The self-driving car of security automation

Aug 22, 2017 | 5 mins
Data and Information Security | Machine Learning | Technology Industry

What can cybersecurity learn from self-driving cars? How does intelligent automation benefit both?

When I speak with CISOs about automation in cybersecurity, it can conjure up parallels to self-driving cars. After all, if machine learning can create cars that drive themselves, why can’t we have self-driving security?

It is premature, however, to claim that machine learning and automation will solve every cybersecurity challenge soon, if ever. Because the threat landscape keeps evolving, defense will most likely remain an arms race between attackers and defenders for the foreseeable future.

Still, the promise of a machine doing what we thought only humans could do is fast becoming reality. There are plenty of early results, a good deal of hype and even more potential. The same is true of self-driving cars: The Washington Post highlighted the levels of driving automation defined by the Society of Automotive Engineers (SAE), which lay out an evolutionary path to the much-hyped “fully autonomous” car, with each stage delivering markedly more value than the last.

Similarly, in cybersecurity, each additional level of intelligent automation brings a markedly larger benefit. If we map the automotive levels onto cybersecurity, level zero has almost no automation and level five is fully autonomous.

Level 0:

  • Cars: The driver controls the vehicle entirely; there is no driving automation.
  • Cybersecurity: The equivalent is a security operation in which all threat detection, security data analysis and incident response are performed by analysts by hand.

Level 1:

  • Cars: Some driver assistance with specific functions carried out automatically, such as steering or accelerating, but not both simultaneously. Adaptive cruise control or automatic emergency braking, for example.
  • Cybersecurity: This is equivalent to automatic log aggregation with SIEMs and creating rules for alerts. It is not particularly “intelligent,” but serves an important foundational role for the future of intelligent security automation.

Level 2:

  • Cars: At least one driver assistance system controls both steering and acceleration/deceleration, responds to the environment and allows the driver to take their hands off the wheel. Examples include Tesla Autopilot and self-parking.
  • Cybersecurity: This is where the security industry generates much of its hype. On one hand, you have solutions such as User Behavior Analytics and Network Traffic Analysis that profess to learn “normal” behavior automatically and alert on anything abnormal. Their drawback is that they lack the full context of an environment or situation, so they tend to generate too many false positives and require significant analyst effort to triage. On the other hand, you have early orchestration solutions that partially automate some of the easier, repeatable actions in an incident response process. While such tools can gather the information an investigation needs, the actual decision making is still left to the analyst. In essence, Level 2 automates actions and repeatable tasks, but not the decisions and judgments that require “intelligence.”

Level 3:

  • Cars: The driver can hand the driving task over entirely, but must remain available to take over when the system requests it or fails.
  • Cybersecurity: There are two key areas where this is becoming a reality in security automation today. The first is full, end-to-end alert triage automation: the system has enough context and awareness of an alert’s severity to make decisions, and it accepts feedback from human analysts. The more advanced systems explain their scoring in full, and analysts still review the results, but roughly 95 percent of the overhead work they used to do is eliminated. The second is automated threat hunting, made possible once expert analysts map out the logic they would follow in an investigation. The system then applies that logic continuously, hunting for threats 24/7 at a scale human analysts cannot match. This becomes more manageable with “prescriptive” logic flows for specific use cases, such as “Threat Hunter for CloudTrail” or “Threat Hunter for Office 365.”
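
To make the difference between Levels 1, 2 and 3 concrete, here is an added example (not code from this article, from LogicHub or from any vendor) that runs a Level 1 SIEM-style rule, a Level 2 behavioral baseline and a Level 3 triage step over the same constructed, CloudTrail-flavored events. The users, source addresses, event names, score weights, 30-minute window and 50-point escalation threshold are all hypothetical, chosen to show why the Level 2 baseline fires on both a compromised account and a late-working employee, while Level 3 separates the two using context and then learns from analyst feedback:

```python
# Added example, not the article's or LogicHub's code. Everything below is
# hypothetical: users, addresses (RFC 5737 documentation ranges), event names,
# score weights, the 30-minute window and the 50-point escalation threshold.
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_DAY = "2017-08-21"        # known-good day used to learn each user's "normal"
BUSINESS_HOURS = range(7, 20)      # simplification: one fixed window, not per-user hours
PRIVILEGED = {"CreateAccessKey", "PutUserPolicy", "AttachUserPolicy", "CreateUser"}

def ev(time, user, event, src, result="Success"):
    return {"time": time, "user": user, "event": event, "src": src, "result": result}

# Constructed sample telemetry; field names loosely mimic CloudTrail.
EVENTS = [
    ev("2017-08-21T09:02:00Z", "alice", "ConsoleLogin", "10.1.1.5"),
    ev("2017-08-21T09:40:00Z", "alice", "DescribeInstances", "10.1.1.5"),
    ev("2017-08-21T10:15:00Z", "carol", "ConsoleLogin", "10.1.1.8"),
    ev("2017-08-21T14:00:00Z", "carol", "ListBuckets", "10.1.1.8"),
    # Day two: bob is brute-forced; alice's credentials are used at night from a new
    # address to mint keys (true positive); carol works late from a new home address
    # (benign). Level 2 alone cannot tell alice's case from carol's.
    *[ev(f"2017-08-22T02:0{i}:00Z", "bob", "ConsoleLogin", "198.51.100.7", "Failure") for i in range(5)],
    ev("2017-08-22T03:10:00Z", "alice", "ConsoleLogin", "203.0.113.9"),
    ev("2017-08-22T03:11:00Z", "alice", "CreateAccessKey", "203.0.113.9"),
    ev("2017-08-22T03:12:00Z", "alice", "PutUserPolicy", "203.0.113.9"),
    ev("2017-08-22T23:30:00Z", "carol", "DescribeInstances", "10.1.1.9"),
]

def ts(e):
    return datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")

def level1_failed_logins(events, threshold=5, window=timedelta(minutes=10)):
    """Level 1: static SIEM correlation rule. N failed console logins from one source
    inside a time window. No notion of what is 'normal' for anyone."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "ConsoleLogin" and e["result"] == "Failure":
            by_src[e["src"]].append(ts(e))
    for t in by_src.values():
        t.sort()
    return [{"rule": "brute_force", "src": s, "count": len(t)} for s, t in by_src.items()
            if any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1))]

def build_baseline(events, day=BASELINE_DAY):
    """Learn each user's normal source addresses from a known-good period."""
    base = defaultdict(set)
    for e in events:
        if e["time"].startswith(day) and e["result"] == "Success":
            base[e["user"]].add(e["src"])
    return base

def level2_anomalies(events, baseline, day=BASELINE_DAY):
    """Level 2: behavioral baselining. Flags every successful event from an unseen
    source or outside business hours. Noisy by design: it fires on carol too."""
    out = []
    for e in events:
        if e["time"].startswith(day) or e["result"] != "Success":
            continue
        reasons = []
        if e["src"] not in baseline[e["user"]]:
            reasons.append("new_source")
        if ts(e).hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if reasons:
            out.append({**e, "reasons": reasons})
    return out

def level3_triage(anomalies, feedback=None, threshold=50):
    """Level 3: context-aware triage. One case per (user, source); score it, explain
    the score, and apply analyst feedback so a pair marked benign stops escalating."""
    feedback = feedback or {}
    cases = defaultdict(list)
    for a in anomalies:
        cases[(a["user"], a["src"])].append(a)
    results = []
    for (user, src), items in cases.items():
        score, why = 0, []
        reasons = {r for a in items for r in a["reasons"]}
        if "new_source" in reasons:
            score += 40; why.append("source address never seen for this user")
        if "off_hours" in reasons:
            score += 20; why.append("activity outside business hours")
        first = min(ts(a) for a in items)
        priv = [a["event"] for a in items
                if a["event"] in PRIVILEGED and ts(a) - first <= timedelta(minutes=30)]
        if priv:
            score += 40; why.append("privileged IAM actions within 30 min: " + ", ".join(priv))
        if feedback.get((user, src)) == "benign":
            score -= 30; why.append("analyst previously marked this user/source benign")
        results.append({"user": user, "src": src, "score": score,
                        "escalate": score >= threshold, "why": why})
    return results

def run(feedback=None):
    """Returns (level1_alerts, level2_anomalies, level3_cases) for the sample events."""
    anomalies = level2_anomalies(EVENTS, build_baseline(EVENTS))
    return level1_failed_logins(EVENTS), anomalies, level3_triage(anomalies, feedback)

if __name__ == "__main__":
    l1, l2, l3 = run()
    print(f"Level 1 alerts: {l1}\nLevel 2 anomalies: {len(l2)} (two cases, one of them benign)")
    for c in l3 + run({("carol", "10.1.1.9"): "benign"})[2]:
        print(c["user"], c["src"], c["score"], "escalate" if c["escalate"] else "suppress", c["why"])
```

Run as a script, it prints the Level 1 brute-force alert, the four Level 2 anomalies, and the Level 3 cases before and after feedback: alice scores 100 because the new-source, off-hours login is followed within minutes by privileged IAM calls, carol scores 60 on the baseline signals alone and is escalated as a false positive, and a single analyst feedback entry drops carol to 30 without changing alice's case. The `why` list is the explanation the passage above says advanced systems should provide.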

Level 4:

  • Cars: Positioned as “fully autonomous,” yet still limited to certain conditions. No driver interaction is needed, and the car handles system failures by bringing itself to a stop.
  • Cybersecurity: A “fully autonomous” security solution in which the system itself creates the hunting logic for 99 percent of known and unknown threats and continuously adapts as the threat landscape changes. It not only identifies threats but also remediates and responds automatically. No human interaction is needed except in extreme situations, such as the less than 1 percent of threats the system cannot detect. No such solution exists today, but it is often what CISOs picture when they hear “security automation.” Reaching this point will require significant advances in machine learning and computing power.

Level 5:

  • Cars: Autonomous performance comparable to a human driver in all conditions. Most automakers have yet to achieve it, or even to confirm that it is fully achievable.
  • Cybersecurity: Similarly, no security vendor can truly guarantee zero breaches. If such a solution existed, it would be fully autonomous threat detection that catches even the most unusual and esoteric threats without missing a beat, with no human analysts in the loop. We are highly unlikely to reach this level.

Security operations technologies have evolved greatly in the past decade. The first big wave was driven by log aggregation and analytics, followed by predictive technologies. The next generation of solutions will be “Prescriptive Security Intelligence,” offering specific solutions to common security use cases. The industry will take time to reach a “fully autonomous” state. If security automation is your end goal, start by looking for Level 3 solutions that can take you 80 percent of the way to your destination.


Kumar Saurabh, CEO and co-founder of LogicHub, has 15 years of experience in the enterprise security and log management space leading product development efforts at ArcSight and SumoLogic, before co-founding LogicHub. Kumar has a passion for helping organizations improve the efficacy of their security operations, and personally witnessed the limitations of existing solutions in helping SOC analysts detect threats buried deep within mountains of alerts and events. This frustration led him to co-found LogicHub to empower cyber analysts by building intelligence automation, not just analytics.

While at ArcSight, Kumar was one of the early engineering leads and saw the company grow from zero revenue to IPO. He left ArcSight to co-found SumoLogic, which he left to start LogicHub.

Kumar earned his M.S. in Computer Science from Columbia University and B.S. in Computer Science from IIT Kharagpur.

The opinions expressed in this blog are those of Kumar Saurabh and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.