Security vendors' pursuits of an autonomous security operations centre (SOC) are fruitless, according to claims by a leading industry analyst.
According to Allie Mellen, senior analyst at Forrester, security vendors are all searching to build an all-in-one product that could entirely automate the many functions of a security team but the idea would be almost impossible to implement due to technical and logistical limitations.
Mellen argued that although automation has been instrumental in areas such as automating back office functions, and is increasingly powerful for security applications, the complexity with which threat actors operate means a machine could never fully protect against their various techniques.
Threat actors are also highly unpredictable in their methods and anticipating the next move in any engagement would require a well-trained human mind, she said.
“In contrast, security tools must follow a set of rules - they are built with an intention in mind, whether it’s to detect threats on the endpoint or to find anomalies in otherwise consistent data,” said Mellen in a blog post.
Security oversight still demands escalation to human workers and always will, Mellen added, especially with complex environments in which automated systems could “go off the rails".
“These constraints force a limitation on technology that cannot be overcome without the aid of humans. If an organisation uses endpoint detection and response, an attacker will find a way to bypass it or not target an endpoint. If an organisation collects all logs from every single asset into a security information and event management system, an attacker will find a vulnerable employee to leverage for covert access.”
Theoretical upsides to fully automated SOCs and security orchestration, automation, and response (SOAR) solutions include the reduced impact of cyber skills shortages on organisations and fewer data protection weak points among employees, but human decision-making is still required for the best protection.
The retained need for human input is the key differentiator between SOAR and fully-autonomous solutions and although companies such as Google Cloud and MITRE have taken steps to provide customers with pre-built threat-hunting queries in their environments, no one is selling an out-of-the-box, fully automated cure-all to security fears.
Tech giants including Microsoft continue to offer business security solutions that blend automation and expert insight. Providers that offer security as a service might yet fulfil the same role as automated security for smaller businesses, as this still has the end result of freeing employees from the burden of threat management.
Firms such as QuSecure even offer ‘quantum security as a service.’ In this sense, it could be argued that there is less of a need for a fully-automated SOC, with hybrid solutions working well.
A number of meaningful advances have been made in recent years using artificial intelligence (AI) and machine learning (ML) in security applications.
In 2022, AI cyber security software has continued to innovate and has seen the uptake of tools capable of identifying suspicious web traffic, such as NDR products.
Microsoft and Darktrace partnered on AI cloud security in 2021, while it was recently revealed that MI5 and the Alan Turing Institute have collaborated on AI since 2017 with the specific focus of using the technology for defence and security.
Additionally, a great deal of research and development is being done into the potential for deep learning solutions to threat actors, which carry the potential to predict ransomware strategies, or even combat AI malware developed by leading-edge threat actors.
