Cybersecurity Automation: Leveling the Playing Field

By Leonard Kleinman, Field Chief Technology Officer (CTO), Cortex for Palo Alto Networks JAPAC

Many things challenge how we practice cybersecurity these days. Digital transformation has brought significant adoption of new technology and business models, including cloud solutions, e-commerce platforms, smart devices, and a significantly more distributed workforce. These, in turn, have brought with them an increase in new threats, risks, and cybercrime.

As organizations emerge post-pandemic, many of the risks and uncertainties manifested during that period will persist, including the hybrid workforce, supply chain risk, and other cybersecurity challenges.

Let’s look at some of these cybersecurity challenges and how automation can level the playing field.

Problem: not enough cybersecurity talent

A major contributor to the growing spate of cyberattacks is the lack of skilled cybersecurity personnel. The overall global numbers of experienced cybersecurity practitioners are low compared to the need for such practitioners to handle the cyberthreats that manifest across all industry sectors. While demand for practitioners continues to escalate, the growth in actual numbers is low, leading to the increasing deficit between demand and supply.

This contrasts significantly with the global cybersecurity market, which is expected to expand at a compound rate with more demand for solutions and products. The increasing number of cyberattacks, digital transformation changes, and talent shortages are contributing to this growth, and organizations are expected to acquire/deploy more advanced security solutions to detect, mitigate, and reduce the risk of cyberattacks.

Automation, AI, and vocation

Automation systems are everywhere—from the simple thermostats in our homes to hospital ventilators—and while automation and AI are not the same things, much has been integrated from AI and machine learning (ML) into security systems, enabling them to learn, sense, and stop cybersecurity threats automatically. So instead of just alerting us to a threat, an automated system would be able to act towards neutralizing it.

At its core, automation has a single purpose: to let machines perform repetitive, time-consuming, monotonous tasks. This, in turn, frees up our scarce human talent to focus on more important things or simply things that require the human touch. The result is a more efficient, cost-effective, and productive cyber workforce.

Even threat actors are themselves using automation to facilitate their attacks. The MyDoom worm, one of the fastest-spreading pieces of malware on the internet, uses automation to propagate and is estimated to have caused around $38 billion in damage. It is still spreading, but the surprising part is that MyDoom is not new. Released in 2004, it can still be seen circulating on the internet.

A persistent fear in cybersecurity is that automation is here to replace humans. While somewhat justified, the reality is that automation is here to augment humans in executing security operations and, in some cases, help organizations supplement and address the growing talent gap. As advanced as it may be perceived, automation will always be reliant on humans, completely configurable, and under the supervision of the security team. If anything, automation and AI are bringing forth new cybersecurity roles such as Algorithm Bias Auditor or Machine Risk Officer.

The benefits of automation

Automation can do many things, from detecting potential threats to containing and resolving threats. These actions take seconds and are largely independent of human intervention. Provided via security orchestration, automation, and response (SOAR), automation gives SOCs a significant boost in execution, significantly improving productivity and response. The Cost of a Data Breach 2022 Report highlights the role of automation in halving the cost of a data breach and reducing the time to identify and contain by 77 days.[1]

Orchestration provides the ability to activate the many tools in your operational environment, seamlessly connecting them via playbooks to undertake specific actions. This allows for a consistent, repeatable response process together with all the necessary information for your cyber practitioner, all in one place.

Additional efficiencies are derived from the AI/ML engine within SOAR, which can learn attributes from alerts and use that knowledge to prevent future attacks. Every alert and event handled is learned from for future purposes. Automation plays a significant role in enabling an agile, proactive cybersecurity capability.

Most importantly, automation provides a better quality of life to your cybersecurity team, reducing alert fatigue and frustration and giving them back precious time. In the age of the Great Resignation, retention has become a significant issue.[2] Retaining staff allows you to increase your ROI on people—acknowledging the significant investment organizations make through recruitment, ongoing training, and tacit knowledge learned on the job.

Automation helps organizations address the talent challenge. It also enables a greater ROI on your current tools and technology, bringing them into play as part of the orchestration process.

Where to start?

A prerequisite for automation begins with gathering and correlating data. Any good automation system requires good data to work efficiently and effectively. The more data sources, the better the quality of operations.

Aim to gather data from all aspects of your business environment, such as endpoint, network, and cloud. The AI/ML system within the automation platform makes analyzing and correlating all this data easier. Good data and the AI/ML engine are the two components that make cybersecurity automation possible.

Next, analyze your current standard operating procedures (SOPs), looking for regularly recurring activities/processes whose automation would reduce workload and the risk of an overlooked alert. Look for tasks that do not deviate or vary in an unpredictable manner. These are prime candidates for automation.

Now, identify the tools that need to be orchestrated within those processes, along with the required APIs (or create them) to enable the integrations.

Finally, create your playbook. This gives you control over the process, providing you with the ability to consistently replicate and improve the process over time. Include any specific actions you require, the tool(s) that will perform them, and any other additional tasks, e.g., block, notify, contain, etc.
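As an added illustration of the four steps above (gather and correlate data, pick a repeatable process, wire in the tools, encode it as a playbook), here is a minimal playbook runner; it is example code, not the article's or Cortex's, and the data sources, field names, verdicts and action names are all constructed assumptions.

```python
# Added illustrative playbook runner (not Cortex or any vendor's code); every
# source, field name, verdict and action below is constructed for the example.
from dataclasses import dataclass, field

# Constructed enrichment sources standing in for the endpoint, network and
# cloud data the article says to gather (real playbooks would call tool APIs).
ENDPOINT = {"wkstn-17": {"edr_verdict": "malicious"}, "wkstn-22": {"edr_verdict": "suspicious"}}
NETWORK = {"10.0.5.23": {"beaconing": True}, "10.0.5.40": {"beaconing": False}}
CLOUD = {"jdoe": {"mfa_enrolled": True}, "asmith": {"mfa_enrolled": False}}


@dataclass
class PlaybookRun:
    alert: dict
    context: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)  # ordered audit trail of the run


def enrich(alert):
    """Correlate one alert against every source; a missing source yields {} rather than an error."""
    return {
        "endpoint": ENDPOINT.get(alert["host"], {}),
        "network": NETWORK.get(alert["src_ip"], {}),
        "cloud": CLOUD.get(alert["user"], {}),
    }


def decide(ctx):
    """Map correlated facts to the article's action types (contain, block, notify).

    Unclear or missing evidence is escalated to an analyst, keeping the
    security team in supervision of what the automation does.
    """
    actions = []
    verdict = ctx["endpoint"].get("edr_verdict")
    if verdict == "malicious":
        actions.append("contain_host")
    if ctx["network"].get("beaconing"):
        actions.append("block_ip")
    if verdict == "suspicious" or not ctx["endpoint"]:
        actions.append("escalate_to_analyst")  # never auto-act on ambiguous data
    actions.append("notify_soc")  # every run is visible to the team
    return actions


def run_playbook(alert):
    """Execute the playbook for one alert and return the run with its audit trail."""
    run = PlaybookRun(alert=alert)
    run.context = enrich(alert)
    for action in decide(run.context):
        run.actions.append(action)  # a real SOAR would invoke the tool integration here
    return run


if __name__ == "__main__":
    print(run_playbook({"id": "A-1", "host": "wkstn-17", "user": "jdoe", "src_ip": "10.0.5.23"}).actions)
```

The same alert always produces the same recorded sequence of actions, which is the consistency and auditability the playbook step is meant to deliver.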

Don’t drop the ball on automation

Cybersecurity is essential for any business in a digitally transformed world, protecting company data, its people, and its customers. However, just the implementation of cybersecurity will not be enough as our adversaries continue to innovate and get craftier in their approach.

As organizations continue to pursue digital transformation initiatives coupled with technology advances, the automation of cybersecurity is not just recommended—it is mandatory in leveling the playing field.


[1] Cost of a Data Breach 2022 Report, IBM Security, July 2022.

[2] Paula Morgan, “Top Five Tips For Retaining Employees During The Great Resignation,” Forbes, August 4, 2022.

About Leonard Kleinman:

Len Kleinman is the Field Chief Technology Officer (CTO) – Cortex for Palo Alto Networks JAPAC focusing on critical industry sectors such as Government, Banking and Finance, Utilities, and Education. His mission is to work with executives and business stakeholders to make security a strategic priority that translates into business value and assist in the development of a risk-based cybersecurity culture aimed at protecting our digital lives.
