Automated security needs human oversight – but many companies struggle with the balance

Just investing in tools isn’t enough to keep good staff engaged

Buying good threat-hunting technology isn’t enough to lure the best security staff anymore, a security specialist has said while warning that cybersecurity’s “incredibly difficult” human capital problem has left many companies flat-footed when it comes to launching their security response.

Attackers were leaning heavily on automation to compromise targets “but once they compromise an endpoint they are being really slow” to propagate across the network undetected and compromise backups that might be used for recovery, JJ Thompson, senior director of managed threat response, told CSO Australia.

“They are being surgical to identify the assets that matter most, and to exfiltrate as much valuable content and intelligence as possible.”

With these strategies making cybercriminal attacks far less obvious than in the past, companies needed to build and maintain rosters of skilled humans with the nous to make the most out of the security tools that are installed.

Yet the people best suited for those kinds of jobs are those that love a challenge – and will quickly walk away from a position that isn’t helping them grow.

Sophos, for one, had no trouble attracting candidates: “We post a job and within 24 hours we have 30 to 40 qualified candidates,” he said, noting the importance of maintaining relationships with academic and commercial networks.

Yet for many other companies, a discordant approach to integrating security and human capital was perpetuating the shortcomings that were leaving many companies more exposed than they should be.

“We are not fusing the people, process and technology correctly,” Thompson said, warning that many companies’ otherwise-noble defence strategies were being compromised by operational staff pushing for workarounds to circumvent key protections.

Advanced problem-solving capabilities were still the domain of human reviews where security tools’ effectiveness, or lack thereof, can be monitored and responded to.

“What’s interesting about all this is how successful they are able to be when we have so many different technologies out there that are able to detect them,” Thompson explained.

“The reason that’s happening is that companies’ internal security teams are often pushed by IT operations to disable some of the protections that are in place to keep that protection working.”

Human oversight of security automation had also proven crucial in taking a step back to fully consider the implications of new technologies that have been enthusiastically purchased, but have often proven to have unforeseen implications.

Data lakes were one example: “those on the leading edge right now are re-evaluating the whole data lake strategy,” Thompson said.

“They’re looking at this very expensive, robust logging data lake structure that is very compute intensive and cost heavy on the compute and research side. These have been very useful for creating big piles of alerts – but they are realising that finding the needles in a big stack of needles is harder than they thought.”

This had driven a shift in strategy “to something that is more data centre-oriented”, Thompson said.

That suited the technological change made possible by moves such as the company’s June acquisition of Rook Security, which paved the way for the increasingly cloud-based security firm to offer a range of managed threat response services.

Potential customers needed to make sure they didn’t take the services as set-and-forget propositions – and that they continually engage their security staff to ensure that they remain productively focused.

“You retain people by having them do more of what they love, being excited about what they do, being passionate about what they do, and knowing they are getting smarter and better every day,” Thompson explained.

“You cannot do that by having someone sit and monitor a SIEM and playing whack-a-mole. That burns them out and makes them want to leave.”