CyberEye

Role for humans in cybersecurity automation

Security automation: Are humans still relevant?

Cybersecurity is being pushed in two directions. On the one hand, the growing complexity of information systems and the onslaught of threats facing them are putting a premium on speed. Automation is the future of security, said Matt Dean, vice president of product strategy at FireMon. Decisions made about who and what gains access to resources need to be smarter and faster.

“We’ve got to get humans out of the equation,” Dean said. “They can’t react fast enough.”

The trend toward automation is evident in the government’s growing emphasis on continuous monitoring of systems and networks. It is the only practical way to achieve the situational awareness promised by continuous monitoring. Agencies are supposed to be using SCAP-compliant security tools, and the “A” in SCAP stands for Automation: Security Content Automation Protocol.

On the other hand, Randy Hayes, who leads Booz Allen’s global predictive intelligence business, said more humans are needed in the loop.

“You do need fully automated solutions,” Hayes said. But machines can’t do it all. Agencies need security operations centers (SOCs) staffed with highly trained analysts to monitor alerts and connect the dots, using human intelligence to anticipate attacks in a way that even the fastest machines can’t do. “We need to bring more intelligence tradecraft to bear.”

Hayes advocates an approach called resiliency, an operational strategy that treats cybersecurity like warfare. Protecting yourself from an attack with static defenses provides a false sense of security, he said. Attacks must be anticipated through knowledge of the enemy and blocked before they occur.

The two views of security are not mutually exclusive. As Hayes acknowledged, automated solutions are necessary, if not sufficient, for cybersecurity. And proponents of automation recognize that a primary benefit is to free analysts from routine chores so that they can concentrate on the threats that require human attention.

The conflict comes down to two questions: How many humans are needed in the cybersecurity loop and how many humans can we afford?

How many are needed will vary depending on the size, complexity and criticality of the enterprise being protected, of course. The more effective the automated tools being used, the more attention humans can give to serious issues. But with increasingly tight budgets and an employment market in which government is competing with the private sector for scarce human resources, agencies are likely to be perennially short-staffed with experienced cybersecurity professionals.

Hayes is convinced that the money to provide adequate human intelligence for cybersecurity across government already is there, if budgets are just prioritized properly at the highest levels of management. Many agencies already are operating their own SOCs or have access to shared facilities, Hayes pointed out.

But human staffing remains a problem for cybersecurity analysis, according to a report from the Homeland Security Department’s inspector general. Evaluating DHS efforts to coordinate federal cyber operations centers, the IG found that the National Cybersecurity and Communications Integration Center’s (NCCIC) incident response capability could be hindered by the inability of the Office of Intelligence and Analysis and the Industrial Control Systems CERT to provide around-the-clock staffing. Cyberattacks can happen at any time, but the Office of Intelligence and Analysis provides coverage only 14 hours a day for five days a week, which is less than half of the week. NCCIC told the IG it does not have funding to hire more analysts.

Doubtless, more effective use could be made of existing budget and staff, but it is unlikely that personnel for effective 24/7 analyst staffing in government SOCs will be available soon. To fill this gap, there will have to be greater reliance on automation rather than humans for the time being.

Posted by William Jackson on Jul 25, 2014 at 8:28 AM


Reader Comments

Sun, Aug 10, 2014 Fernando de Almeida

Interesting perspectives. Automation certainly plays a key role when dealing with Big Data type of surveillance. Humans still need to be part of the oversight, need to understand internals of the technologies, and have the ability to override automation. Advanced Persistent Threats can be caught but are subtle. With low profile in volume and long time span they are better handled by automation (ex. flow analysis throughout the Enterprise along with domain controllers and perimeter devices logs). Put in the mix IPv6 along with virtualization and identity management in the Cloud and Mobility. How fast can a human reason? Keep in mind that automation is the result of human coding stimulus leading to response ... There is room for failure if not constantly revisited as changes are made in the Enterprise. Fernando

Sat, Jul 26, 2014 Don Turnblade

There are two specific areas that I see where speed is of the essence. 1) The Mean Time To Repair a hacking smash and grab data leak needs to drop below 20 minutes. 2) The Mean Time To Detect unauthorized personnel in out of bounds locations needs to actually drop to less than 4 minutes. If these objectives could be met, the process of transforming a major Information Security Incident into a minor Security Incident would pay for itself in minutes of its first use.
