It’s never been more challenging to work in cybersecurity. The cost of a breach keeps going up, the number of attacks is constantly increasing and the industry is in the middle of a multi-year staffing crisis. It’s no surprise that 90% of security teams see automation as essential for them to deliver on their mandate to protect their organizations from attack. Automation has unlocked machine-speed business across nearly every team in today’s digital-first organizations—from marketing and HR to IT and engineering. Cybersecurity needs the same ability—to deliver protection at machine speed—to keep us protected each and every day. Over the past five years, there’s been a massive rise in the number of AI- and ML-driven cybersecurity platforms on the market—all promising to unlock the benefits of automation for overworked cybersecurity teams.
There’s no doubt that these platforms help deliver real results by processing events at a speed and scale not humanly possible. But there’s a huge gap that these technologies can’t help fill—where security teams have to rely on different teams for input or where multiple responses may be equally appropriate.
A recent survey of AI and ML adoption among cybersecurity teams found that the top five use cases were all focused on identifying threats. But a security incident doesn’t stop at detection. The National Institute of Standards and Technology (NIST) outlines four other stages within incident response: analysis, containment, eradication and recovery. And it’s in these stages that the limits of AI- and ML-driven automation become clear.
Challenges of AI and ML for Automation
Looking at the complete incident response lifecycle, three distinct challenges emerge with the use of AI and ML for automation:
1. The first is the introduction of risk. By placing machine-speed actions in the middle of containment, eradication and recovery steps, organizations open themselves up to risk. We can joke about artificial intelligence chatbots all we want, but the fact remains that the technology is far from ready to control critical systems during times of attack. One wrong decision can be the difference between a thwarted attack and a multimillion-dollar data breach.
2. Similarly, for many incidents, cross-team collaboration between security and other business groups is required for effective containment and eradication. Even the best machine learning models are ill-equipped to understand the interplay between different teams, their processes and tools—significantly limiting any efficiency gains during those stages of the incident response process.
3. Lastly, throughout incident response, there exist a number of critical decision points and, as discussed above, without human involvement these introduce significant risk. But the cybersecurity skills gap has kept many teams from being able to fully staff the SOC, leaving them without the necessary analysts to supervise ML and AI tools and ensure appropriate human controls.
It’s not that AI and ML don’t have a place in cybersecurity—far from it. But their role is limited to how organizations detect threats and begin to triage them. The need for automation goes far beyond this—from improvements to security posture made in preparation for the next attack to the later stages of incident response and post-incident analysis.
It’s in these areas that more security teams are increasingly turning to alternative methods of automation—notably, no-code automation. By adopting tools that allow any security professional, regardless of software development talent, to turn manual tasks into automated workflows, security teams are able to unlock the benefits of automation in a much more robust way than AI or ML can deliver.
This type of automation is human-centric first—humans build and deliver automated workflows—anything from minor tasks to complex incident response flows. But ultimately, it’s under human guidance that the processes are built and enabled. Because no-code tools are designed to be human-readable, they come with an inherent, full audit log of activities—meaning that there’s always clarity for security teams as to what was automated, when and how. This allows organizations to manage the risks of automation via testing, audit and approval workflows.
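To make the human-in-the-loop point concrete, here is an added illustration (not code from the original post or from any particular no-code product) of a workflow runner that executes detection and analysis steps at machine speed, pauses before any containment, eradication or recovery step until a named analyst has approved it, and records every decision in an audit log. The step names, the sample alert and the approvals map are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

# Stages of the incident response lifecycle named in the text. Steps in
# the later, higher-impact stages only run after an explicit human approval.
GATED_STAGES = {"containment", "eradication", "recovery"}


@dataclass
class Step:
    name: str
    stage: str
    action: Callable[[dict], str]  # performs the step, returns a description


@dataclass
class Workflow:
    steps: list
    audit_log: list = field(default_factory=list)  # what ran, when, by whom

    def _log(self, step: Step, status: str, detail: str) -> None:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "step": step.name, "stage": step.stage,
            "status": status, "detail": detail,
        })

    def run(self, event: dict, approvals: dict) -> str:
        """approvals maps a gated step name to the analyst who approved it."""
        for step in self.steps:
            if step.stage in GATED_STAGES and step.name not in approvals:
                # Stop before the critical decision point; nothing destructive
                # runs unattended. The pending state is itself auditable.
                self._log(step, "pending_approval", "waiting for human decision")
                return "paused"
            result = step.action(event)
            actor = approvals.get(step.name, "automation")
            self._log(step, "executed", f"by {actor}: {result}")
        return "completed"


def build_workflow() -> Workflow:
    # Hypothetical three-step response flow for a suspicious-host alert.
    return Workflow(steps=[
        Step("enrich_alert", "analysis", lambda e: f"host {e['host']} scored {e['score']}"),
        Step("isolate_host", "containment", lambda e: f"isolated {e['host']}"),
        Step("reimage_host", "eradication", lambda e: f"reimaged {e['host']}"),
    ])


SAMPLE_EVENT = {"host": "ws-0421", "score": 87}  # constructed sample alert

if __name__ == "__main__":
    wf = build_workflow()
    print(wf.run(SAMPLE_EVENT, approvals={}))  # pauses before containment
    for entry in wf.audit_log:
        print(entry)
```

Running the same workflow with approvals recorded for both gated steps completes all three steps and leaves a three-entry audit trail naming the approving analysts.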
Building Machine-Speed Efficiencies
At the same time, because no-code platforms allow automation of activities across any tool in the security stack, they can deliver value at every stage of the incident response lifecycle and beyond. Instead of unlocking rapid detection that is then hampered by human-speed analysis, quarantine and eradication, security teams can build machine-speed efficiencies into every process they currently do manually, unlocking a much higher return on security investment than AI or ML tools can offer.
This return then unlocks even more benefits; as security teams are able to automate more of their daily operations, they then have more time to invest in preparation and prevention. That bolsters their organization’s security posture to be better prepared for not just the next attack, but the next decade of attacks as well.