I’ve been thinking a lot about how the industry defines detection and response. I see more and more detection and response (EDR/XDR/NDR) tools on the market that claim to fully automate detection and response. Layers are an important concept in cybersecurity. All security frameworks advocate for effective prevention, detection, and response layers. Prevention tools create an important first layer. Let’s take antivirus (AV) and intrusion prevention systems (IPS) as easy examples.
What does AV do? It detects the presence of malicious code via signatures, heuristics, or machine learning and auto-responds by killing it. There is little to no need for human intervention when it works correctly.
What does IPS do? It detects malicious inbound network activity and auto-responds by blocking the IP/domain. Similarly, this requires no human intervention when it works, and we widely regard it as a prevention tool. The detection methods have gotten more sophisticated, but when the response to detected activity is automated, this is prevention. However, out of fear of erroneously blocking important traffic, most organizations deploy their IPS in detect-only mode, making it an intrusion detection system (IDS). IDSs focus exclusively on sounding an alarm — but require someone to determine which alarms are true positives, the extent of the issue, and what to do about it.
On the endpoint, AV tools have merged with endpoint detection and response (EDR) tools to provide a similar split of responsibilities: AV for prevention and EDR to log and surface potentially malicious activities where automated blocking would be too risky. Extended detection and response (XDR) tools extend this further by going beyond endpoint data. In line with this, the rhetoric around automated detection and response grows. However, if detection and response could be completely automated, why not just prevent it? The truth is, many suspicious activities will continue to require human validation and intervention. Knowledge of the business, industry and systems is required to determine good from bad. While our goals should be to shift more threats into the prevention zone, automation’s primary role should be to help humans appropriately adjudicate and rapidly respond to the threats that aren’t prevented. Detection and response tools wouldn’t have fancy user interfaces and other bells and whistles if they could be installed as a black box. Many of these tools also have manual response capabilities that a human incident responder can leverage for this very reason. Despite the claims of many vendors, the need for human-powered detection and intervention remains.
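The split described above, automated blocking only where a false positive is cheap relative to the risk and human adjudication for everything else, can be made concrete in a small tiered detection policy. The following is an added example written for this post, not Pondurance's code or any vendor's product; the rule names, the confidence values, the block threshold and the sample network events are all constructed for illustration.

```python
"""Tiered detection policy: auto-block only near-certain rule hits (the IPS /
AV "prevention" tier); route every other hit to a human review queue (the
IDS / EDR "detection" tier); a detect-only switch turns the whole thing into
an IDS, exactly as the post describes organizations doing with their IPS.

Added example, not Pondurance's code. Rules, confidences, threshold and the
sample events below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]

# Constructed threat-intel list; a real deployment would load this from a feed.
KNOWN_BAD_IPS = {"198.51.100.23"}


@dataclass
class Rule:
    name: str
    match: Callable[[Event], bool]   # predicate over one event
    confidence: float                # constructed: historical true-positive rate, 0..1


@dataclass
class Decision:
    event: Event
    rule: Optional[str]
    action: str                      # "block", "review" or "allow"


# Constructed: only hits this certain are prevented without a human in the loop.
AUTO_BLOCK_THRESHOLD = 0.95

RULES: List[Rule] = [
    Rule("known_c2_ip", lambda e: e["dst"] in KNOWN_BAD_IPS, 0.99),
    Rule("ssh_bruteforce", lambda e: e["proto"] == "ssh" and e["failed_logins"] >= 20, 0.90),
    Rule("uncommon_port", lambda e: e["dport"] not in (22, 80, 443), 0.40),
]


def evaluate(event: Event, rules: List[Rule] = RULES, detect_only: bool = False,
             threshold: float = AUTO_BLOCK_THRESHOLD) -> Decision:
    """Pick the highest-confidence matching rule and decide what to do with it."""
    best: Optional[Rule] = None
    for rule in rules:
        if rule.match(event) and (best is None or rule.confidence > best.confidence):
            best = rule
    if best is None:
        return Decision(event, None, "allow")
    # Prevention tier: automated response, no analyst needed when it works.
    if best.confidence >= threshold and not detect_only:
        return Decision(event, best.name, "block")
    # Detection tier: sound the alarm, let a human decide scope and response.
    return Decision(event, best.name, "review")


def triage(events: List[Event], **kw) -> Tuple[List[Decision], List[Decision]]:
    """Run the policy over a batch; returns (auto-blocked, queued for review)."""
    blocked: List[Decision] = []
    review: List[Decision] = []
    for event in events:
        decision = evaluate(event, **kw)
        if decision.action == "block":
            blocked.append(decision)
        elif decision.action == "review":
            review.append(decision)
    return blocked, review


# Constructed sample events (RFC 5737 documentation addresses, private ranges).
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "src": "10.0.0.5", "dst": "198.51.100.23", "proto": "tcp", "dport": 443, "failed_logins": 0},
    {"id": 2, "src": "203.0.113.9", "dst": "10.0.0.8", "proto": "ssh", "dport": 22, "failed_logins": 42},
    {"id": 3, "src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "dport": 8443, "failed_logins": 0},
    {"id": 4, "src": "10.0.0.7", "dst": "10.0.0.10", "proto": "tcp", "dport": 80, "failed_logins": 0},
]

if __name__ == "__main__":
    for mode in (False, True):
        blocked, review = triage(SAMPLE_EVENTS, detect_only=mode)
        label = "detect-only (IDS)" if mode else "prevention (IPS)"
        print(f"{label}: blocked={[d.event['id'] for d in blocked]} "
              f"review={[(d.event['id'], d.rule) for d in review]}")
```

In prevention mode only the known-C2 connection is blocked automatically; the SSH brute-force and uncommon-port hits land in the review queue because their confidence is below the threshold, which is the point of the post: the automation buys time, but someone with knowledge of the environment still has to decide whether event 3 is an attacker or a new internal service. Flipping `detect_only` shows why a detect-only IPS is just an IDS: every hit, including the near-certain one, now waits on a human.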
Prevention tools are leveraging much more sophisticated methods and have become measurably more effective over time. However, we know prevention will never be 100% effective. That fact was the genesis of detection and response technology in the first place. The promise to automate end-to-end detection and response, removing the human, will remain unfulfilled as long as attackers are evolving. Automation is a helpful force multiplier, but true detection and response must leverage human expertise. Every automated system, no matter how sophisticated, can be circumvented by a persistent human adversary. Human threat hunters outperform artificial intelligence (AI) when it comes to analyzing the trail of breadcrumbs left by those threats. Human intelligence is the only match for human adversaries. If all your detection and response is automated, how do you detect when the automated controls fail or leave a gap? If an automated system doesn’t recognize and identify a threat — as they sometimes don’t — then chances are you won’t either until it’s too late.
If you’re one of the many organizations that are unable to staff an in-house team to fill the gaps left by tools, a managed detection and response (MDR) service may be right for you. Learn more about MDR in our eBook: 5 Things to Consider When Choosing an MDR Vendor.
Senior Account Executive | Pondurance
Braden is a Senior Account Executive for Pondurance who focuses on strategic commercial and enterprise accounts in the Midwest. Born and raised in Springfield, Missouri, Braden received his bachelor’s degree from Missouri State University and his Master of Business Administration with an emphasis in strategy from Drury University.
Braden has been with Pondurance for over three years and has worked in IT and security for over 10 years, starting in support roles while completing his undergraduate work at Missouri State. His most recent role before Pondurance was as a project manager for the security consulting division of the large fintech firm Jack Henry & Associates. Braden also ran a small technology consulting firm for two years that focused on remote pharmacy technology integration for small long-term care and skilled nursing facilities.