The Security Automation Train is Coming Fast – Will you be on board?


Having led marketing in cybersecurity throughout much of my career, I’ve had the opportunity to position and launch a range of products that protect endpoints, networks, applications, the cloud, mobile devices, web content and more. It has been a privilege to work with some extremely intelligent security pros, and market some of the most impactful and game-changing security products of our time. My latest endeavor at Swimlane is no exception.

But as I tune into current events, I can’t help but wonder what the general public must think of the cybersecurity industry today. After all, organizations of all sizes and types continue to be compromised at will. And for those uninitiated into technology, it must appear that anything can be compromised – from beer and beef to gasoline and cruise lines.

Less comforting are the words of United States Secretary of Commerce Gina Raimondo, who recently commented that businesses of all sizes and industries should assume that cyberattacks will likely only intensify.

But if you step back and observe our world today, there are some logical explanations for the challenges we all face. For one, there’s more data being generated and gathered every day from applications, endpoints and networks. And when coupled with the current infrastructure explosion and application sprawl to the cloud, it’s no wonder the billions of dollars being spent on cybersecurity are not enough to prevent leaks and attacks.

The “new world order” of security

It used to be just servers and server virtualization. Now it’s serverless, Internet of Things (IoT), cloud, 5G, and even cars. As I discuss this new world order with Swimlane co-founder Cody Cornell, someone who’s been deep in the trenches of implementing and managing security for much of his career, he poses a very simple academic question: “If I give more people all the data, netflow, log data, alert data, vulnerability data, and everything that an organization produces in an hour, how long would it take that team to run that data down?”

He chuckles at my response of “Well, it depends,” but his point is that it can take days of dedicated time to analyze and process just an hour’s worth of app, network and endpoint data. He goes on to point out that if we filled every one of the nearly 500,000 cybersecurity job openings right now in the US alone, we still would not have enough people to catch those critical “small” things – before they become “big” things. Take the emergence of Kubernetes, for example. How many tried-and-true Kubernetes security experts are there in the world? Safe to say not many.

Beyond the human challenge of security, we must also evaluate the approach. There are plenty of vendor-led approaches out there for “proactive” threat detection and response, but Cody likes to single out one approach in particular that many security vendors like to talk about: prioritization. These approaches are designed to help you “prioritize” the most important things, look for the outliers, and find the things that are critical.

But here’s the rub. According to Cody, these are symptoms of not having enough capacity. “If I get five emails a day, I don’t create Outlook rules. I work through my five emails and call it a day,” he argues. “But when you get 500 emails a day, prioritization becomes a problem.”

Here comes the bullet train to security automation

What automation does is give you the capacity to reduce the amount of work down to a manageable level so that prioritization is not needed. Historically, when automation has been pitched to organizations, the IT leadership might have outsourced more to India or simply hired more people. There was a reluctance to let go of the steering wheel, or just general doubt about the maturity of the technology. It was more of a privilege for those who could afford it in order to make their lives better. Today, Cody contends that “automation is a necessity, or you will be blind.” This is a reality that drives the entire Swimlane team and product development, day in and day out.

To understand this more, you need only look as far as the kill chain or threat attack lifecycle modeling, where we are looking for that catastrophic data exfiltration event or some lateral movement. But that didn’t just happen. It was the 3, 5, or 100 things that happened before that event, none of which came up “red” on the dashboard. They came up green, yellow or blue. Cody says there’s always a canary in the coal mine. What was the thing that led to the thing that led to the “oh sh** moment”?

It begs the question: What if you could have acted on that low-level thing? This is the point where those tools start generating low-level alert data and potential false positives. All these tools that are available are good, but what is the action being taken? What do they do about it? As NDR, EDR, XDR, and other tools start generating alerts at the lower deviation level, the customer will just start saying, “That’s a false positive…I don’t like all the false positives.”

If you have a machine that is eating false positives, the machine doesn’t care. It will do that all day long. For a human being, this approach erodes confidence in the technology. But to a machine, you’re saying, “Give me anything that’s a slight variance, because I don’t care.” Cody says no one is going to get pissed off; they would rather find something early, and if it takes going through 8 million false positives to find the one true positive, it’s a machine…it doesn’t care!

It’s called operations for a reason, because there is a human element to all of this. Just look at the two decades of psychology that generated a level of trauma and stress around false positive rates. That has changed the way we think about operations in this new world we live in. Cody says it’s a re-think: “We need to stop thinking about things as a people problem, but a combination of people and technology.” You don’t have people doing data science who are thinking about how to get the efficiency out of the team. Cody argues it’s about building a data pipeline, and security orchestration, automation and response (SOAR) is like the first and last mile of the data pipeline for security.

What’s next for security automation?

I leave you with these questions: Will any organization in the world have all the expertise they need in order to be the best they can be from a security operations perspective? Will we ever have enough security resources to stay ahead of the threat? Back in January, Cody said in a blog post that as a category, security automation has the highest potential to improve the security of organizations globally. This is why I believe automation is the single most important segment of cybersecurity today.

Having recently joined the Swimlane team, I am incredibly excited to play a role in providing organizations with a low-code solution that empowers them to leverage automation in ways that work specifically for them. If you haven’t seen it yet, check out our latest product announcement. And don’t take my word for it, schedule a demo and see for yourself.
