There’s a lot of noise around autonomous security. For years, analysts and security operations teams have been promised a utopia where they leave monotonous tasks behind, and yet the burnout rate for these professions continues to be high. Clearly there is much work to be done, but it helps to understand where we are today and there’s no better place to look than the automobile industry.
The auto industry may not always be considered the most innovative, but it’s put a lot of thought into what it means to create self-driving cars. This includes a standardized framework that provides a good roadmap to what’s ahead for cybersecurity.
Lessons from the Road
Automobiles are more fuel-efficient, fancier and safer than they have ever been. But one thing has arguably gotten worse: the driver. An analysis by the National Highway Traffic Safety Administration (NHTSA) shows that human error is responsible for 94% of serious automobile crashes.
To improve safety – and driver experience – automakers are introducing innovations such as rain-sensing wipers, automated headlights and blind-spot detection systems that allow drivers to focus more of their attention on the road. But that’s not always the result.
Cruise control, for instance, was designed to eliminate the cumbersome act of keeping your foot on the accelerator. The problem is, it reduces cognition in other areas. Putting your foot on the accelerator forces you to pay more attention; without it, going too fast into a curve is just one of the many potential consequences. Now, adaptive cruise control (ACC) is becoming standard because it solves some of the challenges in Cruise Control 1.0.
This is a great example of something that evolved from being “automated” to being “autonomous.” In fact, the Society of Automotive Engineers (SAE) developed a standard for describing the level of automation in cars that’s been adopted by the U.S. Department of Transportation and the United Nations. On this scale, traditional cruise control is a Level 0 and ACC a Level 1. Tesla’s Autopilot or Cadillac Super Cruise are considered Level 2.
If this standard were adapted to cybersecurity, here’s what it might look like:
- Level 0 – No Automation. Zero autonomy; security analysts perform all triage, hunting and investigations.
- Level 1 – Analyst Assistance. Most security is manual, but some analyst-assist features may be included in the toolset.
- Level 2 – Partial Automation. The security program automates functions like response actions and policy enforcement, but the analyst must remain engaged due to the prevalence of false positives and negatives.
- Level 3 – Conditional Automation. Analysts are a necessity and can take control at any time, but high-fidelity detections, autonomous hunting, triage, investigations and response result in improved security and efficiency.
- Level 4 – High Automation. All security tools can operate in an autonomous manner under certain conditions. The analyst focuses on defining and controlling policies that are then enforced by the technology.
- Level 5 – Full Automation. All security tools operate autonomously under all conditions. The technology automatically defines and then enforces policies. The analyst can override these autonomous policies.
The Self-Driving Security Journey Has Just Begun
In cybersecurity, one basic form of automation considered standard today is the correlation performed by SIEMs and network security tools: for example, collating all the alerts associated with an IP address onto one screen, or identifying an attack campaign by grouping alerts that share a source or a destination. Some tools are smarter and use additional sources of context such as Active Directory (AD) or threat intelligence, or filter out the “known good.” But much like cruise control, there are a lot of unintended consequences, which manifest in the security world primarily as false positives and negatives. For instance, as devices become more mobile, they tend to “roam” inside and outside of corporate networks. With a new IP address at each location, the same device could have several addresses over a short period. The average IP address could have several devices associated with it too, making any analysis based on an IP address flawed from the get-go.
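To make the roaming-device problem concrete, here is an added example (not code from the original post or from any product it mentions) that correlates a handful of alerts two ways: keyed on source IP, as a basic SIEM view does, and keyed on the device that actually held that IP at the alert's timestamp, resolved through DHCP lease records. All hostnames, addresses, timestamps and alert names are constructed for illustration; the lease-log layout is an assumed simplification of what a real DHCP or NAC export would provide.

```python
"""Added example: IP-keyed vs. device-keyed alert correlation.

Two constructed inputs stand in for real telemetry:
  * LEASES: which device held which IP during which time window (DHCP log)
  * ALERTS: detections that carry only a timestamp and a source IP
"""
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease log: (hostname, ip, lease_start, lease_end).
# laptop-alice roams from the office subnet to the lab subnet mid-morning;
# laptop-bob is then handed the address alice just released.
LEASES = [
    ("laptop-alice", "10.0.1.20", "2024-03-01T08:00", "2024-03-01T10:00"),
    ("laptop-alice", "10.0.2.77", "2024-03-01T10:30", "2024-03-01T13:00"),
    ("laptop-bob",   "10.0.1.20", "2024-03-01T10:15", "2024-03-01T14:00"),
    ("printer-3f",   "10.0.1.55", "2024-03-01T00:00", "2024-03-02T00:00"),
]

# Constructed alerts: (timestamp, source_ip, detection_name).
ALERTS = [
    ("2024-03-01T08:40", "10.0.1.20", "suspicious powershell"),
    ("2024-03-01T11:10", "10.0.2.77", "outbound to rare domain"),
    ("2024-03-01T12:05", "10.0.1.20", "credential dumping tool"),
    ("2024-03-01T13:30", "10.0.1.20", "lateral movement attempt"),
    ("2024-03-01T09:00", "10.0.1.55", "port scan"),
]


def _ts(value):
    """Parse the constructed ISO-8601 timestamps used above."""
    return datetime.fromisoformat(value)


def correlate_by_ip(alerts):
    """Naive SIEM-style grouping: every alert with the same IP is one 'host'."""
    groups = defaultdict(list)
    for _, ip, name in alerts:
        groups[ip].append(name)
    return dict(groups)


def resolve_device(ip, ts, leases):
    """Return the hostname that held `ip` at time `ts`, or None if no lease covers it."""
    when = _ts(ts)
    for host, lease_ip, start, end in leases:
        if lease_ip == ip and _ts(start) <= when <= _ts(end):
            return host
    return None


def correlate_by_device(alerts, leases):
    """Resolve each alert to a device first, then group; unresolvable IPs are kept
    visible under an 'unresolved:' key instead of being silently dropped."""
    groups = defaultdict(list)
    for ts, ip, name in alerts:
        host = resolve_device(ip, ts, leases) or f"unresolved:{ip}"
        groups[host].append(name)
    return dict(groups)


if __name__ == "__main__":
    # The IP view merges two laptops into one "host" and splits alice's
    # activity across two keys; the device view keeps each machine's
    # timeline intact.
    for label, groups in (("by IP", correlate_by_ip(ALERTS)),
                          ("by device", correlate_by_device(ALERTS, LEASES))):
        print(f"--- {label} ---")
        for key, names in groups.items():
            print(f"{key}: {names}")
```

The order of operations is the whole point: resolve identity at the alert's timestamp, then group. Grouping first and enriching afterwards cannot undo the merge, because the lease that explains which device was behind 10.0.1.20 at 12:05 is only meaningful per alert, not per IP.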
If cruise control is considered Level 0 on SAE’s scale of automation, it’s safe to say IP correlation would be the same on the security scale. Looking more broadly at cybersecurity automation, most of the industry is probably only at a Level 1.
The Security Orchestration, Automation and Response (SOAR) category could have the best claim to Level 2 – Partial Automation. These technologies automate several low-impact response and remediation tasks like creating support tickets for the IT helpdesk, automatically correlating between multiple security tools, or pulling evidence into an incident data store.
Getting to Level 4 and 5 will require the entire cybersecurity industry to substantially raise its game. For now, the focus should be on getting to Level 3 – Conditional Automation.
To bring back the automobile analogy, Tesla Autopilot understands the vehicle (speed, travel lanes, braking, acceleration, etc.) in the context of other vehicles sharing the road and surfaces data the driver needs to make a decision.
We need similar levels of automation to bring cybersecurity to Level 3, and based on what we’ve learned from cars, there are three basic requirements to get there. We need to reduce the cognitive load on humans so security teams can focus on what’s important, eliminate stressors like monotonous tasks, and focus on user experience in a way that documents decision paths so humans can dig deeper if and when they want to.
Human analysts continue to play a significant role in the security operations process and likely will for years to come. With that said, human skills can be elevated to a higher level by eliminating both the tribal knowledge and the rigor needed to surface the information they need to make optimal security decisions. That is what will put organizations firmly on the path towards autonomous security.