The Danger of Overreliance on Automation in Cybersecurity

By: Zac Amos
26 December, 2023
Companies should have a healthy balance of tech and human talent when keeping systems safe.

Automation is critical in enhancing cybersecurity efforts, and speed is one of its key benefits. Most cyberthreats spread quickly, such as ransomware or worm attacks, and automated systems can detect and respond to them much faster than humans can. AI also ensures consistency because it can do repetitive tasks with high accuracy. However, it’s easy to rely too heavily on automation to provide cybersecurity. The volume of logs, alerts and incidents is multiplying exponentially, and automated tools can analyze vast amounts of data without getting overwhelmed.

This can be a double-edged sword, though. Companies should have a healthy balance of tech and human talent when keeping systems safe.

Automate with care

Overreliance on automation in cybersecurity can introduce several risks and challenges to organizations. It can aid in addressing the vast number of threats companies face daily, but a balanced approach is crucial. Here are some dangers of being overly dependent on automation in cybersecurity:

  • False sense of security: Believing that automated systems will catch every threat can make organizations complacent. No system is perfect, and new, unforeseen threats are always emerging.
  • False positives/negatives: Automated systems can generate false positives, which can desensitize security teams if they happen frequently. Conversely, false negatives, where a genuine threat goes undetected, can have severe implications.
  • Lack of context: Automated systems lack the human intuition and context needed to evaluate the risk and importance of a particular alert. A seasoned security expert can differentiate between a benign activity that looks suspicious and a genuine threat.
  • Bypass and evasion: Cyber attackers are innovative and can devise methods to bypass or evade detection systems. Companies that are overly reliant on automation might miss these threats.
  • Overhead and complexity: Implementing, maintaining and updating automated security tools can introduce additional complexity into a system, potentially opening up new vulnerabilities.
  • Reduction in human expertise: Over-relying on automation reduces the need for human experts, which means an organization might have fewer experts who fully understand the system. This can be dangerous if things fail or are compromised.
  • Stagnation: Automation, by its nature, follows known rules and patterns. Overreliance can cause organizations to be reactive rather than proactive. They may fail to keep pace with evolving threat landscapes.
  • Interoperability issues: Integrating multiple automated tools can be challenging. This can lead to gaps in security coverage if not managed correctly.
  • Inability to handle zero-day threats: Automation tools rely on known signatures or behaviors. Zero-day threats, which are previously unknown vulnerabilities, can go undetected.
  • Cost implications: The initial and ongoing costs of implementing and maintaining advanced automated solutions can be significant. Overreliance without an accurate cost-benefit analysis can lead to resource allocation issues.
  • Data overload: Automated tools can generate vast amounts of data. It can overwhelm security teams and systems if not properly managed, causing them to miss critical alerts.
  • Reliability concerns: Like any technology, automated systems can fail. Overreliance without redundancy can lead to exposure when these systems experience downtimes.

Cybersecurity and AI go hand in glove

Automation can handle routine tasks for employees, freeing up cybersecurity professionals to focus on more complex and strategic activities. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) analyze network traffic for suspicious patterns, flagging or blocking malicious activities faster than ever. Cybersecurity professionals can also use automation to rapidly contain a threat. For instance, automation can immediately isolate a compromised system to prevent further spread. Automated scanners can check for known vulnerabilities, ensuring organizations know potential weak points.

Other uses of AI in cybersecurity include:

  • Patch management: Automation can help identify missing patches across the infrastructure and sometimes even enact them.
  • Risk assessment: Automated tools can assess an organization's risk posture by analyzing configurations, permissions, and other factors against best practices and standards.
  • Log management and analysis: The automated collection and analysis of logs can help identify suspicious activities and provide forensic evidence in case of an incident.
  • Red and blue team exercises: Automated tools can simulate attack scenarios, or red teaming, and defense strategies, or blue teaming, allowing organizations to test their cybersecurity readiness.
  • Phishing simulation: Automated tools can educate users and assess the organization's susceptibility to such attacks.
  • Threat intelligence: Some platforms can aggregate information about emerging threats from multiple sources and disseminate it within the organization for proactive defense.
  • Backup and recovery: Automation ensures that backups occur regularly and can also support rapid recovery processes after a security incident.
  • Orchestration: Security orchestration, automation and response (SOAR) platforms allow different security tools to work together seamlessly, coordinating their actions and sharing information.

They can also guard against form-jacking, a type of cybercrime that attacked more than 4,000 websites each month in 2018.

Balancing automation with human oversight

The future of cybersecurity isn’t about choosing between humans and automation—it’s about integrating them effectively. Human experts bring intuition, decision-making skills and adaptability. They can see patterns and think outside the box. Automation can process vast amounts of data quickly, provide rapid responses and ensure consistent application of policies. Overreliance on automation for cybersecurity can introduce vulnerabilities and sometimes result in significant security incidents.

One real-life case study that underscores this point is the 2017 Equifax data breach. Equifax, one of the three major credit reporting agencies, was attacked and exposed the personal data of 147 million Americans. The compromised information included names, Social Security numbers, birth dates, addresses and driver's license numbers.

One of the contributing factors to the breach was a missed patch. Equifax failed to patch a known vulnerability—CVE-2017-5638—in its Apache Struts web application framework. While the specifics of Equifax's internal processes were not fully disclosed, many organizations rely heavily on automated scanning tools to identify and sometimes patch vulnerabilities in their systems.

Companies can benefit from several takeaways in this incident:

  • Layered defense: Organizations should not solely rely on automation for their cybersecurity defenses. There should be multiple layers, including automated and manual processes.
  • Human oversight: Automation can significantly improve efficiency and coverage, but human oversight is essential for context and to catch anomalies that tools might miss.
  • Regular review: Systems and tools should undergo regular reviews to ensure they function correctly and catch the vulnerabilities they are supposed to detect.
  • Patch management: Patching should be prompt, especially for publicly known vulnerabilities. A structured process can help ensure problems are addressed promptly.
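As an added illustration of the regular-review and human-oversight takeaways (not part of the original article), this Python example reconciles an asset inventory with scanner output and builds a queue for manual review: hosts the scanner never covered, stale scans, clean results nobody has confirmed, and findings past the patch window. The asset names, dates, data layout and the 7-day and 30-day thresholds are constructed assumptions.

```python
from datetime import date, timedelta

MAX_SCAN_AGE = timedelta(days=7)   # assumed policy: scans older than this are stale
PATCH_SLA = timedelta(days=30)     # assumed policy: patch window for known CVEs

# Constructed sample data (asset names and dates are illustrative only).
TODAY = date(2024, 1, 31)
ADVISORIES = {  # tracked_since = date the CVE entered this constructed tracker
    "CVE-2017-5638": {"component": "apache-struts",
                      "tracked_since": date(2023, 12, 1)},
}
INVENTORY = {  # "verified" = CVEs a human has confirmed as patched on the asset
    "web-portal-01": {"components": {"apache-struts"}, "verified": set()},
    "hr-app-02": {"components": {"apache-struts"}, "verified": set()},
    "db-core-03": {"components": {"postgresql"}, "verified": set()},
    "api-gw-04": {"components": {"apache-struts"}, "verified": {"CVE-2017-5638"}},
}
SCANS = {  # scanner output; db-core-03 is absent because it was never scanned
    "web-portal-01": {"last_scan": date(2024, 1, 30), "findings": {"CVE-2017-5638"}},
    "hr-app-02": {"last_scan": date(2024, 1, 30), "findings": set()},
    "api-gw-04": {"last_scan": date(2024, 1, 5), "findings": set()},
}

def review_queue(inventory, scans, advisories, today):
    """Return (asset, reason) pairs that need a human decision."""
    queue = []
    for asset, info in sorted(inventory.items()):
        scan = scans.get(asset)
        if scan is None:
            queue.append((asset, "never scanned"))      # coverage gap
        elif today - scan["last_scan"] > MAX_SCAN_AGE:
            queue.append((asset, "scan stale"))
        findings = scan["findings"] if scan else set()
        for cve, adv in sorted(advisories.items()):
            if adv["component"] not in info["components"] or cve in info["verified"]:
                continue
            if cve not in findings:
                # A clean scan is not proof of a patch: possible false negative.
                queue.append((asset, f"unconfirmed: {cve}"))
            elif today - adv["tracked_since"] > PATCH_SLA:
                queue.append((asset, f"patch overdue: {cve}"))
    return queue

if __name__ == "__main__":
    for asset, reason in review_queue(INVENTORY, SCANS, ADVISORIES, TODAY):
        print(f"{asset}: {reason}")
```
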

Adding the human touch to automated cybersecurity

Breaches and their aftermath serve as cautionary tales about the dangers of over-relying on automation in cybersecurity. These tools play a crucial role in today's security landscape, but they should be part of a holistic approach that incorporates human judgment, manual validation and regular review processes.

This feature originally appeared on the ISA Global Cybersecurity Alliance blog.
