The “Non-Trend” of “Full Automation” Workflows in Cybersecurity: A Reality Check
By Oren Koren, CPO & Co-Founder of VERITI
It’s no surprise that there’s been a shift to automated workflows in the past decade. Initially, automation seemed straightforward: detect malicious activity, eliminate it, and prevent future occurrences. However, this binary approach to cybersecurity soon proved inadequate as the complexity of threats and the environments they target expanded. With the average cost of a data breach costing $4.45 million dollars in 2023, organizations demanded more nuanced solutions, leading to the development of Security Orchestration, Automation, and Response (SOAR) platforms. These systems promised to streamline the incident response process by automating tasks based on various inputs, i.e., logs, events, and alerts, thereby transforming the manual processes of Security Operations Centers (SOCs) and risk teams.
The adoption of SOAR technology by Managed Security Service Providers (MSSPs) and Managed Detection and Response (MDRs) services marked a significant milestone in scaling their offerings. Yet, as the market grew, so did the realization that the promise of complete automation—”let the system handle it”—did not fully align with customer needs. Trust, or rather the lack thereof, in fully automated systems to make critical decisions without human oversight became a glaring issue. But even more so, the question of accountability in the event of a mistake by an automated system loomed large – does the blame fall on the vendor, the security team, or perhaps a developer?
Balancing SOAR in a Dynamic Cyber Landscape
Implementing SOAR solutions presented inherent complexities, largely due to the need for continuous adjustment to meet the vast and evolving cyber challenges organizations face. From new partners and security solutions being added to the organization, not only does the threat landscape expand, but so does the way in which automation responds to these new adjustments. This begs the question then: How do you keep an up-to-date security posture if you don’t have full insight into the inner workings of your business environment?
With this skepticism towards full automation, a nuanced market emerged, one that prioritizes security solutions capable of identifying gaps beyond mere log analysis. Modern expectations extend to automation driven by machine learning, offering not just step-by-step playbooks but also the flexibility for customers to engage directly with the remediation process. This approach must be intuitive enough for security analysts to navigate effectively, blending automated efficiency with human judgment.
Rethinking Automation and Building (Human) Trust
The distinction between “automated remediation” and “automatic remediation” has become central to understanding market dynamics. Customers are looking for solutions that provide the scaffolding for automation but leave room for human intervention and decision-making. Furthermore, the demand for open systems, accessible via API for those with the technical prowess, underscores a desire for flexibility and control over automated processes. The key here is adding in some sort of human element because without that automation can’t be fully trusted.
The narrative around full automation in cybersecurity has often been romanticized, painting a picture of a self-sufficient, self-correcting system capable of managing security threats without human intervention. However, this overlooks a fundamental aspect of technology adoption: trust. Trust in technology is not a given; it must be earned and maintained through transparency, reliability, and the ability to intervene when necessary. As we move forward, the challenge for vendors and cybersecurity professionals will be to continue refining these technologies, ensuring they are not only effective and efficient but also trustworthy and adaptable to meet the organization’s needs and the threats posed.
About the Author
Oren Koren is the Co-Founder and Chief Product Officer of Veriti. Oren brings 19 years of experience in cybersecurity, advanced threat analysis, and product management. Prior to founding Veriti, Oren was a Senior Product Manager at Check Point Software Technologies, where he led AI-based innovations and advanced data analytics projects redefining threat hunting and SIEM applications. Before Check Point, Oren served for 14 years at the prestigious 8200 unit and was responsible for different cybersecurity activities and research. Oren won the Israeli Security Award and 3 MOD awards for cutting-edge innovations in cyber security. Oren can be reached at our company website https://veriti.ai/