3 Reasons Automation Is an MSSP's Best Friend

Recent analysis by my team focusing on critical and high-severity detections revealed that 96 percent of firms reported seeing at least one severe exploit during the second quarter.. News of these attacks and breaches – and their consequences, such as fines and loss of consumer trust – has spurred organizations across industries to take action.

The challenge is that you, and your, customers simply can’t see enough or respond fast enough using manual response. Cybercriminals actively are adopting automation to increase the volume and speed of their attacks, allowing them to launch multiple malware volleys simultaneously, each loaded with its own library of exploits. This challenge will only increase as criminals also begin incorporating machine learning into their attacks, allowing malware to more efficiently detect and target specific vulnerabilities.

Compounding this problem further, your customers’ networks are becoming increasingly interconnected through the adoption of multicloud strategies, the escalating deployment of IoT devices and the growth of applications and smart devices connecting to critical resources, which means their security teams must now monitor more traffic than ever, with little to no increase in the resources available to do so. And, they’re often saddled with silos that make things worse.

When properly implemented, automation allows you and your customers’ security specialists to reduce the time spent on breach detection and close the gap between detection and response. Automated security solutions enable them to keep pace with increasingly sophisticated and high-speed attacks, reduce redundancies in tedious tasks such as patching, and coordinate real-time responses across multiple security and network devices, allowing overburdened IT personnel to focus on higher-order activities.

In spite of these advantages, there are still plenty of security pros who remain hesitant to trust automated technology solutions. If you leave aside concerns that automation will put them out of job – unlikely given the acute IT talent shortage – that leaves three core fears that I often hear:

Inaccuracy and Loss of Control

One concern is that automation reduces authority over controls, such as deciding who can access network resources and how data may be moved and managed. Without hands-on control, some IT professionals fear, they will be less able to identify threat trends and take preemptive measures.

There are also concerns that automated systems may miss something, especially a complex, multivector attack that a security professional might have caught.

Given the sophistication of today’s automated solutions, these concerns are largely unfounded. Automated and integrated security actually enhances control by reducing the complexity of monitoring today’s rapidly expanding and dynamically evolving networks. It also extends visibility by rapidly sorting through large volumes of data to detect anomalous behavior.

When integrated with AI and machine learning, automation also can quickly detect patterns and take countermeasures at speeds no human can achieve. Your customers can then focus their human resources on more complex tasks, such as analyzing and refining automated responses, reviewing intelligence updates and improving policies and processes.

False-Positives & Performance

Another concern is the fear of false-positives. If controls are too sensitive, they can potentially block legitimate requests as potential threats. They can also lead to alert fatigue, which occurs when there are so many incidents being reported that security teams become desensitized to alarms and don’t validate reported incidents.   

By adding machine learning to automation, however, solutions are able to better understand the context of the network over time, enabling an increasingly more accurate assessment of which traffic is malicious and which is legitimate. By running automation in monitor-only mode while the system baselines normal network behavior, IT teams can see a dramatic reduction in false positives over time, giving them confidence in the solution when it goes live. And since these solutions can also be taught to respond to certain suspicious behaviors autonomously, security teams will not have to evaluate each alert, thereby avoiding alert fatigue.

Security Evasion Technology

Cybercriminals are developing sophisticated attacks specifically designed to avoid detection. Polymorphic malware constantly evolves to disguise identifying code, and situation-aware ransomware uses anti-detection technology to increase its chances of infecting targeted systems. GandCrab, a ransomware that has seen significant growth in 2018, now uses agile development to counter updates to anti-malware products.

While some may fear that automated security won’t be able to detect these more sophisticated threats, autonomous security is actually one of the best defenses against them, especially as they typically occur at digital speeds.

To achieve this, your customers must tie automation to an integrated approach to security that enables the sharing and correlation of information and response across distributed security devices. For example, advanced sandboxing solutions can automatically detect thousands of code variations within a malware family, something that no human operator can do. That automated solution, however, needs to be tied to an integrated security fabric that contains all available security resources. Then, once malicious code is detected, it can be automatically blocked everywhere, thereby addressing the threat at machine speed.

Rather than replacing technologists, automation enables your customers’ security teams to be more strategic with their time. They can focus their limited human resources on higher-order activities such as discovering and analyzing threat trends rather than manually evaluating each request and alert. By enhancing visibility, reducing alert fatigue, taking over menial tasks and responding to threats at machine speeds, automation enables your customers to focus on those tasks that enable them to stay a step ahead of the cybercriminal communities that mean them harm. 

Jon Bove is the vice president of Americas channels at Fortinet. In this capacity, Bove and his team are responsible for strategizing, promoting and driving the channel sales strategy for partners in the United States as the company seeks to help them build successful – and profitable – security practices.