Coordinating Automation and Human Intervention in Security


Just as digital transformation has brought automation into the day-to-day operations of developers, marketers, and data-driven professions generally, parallel developments of cybercriminal capacities have also capitalized on emerging technologies. In the last two months of 2021, slightly more than half – 54% – of detected cyberattacks were web application attacks employing automated tools.

The Conundrum of Automation in Cloud Security

Although automation is an established staple of network defense technologies like intrusion prevention systems (IPSs) and security orchestration, automation, and response (SOAR), automation solutions have lagged on the side of the human interventions required by the alerts these systems generate. Attacks are becoming both more frequent and more technically adept inside environments – like multi-cloud architectures – that are inherently anomalous in any case. Consequently, the analysts who monitor, triage, and investigate alerts have become increasingly tasked with fighting automation with rote manual effort, increasing alert fatigue throughout the industry.

At the same time, the push for increased automation in security processes often expects automated monitoring to capture and interpret malicious activities – frequently designed to mimic legitimate processes – that only stand out when analyzed in a broader context that reveals causal connections between discrete events. In other words, current network security practices tend to charge human analysts with exactly the sort of tasks in which automated processes excel – sorting large volumes of data according to predetermined rules – while trying to apply process automation to nuanced interpretive problems for which the human mind is far better adapted.

Let Robots do Robot work, and Humans do Human work

Solving for the misalignment of strengths and weaknesses in processes governed by human and automated capabilities requires a fundamentally new approach. Using a lightweight eBPF-based probe, Spyderbat exposes in real time the totality of activities – system calls, network connections, user sessions, and privilege escalations – throughout the entirety of cloud and multi-cloud environments.

Spyderbat automates the linking of system activities based on causal relationships to establish a Universal Causal Graph (UCG). The UCG generates a contextualized visual stream of events for analysts to observe. The Spyderbat Platform continuously observes individual causal sequences, called traces. Traces connect otherwise disparate suspicious or anomalous events, providing early and accurate detection of an attacker’s activities within fast-moving cloud workloads. With the causal context automatically generated by Spyderbat, engineers can apply their skills and experience to precisely the tasks in which they excel – identifying nuance, pattern, and most importantly intent.
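To make the idea of causal linking concrete, here is a small added example (not Spyderbat's code, and not a description of how its UCG is implemented). It assumes a constructed, chronologically ordered stream of host events with three hypothetical record types (`session`/`exec` carrying `pid` and `ppid`, and `connect`/`priv_change` carrying only `pid`), links each event to the event that caused it, and then shows how two separately flagged events (an outbound connection and a privilege change) resolve to the same trace while an unrelated cron job does not.

```python
from collections import defaultdict

# Constructed sample telemetry, in chronological order (not real host data).
# Two suspicious events, e4 and e6, are produced by different processes but
# both descend from the same interactive session, e1. e7/e8 are unrelated.
EVENTS = [
    {"id": "e1", "type": "session",     "pid": 100, "ppid": 1,   "detail": "ssh login alice"},
    {"id": "e2", "type": "exec",        "pid": 101, "ppid": 100, "detail": "bash"},
    {"id": "e3", "type": "exec",        "pid": 102, "ppid": 101, "detail": "curl"},
    {"id": "e4", "type": "connect",     "pid": 102,              "detail": "203.0.113.7:443"},
    {"id": "e5", "type": "exec",        "pid": 103, "ppid": 101, "detail": "sudo"},
    {"id": "e6", "type": "priv_change", "pid": 103,              "detail": "uid 1000 -> 0"},
    {"id": "e7", "type": "exec",        "pid": 200, "ppid": 1,   "detail": "cron"},
    {"id": "e8", "type": "exec",        "pid": 201, "ppid": 200, "detail": "logrotate"},
]


def build_causal_graph(events):
    """Return a parent map: event id -> id of the event that caused it (None for roots).

    A process-creating event (session/exec) is caused by the most recent
    process-creating event for its parent pid; any other event is caused by
    the most recent process-creating event for its own pid. Events are
    assumed to arrive in chronological order so pid reuse resolves correctly.
    """
    latest_by_pid = {}   # pid -> id of the latest session/exec event for that pid
    parent = {}
    for ev in events:
        if ev["type"] in ("session", "exec"):
            parent[ev["id"]] = latest_by_pid.get(ev.get("ppid"))
            latest_by_pid[ev["pid"]] = ev["id"]
        else:
            parent[ev["id"]] = latest_by_pid.get(ev["pid"])
    return parent


def trace(parent, event_id):
    """Walk the causal chain from an event back to its root; root comes first."""
    chain = []
    cur = event_id
    while cur is not None:
        chain.append(cur)
        cur = parent[cur]
    chain.reverse()
    return chain


def group_by_root(parent, flagged):
    """Group independently flagged events by the root of their causal chain.

    Flagged events that share a root belong to one trace and should be
    triaged together; distinct roots are distinct stories.
    """
    groups = defaultdict(list)
    for eid in flagged:
        groups[trace(parent, eid)[0]].append(eid)
    return {root: sorted(ids) for root, ids in groups.items()}


def describe_trace(events, parent, event_id):
    """Render a trace as 'detail' strings so an analyst sees the story, not ids."""
    by_id = {ev["id"]: ev for ev in events}
    return [by_id[eid]["detail"] for eid in trace(parent, event_id)]


if __name__ == "__main__":
    graph = build_causal_graph(EVENTS)
    for root, ids in group_by_root(graph, ["e4", "e6", "e8"]).items():
        print(f"trace rooted at {root}: flagged events {ids}")
        for eid in ids:
            print("   ", " -> ".join(describe_trace(EVENTS, graph, eid)))
```

Run as a script it prints two traces: one rooted at the ssh session (covering both the curl connection and the sudo privilege change) and one rooted at cron. The design choice worth noting is that the graph is built purely from pid/ppid lineage as events stream in, so the grouping needs no rule that knows in advance that "curl then sudo" is suspicious; the analyst is handed the causal context and supplies the judgement about intent.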

Give your blue teams and DevOps teams a chance to demonstrate and hone their skills with Spyderbat’s Defend the Flag Challenges. To learn more and see what Spyderbat can do in real-world scenarios, contact Spyderbat today.
