RCA
> Is it more automation?
Well, more automation with poorly understood failure modes is exactly what brought us to the current status.
My personal Root Cause Analysis: the whole security thingy has been so fu**ed up in 3 simple steps:
1) Deploying knowingly insecure Windows OS to run critical systems - I've been in this industry since 1991 and I never understood how you could select any incarnation of Windows since then to run server workloads.
2) Trying to "fix Windows Security" with layers over layers of 3rd-party AV/EDR snake oil that depends on high-frequency updates and introduces its own bugs and attack vectors, plus AI, Machine Learning, whatever, to somehow remediate just the known Windows security problems.
3) Creating general rules like PCI DSS, NIST, etc., that codify the resulting over-complex mess and make it mandatory for everyone, even those using sane operating systems. Note this is usually called "compliance", not "security", for obvious reasons ...
Result: a wrong update from a major EDR company in 2024 can take out a good part of the commercial Internet servers overnight.
Not only Windows; Linux, too.
So we tried to minimize Risk A (Windows security) by creating Risk B (DoS by EDR), which is more probable, more severe, and escalates easily to an international, industry-wide scale.
And it does not even really fix the original problem - Windows security.
Rethinking this might be a very good approach.