Advancements in the fields of machine learning and AI have become increasingly noticeable in the cyber security industry in recent years. Various solutions designed to streamline the incident response efforts and make them more effective, employ these technologies nowadays.
There is no question that automating certain tasks within the incident response process – in particular those involving routine and mechanical work – helps make organisations more resilient to cyber attacks. But, some cyber security professionals tend to equate automating some aspects of the process with making the entire process automatic, which are actually two different concepts.
It’s important to note that, when it comes to cyber incident response, automation and automatic should not be considered to be synonymous.
In its essence, automation, when combined with an orchestration solution, helps reduce reaction times by replacing the most repetitive and routine tasks that usually consume a large portion of the time security professionals dedicated to cyber security events, while allowing them to keep control over the entire process and maintain the possibility to use human judgment during the decision-making stages.
Automatic, on the other hand, basically means giving complete control of the incidents to a machine, which in some cases may produce incorrect results and even incur severe damages to an organisation.
How CISOs are navigating the “new automated vs. automatic world”
In this newly-created environment, where the idea of automatic response is gaining more and more traction, one of the main questions that arise within the cybersecurity professionals community is how CISOs are navigating it and whether they are eager to implement full automation or they are aware of the potential risks that it involves and are determined to stick with an orchestrated approach.
It can be said that there are a lot of CISOs that are tempted to embrace automatic incident response, but what they need to know before they do that is that there are numerous challenges and hurdles associated with such a move.
For instance, there are specific compliance risks that might arise from this type of scenario. Compliance with data breach notification laws is paramount in the incident response realm, as organisations are required to notify their customers about breaches and submit reports on those breaches to the appropriate authorities within a given period of time.
To be able to achieve that type of compliance, organisations simply can’t rely on an automatic incident response system, since it involves human input during the process of assessing the scope, severity and impact of breaches, which must be completed before the organisation can decide if a specific breach is subject to notification laws.
The General Data Protection Regulation (GDPR) as an example, which is set to go into effect in May 2018, is one of those strict regulations that require certain organisations that have experienced a data breach within 72 hours of becoming aware of the breach, and notifying individuals affected by that breach if it is determined that the breach had an adverse impact.
To determine these facts, and decide whether a breach should be reported, organisations need cyber security professionals who are aware of the existence of such regulations and know them in details, and react in accordance with those regulations, something that an automatic incident response system is not capable of doing. The sanctions for not complying with these regulations can be pretty severe, including high fines that can seriously hurt an organisation’s bottom line.
Will cyber security keep the human element in the future?
Another major question that is being raised in the cyber security community is whether there is still a need for the human element in incident response. Rapid advances in the field of machine learning and artificial intelligence have brought this question to light, with proponents of automation claiming that it is the logical and inevitable next step for cyber security.
While the idea of having automatic incident response may sound appealing, the more reasonable and founded opinion is that the human element will continue to play a significant role in cybersecurity, due to several important reasons. First and foremost, as stated above, there is the fact that human judgment is still necessary in many key aspects of incident response, such as ensuring regulatory compliance.
>See also: Automation: a network necessity
Then, experienced and highly-skilled cyber security professionals are, and should continue to be, an inseparable element in the incident response orchestration process. Orchestration is necessary for security teams to be able to effectively and efficiently conduct the entire incident response process without losing control over some essential aspects of it, such as recovery and eradication, in addition to preparation and post-incident analysis, which require human input.
Furthermore, CISOs are undoubtedly expected to remain a part of some of the more wide-reaching activities related to incident response, such as raising cybersecurity awareness among all employees within their organisations, and enhancing their organisation’s resilience to future cyber attacks.
To put it briefly, incident response is bound to get more and more automated, as machine learning and AI have a lot of potential for making the whole process more efficient, but automation should be done with caution and up to a certain point, without giving up the human element and allowing CISOs to keep control over all cyber security events, due to the irreplaceable knowledge and expertise they have and due to the obvious shortcomings of these technologies that have yet to be resolved.
Sourced from Dario Forte, founder & CEO of DFLabs