Security Automation, Lessons Learned from Top Gun: Maverick
Marc Solomon
The cybersecurity industry has talked about security automation for years. We’ve grappled with what, when and how to automate. We’ve debated the human vs machine topic. And when we’ve been burned by machines quarantining a system or blocking a port on a firewall in error, we’ve wondered if there’s any place at all for automation. But deep down we know that automation is the future, and the future is here. Plus, given the cybersecurity talent shortage, we simply must automate certain time-intensive, manual tasks if we want to retain and make better use of the security professionals we have.
The question now is: How to automate successfully?
Security Orchestration, Automation and Response (SOAR) platforms and Extended Detection and Response (XDR) architectures have emerged to tackle the automation challenge. But the truth is, in cybersecurity we tend to focus on technology to solve all our challenges and sometimes lose sight of the importance of people. Turning automation over to machines works if you’re in a static environment doing the same thing over and over again. But for detection and response, which is dynamic and variable, that’s not the case.
Two movies immediately come to mind that illustrate this perfectly. The first is Top Gun: Maverick, and if you haven’t seen it yet, don’t worry, this isn’t a spoiler. Suffice it to say that in the sequel the Top Gun program is positioned as a program that is going to be displaced by automation. Until then, the military has to “make do” with the best pilots they have, armed with state-of-the-art aircraft, to undertake an extremely risky mission. It’s Maverick’s job to teach the pilots how to work within the guardrails of the machine to accomplish the mission. We all know that isn’t Maverick’s style, and with good reason. You’ll have to go to the theater to see how it all plays out, but I’ll just say that training, instinct and collaboration are also critical to the mission—not just technology.
For another example, think back to the movie Sully. It’s the story of Captain Chesley “Sully” Sullenberger, who famously made an emergency landing of US Airways Flight 1549 on the Hudson River, saving all 155 souls onboard. The technology was telling him to pull up and try to reach an airport; had he simply listened, the results would have been disastrous. Instead, his intelligence, intuition and 29 years of experience as a commercial pilot kicked in. Informed by data, Sully was able to make the right series of decisions at the time to land the plane safely in the river.
Balanced automation drives adoption
At ThreatQuotient, we’ve never framed the automation discussion as human vs machine, but rather human + machine. We refer to this as balanced automation where you automate repetitive, low-risk, time-consuming tasks, while human analysts take the lead on irregular, high-impact, time-sensitive investigations with automation simplifying some of the work. Balancing automation with human intelligence and analysis allows teams to always have the best tool for the job.
I’ve written before about how the ThreatQ Platform and our approach to automation helps you better enable SOAR. Here’s how balanced automation comes into play in all phases of security operations as the ThreatQ Platform enables XDR.
Detection. Adversaries have become craftier and shifted tactics to achieve their goals. So, detection has evolved from finding the one control point or system where the attack is being triggered, to the multiple points across the enterprise that are involved – and time is of the essence. With an open integration framework, data from disparate internal sources can be automatically aggregated, augmented and enriched with external threat data from the multiple sources the organization subscribes to – commercial, open source, government, industry and existing security vendors. When all this data is presented on a single screen, and prioritized based on parameters security teams set, it’s easier and faster for analysts to identify relationships and detect malicious activity across the enterprise.
Investigation. Automating many of the initial and repetitive aspects of detection accelerates the investigation process, which is best driven by humans. Bringing intuition, memory, learning and experience to the process, analysts contextualize correlated data with internal and external enrichment sources, such as the identity of the impacted user and the MITRE ATT&CK framework. For instance, if targets include the finance department, human resources or the C-suite, this could indicate a more serious threat. From there, they can pivot to external data sources like MITRE ATT&CK that describe campaigns, adversaries and their tactics, techniques and procedures (TTPs), to learn more about the malware and then expand the search further. If they discover an indicator is associated with a specific campaign or adversary, are there associated artifacts to look for in other tools to confirm the presence of malicious activity? What other intelligence can be deployed to the infrastructure for future blocking? This complex level of investigation requires human effort augmented by automation. It’s the most effective and efficient way to validate data and findings, connect the dots and reveal a broader picture that includes all impacted systems, versus a single incident on a single system.
Response. Now, the SOC is poised to execute a comprehensive response. Here too, certain aspects can be automated, like translating and sending data back to the tools across the defensive grid to update policies, rules and signatures. But depending on the security control and the recommended response, sometimes a human is required to review and validate the recommendations within the context of their own environment before executing. And when it comes to critical, legacy systems such as those that are pervasive across industrial environments, a human must walk through the process to make sure any actions will have no operational impact and, if so, identify and implement a compensating control. Closing the loop, a modern approach to response must also include the ability to capture and store data from the response for learning and improvement. This should include automated updates to data and actions, as well as analysts adding comments about their observations.
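The three phases above describe one pipeline: aggregate and enrich, prioritize against parameters the team sets, then decide what a machine may do on its own and what goes to an analyst. The following is an added illustration of that routing logic, not code from ThreatQuotient or the ThreatQ Platform. The threat feeds, asset inventory, indicator values, score weights and thresholds are all constructed for the example; the one rule lifted directly from the text is that a finding on a critical or legacy system is never actioned automatically.

```python
"""Balanced-automation triage: enrich, prioritize, then route each finding to
either an automated action or a human review queue, and keep an audit trail.

Added example with constructed data; it is not ThreatQuotient/ThreatQ code."""
from dataclasses import dataclass, field

# Constructed external enrichment, keyed by indicator. Stands in for the
# commercial, open-source and industry feeds an organization subscribes to.
THREAT_FEEDS = {
    "198.51.100.23": {"feeds": ["commercial-a", "isac"], "campaign": "EXAMPLE-CAMPAIGN", "attack": ["T1071.001"]},
    "192.0.2.77":    {"feeds": ["commercial-a", "osint"], "campaign": None, "attack": []},
    "203.0.113.9":   {"feeds": ["osint"], "campaign": None, "attack": []},
}

# Constructed internal asset inventory used to add business context.
ASSETS = {
    "fin-ws-04":  {"department": "finance",     "critical_legacy": False},
    "eng-ws-17":  {"department": "engineering", "critical_legacy": False},
    "plc-hmi-02": {"department": "operations",  "critical_legacy": True},
}

# Team-set prioritization parameters (constructed values).
POLICY = {
    "feed_weight": {"commercial-a": 30, "isac": 40, "osint": 15},
    "campaign_bonus": 20,
    "sensitive_departments": {"finance", "hr", "executive"},
    "sensitive_bonus": 25,
    "auto_close_below": 20,   # low confidence: machine closes, keeps for correlation
    "auto_block_at": 50,      # high confidence on a routine asset: machine blocks
}

@dataclass
class Finding:
    source: str      # internal tool that raised it (e.g. "edr", "proxy")
    indicator: str
    host: str

@dataclass
class Decision:
    indicator: str
    host: str
    score: int
    actor: str       # "machine" or "human"
    action: str
    reasons: list = field(default_factory=list)

def enrich(finding):
    """Automated step: join internal context and external intel onto the finding."""
    intel = THREAT_FEEDS.get(finding.indicator, {"feeds": [], "campaign": None, "attack": []})
    # Unknown hosts are treated as critical so they can never be auto-actioned.
    asset = ASSETS.get(finding.host, {"department": "unknown", "critical_legacy": True})
    return intel, asset

def score(intel, asset):
    """Automated step: prioritize using the parameters the team configured."""
    total, reasons = 0, []
    for feed in intel["feeds"]:
        w = POLICY["feed_weight"].get(feed, 0)
        total += w
        reasons.append(f"seen in feed {feed} (+{w})")
    if intel["campaign"]:
        total += POLICY["campaign_bonus"]
        reasons.append(f"linked to campaign {intel['campaign']} (+{POLICY['campaign_bonus']})")
    if asset["department"] in POLICY["sensitive_departments"]:
        total += POLICY["sensitive_bonus"]
        reasons.append(f"target in {asset['department']} (+{POLICY['sensitive_bonus']})")
    return total, reasons

def triage(finding):
    """Route: machine handles low-risk, repetitive outcomes; humans take the rest."""
    intel, asset = enrich(finding)
    total, reasons = score(intel, asset)
    if asset["critical_legacy"]:
        actor, action = "human", "review: validate operational impact, choose compensating control"
    elif asset["department"] in POLICY["sensitive_departments"]:
        actor, action = "human", "investigate: sensitive target, pivot on campaign and ATT&CK data"
    elif total >= POLICY["auto_block_at"]:
        actor, action = "machine", "block: push indicator to perimeter controls"
    elif total < POLICY["auto_close_below"]:
        actor, action = "machine", "close: low confidence, retain for correlation"
    else:
        actor, action = "human", "review: ambiguous score"
    return Decision(finding.indicator, finding.host, total, actor, action, reasons)

def run_triage(findings):
    """Process a batch and close the loop with an audit trail of who did what."""
    decisions, audit = [], []
    for f in findings:
        d = triage(f)
        decisions.append(d)
        audit.append({"indicator": d.indicator, "host": d.host, "actor": d.actor,
                      "action": d.action, "score": d.score, "comments": []})
    return decisions, audit

def add_analyst_comment(audit, indicator, comment):
    """Analysts record observations against the stored response for later learning."""
    hits = [e for e in audit if e["indicator"] == indicator]
    for e in hits:
        e["comments"].append(comment)
    return len(hits)

if __name__ == "__main__":
    batch = [Finding("edr", "198.51.100.23", "fin-ws-04"),
             Finding("proxy", "198.51.100.23", "eng-ws-17"),
             Finding("proxy", "203.0.113.9", "eng-ws-17"),
             Finding("edr", "203.0.113.9", "plc-hmi-02")]
    for d in run_triage(batch)[0]:
        print(f"{d.host:10} {d.indicator:15} score={d.score:3} -> {d.actor}: {d.action}")
```

Two design points carry the article's argument. The thresholds live in a policy object the team owns rather than in the code, which is what "prioritized based on parameters security teams set" means in practice. And the ordering of the rules matters: the critical-legacy and sensitive-target checks run before any score comparison, so a high score never lets the machine act where the text says a human must.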
There is a reason why security teams have shied away from automation for many years; things can break. But when automation is consciously balanced between humans and machines—optimized for an organization’s unique environment—we can unlock the full value of automation and accelerate adoption.