How I Learned To Stop Worrying And Love… Autonomous Security?
Wandering around Gartner Summit last week I was surprised how much I was seeing the term “autonomous’’ making its way into vendor marketing. As much as this term is anathema to many practitioners, it is making its way into our collective consciousness so I thought I might dig into some of the feedback I’m hearing from customers and what it means from where I’m sitting.
What Does Autonomous Security Mean And Why Is It Scary?
Whether you’re horrified by the term or think it’s a bit of marketing genius, it’s easy to look at the word autonomous and realize that the implication is that the software would be taking decision-making away from the practitioners you’ve entrusted to defend the business from cyberthreats as well as software that may inadvertently cause outages. People like making decisions and frequently equate it to freedom — one would certainly rather have more options than fewer. Relinquishing control is scary, and the farther we get away from decision trees that we understand the harder that can become. So let’s think about this in simple terms. The simplest example I can think of would be the conditional of signature based malware detection as a preventative control. In this situation, we’re looking at an if-then conditional where if a file hashes to something we know to be bad, we allow the machine to block execution. This rather elementary example is a form of autonomous decision making that has allowed organizations to add resilience to their desktop environments for 30 years. The difference between this and the complex mathematical decision making that can be attributed to some branches of Artificial Intelligence is that the decisions being made and how they are going to impact the environment isn’t clear. Hold my beer and trust me are two words you should never hear from a vendor.
Vendor Marketing Needs To Provide Transparency
Quite simply, vendors need to help organizations understand the decision making processes behind so-called “autonomous security” from the models that are being used and how they are being trained while providing granularity about the types of response actions that may be taken in the environment. It’s an imperative that we provide more transparency not only to help organizations get comfortable with relinquishing some control in favor of allowing these complex systems to help them secure their environments, which is why we’re in this industry to begin with. Vendors simply can’t throw out terms like “autonomous security” and think their work is done. This is going to be particularly difficult for less technical marketing teams so this is a call to arms for product teams to work closer with marketing as well. If this doesn’t happen, the term “autonomous” is exactly the garbage term that says nothing about what the product does that many in this industry are afraid of.
So What Is The Promise of Autonomous Security?
We’ve been dealing with the burden of poorly integrated point solutions requiring manual processes around solutions such as SIEM to help centralize visibility across our security infrastructure for 20 years. We all recognize that there’s got to be a better way. Working at Palo Alto Networks, I’m seeing autonomous security as seeking to combine real-time asset inventory and management with threat detection and response.
Imagine having real-time attack surface visibility combined with orchestrated processes for enforcing policy on newly discovered assets where part of this policy enforcement would add these newly discovered assets as log sources to an analytics engine where detection rules are managed by the company selling you the product instead of leaving that burden on internal teams or outsourced service providers. The final piece of the puzzle requires the ability to respond using native XDR or SOAR capabilities, automated in specific environments to whatever level the deploying organization is comfortable, but still enabling single click remediation. I think this is all good, and it’s something a lot of organizations are building piecemeal, but we too need to get better at providing clarity into the analytics and decision making that we are asking our customers to accept. Autonomous security is only an outcome if it can be understood and accepted by the stakeholders whose job it is to secure their environments.
*I really hope the Dr Strangelove reference here doesn’t make me a boomer. :)