Speed and accuracy in identifying and responding to threats are the alluring promises of automated cybersecurity defenses. The average cost of a data breach is $3.86 million, with the average time to detect and contain pegged at 280 days, according to Ponemon Institute research. Any system that can reduce those figures is welcome, so it’s no surprise that artificial intelligence (AI) and other automated defenses are seeing rapid and wide adoption.
While there’s enormous promise in AI-powered tools and machine learning, they are very much a double-edged sword. Cybercriminals and other threat actors can engage the same techniques or manipulate the automated systems businesses employ. Because these technologies are not mature or well understood by the average IT department, there’s also scope for misconfiguration and disruptive clashes between overlapping systems.
Hype accompanies every new cybersecurity trend. A wave of automated defense technology is being hailed as the answer to skills shortages and increasing levels of attack. Security orchestration automation and response (SOAR), extended detection and response (XDR), and user and entity behavior analytics (UEBA) are leading the charge. The trouble is that their capabilities are sometimes oversold, and the problems they introduce can outweigh the benefits.
The scope and complexity of most organizations make adoption challenging. To reap the rewards of an automated system requires proper planning and compatible infrastructure. There’s also a dangerous temptation, especially after making a large investment, to push these new technologies to handle things they were not designed to handle.
While they may enable cost-cutting in the longer term, proper integration and management of automated systems can increase costs in the short term. Unrealistic expectations and complacency can lead to disaster.
Lack of Understanding
Automated cybersecurity is a competitive space. The SOAR market is growing fast and expected to reach $1.3 billion by 2026, up from $721 million this year, according to 360 Research Reports. The leaders are naturally determined to protect their intellectual property. Many machine learning systems also rely on a black-box model, so there is very little, if any, insight into these products’ inner workings.
If the vendors don’t understand why decisions are being made, how can their customers?
Placing this level of trust in an unproven autonomous system is very risky. To make matters worse, there’s a knock-on effect in terms of diminishing skills throughout your workforce. As automated systems take over with the expectation they will plug the skills gap, there will be fewer hires and less incentive for training.
One of the biggest dangers of placing trust in an automated system is that it can be manipulated by threat actors. The organization under attack has no way of knowing if the system has been tampered with. It can be alarmingly easy to poison automated systems with tainted datasets. This could dangerously skew machine learning algorithms over time or cause innocent traffic to be flagged as anomalous in the short term. Attackers don’t necessarily have to fool the system; they can just overload it, prompting shutdowns of services or networks that could leave everyone locked out.
Even without malicious actors at work, some automated defenses may clash with other tools and systems on your network. Take the analogy of infection causing fever in the human body. The immune system is turning up the heat to try and kill the bacteria invading your body, but the fever can incapacitate or even kill you in extreme circumstances.
How to Approach Adoption
While there are risks, automated cybersecurity defenses also represent a real opportunity. But they must be handled carefully. Adoption should be fully planned, set a reasonable expectation level, and ensure that you have the internal skills to properly configure and interpret the automated system.
It’s crucial to assess the level of autonomy these systems have and limit their ability to shut down services without some human oversight. Build trust slowly. Closely examine the sources that automated defenses rely upon, and find a way to continuously monitor the data sets to guard against poisoning attempts.
Mitigate risk by drafting incident response plans to cater to different automated system failure scenarios. Rehearse these response plans and tweak them as necessary to ensure they are effective. It’s also wise to implement strict testing and change management to curtail overreliance on any automated system.
There’s little doubt that automated cybersecurity defenses will have an increasingly important role to play, but we must resist the temptation to move too rapidly. Choose a considered strategy over blind trust and temper your expectations to get the most from this burgeoning technology.