
The benefits of automation to cyber security

Opinion

08:30 Wednesday, 05 January 2022

UK Cyber Security Council

Many aspects of IT management and support can be highly manual, and the specific area of cyber security is no exception. In many cases human activity is necessary; it needs a flexible, thinking human being to achieve the task in hand. 

Where we can automate security activities, though, and get machines to do the work, we discover a plethora of benefits over a human-driven process. 

Let's begin with some of the well-known - obvious, even - observations. The most fundamental benefit of automation is that, once the automation scripts and routines have been tested and debugged, the likelihood of error is considerably lower than with a manual approach. This is the case even for manual approaches with a "second pair of eyes" check: complacency is common, generally in proportion to how tedious the work is, and even reasonably conscientious reviews can suffer mistakes, particularly during busy or rushed periods.

Also of benefit is the fact that automation can run whenever one wishes, without any need for overtime pay or complaints about unsociable hours. Without unattended operation, it would simply not be possible to fit everything into a working day. 

We noted earlier that no matter how much we automate there will always be a need for "a flexible, thinking human being". We all prefer to do interesting, engaging work over something tedious and mundane, so we can use automation not just as a means of ceasing to do the latter but as an opportunity to do more of the former. People are stimulated by tasks that make them think, and which require human skills that are not shared by machines, so we must take every opportunity to focus people on that type of work.

None of this is surprising, of course: most of us have been using some kind of automation - even if just an occasional batch file or Unix shell script. Let us move on, though, and look at an area of automation that has existed for over 15 years: Intrusion Prevention Systems, or IPS.

According to the SANS Institute, Intrusion Detection Systems, or IDS, have existed in one form or another since the 1980s. Rudimentary at first, just like any other technology, IDS has developed rapidly into what was estimated in 2020 to be a US$1.5bn industry.

IDS and IPS have a key difference: as the names imply, an IDS detects intrusions, whereas the aim of an IPS is to prevent them. The IPS does this by using the data from the IDS to take pre-defined actions automatically, stemming the intrusion without the need for human intervention.

The automation of reactions to attacks can be unpalatable to both technical and business staff. This is, ironically, because it can be difficult to trust a machine: although the automated system will carry out precisely the actions that have been configured into it, there is an inevitable air of doubt regarding what will happen and what the impact will be.

This is a perfectly understandable concern. If we look at the field of incident response, the high-level view shows us a documented framework outlining the fundamental elements, with a team of people responding to the crisis call, evaluating (and constantly re-evaluating) the situation and any information coming in, and reacting (and adjusting the reactions) accordingly. 

An IPS cannot think like an incident response team; it merely behaves as its configuration tells it to. At a low level, this is not a problem - and hence not tremendously unnerving to the technical or business teams - as the impact of an IPS rule firing can be modest: it can drop data packets that are part of traffic streams it considers malicious, or block the source IP addresses of suspect connection requests. 

Cutting off the attack 

Configuring the IPS to take modest, low-impact actions is, however, a failure to use it as it was intended. The whole point of IPS is that it can get there first and not just tinker at the edges of an attack and impede it a little, but that it can potentially halt an intrusion in its tracks. We have a tool that watches network traffic all through the day and night, every day of the year, so we should bite the bullet and configure it to take drastic action where to do so is warranted. 

In many ways we can even use this approach to alleviate humans' natural hesitancy when under pressure: even when a policy says one should take a particular action, there can be a natural reticence to take drastic action such as taking the business's internet connection offline, or shutting down Active Directory domain controllers because they are seen to be helping a ransomware attack replicate across the organisation. So long as the automated action has been understood and signed off in advance by management as part of the incident response plan, there can be no finger-pointing in the event that an attack occurs, and causes the automated intervention to be triggered. 

Lowering the risk 

Let us step back for a moment from high-impact automation, though, and look at some of the more routine tasks for which automation can bring us benefits - because although automated incident intervention brings potentially large benefits, it is required relatively infrequently. What about automation that benefits us day in, day out? 

The security activity that lends itself best to automation - in that it can provide the greatest saving of human time whilst also gaining the benefits that automation brings with regard to eliminating human error - is identity management. If one has a variety of systems and applications, each will have its own level of difficulty when it comes to automating user ID provisioning and de-provisioning. The majority of organisations base their systems on a Microsoft platform, which lends itself tremendously to automation because standard tools such as Microsoft's own PowerShell scripting platform make Windows (or, more correctly, Active Directory) user provisioning a very simple process. And where applications use AD groups for their permission control, it is therefore trivial to extend the automation to cater for those applications. The most useful aspect of automating such tasks is that one can take a gradual approach: provisioning can be done one system at a time, each exercise giving a benefit in time saving, unlike many implementations where one sees no benefit until the last system has been dealt with.
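As an added illustration of the joiner/leaver automation described above (this is example code written for this page, not a script from the UK Cyber Security Council), the following PowerShell processes a CSV of joiners and leavers against Active Directory using the RSAT ActiveDirectory module. The domain name, OU paths, group names, CSV columns and file path are all assumptions; the script supports -WhatIf so it can be dry-run before it is trusted with a live directory.

```powershell
# Added example: CSV-driven Active Directory joiner/leaver processing.
# Assumptions: RSAT ActiveDirectory module installed; domain example.local; the OUs and
# groups named below exist; the script runs under an account delegated rights over the
# Staff and Leavers OUs only (not a Domain Admin).
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CsvPath   = '.\joiners-leavers.csv',           # assumed input file
    [string]$StaffOu   = 'OU=Staff,DC=example,DC=local',    # assumed OU
    [string]$LeaversOu = 'OU=Leavers,DC=example,DC=local',  # assumed OU
    [string]$UpnSuffix = 'example.local'
)

# Department -> AD groups that grant application access (assumed names). Applications
# that read these groups are provisioned "for free" once the user is placed in them.
$DeptGroups = @{
    Finance = @('APP-Finance-Users', 'FS-Finance-RW')
    HR      = @('APP-HR-Users')
    IT      = @('APP-Helpdesk', 'FS-IT-RO')
}

function New-InitialPassword {
    # 20 random characters from the OS CSPRNG; the user must change it at first logon.
    $bytes = [byte[]]::new(15)
    [System.Security.Cryptography.RandomNumberGenerator]::Fill($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-Joiner {
    [CmdletBinding(SupportsShouldProcess)]
    param($Row)
    $sam  = $Row.SamAccountName
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties MemberOf
    if (-not $user) {
        if ($PSCmdlet.ShouldProcess($sam, 'Create AD user')) {
            New-ADUser -Name "$($Row.GivenName) $($Row.Surname)" -SamAccountName $sam `
                -UserPrincipalName "$sam@$UpnSuffix" -GivenName $Row.GivenName `
                -Surname $Row.Surname -Department $Row.Department -Path $StaffOu `
                -AccountPassword (New-InitialPassword) -Enabled $true -ChangePasswordAtLogon $true
            $user = Get-ADUser -Identity $sam -Properties MemberOf
        } else { return }   # -WhatIf: no account yet to put into groups
    }
    # Add only the department groups the account is not already in, so re-runs are safe.
    foreach ($g in $DeptGroups[$Row.Department]) {
        $dn = (Get-ADGroup -Identity $g).DistinguishedName
        if ($user.MemberOf -notcontains $dn) { Add-ADGroupMember -Identity $g -Members $sam }
    }
}

function Invoke-Leaver {
    [CmdletBinding(SupportsShouldProcess)]
    param($Row)
    $user = Get-ADUser -Identity $Row.SamAccountName -Properties MemberOf
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable, remove groups, move to Leavers')) {
        Disable-ADAccount -Identity $user
        foreach ($groupDn in $user.MemberOf) {   # primary group (Domain Users) is not listed here
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
        Set-ADUser -Identity $user -Description "Leaver $(Get-Date -Format yyyy-MM-dd)"
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $LeaversOu
    }
}

# CSV columns assumed: Action,SamAccountName,GivenName,Surname,Department
foreach ($row in Import-Csv -Path $CsvPath) {
    try {
        # Reject anything that could not be a sAMAccountName before it reaches an LDAP filter.
        if ($row.SamAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            throw "Invalid SamAccountName '$($row.SamAccountName)'"
        }
        switch ($row.Action.ToUpper()) {
            'JOIN'  { Invoke-Joiner -Row $row }
            'LEAVE' { Invoke-Leaver -Row $row }
            default { Write-Warning "Unknown action '$($row.Action)' for $($row.SamAccountName)" }
        }
    } catch {
        # One bad row must not abort the batch; surface it for a human to review.
        Write-Error "Row for $($row.SamAccountName) failed: $_"
    }
}
```

Run it once with `-WhatIf` and inspect the planned changes before scheduling it. The account the scheduled task runs as should hold only the delegated create/disable/move rights over the two OUs and membership-management rights on the listed groups, which keeps the blast radius small if the automation host is ever compromised.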

And the same applies to other areas that one automates. Automation is ideal for monitoring, again because the majority of mechanisms for interrogating systems are straightforward and hence simple to implement. And on top of real-time monitoring of basic attributes such as server uptime or network link saturation and error rates, one can go a step further and monitor changes to systems by automatically downloading configurations from devices such as firewalls or routers on a daily (or even more frequent) basis, comparing versions, and alerting the team to changes that are detected.
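The configuration-change monitoring just described, as an added example rather than anything from the original article: a PowerShell function that archives each pull of a device's configuration and reports lines added or removed since the previous pull. Retrieving the configuration from the device is vendor-specific (for example over SSH with the Posh-SSH module) and is left to the caller, so the function takes the configuration text as a parameter and is exercised below on two constructed, made-up firewall configs. The device name, archive directory and the patterns for volatile header lines are assumptions.

```powershell
# Added example: detect configuration drift between successive pulls of a device config.
function Test-ConfigDrift {
    param(
        [Parameter(Mandatory)][string]$Device,       # e.g. 'fw-edge-01' (assumed name)
        [Parameter(Mandatory)][string]$ConfigText,   # configuration text as retrieved now
        [string]$ArchiveDir = '.\config-archive',    # assumed archive location
        [datetime]$PulledAt = (Get-Date)             # overridable so tests can replay pulls
    )
    $dir = Join-Path $ArchiveDir $Device
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Header lines that change on every pull (timestamps) would cause false alarms, so
    # strip them before comparing. Patterns are for Cisco-style output and are an assumption.
    $volatile = '^\s*!\s*(Last configuration change|Time:|NVRAM config last updated)'
    $current  = @($ConfigText -split "`r?`n" | Where-Object { $_ -notmatch $volatile -and $_.Trim() -ne '' })

    $currentName = '{0:yyyy-MM-dd_HHmmss}.cfg' -f $PulledAt
    $currentFile = Join-Path $dir $currentName
    Set-Content -Path $currentFile -Value $current -Encoding UTF8

    # Most recent archived copy other than the one just written is the baseline.
    $previous = Get-ChildItem -Path $dir -Filter '*.cfg' |
        Where-Object Name -ne $currentName |
        Sort-Object Name -Descending | Select-Object -First 1

    $result = [pscustomobject]@{
        Device   = $Device
        Baseline = if ($previous) { $previous.Name } else { $null }
        Hash     = (Get-FileHash -Path $currentFile -Algorithm SHA256).Hash
        Changed  = $false
        Added    = @()
        Removed  = @()
    }
    if (-not $previous) { return $result }   # first pull: nothing to compare against yet

    $baseline = @(Get-Content -Path $previous.FullName)
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    $result.Added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
    $result.Removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    $result.Changed = ($result.Added.Count + $result.Removed.Count) -gt 0
    return $result
}

# --- Constructed demonstration: two pulls of a made-up firewall configuration ---
$day1 = @"
! Last configuration change at 08:00:00 UTC Mon Jan 3 2022
hostname fw-edge-01
access-list OUTSIDE-IN deny ip any any
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
"@
$day2 = @"
! Last configuration change at 07:55:00 UTC Tue Jan 4 2022
hostname fw-edge-01
access-list OUTSIDE-IN permit tcp any host 192.0.2.10 eq 3389
access-list OUTSIDE-IN deny ip any any
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
"@
$demoDir = Join-Path ([IO.Path]::GetTempPath()) 'cfg-drift-demo'
$null   = Test-ConfigDrift -Device 'fw-edge-01' -ConfigText $day1 -ArchiveDir $demoDir -PulledAt (Get-Date '2022-01-03 08:05')
$second = Test-ConfigDrift -Device 'fw-edge-01' -ConfigText $day2 -ArchiveDir $demoDir -PulledAt (Get-Date '2022-01-04 08:05')

if ($second.Changed) {
    Write-Warning "$($second.Device): configuration changed since $($second.Baseline)"
    $second.Added   | ForEach-Object { "  + $_" }
    $second.Removed | ForEach-Object { "  - $_" }
    # In production, raise a ticket or e-mail the team here (e.g. Send-MailMessage).
}
```

The second pull reports one added line, the new `permit ... eq 3389` rule, and no removed lines. Because each archived copy is hashed and kept, the team can also answer "when did this change first appear?" by walking back through the archive, which is the information an incident responder most often wants from a drift monitor.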

One must not forget, of course, that automation is not always trivial. As with many areas in technology, a great deal is straightforward while certain elements are quite the opposite.  

The security elements of automation can be trying, for example - particularly when automating tasks that change system configuration - because one has to achieve the functionality whilst defending high-privilege automation routines against misuse by intruders. And in a purely technical sense, there are some circumstances where one has to resort to rudimentary or inelegant means of automation - for instance where a system's user access list is available only via an inconvenient mechanism such as a screenshot or a PDF rather than a structured format such as an Excel document or a comma-separated data file. And of course, one will occasionally happen upon something that simply cannot be automated - for example, where a system is hosted and managed by a third party, with access provisioned manually by that party on request from our company. In such cases we can only automate up to a point - by auto-filling and auto-sending the request form, for example. 

AI and ML: automation++ 

The automation concepts discussed so far are those that one might term "traditional", in which one writes a script or program that unfailingly and predictably executes precisely the commands programmed into it. The state of the art of automation is, however, moving toward a much less deterministic approach using artificial intelligence (AI) and the currently popular subset thereof known as machine learning (ML). ML is, as the Oxford Learner's Dictionaries put it: "a type of artificial intelligence in which computers use huge amounts of data to learn how to do tasks rather than being programmed to do them", and is a rapidly growing approach to automation in IT in general and cyber security in particular.

ML is becoming popular because it allows automation to extend further than the specific instructions it is given by the implementer: although the term "learn" in the OLD's definition is perhaps a little strong, the fact remains that an ML program is able to vary its behaviour based on the data it encounters or that is fed to it. 

The skills of automation 

With regard to the skills we need in order to introduce automation into cyber security, the goalposts have moved significantly and will continue to do so. Until just a few years ago the core skills of automation were algorithm design and software development, but now the task is a much more complex one and needs an understanding of data science and statistical analysis - not to mention specific knowledge and experience of the ML tools and platforms that will be used to implement the automations themselves.

Modern - and near-future - automation is a significant departure from traditional automation, then, which gives an attractive opportunity for anyone who can train or self-learn the tools and techniques required to implement AI/ML automation. 

And these new techniques, when applied on top of the ubiquitous traditional automation tools, provide us with an opportunity to make the machines work harder than ever before, while the human brains focus on the tasks that are difficult or impossible for the machines to do.