Experts Debate If Machines Could Take Over Security Decision Making
(Editor's Note: This feature is based on excerpts from a special session titled "Automating Security - Threat to Security Profession?" that took place at a recent DSCI Security Summit in New Delhi, India.)
Many reports in the market today talk about the changing role of the security practitioner and how the demands in the profession are evolving. With it becoming increasingly difficult for human operators to process all aspects of security, including massive amounts of data, "machine learning" and "automation" are terms that are increasingly common in security literature and forums (see: How Is The CISO Role Changing?).
From computing being used to support decision making to computers making the decisions themselves, there is a paradigm shift occurring, and this may have direct implications for the security profession, says Vinayak Godse, senior director at the Data Security Council of India.
Security automation is broadly defined as technology that effectively removes the security decision process from the user. Across all the specific domains of security, there is a push to bring in a range of automation strategies that take security decisions beyond human intervention, covering all levels of the security stack. Machine-assisted SOC decision support, security workflow automation and automated threat response are growing popular, and IT organizations are increasingly looking at security as a target for automation.
But is this good news or bad for the profession?
"Automation may affect the demand for security professionals adversely," Godse says. "Many companies, especially in the service sector, are talking about dynamic automation and reducing the number of operational jobs in the organization." Gartner, for instance, says that in the coming three to four years security skill demand predictions may not hold true because security is emerging as a key area for automation.
So, why is automation in security such a big deal? Is a situation imminent where security decision making goes beyond human intervention? If that is true, would that impact the demand for security jobs?
Why Automate
Automation is important in the security domain because, aside from the efficiency it brings, it can help reduce risks and operational error, where the human element may be a big factor. There is a lot of focus right now on risk and control automation in terms of understanding the specific functions that can be automated, experts say.
Supporting his premise, Godse says that attacks come in today through multiple vectors, and there is a need for contextual security that incorporates all the stages and vectors through which an attack reaches an organization, to enable informed decision-making. Security decision-making systems are going to be taking over this function in the future, he believes.
Godse says that because of the human cognitive limitation for processing information, while one asset, for instance, may have multiple vulnerabilities, human operators may only include a few of these in their analysis. Therefore, the introduction of machine learning and automation has a dramatic potential to change each and every aspect of how security is approached. The scale of detection is bound to go up, and the risks are bound to come down, which is going to make a strong case for relying on machines to do this, rather than on humans, he says.
Technology and automation can certainly be force multipliers in the security profession, David Shearer, CEO at (ISC)², agrees. "My hope is that automation can help us get our head above the water and enable us to look at the parts of the security program which are not being adequately addressed right now - from awareness, educating the board, and investment to ensure that security gets in at the budget formulation stages, so that resources are available to look more holistically at the issue, during execution."
Testing is right now a big part of security, and many aspects of it may still depend on manual analysis which uses statistical samples to detect issues. Automation enables one to check everything on an ongoing basis, in a more timely and accurate manner, which would not be feasible with a human agent alone, experts say. Shearer says that in the short term, major gains can be made by using automation to secure systems in segments like operations and productions management, manufacturing and industrial control systems - disciplines where the use cases are more finite than in the massive types of permutations elsewhere.
How Might the Profession Change?
(ISC)²'s Shearer says that while the profession may be good at finding threats, a mistaken view is taken that automation and increased dependence on technology and crunching information feeds mean that the security program is now in place.
"There is so much not being done in the holistic view of security, because most people are just busy keeping their head above water, just trying to keep the fundamentals in place," he says. "As workloads shift and we can leverage some of this automation, which I do think has great promise, it will help in getting some economies, as automation always does, but will not be the end state - I don't think it is the silver bullet."
Srikant Shitole of Symantec India believes that humans supported by the right tools and processes can deliver better output, and automation tools are going to play an important part in zeroing in on the right actionable intelligence for humans to take a call on. But this is not necessarily going to reduce security demand, as one would still need people to manage these systems.
"There is a paradigm shift happening, and analytics and security are the two key areas on which the entire automation paradigm is revolving," he says. This is where business models are shifting, and it is a balancing act. But he feels that employment in security is bound to go up and will not be adversely affected by security automation (see: Human Behavior Analysis: The Next Big Thing?).
Sapan Talwar, head of IT security at Adobe, agrees that the approach needs to be balanced, for the simple reason that humans create intelligence. But given the proliferation of threat vectors on a daily basis, and that practitioners are always playing catch up with the bad guys, it will probably be the hackers that turn to automation and artificial intelligence first, he says. "But as long as there is a human being trying to leverage these tools to break security, a corresponding human intelligence will always be needed to defend."
However, the trends in automation in other industries show that sizable investments have meant that operational investment in terms of people is going down drastically across sectors, and security may not be any different, argues Godse.
He feels it is a reasonable assessment that dynamic automation technologies are going to lead to the phasing out of the level 1, level 2 kind of job roles in security, which have the potential to be automated to the extent that human intervention is no longer required.
Should Practitioners Be Concerned?
Talwar agrees that while new technology paradigms may create new areas and roles for security, the conventional area will see a drastic reduction in the number of jobs that are available. However, he points out that machines would perhaps not do such a great job of handling exceptions and unique situations that fall outside their programmable parameters. Experts also opine that with the increasing customization of attacks, it is reasonable to assume that attackers will try to customize attacks in ways that exploit the machine element in automation, making human oversight a critical element.
Automation is going to have more and more economies, but it's going to be some time before we can see the ubiquitous use of automation across the industry, says Shearer. And as and when automation, AI and cognitive systems arrive on the scene, there needs to be a human to operate this paradigm, and that is likely where the profession may be headed (see: Strengthen the CISO Office).
Just as with air traffic control, where the question of automation has only led to increased capacity and accuracy, that is what the sizable consensus is in terms of automation in security, experts say. For a long time to come, it is expected that with the adoption of all these technologies, the demand for security professionals will only go up. When it gets to a point that these machines start to become reliable enough to operate on their own, reskilling is what will be required, and automation certainly shouldn't be looked upon as a threat to the profession, they say.