The biggest cybersecurity challenge in enterprise remains keeping ahead of the “bad guys.” As fast as security gaps are plugged, new vulnerabilities appear and are targeted for the next attack. Criminals have been using automation for some time, leveraging tools like AutoSploit to automate internet scanning and exploitation, or Sentry MBA for credential stuffing by harnessing proxies to conduct attacks. We have also seen hackers use automation tools to infiltrate networks and gather data or create user accounts for future plans. As their tools mature, the volume of automated attacks will increase, and we will see more and more successful breaches being carried out by software. It’s time to look seriously at automation as the next line of defense in keeping up with the attackers.
Well deployed automation – a combination of orchestration tools, data leveraged for analytics, machine-learning and artificial intelligence – can provide an edge for an enterprise in today’s ever evolving 24/7 threat landscape.
Security automation architecture uses a variety of technologies to improve organizations’ security postures in several ways, including performing repetitive tasks accurately, augmenting human intelligence in areas such as log-file analysis, and replacing human intervention altogether in the identification and containment of cyber exploits or breaches. However, as powerful as all this technology can be it is not a silver bullet solution to security problems. In fact, many enterprises struggle to implement the right security automation architecture.
There are many factors to consider when deciding how, when and where to implement the right automation capabilities in order to improve productivity, reduce costs, scale to support cloud deployments and ultimately strengthen the security posture of an enterprise.
• Get buy-in at board level. Security automation is complex, it will affect how security is managed across the entire enterprise. The first step in the project is to secure senior-level management buy-in to prevent future roadblocks from occurring. It will also be important to keep senior management fully appraised during the rollout – not just of the successes but also failures and challenges.
• Take a holistic view of security. Enterprises looking to move towards a solid automated security architecture would be wise to take a holistic view of their posture and consider the entire network before determining the necessary tools and partners to successfully move forward with automation. Are there any current integration issues or disparate technologies that should be kept in mind? Once the current security posture is understood, it’s easier to determine areas of over- or under-investment or identify serious risks. Too often a security project will look for negatives and risks, such as unmanaged IoT, when actually this is a chance to see how it might be possible to make any connected device a part of the architecture – for example creating dynamic security policies to deploy access control lists thus enabling a non-security device to become a part of the detection and enforcement.
• Start small. Too often, organizations bite off more than they can chew when it comes to implementing automation tools by either mis-deploying them or deploying more than they can fully take advantage of. This unnecessarily adds costs and extends the deployment timetable. One of the most repetitive daily tasks that a security engineer undertakes is monitoring log-files across devices to spot potential risk. This is a great place to start with automation. While a security engineer scanning the same log files each day could miss something, an automated process for the same task will get it right.
• Build. Once IT departments gain experience and familiarity with automation technologies and tools, they can take the next step and start automating more complex tasks. Consider threat hunting, event-driven automation and other proactive measures beyond forensics and log data correlation. IT teams have been traditionally hesitant to remove the human element from processes, but automation means giving IT teams time back to focus on more strategic security actions to better protect the enterprise.
• Continual testing. All projects need ongoing testing, but security automation touches many different areas of the business making testing even more important. A user error in a script may run once before it is discovered, the same error in an automated process could have run hundreds of times.
• Invest in your people. Automation allows security teams to be proactive and do human-necessary tasks, focusing on the jobs they were actually hired to do. Automation can only be truly successful when combined effectively with the necessary human skills. If the skills gap is a concern, consider training existing employees to fill those gaps and become more familiar with automation technologies and tools. It is also essential to develop an ongoing training program for employees to make sure that their skills are kept up to date.
Until recently, cybersecurity experienced a proliferation of different products protecting everything from documents and hardware to IoT but this has left enterprises with an overwhelming management burden and only marginally more secure. What enterprises need now is a way to leverage data and network infrastructure for a better security posture. Automating security architecture is the first step. It’s a complex undertaking, but, when well deployed, will help keep the good guys ahead of the bad guys.