Automation: the Cure for Security Fatigue

Automated attacks require automated responses

When you feel tired, a simple and quick way to regain some of that energy is to grab a cup of coffee – some caffeine. What is the caffeine solution for security fatigue? It’s automation.

Security fatigue sets in when security professionals begin to drown in a sea filled with unending cybersecurity alerts and warnings – whether they’re real or false alarms.

Moreover, fatigue can lead to mistakes which can lead to data loss as we saw in the Gitlab incident earlier this year. As Mordecai Rosen said in that blog:

“Newsflash: we’re all human. Mistakes will be made. Unfortunately in IT security, when you’re dealing with company, employee and customer systems and data, it’s likely that a mistake will be harmful to one or all of those stakeholders.”

It’s A Bird, It’s A Plane, It’s Another Security Alert

A recent study from the National Institute of Standards and Technology (NIST) found that when people are asked to make more security decisions than they can manage, they experience decision fatigue.

Security teams of all shapes and sizes are receiving nearly 17,000 alerts every week. This means that in an organization with 10 dedicated security personnel, each person would have to review nearly 1,700 alerts per week. A Ponemon study found that only 29 percent of all alerts are investigated, while 68 percent of organizations are spending a substantial amount of time mitigating false positives.

If security teams are receiving thousands more alerts than they can physically address, how can we expect them to successfully find the real threat in a sea of possible threats?

A technology-driven paradigm shift toward behavior, analytics and automation

In 2016, a team in DARPA's Cyber Grand Challenge created a program called Mayhem, which automatically detects and patches vulnerabilities in software with no human in the loop.

New technology is making it possible for security teams to automate their processes and stay ahead of the next big hack. But this technology isn’t exclusive to the “good guys.”

Today, attackers are stepping away from their keyboards and letting automated attacks do most of the work for them, using botnets built from compromised IoT devices, as in the DDoS attacks launched with the Mirai malware.

It is no longer enough to learn of malicious activity days or hours after it occurs. If an attacker is using an automated attack mechanism, then an organization's security solution needs to be able to respond in kind. Analytics and machine learning have become central to detecting anomalous and potentially malicious behavior and launching an automated response the moment a risk is detected.

Identity and access management (IAM) tools give security teams a smarter way to control access. CISOs can configure automated mitigation so that a user's access is restricted when their behavior deviates from what their usual job responsibilities would require. By bringing governance and control to every application, user and level of access across the enterprise, IAM provides a responsive, identity-aware ecosystem that blocks or limits actions a user has no business need to perform.
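To make the "anomalous to their usual job responsibilities" idea concrete, here is an added example of the kind of logic behind such an automated mitigation. It is illustrative code written for this article, not a CA Technologies product or the approach of any specific IAM tool. It builds a simple per-user baseline (applications used, hours of access, source countries) from a constructed access log, scores each new access event against that baseline, and maps the score to an automated response: allow, require step-up authentication, or restrict access and open an incident. The log format, field names, weights and thresholds are all assumptions chosen for the example.

```python
"""Behavior-based access mitigation, as an illustrative example.

Constructed for this article; not code from any product. The log format,
weights and thresholds below are assumptions, not recommendations.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed historical access log: (user, application, hour_utc, country)
HISTORY = [
    ("alice", "payroll", 9, "US"), ("alice", "payroll", 10, "US"),
    ("alice", "email", 8, "US"), ("alice", "email", 17, "US"),
    ("alice", "payroll", 14, "US"), ("alice", "email", 12, "US"),
    ("bob", "git", 9, "DE"), ("bob", "git", 10, "DE"), ("bob", "git", 15, "DE"),
    ("bob", "ci", 11, "DE"), ("bob", "ci", 16, "DE"),
]

MIN_EVENTS = 5      # assumed: fewer events than this is a cold start
RESTRICT_AT = 4     # assumed score thresholds
STEP_UP_AT = 2


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from history."""
    apps: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    events: int = 0


def build_baselines(history):
    """Aggregate the historical log into a per-user Baseline."""
    baselines = defaultdict(Baseline)
    for user, app, hour, country in history:
        b = baselines[user]
        b.apps.add(app)
        b.hours.add(hour)
        b.countries.add(country)
        b.events += 1
    return dict(baselines)


def _hour_distance(a, b):
    """Circular distance between two hours so 23:00 and 00:00 are neighbours."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(baseline, app, hour, country):
    """Return (score, reasons). Each deviation from the baseline adds weight.

    A user with too little history cannot be judged, so the cold-start case
    is scored high enough to force step-up authentication rather than an
    outright block or a silent allow.
    """
    if baseline is None or baseline.events < MIN_EVENTS:
        return STEP_UP_AT, ["insufficient baseline for this user"]
    score, reasons = 0, []
    if app not in baseline.apps:
        score += 2
        reasons.append(f"application {app} never used by this user")
    if country not in baseline.countries:
        score += 3
        reasons.append(f"access from new country {country}")
    if all(_hour_distance(hour, h) > 1 for h in baseline.hours):
        score += 1
        reasons.append(f"access at unusual hour {hour:02d}:00 UTC")
    return score, reasons


def decide(score):
    """Map an anomaly score to the automated response."""
    if score >= RESTRICT_AT:
        return "restrict"   # suspend access and open an incident
    if score >= STEP_UP_AT:
        return "step_up"    # require MFA before continuing
    return "allow"


def triage(baselines, event):
    """Score one (user, app, hour, country) event and return the decision."""
    user, app, hour, country = event
    score, reasons = score_event(baselines.get(user), app, hour, country)
    return {"user": user, "score": score, "reasons": reasons,
            "decision": decide(score)}


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    # Constructed new events: routine, suspicious, and clearly anomalous
    for ev in [("alice", "payroll", 10, "US"),
               ("alice", "payroll", 10, "RU"),
               ("alice", "hr_admin", 3, "RU"),
               ("carol", "email", 9, "US")]:
        r = triage(baselines, ev)
        print(f"{r['user']:6} {r['decision']:9} score={r['score']} {r['reasons']}")
```

The response happens at the moment of the event, not after an analyst works through a queue, which is the point of the paragraph above. The weights and thresholds are deliberately crude; a production system would learn them from far richer telemetry, but the shape is the same: baseline, deviation score, pre-agreed automated action.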

With increasing connectivity across the globe, the stakes have never been higher in the arms race between security teams and bad actors. Automation will remain a key element of security response systems as attacks increase in both frequency and sophistication.

About the author

David Billeter is Chief Information Security Officer at CA Technologies. David has particular expertise in securing complex systems, and proven abilities to interact and win “buy-in” from executives, technologists and varied interest groups.