Piers Wilson from Huntsman Security discusses the problem of "frictional" inefficiencies in cyber security operations. As threats and alerts increase, security teams face growing workloads that waste time and resources. Automating threat verification and response can reduce this friction by filtering out false positives, providing diagnostic context to prioritise real threats, and handling basic responses, freeing analysts to focus on more strategic work. The goal is to increase friction for attackers while decreasing it for defenders through streamlined, certain, industrial-scale security automation.
Have observed this from dealing with large enterprise customers, MSSPs etc.
Recognise the complexity – lots of controls, lots of interfaces, almost back to pre-SIEM days – EASIER SAID THAN DONE
Need security to be effective
Technology that supports Operations
Interfaces and data models are a means to an end
Coping with additional control layers / increasing detections
Recognise security analysts and data scientists are scarce
Having data and certainty reduces the risk of acting
Value of responding quickly, and in a repeatable way, can outweigh the downside
i.e. risk of inaction > risk of action
Data, context, threat data, business impacts and asset values drive this calculation
Need data and analytic capability
Give examples: registry keys, network captures, file changes
Asimov's Three Laws of Robotics, as the analogy for automated response:
A robot may not injure a human being or, through inaction, allow a human being to come to harm.
A robot must obey the orders given it by human beings except where such orders would conflict with the First Law.
A robot must protect its own existence as long as such protection does not conflict with the First or Second Laws.
Response in well-defined circumstances, or a portion of the response – e.g. routine tasks
Autopilot – the pilot can take back control – example of mature automation
E.g. quarantining a machine in a secure VLAN, removing it from the guest Wi-Fi
Volume
Scalable processing
Cope with additional control layers
Scale across the expanding threat landscape
Respond at speed
Repeatable
Not black and white – respond as much as is known to be safe within the specific circumstances
Certainty that it is safe, not based on feelings or hunches
What level of automation would today's certainty give you – what would you automate / adopt today?
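As an added example that is not part of the talk or of any Huntsman Security product: the calculation the notes describe (act only when the risk of inaction exceeds the risk of action, then respond only as far as is known to be safe, with an operator-set ceiling that lets the analyst take back control) written as a small Python decision rule. The multiplicative risk model, the thresholds, the hostnames and the sample scores are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Response(IntEnum):
    """Graduated responses, least to most intrusive. ESCALATE sits between
    'automate diagnostics' and 'automate containment' on purpose: it is what
    the autopilot hands back to the human when it is not allowed to act."""
    CLOSE = 0      # verified false positive, closed without analyst time
    ENRICH = 1     # automate diagnostics only: registry keys, network capture, file changes
    ESCALATE = 2   # acting is justified but not known to be safe: analyst decides
    CONTAIN = 3    # reversible: move host to the guest/quarantine network
    ISOLATE = 4    # quarantine host in the secure VLAN


@dataclass(frozen=True)
class Policy:
    """Assumed thresholds expressing what today's certainty lets us automate."""
    false_positive_ceiling: float = 0.10    # at or below this confidence and uncorroborated: close
    contain_min_confidence: float = 0.70
    contain_max_impact: float = 0.80        # never auto-contain a host whose outage costs more
    isolate_min_confidence: float = 0.90
    isolate_max_impact: float = 0.50        # never auto-isolate a host whose outage costs more
    max_level: Response = Response.ISOLATE  # operator-set ceiling: the 'take back control' switch


@dataclass(frozen=True)
class Alert:
    host: str
    confidence: float    # 0..1: automated verification against threat data
    severity: float      # 0..1: threat severity from intel
    asset_value: float   # 0..1: value of the asset to the business
    impact: float        # 0..1: business impact of taking the host off the network
    corroborated: bool   # diagnostics (registry/pcap/file changes) confirm the alert


def risk_of_inaction(a: Alert) -> float:
    """Expected loss if we do nothing: how sure we are, how bad it is, what it hits."""
    return a.confidence * a.severity * a.asset_value


def risk_of_action(a: Alert) -> float:
    """Expected loss if we act: chance we are wrong times the cost of the disruption."""
    return (1.0 - a.confidence) * a.impact


def decide(a: Alert, p: Policy = Policy()) -> Response:
    """Respond as much as is known to be safe in these circumstances, and no more."""
    if a.confidence <= p.false_positive_ceiling and not a.corroborated:
        return Response.CLOSE
    if risk_of_inaction(a) <= risk_of_action(a):
        return Response.ENRICH  # not worth acting yet; keep gathering context
    # Acting is justified (risk of inaction > risk of action). Climb the ladder
    # only while each rung's certainty and impact conditions hold.
    level = Response.ESCALATE
    if (a.corroborated and a.confidence >= p.contain_min_confidence
            and a.impact <= p.contain_max_impact):
        level = Response.CONTAIN
    if (level == Response.CONTAIN and a.confidence >= p.isolate_min_confidence
            and a.impact <= p.isolate_max_impact):
        level = Response.ISOLATE
    if level > p.max_level:  # autopilot ceiling: do the allowed portion, or hand over
        level = max(p.max_level, Response.ESCALATE)
    return level


def triage(alerts, p: Policy = Policy()) -> dict:
    return {a.host: decide(a, p) for a in alerts}


# Constructed sample alerts (hypothetical hosts and scores).
SAMPLE_ALERTS = [
    Alert("ws-0412",    confidence=0.05, severity=0.30, asset_value=0.20, impact=0.10, corroborated=False),
    Alert("ws-0417",    confidence=0.95, severity=0.90, asset_value=0.40, impact=0.20, corroborated=True),
    Alert("db-prod-01", confidence=0.95, severity=0.90, asset_value=1.00, impact=0.95, corroborated=True),
    Alert("ws-0420",    confidence=0.50, severity=0.40, asset_value=0.30, impact=0.30, corroborated=False),
    Alert("ws-0421",    confidence=0.80, severity=0.60, asset_value=0.50, impact=0.40, corroborated=True),
]

if __name__ == "__main__":
    for host, r in triage(SAMPLE_ALERTS).items():
        print(f"{host:12s} -> {r.name}")
    # With the autopilot ceiling lowered, the same confirmed alert goes to an analyst.
    print("ws-0417 with max_level=ENRICH ->",
          decide(SAMPLE_ALERTS[1], Policy(max_level=Response.ENRICH)).name)
```

Run as a script it prints one response per sample alert. The ladder makes the notes' point concrete: an alert that justifies action but not full isolation still gets the portion of the response that is safe (ws-0421 is contained, not isolated), the crown-jewel host db-prod-01 is handed to an analyst even though the calculation says act, the low-confidence uncorroborated alert is closed without analyst time, and lowering max_level turns a confirmed alert into an escalation rather than a silent no-op.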