Everyone’s talking about automation as cyber security’s salvation. I wish I could agree with the same level of enthusiasm as some of my colleagues and friends. The fact is, no matter how much lipstick you throw on that pig, it still tastes like bacon.
It appears to me that what the technology industry is lacking in process, it attempts to make up for with automation. This approach plainly does not work.
Cybersecurity appears to be learning no lessons from our colleagues in IT, and in fact, seems to be doubling down on automation for salvation. Where we lack process and expertise — we buy technology. I recognize an apparent lack of truth and transparency in the cyber security product market. Some of us have been fighting this for years with little success to show for it. For an interesting take check out this Twitter thread by Mike Murray. I, perhaps unlike you, am deeply frustrated by the lack of actual progress in our industry.
How did we get here?
Early in my career, nothing was automated like you see today. We updated anti-virus definitions by hand before Symantec introduced corporate IT to the concept of managed anti-virus. I’m not saying they were the first, only that Symantec was my first true enterprise-grade tool. Automation was very poor, and it often failed, but at least the work was not manual anymore.
In the last twenty years, security professionals have done a catastrophically poor job at creating repeatable, sustainable, process-driven activities. It started in the SOC — where analysts would just “do security stuff” sifting through raw log files, looking at a half-dozen different dashboards, and of course checking the SIEM. Because these teams were used to living in chaos, they just accepted that things were done however you can do them. Worse, documenting processes and ways of doing things became somehow undesirable. If you don’t believe me ask a SOC analyst what their processes are like. Very few organizations are mature enough to have repeatable, documented, and optimized processes for analyzing the mountains of data and alerts to make security decisions. Very. Few.
The problem spills far beyond the boundaries of the Security Operations Center (SOC). Unfortunately, in my career, I’ve experienced a lack of processes everywhere from the software development lifecycle, change management, security management, incident handling, and various other critical areas of IT.
The result is a predictable level of chaos and inefficiency.
So what have companies done to account for this obvious lack of process? Technology purchases of course! Seems logical, right?
The big problem I believe that security leaders somehow either overlook or ignore, is that technology and automation only mechanize existing processes. If you have nothing to automate … well, I’ll leave you to finish that sentence in your own head. Where does that leave the state of the industry? With three very big problems:
- Reliance on vendor “out of the box” technology — because when you have nothing, you take what you can get. I shouldn’t have to explain why this is problematic. Your vendors don’t know your organization, your staff, your particular quirks, or organizational challenges. Simply relying on out-of-the-box solutions for security automation creates a wildly inefficient, poorly implemented, and immature organization. Even if you pay a ton of money to a consultant to “customize” the technology to your environment, remember that you’re now beholden to that person to repeat that task regularly because your business is not static and changes regularly.
- Predictable in an undesirable way — because attackers know how out-of-the-box security tools work; they buy them too! Without adaptation and customization, your security organization is predictable and thereby rather easily manipulable and able to be bypassed. Evidence of this is all over the news, literally every single day.
- Immature — because chaos with a lot of technology is still chaos. It’s just very expensive chaos with pretty dashboards. Maturity is critical to security and having well-designed processes is fundamental to maturity.
So, look, while I applaud that companies are taking the initiative to implement XDR-based technologies and SOAR — that tree is unlikely to yield any fruit. If I may offer up a suggestion — before you write that next budgetary check investigate the process maturity of your security organization. Ask yourself a few fundamental questions:
- Are we interested in automation to scale and mechanize our existing mature processes, or are we looking for the tools to build processes for us?
- Do the tools we’re thinking of implementing support our processes or are we going to change how we operate to accommodate the tools?
- Does the automation technology we’re interested in purchasing adapt quickly and easily as our processes change?
It’s not too late to break out of this death spiral we seem to be in, but the point of no return is close. Technology will continue to evolve and the point where manual data analysis was practical is a distant and forgotten time. Without well-thought-out processes in the security organization, no magical tool will save you. Not even that next-next-Gen AI-powered cloud-based SOAR widget all the analysts are raving about right now.
