation, there must be a way to stop it. Even in the physical world, places where we use technology to automate tasks – from a factory assembly line, to the escalator in the mall – have some sort of kill switch. The cutting-edge world of driverless cars is another example – you’ll note that any driverless vehicle is equipped with an override that allows the driver to take control. When dealing with any automated technology, simply having the option for a human to step in and take control is a major trust factor. This is just as important in cybersecurity as it is in any other field.
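As an added illustration (not code from the original article or from any product), the sketch below shows how prerequisites #2 to #4 can fit together in a playbook runner: every action is written to an audit trail, each step carries its own undo, and a kill switch is checked before each action. The class names, step names, IP address and user name are hypothetical, and the environment is a constructed in-memory dictionary.

```python
import threading
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

@dataclass
class Step:
    name: str
    do: Callable[[dict], None]    # the automated action
    undo: Callable[[dict], None]  # its inverse (reversible)

@dataclass
class PlaybookRunner:
    state: dict  # constructed stand-in for the environment being changed
    audit: list = field(default_factory=list)  # append-only record (auditable)
    kill_switch: threading.Event = field(default_factory=threading.Event)
    done: list = field(default_factory=list)   # steps that actually ran

    def log(self, event, step):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "step": step})

    def run(self, steps):
        for step in steps:
            if self.kill_switch.is_set():  # checked before every action
                self.log("interrupted", step.name)
                return False
            step.do(self.state)
            self.done.append(step)
            self.log("executed", step.name)
        return True

    def rollback(self):
        while self.done:  # undo in reverse order of execution
            step = self.done.pop()
            step.undo(self.state)
            self.log("reversed", step.name)

def demo():
    runner = PlaybookRunner({"blocked_ips": set(), "disabled_users": set()})
    def block_ip(s):
        s["blocked_ips"].add("203.0.113.7")
        runner.kill_switch.set()  # constructed: analyst halts the run mid-playbook
    steps = [
        Step("block-ip", block_ip, lambda s: s["blocked_ips"].discard("203.0.113.7")),
        Step("disable-user", lambda s: s["disabled_users"].add("jdoe"),
             lambda s: s["disabled_users"].discard("jdoe")),
    ]
    completed = runner.run(steps)
    runner.rollback()
    return completed, runner.state, [(e["event"], e["step"]) for e in runner.audit]
```

Running `demo()` twice yields the same sequence of audit events, which is the kind of repeatability prerequisite #1 asks for.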
Prerequisite #5: Learn/Adapt
Finally, an automation solution must be able to learn and adapt for enterprises to be willing to invest the time and resources to get it up and running. Without the ability to get better with time and more data, you’re only able to automate what you know today. But tomorrow is coming, and you can bet it will bring with it new challenges. These challenges are impossible to predict today, so for technology to keep providing return on investment years, or even weeks, from now, it must be capable of learning and adapting.
If any cybersecurity automation technology you’re evaluating shows that it is repeatable, auditable, reversible, can be interrupted and can learn and adapt, these attributes should go a long way in earning your trust. Cybercriminals are automating the methods they use to increase the volume and complexity of attacks, so automating a defense will be key to maintaining a strong security posture. It’s time to take the leap and even the playing field.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.