In this Help Net Security interview, Mick Baccio, Staff Security Strategist at Splunk SURGe, discusses the future of cybersecurity, emphasizing the importance of data analytics and automation in addressing evolving threats.
He discusses changes in threat tactics, the role of automation in reducing human error, and the challenges of implementing data analytics, and envisions a future in which AI assistants transform security operations.
How have cybersecurity threats evolved in recent years, and what role do data analytics and automation play in addressing these evolving threats?
In recent years, cybersecurity threats have undergone a notable evolution, marked by the subtler tactics of mature threat actors who now leave fewer artifacts for analysis. The old metaphor ‘looking for a needle in a haystack’ (to describe the detection of malicious activity) is now more akin to ‘looking for a needle in a stack of needles.’
This shift necessitates the establishment of additional context around suspicious events to effectively differentiate legitimate from illegitimate activities. Automation emerges as a pivotal element in providing this contextual enrichment, ensuring that analysts can discern relevant circumstances amid the rapid and expansive landscape of modern enterprises.
The landscape of cyber threats continues to further evolve, and recent high-profile data breaches (MOVEit, Accellion, GoAnywhere, etc.) underscore the gravity of the shift. In response to these challenges, data analytics and automation play a crucial role in detecting lateral movement, privilege escalation, and exfiltration, particularly when threat actors exploit zero-day vulnerabilities to gain entry into an environment.
Furthermore, the deployment of AI and LLMs has become a game-changer in the realm of cybersecurity. Threat actors are increasingly utilizing AI and LLMs to enhance the speed and effectiveness of their attacks, as seen in the creation of more convincing phishing emails using tools like GenAI. To effectively counter these evolving tactics, network defenders must embrace automation to stay ahead of the dynamic threat landscape and protect against sophisticated cyber threats.
How can automation help reduce the risks associated with human error in cybersecurity?
Automation serves as a valuable asset in mitigating the risks associated with human error in cybersecurity. Given the inherent susceptibility of humans to mistakes compared to robots, a strategic approach involves identifying areas where analyst misclassification could be costly or likely to occur. By pinpointing such vulnerable points, automation can be effectively employed to replace tasks where cognitive bias and decision fatigue may potentially induce errors.
For instance, complex multi-step incident response workflows, such as quarantining a host, blocking an indicator, and searching for additional compromised assets, can be automated to minimize the likelihood of costly oversights or missed steps. This targeted application of automation aims to enhance the accuracy and efficiency of cybersecurity processes.
It is crucial to recognize that automation is most effective when used as a tool to augment human workflows rather than entirely replacing tasks and responsibilities. Addressing decision fatigue and bias, automation becomes a supportive force, enabling security analysts to collaborate seamlessly with automated tools. This collaborative approach accelerates and scales operations while concurrently reducing the probability of human error. In this way, automation becomes an essential ally in enhancing cybersecurity resilience.
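The multi-step containment workflow described in the answer above (block an indicator, hunt for other affected assets, quarantine the hosts), as an added example written for this page; it is not code from the interviewee or from Splunk. The telemetry rows, the alert, and the SimulatedEnvironment class standing in for EDR and firewall APIs are constructed assumptions. The point it makes is the one the answer makes: the step order is fixed, every action is recorded with its outcome, and a failed action is surfaced for the analyst instead of being silently skipped.

```python
"""Added example (not from the interview or Splunk): a fixed-order containment
playbook that records every action, so a failed step is surfaced to the analyst
rather than silently skipped.  The telemetry, the alert and SimulatedEnvironment
(standing in for EDR and firewall APIs) are constructed for this example."""
from dataclasses import dataclass, field

# Constructed telemetry: each row is one outbound connection plus the hash of the
# process that made it.  A real playbook would query the SIEM for this.
TELEMETRY = [
    {"host": "ws-014",  "dest_ip": "203.0.113.5",  "sha256": "aa11"},
    {"host": "ws-014",  "dest_ip": "198.51.100.9", "sha256": "bb22"},
    {"host": "ws-022",  "dest_ip": "203.0.113.5",  "sha256": "cc33"},
    {"host": "srv-db1", "dest_ip": "192.0.2.44",   "sha256": "aa11"},
    {"host": "ws-031",  "dest_ip": "192.0.2.10",   "sha256": "dd44"},
]


@dataclass
class SimulatedEnvironment:
    """In-memory stand-in for the EDR and firewall APIs (assumption: real ones
    would be REST calls).  Hosts listed in offline_hosts cannot be quarantined."""
    offline_hosts: set = field(default_factory=set)
    quarantined: set = field(default_factory=set)
    blocked: set = field(default_factory=set)

    def quarantine(self, host: str) -> bool:
        if host in self.offline_hosts:
            return False          # EDR cannot reach the host: the action fails
        self.quarantined.add(host)
        return True

    def block(self, indicator: str) -> bool:
        self.blocked.add(indicator)
        return True


def hunt(telemetry, indicators):
    """Return every host whose telemetry contains any indicator (IP or hash)."""
    return {ev["host"] for ev in telemetry
            if ev["dest_ip"] in indicators or ev["sha256"] in indicators}


def run_playbook(env, telemetry, alert):
    """Block -> hunt -> quarantine, always in that order.  Every action is logged
    with its outcome; failures are collected and flagged for analyst follow-up."""
    indicators = set(alert["indicators"])
    record = {"steps": [], "failed": []}

    def act(step, target, action):
        ok = action(target)
        record["steps"].append((step, target, "ok" if ok else "FAILED"))
        if not ok:
            record["failed"].append((step, target))

    # Step 1: block the indicators at the perimeter before touching any host,
    # so hosts found later cannot keep talking to the same infrastructure.
    for ioc in sorted(indicators):
        act("block", ioc, env.block)
    # Step 2: hunt for other hosts that touched the same indicators.
    affected = {alert["host"]} | hunt(telemetry, indicators)
    # Step 3: quarantine the alerting host and everything the hunt found.
    for host in sorted(affected):
        act("quarantine", host, env.quarantine)

    record["affected_hosts"] = sorted(affected)
    record["needs_analyst"] = bool(record["failed"])
    return record


if __name__ == "__main__":
    env = SimulatedEnvironment(offline_hosts={"srv-db1"})
    alert = {"host": "ws-014", "indicators": ["203.0.113.5", "aa11"]}
    result = run_playbook(env, TELEMETRY, alert)
    for step in result["steps"]:
        print(*step)
    print("needs analyst:", result["needs_analyst"], result["failed"])
```

With the constructed data the hunt pivots from the single alerting workstation to two more hosts that touched the same IP or hash; the quarantine of srv-db1 fails because the simulated EDR cannot reach it, and that failure is what gets handed back to the analyst, which is the augment-not-replace division of labour the answer describes.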
What are some of the most prominent challenges organizations face when implementing data analytics in their cybersecurity protocols?
Implementing data analytics in cybersecurity protocols presents organizations with several prominent challenges. One key challenge is the dilemma of prioritizing threats effectively. Organizations grapple with the question of which threats to prioritize amidst the vast array of potential risks. This decision-making process involves determining the criticality of different threats and allocating resources accordingly.
Another significant challenge revolves around handling the multitude of security detection content available in both products and open-source repositories. Organizations need to navigate through this abundance of information to identify relevant and effective security measures for their specific cybersecurity needs.
Allocating analyst resources across disciplines poses yet another challenge. Determining how to distribute and utilize the expertise of cybersecurity analysts efficiently is a crucial consideration. Organizations need to strike a balance in resource allocation to address various aspects of cybersecurity effectively.
Moreover, organizations face the challenge of qualifying and quantifying their coverage, particularly concerning frameworks like MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures). Understanding the extent of coverage and ensuring comprehensive protection against potential threats within such frameworks requires careful evaluation and strategic planning.
Additionally, fine-tuning data analytics over time introduces a challenge that involves trial and error. Learning and perfecting the art of prioritizing data, utilizing tools for optimal insights through queries and dashboards, and refining analytics processes demand a considerable investment of time and effort. This iterative process is essential for organizations to enhance the effectiveness of their data analytics in bolstering cybersecurity protocols.
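Two of the challenges in the answer above, rationalising a pile of detection content and quantifying MITRE ATT&CK coverage against the techniques you actually prioritise, can be put into one small calculation. The following is an added example written for this page, not code from the interviewee or from Splunk. The rule list, the priority weights and the technique-to-tactic table are constructed; the tactic table is a hand-copied subset of ATT&CK and would normally be loaded from the published STIX data.

```python
"""Added example (not from the interview or Splunk): weight-based ATT&CK
coverage for a set of detection rules tagged with technique IDs.  Rules,
priorities and the technique->tactic table are constructed for this example."""
from collections import defaultdict

# Hand-copied subset of ATT&CK technique -> tactic(s) (assumption: a real
# implementation would read this from the ATT&CK STIX bundle).
TECHNIQUE_TACTICS = {
    "T1190": ["initial-access"],
    "T1566": ["initial-access"],
    "T1059": ["execution"],
    "T1003": ["credential-access"],
    "T1068": ["privilege-escalation"],
    "T1021": ["lateral-movement"],
    "T1048": ["exfiltration"],
    "T1078": ["initial-access", "persistence", "privilege-escalation", "defense-evasion"],
}

# Constructed priority list, e.g. from a threat profile: technique -> weight.
PRIORITIES = {"T1190": 3, "T1059.001": 2, "T1003.001": 3, "T1068": 3,
              "T1021.002": 2, "T1048": 2, "T1566": 1, "T1078": 2}

# Constructed detection content, tagged with ATT&CK IDs the way Sigma rules are.
RULES = [
    {"id": "win_lsass_access",        "techniques": ["T1003.001"], "enabled": True},
    {"id": "win_mimikatz_cmdline",    "techniques": ["T1003.001"], "enabled": True},
    {"id": "ps_encoded_command",      "techniques": ["T1059.001"], "enabled": True},
    {"id": "smb_admin_share_lateral", "techniques": ["T1021.002"], "enabled": False},
    {"id": "web_shell_upload",        "techniques": ["T1190"],     "enabled": True},
    {"id": "dns_tunnel_volume",       "techniques": ["T1048.003"], "enabled": True},
]


def parent(technique_id):
    """T1003.001 -> T1003; a parent technique maps to itself."""
    return technique_id.split(".")[0]


def coverage_report(rules, priorities, technique_tactics):
    # technique id -> enabled rules claiming it (disabled rules give no coverage)
    covered = defaultdict(list)
    for rule in rules:
        if rule["enabled"]:
            for tid in rule["techniques"]:
                covered[tid].append(rule["id"])

    def is_covered(tid):
        # Exact match, or, for a parent technique, any enabled rule on one of
        # its sub-techniques.  A sub-technique needs an exact tag; a rule tagged
        # only with the parent says nothing about which variant it catches.
        if tid in covered:
            return True
        return "." not in tid and any(parent(c) == tid for c in covered)

    total = sum(priorities.values())
    got = sum(w for tid, w in priorities.items() if is_covered(tid))

    per_tactic = defaultdict(lambda: [0, 0])       # tactic -> [covered, total]
    for tid, w in priorities.items():
        for tactic in technique_tactics[parent(tid)]:
            per_tactic[tactic][1] += w
            if is_covered(tid):
                per_tactic[tactic][0] += w

    return {
        "weighted_coverage": round(got / total, 2),
        "uncovered": sorted(t for t in priorities if not is_covered(t)),
        "per_tactic": {k: round(c / t, 2) for k, (c, t) in per_tactic.items()},
        # several rules on one technique: candidates for consolidation
        "redundant": {t: r for t, r in covered.items() if len(r) > 1},
        # content you own but are not running: cheapest coverage to regain
        "disabled_rules": [r["id"] for r in rules if not r["enabled"]],
    }


if __name__ == "__main__":
    for key, value in coverage_report(RULES, PRIORITIES, TECHNIQUE_TACTICS).items():
        print(f"{key}: {value}")
```

Two details matter for the numbers to mean anything. Coverage is weighted by the priority list rather than counted over all of ATT&CK, so the figure answers "how much of what we care about can we see" instead of rewarding rules for techniques nobody targets us with; and a disabled rule counts as no coverage, which is why the constructed lateral-movement tactic scores zero even though a rule for it exists.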
How do you envision the future of cybersecurity with the advancement of data analytics and automation technologies?
Envisioning the future of cybersecurity in light of the advancing data analytics and automation technologies reveals a transformative landscape. In the near term, the integration of AI-assistants is poised to revolutionize the way analysts investigate and interpret data. These AI tools will serve as invaluable aids, streamlining the analytical process and enhancing the efficiency of cybersecurity operations.
Looking further ahead, I anticipate a further shift, where AI-assistants evolve to independently triage and investigate alerts. Analysts could transition into roles primarily focused on final classification decisions and remediation actions.
What advice would you give cybersecurity professionals looking to enhance their data analytics and automation skills?
Stealing a line from Ted Lasso – “Be curious.” Having spent my career in this field, I think it is that curiosity that has allowed me to be successful. Experiment. So much of cybersecurity is ‘learn by doing,’ and with the seemingly exponential growth in technology, technical curiosity will lead to solutions that advance not only cybersecurity, but help raise the security posture of organizations globally.