The sad truth is that the security practice lags behind pretty much every other IT discipline when it comes to automation.
• Need to spin up compute power? Give me a few seconds. A new virtual server may even be spun up automatically when the workload requires it.
• Need a new database? Take a 5 minute coffee break – it will be ready when you get back.
• Need a new firewall rule? Need alerts analyzed? Need access to a new system? Sure, what does your schedule look like after Labor Day?
You get where I am going with this. But hyperbole aside, security practitioners have long had a love-hate relationship with automation, and for good reason. There is certainly a “damned if you do, damned if you don’t” phenomenon when it comes to automation:
Automate – and you may suffer the repercussions of a bad decision made by the automated tool. Good luck trying to explain to the CEO that he can’t access the CRM system because the IPS solution falsely flagged “malicious” traffic.
Don’t Automate – and you will suffer the repercussions of slow response to both business needs and security threats. Look no further than the recent, well-publicized Target breach. The alarms were triggered, but the process of reviewing them was manual. By the time the security teams (who, like everyone else, are extremely busy) got around to looking at the information, 40 million credit cards had made their way into the hands of the attackers.
Yet I firmly believe the scales have recently tipped in favor of automation. Several trends lead me to this conclusion:
• Better technology – tools, such as IPS for example, have become more accurate with fewer false positives. This increased reliability provides peace of mind for the security teams that use them.
• Increasing pace of change – the number of changes security teams have to deal with is increasing. This increased rate can be attributed to the changing threat landscape, application overload (which I wrote about in a previous post), network evolution such as cloud computing and more. In a recent State of Network Security Survey, 64% of organizations reported they remain hampered by time-consuming manual processes.
• New security infrastructure – organizations have deployed many new technologies to address new threats and enable new business models (Advanced Malware Prevention and BYOD platforms, to name a couple), but in security, technologies rarely go away. This means we are still managing our old firewalls and AV solutions alongside the latest shiny gadgets.
• Strained resources – the corporate world’s constant quest to “take cost out of the business” does not bypass security. It seems we all have to do more with less.
But this is not just a theoretical observation. I often see real-life examples where more trust is put in automation. One example is IPS/IDS – up until a few years ago, most of these tools were famous (and, let’s face it, sometimes ridiculed) for being deployed in “detect only” mode. There is now a strong shift toward turning on the “prevention” switch. Another example is automatic firewall policy push. When this capability was introduced a few years ago in the security policy management space, most organizations shied away from it and would not let software automatically push policy to the firewall, even if the change had been automatically analyzed and reviewed for risk and compliance violations. Today, more and more organizations are opting for this capability to automate the entire change process.
Not everything in security is ripe for automation. Thankfully, there is still value in an intelligent human reviewing data and making decisions, not to mention setting policy and prioritizing security risks and investments. But here are a few recommendations organizations should follow when considering automation:
• Examine repetitive manual processes – are you making the same decision based on the same data time and time again? If you can program that logic into a piece of software, it makes sense to do so. Chances are there is even an off-the-shelf solution that already does this.
• Run limited pilot programs – if you are afraid of the repercussions of automation, try piloting the technology in live but non-critical parts of your business. This way you can limit the damage from “wrong” automated actions, or better yet, prove to yourself that the solution can be trusted and then deploy it more widely.
• Ensure visibility into automation – you still need visibility into what the automated solution is doing. Imagine if the security infrastructure deployed by Target’s security team had automatically blocked the malicious activity and sent out an alert about the action it took. Being late to analyze that alert would have had far more favorable repercussions.
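As an added illustration of the automated change gate described above (this is constructed example code, not from the original post or any product), the sketch below auto-pushes a firewall rule only when it passes a set of constructed risk and compliance checks, escalates everything else to a human, and records every decision in an audit log so the automation stays visible. The rule fields, the internal address range, the sensitive-port list and the `push` callback standing in for a firewall API are all assumptions.

```python
"""Constructed example: gate firewall changes between automatic push and human review."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable, List


@dataclass
class Rule:
    src: str      # CIDR, single IP, or "any"
    dst: str      # CIDR, single IP, or "any"
    port: int     # 0 means "any port"
    action: str   # "allow" or "deny"


# Hypothetical policy constants (assumptions, not a real standard).
INTERNAL = ip_network("10.0.0.0/8")
SENSITIVE_PORTS = {22, 3389, 1433}
AUDIT_LOG: List[str] = []   # visibility: every automated decision is recorded here


def compliance_findings(rule: Rule) -> List[str]:
    """Return the violations found; an empty list means the rule may be auto-pushed."""
    findings: List[str] = []
    if rule.action != "allow":
        return findings      # deny rules add no exposure under this policy
    if rule.src == "any" and rule.dst == "any":
        findings.append("any-to-any allow")
    if rule.port == 0:
        findings.append("all ports open")
    if rule.src == "any" and rule.port in SENSITIVE_PORTS:
        findings.append(f"internet-exposed admin port {rule.port}")
    if rule.src == "any" and rule.dst != "any" and ip_network(rule.dst).subnet_of(INTERNAL):
        findings.append("untrusted source into internal network")
    return findings


def process_change(rule: Rule, push: Callable[[Rule], None]) -> str:
    """Push a clean rule automatically; escalate anything with findings to a person."""
    findings = compliance_findings(rule)
    if findings:
        AUDIT_LOG.append(f"ESCALATED {rule}: {', '.join(findings)}")
        return "escalated"
    push(rule)                # the actual firewall API call is the caller's concern
    AUDIT_LOG.append(f"PUSHED {rule}")
    return "pushed"


if __name__ == "__main__":
    process_change(Rule("10.2.0.0/16", "10.3.0.5", 443, "allow"), lambda r: None)
    process_change(Rule("any", "10.3.0.5", 3389, "allow"), lambda r: None)
    print("\n".join(AUDIT_LOG))
```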