Fran Howarth, Practice Leader Security, Bloor Research, January 2022

Security is something that should never be left to chance. It requires a coordinated approach that gives organisations the protection they need without requiring an army of personnel first to set the rules and then to check that they are working. Autonomous security addresses this by making decisions about the events it observes, informed by what it has learned from previous events. It builds on automation but takes things a big step further, enabling decisions to be made on the basis of actual risk rather than on fixed rules alone. That makes it a strong choice for any organisation looking to regain control of its security posture.

The need for automation

In IT security terms, automation refers to the use of technology to reduce reliance on manual processes and human intervention that are time consuming and prone to error. Not only does it make security teams more productive, but it helps to ensure that an organisation can maintain a better security posture, reducing risks to the business overall.

Automation has benefits for entities of all sizes, but can be particularly beneficial for midmarket organisations that generally do not have a security operations centre that can be manned around the clock. Such firms often have limited personnel, sometimes with just one person given responsibility for security, and even then that may only be part of their remit.

Automated vs autonomous

Yet, despite all the benefits of automation, recent developments have seen wider recognition of the need for autonomous security. In short, automated security executes rules that someone has already written for the infrastructure in place, whereas autonomous security builds its own understanding of the environment and can act on situations those rules never anticipated.

In practice, this means that automated systems are based on a set of well-defined parameters, with decisions made according to rules that have been set in advance. This removes much of the human error from day-to-day operation, since the decisions and actions taken no longer depend on someone noticing and responding in time; it does, however, leave the system only as good as the rules it was given. Autonomous systems use machine learning and related artificial intelligence techniques to make sense of the data they ingest, so that they can make decisions and take actions with a level of efficiency and efficacy that humans could not match in the dynamic, complex and unpredictable environments that characterise most computing estates today. As such, autonomous systems go beyond automated ones: they can identify anomalies for which no response rule has been written and assess them in order to determine the best action to take. Because that assessment is probabilistic, false positives remain possible, so the actions such systems take should be reviewable and, for the most disruptive responses, subject to human confirmation.

Use of autonomous systems

Much is made of the use of autonomous systems for vehicular control in the form of self-driving cars, which combine sensors that provide information about the environment surrounding the vehicle with control systems that interpret that information to guide the vehicle along an appropriate path without human decision-making. Self-driving technologies, along with robotics and artificial intelligence, are also used in security robots that perform surveillance and security tasks such as detecting and investigating intrusions. And there are numerous other situations in which the use of autonomous systems can and will be advantageous.

In cybersecurity, DARPA, the Defense Advanced Research Projects Agency, has been promoting the use of autonomous systems since 2014, most visibly through its Cyber Grand Challenge, whose 2016 final had fully automated systems find, exploit and patch vulnerabilities in each other's software with no human in the loop. Its aim was to show that, through autonomous security, defenders can move faster than their adversaries by finding new vulnerabilities and stamping them out before damage can be done.

There is a great need for autonomous cybersecurity because threats and attacks are evolving rapidly and growing in sophistication, speed and scale, which makes detection by humans alone a gargantuan task.

The role of UEBA

Whilst it is true that some threats can only be detected at a network level, the role of end users and endpoints in security incidents has been increasing and continues to do so. For attackers, user credentials—and especially those that enable privileged access to sensitive data—are a goldmine. Insiders, whether inadvertently or with malicious intent, may also abuse their access rights, perhaps even leaking information for their own personal gain.

User and entity behaviour analytics (UEBA) is a class of technology developed to address problems such as these. Using machine learning, it analyses data generated by user and device activity to identify behaviour that is out of line with what is expected. The models build a picture of the patterns of behaviour that constitute normal for a given user or, for example, a particular role, and flag activity that deviates from them as anomalous, even where the activity is performed by an authorised user who has been granted the entitlements to do so. Risk scores are generated for the behaviours observed so that only those exceeding a set threshold need to be investigated further.
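The paragraph above describes the mechanics in the abstract; the following is an added illustration, not code from Censornet or from this report, of how a UEBA-style scorer works end to end. It learns per-user and per-role baselines (hosts touched, hours of activity, volume of data moved) from a constructed window of "normal" events, scores new events by how far they deviate, and aggregates risk per user so that only users above a threshold are surfaced. The event fields, point values and the threshold are all assumptions chosen for the example; a real product derives them from far richer telemetry.

```python
# Added example (not Censornet's or Bloor's code): a minimal UEBA-style scorer.
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Event:
    user: str
    role: str
    hour: int        # hour of day (0-23) when the action happened
    host: str        # resource the user touched
    bytes_out: int   # bytes the action moved out of that resource


# Constructed baseline window (not real telemetry): what "normal" looked like.
BASELINE = [
    Event("alice", "finance", 9, "fin-share", 2100),
    Event("alice", "finance", 10, "fin-share", 2400),
    Event("alice", "finance", 11, "fin-share", 1900),
    Event("alice", "finance", 14, "fin-share", 2300),
    Event("alice", "finance", 15, "fin-share", 2200),
    Event("bob", "finance", 8, "fin-share", 3000),
    Event("bob", "finance", 9, "erp", 2800),
    Event("bob", "finance", 10, "fin-share", 3300),
    Event("bob", "finance", 16, "erp", 3100),
    Event("carol", "engineering", 10, "git", 5000),
    Event("carol", "engineering", 11, "build", 5200),
    Event("carol", "engineering", 13, "git", 4800),
    Event("carol", "engineering", 18, "build", 5100),
]

# Constructed events to score: routine activity, one benign oddity, one
# access to a host only role peers use, one that looks like credential
# misuse (odd hour, host nobody in the role uses, huge transfer), and a user
# with no history at all.
NEW_EVENTS = [
    Event("alice", "finance", 10, "fin-share", 2300),
    Event("alice", "finance", 3, "fin-share", 2200),
    Event("alice", "finance", 10, "erp", 2200),
    Event("alice", "finance", 2, "git", 48000),
    Event("carol", "engineering", 18, "build", 5300),
    Event("dave", "finance", 10, "fin-share", 2500),
]


def build_baselines(events):
    """Return (per_user, per_role) profiles learned from the baseline window."""
    per_user = defaultdict(lambda: {"hosts": set(), "hours": set(), "bytes": []})
    per_role = defaultdict(lambda: {"hosts": set()})
    for e in events:
        u = per_user[e.user]
        u["hosts"].add(e.host)
        u["hours"].add(e.hour)
        u["bytes"].append(e.bytes_out)
        per_role[e.role]["hosts"].add(e.host)
    for u in per_user.values():
        u["mean"] = statistics.fmean(u["bytes"])
        # Sample stdev needs two or more observations; otherwise volume is unscorable.
        u["stdev"] = statistics.stdev(u["bytes"]) if len(u["bytes"]) > 1 else 0.0
    return dict(per_user), dict(per_role)


def _near_observed_hour(hour, observed):
    # Tolerate one hour either side of any previously seen hour, wrapping at midnight.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in observed)


def score_event(e, per_user, per_role):
    """Score one event; returns (points, reasons). Higher means more anomalous."""
    points, reasons = 0, []
    role_hosts = per_role.get(e.role, {"hosts": set()})["hosts"]
    profile = per_user.get(e.user)
    if profile is None:
        # Never seen this user: compare against role peers only and note the gap.
        points += 1
        reasons.append("no baseline for user")
        if e.host not in role_hosts:
            points += 2
            reasons.append("host unseen for role")
        return points, reasons
    if e.host not in profile["hosts"]:
        points += 3
        reasons.append("host unseen for user")
        if e.host not in role_hosts:
            # Peers in the same role never touch it either: a stronger signal.
            points += 2
            reasons.append("host unseen for role")
    if not _near_observed_hour(e.hour, profile["hours"]):
        points += 2
        reasons.append("unusual hour")
    if profile["stdev"] > 0:
        z = (e.bytes_out - profile["mean"]) / profile["stdev"]
        if z >= 3:
            # Cap so a single extreme transfer cannot drown out every other signal.
            points += min(5, int(z))
            reasons.append(f"volume z={z:.1f}")
    return points, reasons


def risk_by_user(events, per_user, per_role):
    """Aggregate event scores into one risk figure per user."""
    totals = defaultdict(int)
    for e in events:
        totals[e.user] += score_event(e, per_user, per_role)[0]
    return dict(totals)


def users_to_investigate(events, per_user, per_role, threshold=8):
    """Surface only users whose aggregate risk exceeds the threshold (assumed value)."""
    risk = risk_by_user(events, per_user, per_role)
    return sorted(u for u, r in risk.items() if r > threshold)


if __name__ == "__main__":
    per_user, per_role = build_baselines(BASELINE)
    for e in NEW_EVENTS:
        print(e.user, e.host, e.hour, *score_event(e, per_user, per_role))
    print("investigate:", users_to_investigate(NEW_EVENTS, per_user, per_role))
```

Two design points matter more than the particular numbers. First, the role profile acts as a peer group: alice opening the ERP system she has never used scores lower because her finance colleagues do use it, whereas a host nobody in the role touches scores higher. Second, scores accumulate per user, so several individually minor oddities can still cross the threshold, while a single routine event never does; the small penalty for a user with no baseline is there so that a freshly created or long-dormant account is not silently trusted.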

Putting it all together

UEBA is most useful when it is included as part of an integrated set of capabilities built as a platform. An example of such a platform is Censornet’s autonomous integrated cloud security platform. It covers many of the bases, incorporating email and web security, multifactor authentication and cloud application security, including UEBA.

The fact that it is autonomous, built on technology that incorporates machine learning, makes it easy to operate while reducing the risk of corporate resources being misused. It correlates information about anomalous behaviour and attacks across these services to assess the risk attached to each user and device, which is vital in the fight against scourges such as phishing and ransomware, problems that almost every organisation faces.

Based in the cloud, with no implementation or maintenance required on the part of the user organisation, it is well suited to the needs of midmarket organisations for which larger, traditional suites are out of reach. Priced within the reach of such organisations, it provides an effective way of guarding against attacks, giving peace of mind so that the organisation can carry on with the business at hand.