Cyber security defence strategies are too often reliant on manual processes; this needs to change as we enter the age of AI, argues Jan Tietze

Automation has touched every industry, from automobile manufacturing to accounting. It has brought an unprecedented improvement in productivity, at levels that early industrialists could only have dreamed of.

Yet there are still some disciplines that struggle to automate. Paradoxically, some of those disciplines are products of automation themselves.

Cybersecurity is a good example. Without automation and digitisation, there would be no computing, no networks, and no cyber attacks. Yet at SentinelOne, we’ve noticed that the security operations centres (SOCs) responsible for identifying and mitigating attacks often still rely on manual labour. It’s time for that to change.

Why automate the SOC?

Why automate at all? There are two driving factors. The first is the increasing volume of security events. Networks and the devices that attach to them are spewing out more data each day. But not all data is equal. Some of it is valuable, pointing to potential anomalous events including cyber attacks. Much of it is extraneous, though, and simply lowers the signal-to-noise ratio.

The second driver for automation is us. Human operators can’t keep up with the increasing demands of an incident response operation. They are too slow to respond, because there are more alerts than a team of any size can handle in a working day. Simply put, human beings aren’t built to operate at machine speed, or at network scale.

These limitations leave us with several weaknesses. We tend to focus too heavily on past knowledge rather than adapting to new information. That’s a problem in a world rife with zero-day vulnerabilities and constantly evolving attack techniques.

Increasing our automation capabilities can ease these problems. SOCs have tried to do it in the past, but these attempts have been limited at best.

Where previous attempts at automation failed

One example of automation is sandboxing, in which automated tools spot executable code in email attachments, HTML email bodies, or web pages. These tools then execute that code in a safe, virtualized environment and watch for any unusual or dangerous activities, such as questionable calls to system APIs.

The problem with sandbox automation is that attackers are wise to it. They now write their malware to detect sandboxed environments, behaving differently when they are running in one. Then, when the automated tool approves them to run on real systems, they can execute their real payloads unchallenged.

Another common approach to automation is scripting for remediation. Beloved by many sysadmins, bash or PowerShell scripts are a great way to carry out system tasks with little-to-no human interaction. Typically, a simple scanning tool will trigger a script based on a pre-defined issue.

Scripting might seem like a good idea, but it is problematic. Not only is it error-prone, but those scripts are also unlikely to cover every specific scenario under a security policy. Different applications will require different sub-policies, leading to forks that create a forest of similar scripts. Then, you have to update them all. This creates busywork for SOC operators, who now waste unnecessary time maintaining their scripts.

A final attempt at automation in the SOC is to correlate events logged in security information and event management (SIEM) systems. SOC operators will aggregate and analyse log data from across the infrastructure, using rules to flag potential threats.

SIEM correlation comes with its own challenges. Correlation rules take expertise to define, and they aren’t static. They must change with the threat landscape as it evolves, consuming time from highly skilled staff.

Event correlation also often produces yet more events that operators must analyse, creating more work rather than less. It’s also worth noting that rule-based correlation is only as good as the data it draws upon. Many SIEM systems work on low-fidelity data, which increases the number of false positives, lowering the signal-to-noise ratio and exacerbating the problem.
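As an added illustration (not the article’s or SentinelOne’s own code), here is a toy correlation rule of the kind described above, run over constructed log lines: it flags a burst of failed logins followed by a success from the same source, and re-running it with the source field ignored shows how a lower-fidelity feed turns a stale credential on a second device into a false positive. Users, hosts, timestamps and field names are all made up.

```python
"""Toy SIEM-style correlation rule run over constructed log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (users, hosts and times are made up).
# alice: three failures then a success from one source (brute-force pattern).
# bob:   three failures from a stale mail client on 10.0.0.7, then a normal
#        login from his laptop on 10.0.0.12.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 auth=FAIL user=alice src=10.0.0.5
2024-05-01T10:00:03 auth=FAIL user=alice src=10.0.0.5
2024-05-01T10:00:05 auth=FAIL user=alice src=10.0.0.5
2024-05-01T10:00:09 auth=OK user=alice src=10.0.0.5
2024-05-01T10:05:00 auth=FAIL user=bob src=10.0.0.7
2024-05-01T10:05:02 auth=FAIL user=bob src=10.0.0.7
2024-05-01T10:05:04 auth=FAIL user=bob src=10.0.0.7
2024-05-01T10:05:06 auth=OK user=bob src=10.0.0.12
"""


def parse(line):
    """key=value log line -> dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def correlate(log_text, key_fields, fails=3, window=timedelta(seconds=60)):
    """Flag keys where >= `fails` FAIL events precede an OK within `window`.
    `key_fields` defines what 'same source' means; leaving `src` out of it
    simulates a low-fidelity feed that never recorded the source address."""
    recent = defaultdict(list)   # key -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        key = tuple(ev.get(f, "?") for f in key_fields)
        recent[key] = [t for t in recent[key] if ev["ts"] - t <= window]
        if ev["auth"] == "FAIL":
            recent[key].append(ev["ts"])
        elif ev["auth"] == "OK" and len(recent[key]) >= fails:
            alerts.append(key)
            recent[key].clear()
    return alerts


HIGH_FIDELITY = correlate(SAMPLE_LOGS, ("user", "src"))   # [('alice', '10.0.0.5')]
LOW_FIDELITY = correlate(SAMPLE_LOGS, ("user",))          # [('alice',), ('bob',)]
```

The same rule fires once on the high-fidelity feed and twice on the low-fidelity one; the second alert for bob is the kind of false positive the text describes, and it lands on an analyst’s queue either way.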

How AI helps

We have some automation today via things like anti-virus and endpoint detection and response (EDR), but as the pressures on the SOC grow, we need to expand our automation capabilities still further. Artificial intelligence (AI) is the next step.

AI is a set of tools for analysing large sets of data to find patterns that humans might not see. It uses these patterns to categorise new data, find new correlations, and even make predictions. Instead of following a set of algorithmic rules, AI uses statistical analysis to parse large amounts of data, returning a probabilistic result rather than relying on exact matches of known signatures.

This approach gives AI several advantages. First, it detects significant events that might not match known historical ones, enabling SOCs to look beyond what they already know. This is especially important when identifying attacks that rely on zero-day vulnerabilities or new techniques. Think of it as machine processing with a little human-like intuition. A well-trained AI can spot and flag something that seems ‘off’, even if it isn’t a known attack.

Second, AI’s pattern-matching capabilities enable it to look at things in context. Like a chess player that sees the whole board over time, it can analyse chains of events to spot correlations that conventional tools might miss.
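An added example, not from the article or SentinelOne, contrasting the two approaches described above: an exact-match signature lookup against a small Bernoulli naive Bayes scorer over behavioural features, trained on a constructed labelled set. The feature names, hashes and training samples are all made up for illustration; a sample whose feature combination never appears in training, and whose hash is unknown, still receives a high probability of being malicious.

```python
"""Signature lookup versus a probabilistic scorer over behavioural features,
showing how a sample with no known signature can still be flagged."""
import math

# Constructed behavioural features and labelled samples (not real telemetry).
FEATURES = ["spawns_shell", "writes_autorun", "beacons_out", "reads_docs", "signed_binary"]
TRAIN = [
    ({"spawns_shell", "writes_autorun", "beacons_out"}, "bad"),
    ({"writes_autorun", "beacons_out", "reads_docs"}, "bad"),
    ({"spawns_shell", "beacons_out"}, "bad"),
    ({"reads_docs", "signed_binary"}, "good"),
    ({"signed_binary"}, "good"),
    ({"reads_docs"}, "good"),
    ({"spawns_shell", "signed_binary"}, "good"),
]
KNOWN_BAD_HASHES = {"c0ffee01", "c0ffee02"}  # constructed placeholder hashes


def signature_verdict(sample_hash):
    """Classic signature match: only an exact hit on a known hash is flagged."""
    return sample_hash in KNOWN_BAD_HASHES


def train(train_set, alpha=1.0):
    """Bernoulli naive Bayes with Laplace smoothing (alpha)."""
    n = {"bad": 0, "good": 0}
    hits = {label: dict.fromkeys(FEATURES, 0) for label in n}
    for feats, label in train_set:
        n[label] += 1
        for f in feats:
            hits[label][f] += 1
    return {
        label: (math.log(n[label] / len(train_set)),            # log prior
                {f: (hits[label][f] + alpha) / (n[label] + 2 * alpha) for f in FEATURES})
        for label in n
    }


def p_bad(model, feats):
    """Posterior probability that a sample showing `feats` is malicious."""
    logp = {}
    for label, (log_prior, probs) in model.items():
        lp = log_prior
        for f in FEATURES:   # absent features count as evidence too
            lp += math.log(probs[f] if f in feats else 1 - probs[f])
        logp[label] = lp
    top = max(logp.values())                       # stable normalisation
    total = sum(math.exp(v - top) for v in logp.values())
    return math.exp(logp["bad"] - top) / total


MODEL = train(TRAIN)
```

With this tiny training set, `{"spawns_shell", "writes_autorun"}` scores about 0.77 even though that exact combination was never seen and its hash matches nothing, while `{"reads_docs", "signed_binary"}` scores near 0.01.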

Finally, AI acts more like experienced human operators but does so at scale. It can handle far more data arriving far more quickly than a human team could, and it also operates on a 24x7 basis. This makes it harder for attackers who rely on non-peak periods when there are fewer analysts staffing the SOC. In short, it’s automation on overdrive.

What does all this mean for the SOC? One of the biggest benefits is that it speeds up response time early in the incident response cycle by increasing detection rates. The other is that it empowers SOC analysts rather than replacing them. Well-implemented AI-based automation will help deliver the right information to human operators, enabling them to make accurate, data-driven decisions more quickly.

In an environment where the stakes are getting ever higher, and in which operators face a rising tide of threats, automation is becoming more than just a handy option; it’s becoming a necessity. As we watch attackers rise to new levels of sophistication and automate their own capabilities, AI might have arrived just in time.

By Jan Tietze, Director of Security, EMEA, SentinelOne