Insights
INSIGHTS
All Topics
Automating security processes can save charities time and money
06 Oct 2020by Paul Rubens
Artificial intelligence, machine learning, and other techniques can help keep charities safe from hackers with minimal human intervention
Cyber security teams in charities and other organisations are often overwhelmed by alerts from their security systems: they ignore almost three quarters of the warnings generated by these systems because they don’t have the time or manpower to respond to them all, according to research by ESG.
What kind of alerts? These could be anything from warnings that a user has logged in from a new location, to an unknown application accessing the organisation’s data, to a failed login attempt due to an incorrect password, to an application running on a server which has a known vulnerability and which needs updating.
The problem is that many of these alerts may not be important. The recent rise in staff working from home and blended working means that people are bound to be logging in from new locations, and it is not uncommon for staff to enter the wrong password. But these may also be the first signs that a cyber criminal is trying to hack into the charity’s computer systems from abroad.
No human intervention required
Security automation has the potential to be hugely important for charities’ cyber security. That’s because by automating certain security processes, charities can analyse alerts and prioritise the ones which need the most urgent attention without any human intervention. The most important alerts can then be passed on to cyber security staff so they can take appropriate action. In some cases, security automation goes further by taking the appropriate action automatically so that the entire security incident is dealt with quickly without taking up any staff time.
Most charities already use a form of security automation in the endpoint security software running on their computers. When this type of software detects malware in a file or on a malicious web page it automatically blocks the malware from running without any intervention from the user.
Benefits of automating security functions
There are a number of benefits of security automation including:
- Faster response times: security alerts can be triaged almost as soon as they are generated so that the most important ones can be acted on with minimal delay
- Time savings: security staff do not have to wade through huge numbers of alerts to try to spot the most important ones, freeing them to do other things
- Money savings: automating security may enable charities to maintain the same level of security with fewer staff
- Increased productivity: alternatively, since security staff have more time, they can work on new security initiatives including increasing automation
- Better security: automation can reduce the number of errors or incorrect security decisions made by staff due to inexperience, lack of time, or carelessness
Related Articles
Automating incident detection
As well as helping security staff keep on top of alerts, security automation can be used to interpret data to detect security problems. Two of the key technologies which underpin this type of automation are artificial intelligence (AI) and machine learning (ML).
These technologies can be useful because some cyber security systems (such as security information and event management – or SIEM systems) generate vast amounts of security data. Often the sheer amount of data is overwhelming, so cyber security staff miss vital clues about next generation threats and security incidents which are occurring because they are hidden in midst of less relevant data.
The ways that AI and ML can be used include for security automation include:
- Anomaly detection: systems that have been "trained" from historical data captured by SIEM systems can spot when new or unusual (and therefore suspicious) patterns of data emerge, or where data patterns emerge which previously indicated that a security breach was in progress.
- Cluster analysis: similar to anomaly detection, cluster analysis works by spotting groups or clusters of behaviour such as people working from home, or people working in many different locations. In some cases, the clusters may not have obvious meaning and would therefore be unlikely to be identified by humans. If a new cluster is identified, this could indicate a new set of behaviours due to a new work practice, or it could be indicative of something more sinister.
- Classification: Machine learning systems can train themselves on data which has been pre-divided into categories, such as applications which are legitimate, and ones which are malicious. They can then be used to look at the behaviour of new applications that they encounter and decide whether the applications are legitimate or malicious. This can be particularly useful to spot variants of certain types of malware such as ransomware.
- Recommendations: AI and ML can be used to analyse particular security incidents and the typical responses that security staff take to these situations. They can then recognise these specific type of incidents if they reoccur – often before security staff become aware of them – and recommend the appropriate response.
- Automating remediation: the holy grail of security automation is automatic remediation where AI systems make the appropriate security responses to a cyber security attack without any human intervention. However, many organisations are reluctant to let automated systems take certain actions such as shutting down computer systems without any human oversight.
How to start with security automation
For most organisations, including charities, the idea of implementing security automation can seem daunting. But it is important to remember that you don’t have to automate everything at once. A far better plan is to start small, and then build from there.
Before deciding where to start, it is important to take some time to examine security pinch points and to identify which problems that could be solved by automation are the most pressing. For example, do security staff have trouble handling the number of security alerts they receive? Do they struggle to make sense of SIEM data? Or perhaps the right staff are not always on hand to make the correct security response decisions?
Depending on the answers to these questions, as well as your charity’s security budget and in-house cyber security skills, the best way to proceed may be to:
- Write your own software to automate selected cyber security procedures. These could include basic security functions such as running vulnerability scans, and this approach is known as robotic process automation (RPA).
- Purchase existing software products such as Skurio which can automate some of cyber security procedures. The most commonly used product for security automation is a security orchestration, automation and response (SOAR) product.
SOAR products include:
Siemplify Community Edition (free)
Splunk Phantom (free and paid editions)
- Use a managed security service provider to automate some of your security procedures from the cloud. If your charity already uses a cloud-based managed security service then this likely to be the best option.
More on this topic
Recommended Products
Our Events
Charity Digital Academy
Our courses aim, in just three hours, to enhance soft skills and hard skills, boost your knowledge of finance and artificial intelligence, and supercharge your digital capabilities. Check out some of the incredible options by clicking here.
© 2022 Charity Digital Trust. All rights reserved
