The automation quandary: Or how to stop worrying and start automating

Information security is threatened from multiple angles. Threats have grown more sophisticated, digital infrastructures more complex, data more voluminous, and security talent increasingly scarce. The pace and volume make it impossible for IT groups to keep up. Automating tasks is an obvious solution to these challenges, but there are deeply ingrained concerns that automation will make matters worse, taking down essential service elements, quarantining senior executives, or otherwise disrupting critical business processes.

Cybersecurity in a world without automation

The number of threats in cyberspace today is almost beyond human comprehension. Our threat intelligence service responds to 48 billion queries every day and has 600 million samples in the database. Within the next few years, there will be 30 billion IoT devices, 3 billion smartphone users, and 450 billion Internet-based business transactions per day. It is little wonder that the magnitude of data and alerts is overwhelming even the most experienced and efficient human security professionals. Without the scale that automation enables, the future of cybersecurity looks grim.

Do you have automataphobia?

Despite spending millions of dollars on security tools and teams, organizations continue to get breached. Our research indicates three probable drivers behind this conundrum: poor digital hygiene, undeployed security tools, and isolated security processes.

Digital hygiene refers to foundational activities, like keeping patches up to date, testing updates, and validating signatures. With most attacks appearing within a few hours of a vulnerability disclosure, lengthy update approvals and manual patch processes leave organizations at risk. Cloud and SaaS operations have proven that automated patch testing and deployment work well with minimal downside risk. The human capacity gained from automating basic tasks can be redeployed to more critical security activities such as threat hunting or incident response.

Buying security tools and not deploying them is usually related to lack of resources. External security consultants are a logical path to solving this problem if your team doesn’t have the necessary time or expertise. Another option is to use the time saved by automating mundane tasks to deploy the shelved security tools.

Finally, many attacks succeed because they find exploitable gaps between security products. Manual or no integration between security products allows suspicious activity to dwell unnoticed. If an attack is identified and blocked, all entry points should be instantly informed. If a compromised device is detected, security products should automatically scan all other devices for evidence of similar compromise, and quarantine affected systems. Allowing machines to make these decisions, based on policy set by the security team, accelerates time to detection and remediation without incurring material risk of unintended IT consequences.

Human-machine teaming is the path forward

Automation has long played a minor role in the security process. IT environmental complexity, attack velocity, and talent scarcity are moving it from an optional to a mandatory element of sound cybersecurity practice. Combining human strategic intellect with more reliance on the analytic strength of machines delivers superior security outcomes.

Machines collect and analyze large quantities of complex data, sifting through massive datasets to find patterns and anomalies while they are still fresh in the environment. This moves data analysis from a backward-looking, forensic activity to an active pursuit. With appropriate training, machines can collate and prioritize alerts for human investigation, while instantly acting on those that fall within defined policy parameters.
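The policy-bounded response described above (sweep other devices for the same evidence, quarantine within policy, and queue the rest for human investigation) can be sketched as follows. This is an added example, not code from the article or from any product; the policy keys, tags, device names, and the "macro-dropper" indicator label are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy: tag names and the threshold are assumptions for illustration.
POLICY = {
    "auto_quarantine_min_confidence": 0.9,                 # below this, a human decides
    "protected_tags": {"executive", "critical-service"},   # never isolated automatically
}

@dataclass
class Device:
    name: str
    tags: set
    indicators: set = field(default_factory=set)  # indicators observed on the device

@dataclass
class Alert:
    device: str
    indicator: str
    confidence: float

def decide(alert, device, policy=POLICY):
    """Return 'quarantine' only when the alert falls inside policy, else 'review'."""
    if device.tags & policy["protected_tags"]:
        return "review"
    if alert.confidence < policy["auto_quarantine_min_confidence"]:
        return "review"
    return "quarantine"

def respond(alert, fleet, policy=POLICY):
    """Apply policy to the alerted device and every device showing the same indicator.

    Returns (quarantined, review_queue); protected assets lead the review queue.
    """
    quarantined, review = [], []
    for dev in fleet:
        if dev.name != alert.device and alert.indicator not in dev.indicators:
            continue  # no evidence of similar compromise
        if decide(alert, dev, policy) == "quarantine":
            quarantined.append(dev.name)
        else:
            review.append(dev)
    review.sort(key=lambda d: (not (d.tags & policy["protected_tags"]), d.name))
    return quarantined, [d.name for d in review]

# Constructed sample fleet; "macro-dropper" is a made-up indicator label.
FLEET = [
    Device("ws-014", {"workstation"}, {"macro-dropper"}),
    Device("ws-022", {"workstation"}, {"macro-dropper"}),
    Device("ceo-laptop", {"executive"}, {"macro-dropper"}),
    Device("build-01", {"critical-service"}),
]
```

The protected-tag check is what addresses the fear of automation quarantining an executive or taking down an essential service: those assets are always routed to an analyst, however confident the detection.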

Humans are able to take information that machines put forward and apply strategic intellect. They understand the context of multiple pieces of data threaded together and are much better at deciphering the subtle clues that unearth an attack. For example, Operation Sharpshooter attacks start as realistic-looking job recruitment messages, followed by links to download a malicious document. When the machine flags the malicious document or the anomalous behavior caused by the embedded macro, humans can follow the communications trail to the broader campaign and take steps to inform and protect the organization from these social-engineering attacks.

With the human and machine acting together, repetitive tasks are automated, humans have more capacity to apply their essential skills, and the machines continually learn and improve their capabilities. When you combine this with an architecture built to facilitate rapid and active sharing of threat intelligence, you create an advantage for those trying to secure their cyber assets versus those trying to exploit cyber assets.


The need for speed in cybersecurity makes automation mandatory. By automating tasks that play to the engineered ability of machines, we accelerate the time to detection and correction of attacks. Humans are then able to focus on the trickiest investigations and tasks that leverage their cognitive abilities. Together they mitigate the risk of overlooking critical cyber incident clues needed to avoid or recover from potentially catastrophic attacks.

If the security industry delivers on this human-machine teaming vision, we can harness the power of machines and humans to further the cybersecurity cause and secure the digital assets most important to consumers and organizations alike.

Candace Worley, Vice President and Chief Technical Strategist, McAfee
