Evolve security automation like the human brain: Part 2

What’s in a Brain?

In my previous blog [CS(1] , I explored how we should approach automation using the Triune Model of the human brain. I broke down how many view our metaphorical brain in three key functional parts: the lizard, the dog, and the primate. I explained how each of those areas function and how they mirror our digital businesses goals. Just in case you need a quick refresher:
The lizard section handles autonomic functions like heartbeat and respiration. Artificial intelligence (AI) and machine learning are similar to this portion, providing your business with automated, but rigid security measures.
The dog section is in charge of “feelings” which act like a form of currency for what we should remember. People like those in your SOC or other key security roles are like this portion, working alongside the automated processes to ensure effective and well-informed security decisions.
The primate section is responsible for the development of language, reasoning, and the ability to learn from mistakes. Business leaders are like this portion, processing the actions of the other two sections and using what they learn to improve overall performance.

This time, I’ll be looking at the role each of these parts play when it comes to creating an effective, highly efficient, highly secure, and well-automated ecosystem.

The Role of the Lizard in 2019

As I write this in 2019, I still feel we need to treat even the most intelligent of computer AI as the lizard portion of the brain. Yes, it can deal with machine-scale problems, but we need to bring those machine-scale problems down to a human-scale, understanding they are of little use to technical and business leaders without proper context. Making sense of data is square in the domain of human understanding. At the end of the day, we want to make sure that the person behind the console understands why a security alert was triggered and help them resolve that security issue.

I was careful to specify 2019 because machines will evolve over time and will figure out how to supplement the dog and likely even the primate sections of our model. But for now, I think it is safe to treat machine-based decision making and automation like the lizard portion of the brain and all its qualities (compulsive, obsessive, rigid, etc). This simple realization allows you to use it more effectively and sidestep applying it in areas that could be ineffective or detrimental.

Criteria for Automation

So, when and where should you use AI and ML to improve your security? Let’s look at three key criteria for applying automation.

Automate actions that are deterministic in their outcomes and that are internal to the system.
When your automation is based on an observation, automate with near equal or greater precision as the observation. Rarely can you generalize the action to take and not end up with collateral damage. For example, if you have a host at a branch that is misbehaving, automate the mitigation of that particular host and not the entire branch. Conversely, if you have evidence of an application misbehaving, taking action at the IP address level might adversely affect business-critical applications on that same IP address.

Automate what is routinely and frequently executed or as much of it as can safely be automated.
Let the machines act as the lizard part of the brain while you, the business owner, play the role of the dog and primate knowing what is good or bad for the business and applying human reasoning to adapt to any necessary changes.

For all those machine-scale problems, automate them to bring them down to human scale so that you can appropriately orient yourself into better decisions and actions.
We often think of automation just being action oriented, but I would argue that in this day and age, more automation is applied just to bring internet scale data sets down to a human scale dimension so that our mental models can make informed decisions. We want to automate those actions which are frequent, require the least latency, are deterministic in their outcome, and can adapt to environmental factors like threats.


While AI and machine learning will certainly evolve with time, they’re not a one-size-fits-all solution for all your automation needs. Just like how the lizard portion of the brain needs the dog and primate portions to function at full capacity, automation also requires the right amount of the human touch, both at the SOC level and C-Suite level, to truly be at its most effective. By using AI to bring machine-scale problems to human scale, the less stringent and creative minds working alongside your automated processes can apply human reasoning and rationale for a more comprehensive, secure, and highly effective digital business ecosystem.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.