In 2013 I wrote a Security Week column on how security automation and orchestration was a vital and foundational feature in a cloud world. In data centers specifically I stated that, “In order to unlock the benefits of cloud computing, lower costs and accelerate IT agility, enterprises need a way to rapidly deploy relevant network security services in lock step with the fluid virtual compute layer, with full automation and orchestration among virtualization, networking and security elements.”
It’s taken three years but, in 2016, security automation and orchestration is finally front and center. Technology, like network virtualization, has enabled the ability for native isolation of different types of traffic, and for security services to be automatically inserted into application workflows. Automation and orchestration has also gained traction beyond the cloud world. FireEye recently acquired a security automation company called Invotas, allowing prevention policies to be pushed to any security product. This is a big competitive step up and, more importantly, an enabler for a faster response when advanced attacks are found.
What’s next for security automation?
One security area that is ripe for disruption is the current manual process of validating security risks. Security leaders have for many years struggled—with little success—to quantify their current state of security. They are now fielding questions from the executive board who are asking, “How secure are we?” and “Can we be breached?”
Being able to properly understand and quantify your risks and whether your existing investments are paying off is critical. This knowledge allows organizations to understand where to focus limited resources and preemptively remediate issues before they are exploited. Breach after breach the message is not that we are lacking from tools, but that we are falling down because our priorities are wrong. As Gartner states, “Prioritized and managed remediation based on business context is the holy grail of security operations.”
Existing technologies like vulnerability management systems are too noisy to provide an accurate view of risks. A recent article from The Register highlighted the results from a series of vulnerability scans across 100 companies by an information assurance company. The scans found 900,000 security-related red flags, and a false positive rate of 89 per cent in some industries. Security Information and Event Management (SIEM) tools collate information from multiple sources but their view is limited to tactical data.
As a result, the typical organization has turned to specialized humans such as security consultants, ethical hackers and security red teams to try to address this challenge. Security consultants with specialized skills have been the traditional way to validate security on an annual, bi-annual or quarterly basis. But with the constant changes in risks from new users, endpoints and applications, a periodic snapshot of risks only gives a limited view of security risks.
The practice of hiring hackers to “test your own systems” isn’t new either, but whether you should do so or not is, according to the IEEE, a very polarizing question. On one hand ethical hacking provides a unique hacker’s perspective of how you are viewed as a target; but most projects are limited to a very narrow focus where only very specific security use cases (typically external threats) are validated due to sensitivity and concern about data being exposed. Your findings are also dependent on the skillsets of the hacker.
Crowdsourced bug bounty programs are an attempt to solve this by throwing more people at the problem, but this again can pose challenges as in the case of the infamous Facebook versus researcher conflict, when companies don’t agree on the severity of a vulnerability, or the specific breach methods that have been used.
Another option for organizations is to build an internal security red team. This seems to be an ideal option. After all, an internal team that understands your business and which assets are critical can do a better job securing your environment. But the ability to put together an internal red team is limited to larger organizations; it requires the difficult challenge of recruiting security professionals with very specific abilities to think “offensively.”
Existing technologies and specialized services have many shortfalls, and these challenges mean that the next wave of innovation in security will be—must be—in security validation and response automation. Let’s flip things around and pit machines against hackers so we’re not at a disadvantage. If we can automate how we validate our security risks today, we can shift focus from the easy challenges and onto the important things. Let’s use an automated platform that enables us to “act and play the hacker” in order to better address our adversaries’ behavior. Let’s use continuous validation tied to change control processes, with an evolving playbook of breach methods and with visibility across the entire kill chain.
As RSA’s Amit Yoran has said of the cybersecurity industry, “Let’s do things differently; let’s think differently; let’s act differently—because what the security industry has been doing has not worked.”
It’s time to take that advice. It’s time for the rise of the machines.