



Why automation isn’t everything in cybersecurity

Jul 14, 2017 | 4 mins
Data and Information Security | Technology Industry

Everything is becoming more automated, but what does this really mean or look like for SecOps? How do you evolve with automation while still keeping your analysts?


With the latest advancements in automation and AI, many CISOs are recognizing the potential for automation to transform security operations. Given the way many technology vendors hype their solutions, you could be forgiven for thinking humans should be removed from security flows to the greatest extent possible. But, you would be wrong!

On the contrary, security analysts are not only an important part of the security process, they are THE most important part. So, when you think of automation, you should think of it not as a way of replacing security analysts, but rather as a way of empowering them to do more of what they do best. This is an important distinction.

More automation does not mean a smaller analyst role

The fact is, automation is not a panacea. Certainly, the early and rudimentary forms of automation our industry has seen in the past decade have fallen short of their promise. SIEM systems allow you to collect lots of log data, but the growth in data means ever-increasing amounts of backlog to process. Those same systems, with their inflexible, rules-based approach to threat detection, overwhelm analysts with torrents of false positives.

To make things worse, there are still far too many false negatives and intrusions that get by undetected. No matter what an automation vendor tells you, humans are still the absolute best at identifying previously unknown threats. However, we just can’t do it at scale.

Solving the cybersecurity crisis can’t start with the assumption that humans should be automated out of the system – in fact, it should be quite the opposite. In an ideal configuration, human analysts are at the center of everything, supported by advanced automation tools that make sense of the torrents of data being generated and allow them to make the types of nuanced decisions that will take a very long time to yield to technology.

Uniting analyst and machine

Some new-generation solutions are purely focused on AI and machine learning. The promise is that you turn it on in your environment and, after a few days of the system learning on its own, it will be able to detect all the bad stuff. However, these systems suffer from a fatal flaw: they lack the business context, adaptability and explainability needed to be truly effective.

What do human analysts know better than any system or, more importantly, any intruder? They know their own environment and the enterprise context, and they have an intuition about how their systems operate and what is normal versus what is questionable. Humans also adapt quickly to fast-changing conditions and can always explain why they did something. On the other hand, humans cannot scale and are prone to mistakes and inconsistency. Machines, as we know, are orders of magnitude faster and consistent.

The ideal system is still one that unites analyst and machine, augmenting the intelligence of a security analyst with the automation scale of a machine. To achieve this, we need the right kind of automation.

There are different types of automation. As explained by Harvard Business Review, basic robotic process automation handles routine and repeatable tasks; it can scale some of the motions of an analyst, but it cannot scale intelligence. Cognitive automation, on the other hand, can handle decision making around the severity of an alert by evaluating the full context of all data surrounding an event. Cognitive automation by itself, however, is not sufficient. To avoid the pitfalls of a “black box,” automation needs to be complemented by analysts’ input and feedback on a continuous basis.

Technology that supports a human-centric approach to automation

Newer technologies now make it possible to play to analysts’ strengths far more effectively. The next generation of automation technology allows analysts to feed their tribal knowledge about context and environment easily into the machine learning system, without requiring large training data sets. In addition to drastically increasing efficacy, this allows a properly designed system to adapt and evolve flexibly as context and environment change. The analyst is in charge, and the machine dutifully mimics and executes what the analyst would do, only at extreme scale.
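A minimal, self-contained version of what the last two sections describe: a rigid rule layer that emits alerts, a context-scoring step that decides severity and explains each verdict, and a feedback store through which an analyst's tribal knowledge (“that account runs the 2 a.m. backup”) changes how the next matching alert is triaged, with no training set involved. This is an added example written for this page, not LogicHub's product or any vendor's implementation; the asset criticality table, usual-country map, sample events and scoring weights are all constructed assumptions.

```python
"""Context-aware alert triage with an analyst feedback loop (illustrative only).

Layers, in the order the article describes them:
  1. rules_detect()  - inflexible, rules-based detection (the SIEM-style layer)
  2. Triage.score()  - cognitive layer: weighs environment context, explains itself
  3. Triage.record_feedback() - analyst teaches the system a reusable adjustment
All context tables and events below are made up for the example.
"""
from dataclasses import dataclass, field

# Assumed environment context that a human analyst "just knows" (constructed).
ASSET_CRITICALITY = {"db-prod-01": 3, "wiki-01": 1, "laptop-jsmith": 1}
USUAL_COUNTRIES = {"jsmith": {"US"}, "svc-backup": {"US"}, "admin": {"US", "DE"}}

# Constructed raw events, as a rule engine would see them (not real logs).
EVENTS = [
    {"user": "jsmith", "host": "laptop-jsmith", "country": "US", "failed_logins": 12, "hour": 14},
    {"user": "svc-backup", "host": "db-prod-01", "country": "US", "failed_logins": 0, "hour": 2},
    {"user": "admin", "host": "db-prod-01", "country": "RU", "failed_logins": 6, "hour": 3},
    {"user": "admin", "host": "wiki-01", "country": "DE", "failed_logins": 1, "hour": 10},
]


@dataclass
class Alert:
    rule: str
    event: dict
    severity: str = "unscored"
    reasons: list = field(default_factory=list)   # explainability: why this severity


def rules_detect(events):
    """Rigid rule layer: fires on thresholds alone, so it cannot tell a backup job
    from an intruder. This is the layer that floods analysts with false positives."""
    alerts = []
    for e in events:
        if e["failed_logins"] >= 5:
            alerts.append(Alert("brute-force-candidate", e))
        if e["hour"] < 5:
            alerts.append(Alert("off-hours-activity", e))
    return alerts


class Triage:
    """Context scoring plus a feedback store that analysts update continuously."""

    def __init__(self):
        # rule name -> list of (label, predicate over the event, score delta)
        self.feedback = {}

    def score(self, alert):
        e = alert.event
        alert.reasons = []
        pts = ASSET_CRITICALITY.get(e["host"], 1)          # business context
        alert.reasons.append(f"asset criticality {pts}")
        if e["country"] not in USUAL_COUNTRIES.get(e["user"], set()):
            pts += 3                                        # deviation from normal
            alert.reasons.append(f"unusual country {e['country']} for {e['user']}")
        if alert.rule == "brute-force-candidate" and e["failed_logins"] >= 10:
            pts += 1
            alert.reasons.append("high failed-login count")
        # Analyst-supplied adjustments apply only where their predicate matches,
        # and every applied adjustment is recorded in the explanation.
        for label, matches, delta in self.feedback.get(alert.rule, []):
            if matches(e):
                pts += delta
                alert.reasons.append(f"analyst feedback '{label}' ({delta:+d})")
        alert.severity = "high" if pts >= 5 else "medium" if pts >= 3 else "low"
        return alert

    def record_feedback(self, rule, label, matches, delta):
        """One analyst decision becomes a reusable rule adjustment: no retraining,
        and the reasoning stays visible in every later verdict it touches."""
        self.feedback.setdefault(rule, []).append((label, matches, delta))


def run(triage, events=EVENTS):
    """Detect, then score, every event; returns the scored alerts in order."""
    return [triage.score(a) for a in rules_detect(events)]


if __name__ == "__main__":
    triage = Triage()
    for a in run(triage):
        print(a.severity, a.rule, a.event["user"], "|", "; ".join(a.reasons))
    # The analyst knows svc-backup legitimately runs at 02:00: teach the system once.
    triage.record_feedback("off-hours-activity", "scheduled backup job",
                           lambda e: e["user"] == "svc-backup", -3)
    print("--- after feedback ---")
    for a in run(triage):
        print(a.severity, a.rule, a.event["user"], "|", "; ".join(a.reasons))
```

Before feedback the off-hours alert for the backup account on the production database scores as medium purely because the host is critical; after the analyst records one adjustment it drops to low, while the admin login from an unusual country at 3 a.m. on the same host stays high and carries the reasons for that verdict. The point is the division of labour: the machine applies the analyst's judgement consistently and at scale, and the analyst can always read why it did what it did.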

The right automation

Security automation doesn’t mean removing analysts from the equation. Instead, good security automation is about empowering your analysts to multiply their efforts, helping them be more productive and satisfied in their jobs, and freeing them to tackle the most challenging threats. With the right technologies and processes in place, your SecOps dream team can become a tag team of expert human security analysts plus virtual security analysts powered by cognitive automation.


Kumar Saurabh, CEO and co-founder of LogicHub, has 15 years of experience in the enterprise security and log management space leading product development efforts at ArcSight and SumoLogic, before co-founding LogicHub. Kumar has a passion for helping organizations improve the efficacy of their security operations, and personally witnessed the limitations of existing solutions in helping SOC analysts detect threats buried deep within mountains of alerts and events. This frustration led him to co-found LogicHub to empower cyber analysts by building intelligence automation, not just analytics.

While at ArcSight, Kumar was one of the early engineering leads and saw the company grow from zero revenue to IPO. He left ArcSight to co-found SumoLogic, which he left to start LogicHub.

Kumar earned his M.S. in Computer Science from Columbia University and B.S. in Computer Science from IIT Kharagpur.

The opinions expressed in this blog are those of Kumar Saurabh and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.