Given the growing number and complexities of today’s cyberattacks, it is no secret that implementing cybersecurity products and services comes with a substantial price tag. However, when considering what level of cybersecurity is needed, insufficient security measures can lead to disastrous consequences and significantly affect a business’ reputation and budget.
Deciding the level of cybersecurity an organization needs can be a challenge. On the one hand, companies likely want to find effective yet cost efficient solutions, while on the other, the cost of an error when introducing cheaper tools is far too high. One solution could be to automate incident prevention, as it can reduce costs and eliminate the human mistake factor. However, in practice, effective cyber protection is only possible with a combination of automated solutions and human effort.
Why is that? The main reason is that cybercrimes are committed by human beings. Attackers constantly come up with new ways to bypass security systems, invent and implement new sophisticated cyberattack tactics and actively use people’s weaknesses to gain access to a company’s infrastructure. Even the most sophisticated artificial intelligence (AI) can’t combat the variety of malicious activities because it works on the basis of previously acquired and learned experience.
With this in mind, it is important to explore and consider several cybersecurity practices that require human involvement.
Detection of complex threats
Even the most carefully tuned sensors can’t detect previously unknown malicious activities. This is because such attacks usually consist of a series of separate and legitimate actions that could easily be confused with system administrator or common user actions.
AI that analyses telemetry from sensors also has limitations, as it can’t collect and process all possible data or actions that occur at different times. Even if that was possible, situational awareness becomes a challenge. This term refers to the availability of information about all the processes currently taking place in the infrastructure. For example, AI could observe what it believes to be a human-driven APT, but it turns out to be a dedicated employee conducting research. This can only be uncovered by contacting the user directly. Situational awareness is crucial to differentiate true incidents from false-positive alerts such as this, no matter if the alert logic is based on a particular attack technique behavior pattern or anomaly analysis.
This doesn’t mean that AI is ineffective in terms of threat detection. In fact, it can successfully combat 100% of known threats and, when properly configured, can significantly reduce the burden on analysts. The joint force approach of human involvement paired with artificial intelligence requires special skills, high-grade analyst experience and constant algorithm adjustment.
When identifying new threats, proactive manual threat hunting is also required. Proactive threat hunting allows security teams to identify current cybercriminal and cyber espionage activity in the network, understand the reasons behind these incidents and the possible sources, and effectively plan mitigation activities that will help avoid similar attacks.
In summation, analysts are needed to constantly adjust and retrain the AI-based algorithm, enabling it to detect new threats as well as test the efficiency of the improvements.
Advanced security assessments
Assessments are crucial to gain a detailed perspective of a company’s cybersecurity readiness. There are automated solutions designed for this, such as vulnerability assessments that can help discover publicly-known vulnerabilities among a strictly defined set of systems. This service uses a database of already known security issues, but can’t test security system resilience towards sophisticated attacks and unconventional adversaries’ behavior.
To ensure that the company is able to protect itself, more advanced assessment processes should be implemented. For example, services that can actually simulate a cyberattack, such as penetration testing and red teaming, that are mostly manual and based on a specialist’s knowledge and experience. These approaches use a mix of techniques, tactics and procedures and adjust to the company’s specific cyber defense capabilities, imitating the real behavior of attackers.
Studies indicate that the average organization faces over 700 social engineering attacks each year. Moreover, weak passwords and phishing emails are still among the top initial attack vectors.
While cybercriminals are inventive, an organization’s defense team can’t completely withdraw themselves from security awareness processes. A company’s employees need to have a clear understanding of the importance of cybersecurity policies as well as the consequences of their actions. That is why it is not enough to simply develop an awareness manual or test that is only used for onboarding new team members. The cybersecurity team should keep an eye on the relevance of their security education and invent new and non-standard approaches to deliver crucial information to their colleagues or outsource their security awareness training.
When considering whether or not to fully automate an organization’s cybersecurity needs, the all or nothing approach to AI should be reconsidered. Instead, the solution lies somewhere in the middle. Only a smart mix of automated services with human creativity, skills and control can ensure comprehensive cyber defense.