In this interview with Help Net Security, Daniel Clayton, VP Global Security Services and Support at Bitdefender, talks about the cybersecurity skills shortage gap and the role of automation in improving the work of cybersecurity professionals.
It is crucial for all organizations nowadays to invest in their SOC team to enhance their security posture. How widespread is this realization among enterprises?
I think the realization is relatively widespread today. High profile attacks over the last five years put cyber on the boardroom agenda and ensured enterprises are paying attention to security and Security Operations Centers (SOCs). This is why services like MDR are growing so fast. If we look at investments in technology driving automation across SOCs, it’s still a relatively new concept and tends to be bolted on later to solve for scale, so enterprise budget holders are less invested than security teams are.
The teams that are building and delivering security operations or outsourcing MDR understand the huge role automation plays because they live it every day. Yet, we still see organizations applying a traditional model of building something manual and reliant on research and then plugging in automation as needed. That’s just where we are as an industry and that’s how most enterprises with security teams approach the automation process. Teams need to start implementing on top of automation from the start; if you build for automation first, you can build for things that you didn’t even know you could automate.
How can automation improve threat hunting and incident response?
Effective threat hunting and incident response are reliant on informed decision-making about what has happened, what is happening now and what is most likely to happen next. Decision-making is reliant on context, and context comes from multiple sources (telemetry, threat intel, knowledge bases, etc.) and getting it in front of the analyst fast enough for him or her to make an informed decision. That is what automation can help solve.
We as security teams know we’re going to be attacked. The nature and scale of looming attacks are out of our control, but what we can control is how readily equipped our security teams are to respond. We can quickly apply the knowledge of the environment (what tech do we have? what tools do we have running? etc.) and our knowledge of the attacker (the way they operate, the tactics, techniques and procedures they use, etc.), and discern what bad actors’ objectives are, what their intent is, their likely course of action and what they are ultimately trying to achieve. Then we can make an informed decision about response actions that we can take to defeat the attack.
The same goes for the benefits of automation when it comes to threat hunting. Modern security organizations can automate that backend legwork so analysts can spend less time triaging cases and more time honing the experience, expertise and intuition needed to develop relevant hypotheses about potential attacks and deliver hunts that prove or disprove those hypotheses.
Could automation remove the human element completely or is it perceived as an enhancement to the work of cybersecurity professionals?
The human element is the decision-making engine behind what we do, and the automation provides the timely delivery of context to quickly and effectively do it well. The value in automation comes when it is leveraged in tandem with human expertise, not as a dilution of one over the other.
What automation does is drive more information and context to the analysts/cybersecurity professionals to augment their work, but it’s the circumventing of knowledge that the analysts bring to the table that can’t be replicated by technology tools. These tools automate enrichment, which provides the analysts with the context of the environment, but does not replace the need for the human intuition that you get when you combine experience and expertise. It is intuition that enables analysts to detect and respond to activity that tools just don’t see.
Do you think automation can be an answer to the growing shortage of cybersecurity professionals?
My view of the skill shortage is not that there is a shortage of people; it’s a problem with a shortage of experienced experts out there that can do the job needed in today’s threat landscape. This might not be a popular opinion in the market, but in my experience, there’s a wide margin of difference between analysts ‘on paper’ and analysts that can be productive in a modern security operation.
Automation is not the answer to the cybersecurity professionals shortage gap, but it can deal with much of the lower-skilled repeatable work to enable analysts to focus on the tasks that set them apart from technology-driven solutions.
What can be done to close the cybersecurity skills shortage gap?
Take security out from under the IT organization. If you lump security into the IT organization, then security becomes IT work and that’s not what it is. All too often I see organizations that have system administrators that have minimal security experience or ambition, yet they find themselves leading security teams. Don’t hire IT professionals only to turn them into security professionals by default. Security needs to be treated as a career path not a job.
Rethink the role of analysts. An analyst traditionally looks at data post-event and makes recommendations about what should be done moving forward to prevent incidents. But that’s not the role anymore – they are cyberwarfare operators. They work in real time, triaging complex security environments that require analysts to know their field, know their environment and have the confidence to make decisions. As an industry, we need to have a clearer delineation between various analyst roles – there’s a difference between an analyst that works in a SOC versus a vulnerability or forensic analyst.
Diversity. The conversations taking place around diversity, equity and inclusion are industry-agnostic. But, specifically within the cybersecurity field, it’s an area that needs more attention. As an industry we need to do a better job of appealing to women in cyber and tech roles at large in order to challenge the status quo.
Career management. A frustration I frequently see and hear is around a common misconception that analysts chase money. That may be true sometimes, but mostly, if you don’t manage your teams’ careers, then they will manage their own. If you can’t present your team with a clear upward trajectory for their career paths, and confidence that, as an organization, you’re building career momentum for them within your organization, then they will move on. Oftentimes, the people I hear complain about the career shortage gap aren’t providing the basic fundamentals around career and people management that are expected from an employee base.
Invest in education and training. The main areas we focus on during the hiring stage and early career development are aptitude and the ability to think like an analyst. Moreover, can an analyst think from the perspective of a potential attacker? Having that natural aptitude is almost something you can’t teach, but with this in mind we invest in education models and build employee training that caters to exactly what we need from them in these roles. We’re transparent in expectations and provide this education throughout their entire career.
This is a fast-moving, disruptive industry – clouds, microservices, etc. All of these technology platforms bring with them risks that can be exploited by bad actors. It is critical that our teams know these platforms as well as the bad guys do and understand the vulnerabilities associated, whether inherently or in the way they are deployed across the customers’ environment. And that won’t happen without frequent training in the newest technologies.
Even with a highly skilled team, in just two years’ time that team will be outdated and no longer applicable to the threat landscape and cybersecurity environment. Making team members better than they were when they arrived not only makes us better, but drives retention and leaves you with high-quality people at a price lower than if you hired from the street, or worse, from another company.