Security Automation Revisited: The Rise of the Machines

In 2013 I wrote a SecurityWeek column on how security automation and orchestration was a vital and foundational feature of a cloud world. Of data centers specifically, I stated that, “In order to unlock the benefits of cloud computing, lower costs and accelerate IT agility, enterprises need a way to rapidly deploy relevant network security services in lock step with the fluid virtual compute layer, with full automation and orchestration among virtualization, networking and security elements.”

It’s taken three years but, in 2016, security automation and orchestration is finally front and center. Technologies such as network virtualization have enabled native isolation of different types of traffic and the automatic insertion of security services into application workflows. Automation and orchestration have also gained traction beyond the cloud world. FireEye recently acquired a security automation company called Invotas, allowing prevention policies to be pushed to any security product. This is a big competitive step up and, more importantly, an enabler for a faster response when advanced attacks are found.

What’s next for security automation?

One security area that is ripe for disruption is the current manual process of validating security risks. Security leaders have for many years struggled—with little success—to quantify their current state of security. They are now fielding questions from the executive board who are asking, “How secure are we?” and “Can we be breached?”

Being able to properly understand and quantify your risks, and whether your existing investments are paying off, is critical. This knowledge allows organizations to understand where to focus limited resources and to remediate issues before they are exploited. Breach after breach, the message is not that we lack tools, but that we are falling down because our priorities are wrong. As Gartner states, “Prioritized and managed remediation based on business context is the holy grail of security operations.”

Existing technologies like vulnerability management systems are too noisy to provide an accurate view of risks. A recent article from The Register highlighted the results from a series of vulnerability scans across 100 companies by an information assurance company. The scans found 900,000 security-related red flags, and a false positive rate of 89 per cent in some industries. Security Information and Event Management (SIEM) tools collate information from multiple sources but their view is limited to tactical data.

As a result, the typical organization has turned to specialized humans such as security consultants, ethical hackers and security red teams to try to address this challenge. Security consultants with specialized skills have been the traditional way to validate security on an annual, bi-annual or quarterly basis. But with the constant changes in risk from new users, endpoints and applications, a periodic snapshot gives only a limited view of an organization’s security risks.

The practice of hiring hackers to “test your own systems” isn’t new either, but whether you should do so is, according to the IEEE, a very polarizing question. On one hand, ethical hacking provides a unique hacker’s-eye view of how you look as a target; on the other, most projects are limited to a very narrow scope in which only specific security use cases (typically external threats) are validated, because of sensitivity and concern about data being exposed. Your findings are also only as good as the skills of the hacker you hired.

Crowdsourced bug bounty programs are an attempt to solve this by throwing more people at the problem, but this too can pose challenges, as in the infamous Facebook versus researcher conflict, when a company and a researcher don’t agree on the severity of a vulnerability or on the specific breach methods that were used.

Another option for organizations is to build an internal security red team. This seems to be the ideal option: after all, an internal team that understands your business and knows which assets are critical can do a better job of securing your environment. But the ability to put together an internal red team is limited to larger organizations, and it requires meeting the difficult challenge of recruiting security professionals with the very specific ability to think “offensively.”

Existing technologies and specialized services have many shortfalls, and these challenges mean that the next wave of innovation in security will be—must be—in security validation and response automation. Let’s flip things around and pit machines against hackers so that we are no longer at a disadvantage. If we can automate how we validate our security risks today, we can shift our focus from the easy challenges onto the important things. Let’s use an automated platform that lets us “act and play the hacker” in order to better address our adversaries’ behavior. Let’s use continuous validation tied to change control processes, with an evolving playbook of breach methods and with visibility across the entire kill chain.

As RSA’s Amit Yoran has said of the cybersecurity industry, “Let’s do things differently; let’s think differently; let’s act differently—because what the security industry has been doing has not worked.”

It’s time to take that advice. It’s time for the rise of the machines.
