Given the current global macroeconomic climate, there is little sign that security budgets will rise during H1 2021. At the same time, increasingly sophisticated automated attackers are finding new vulnerabilities and carrying out new enterprise breaches. Automating enterprise cyber security, and applying artificial intelligence (AI) to it, has for many seemed desirable rather than mandatory; that will not remain the case moving forward.
Cyber security executives are now separating the wheat from the chaff in their search for automation solutions. Finding a provider with demonstrable results is a must. CISOs are taking a collaborative, proactive stance: responding to the current threat landscape while anticipating the coming one.
Automation imperatives
The universal imperative is reducing business risk by ensuring cyber security executives spend their time actually securing the enterprise. Automation offers the promise of greater efficiency and lower costs across the enterprise. With the influx of threat intelligence technologies and feeds available to an organization, it is easy to get bogged down in non-actionable information.
The key is to focus cyber security humans only on high-impact, actionable information. Automation should therefore be responsible for collecting data, correlating information, identifying meaning and suggesting proper actions.
Focus
Cyber Security Hub research has found that two in five executives list SIEM and SOAR automation technologies as their biggest priorities in the last six months:
SIEM 28 percent + SOAR 11 percent = 39 percent (61 percent other)
Roughly three in ten in the Cyber Security Hub community have adopted Security Information and Event Management (SIEM) to date. However, detractors of the technology note that a SIEM surfaces unnecessarily detailed information about an issue without solving the problem. Cyber security analysts then have to wade through volumes of white noise instead of focusing on actionable information.
SIEM VS. SOAR
Many see SIEM technology as a precursor to Security Orchestration, Automation and Response (SOAR) systems. The "and Response" part of SOAR implies automated responses. That is the goal: extracting actual intelligence from information in order to orchestrate automatic remediation. Unfortunately, for a large part of the industry the true effectiveness of SOAR technologies is still conceptual.
While SIEM and SOAR technologies are in focus, the cyber security community suggests that the technologies themselves could stand to be improved. DBS Bank's VP Information Security, Santosh Kamane, shares: "Automation right now is meant to find out: 'where are these violations to my policies? Who is violating my standards?' There could be hundreds of logs created from the tools, but the tools are not very easy to read, or easy to understand, as they are very technical."
7 Security Policy Automation Questions
- Does it improve people or process efficiency?
- How can it be measured?
- Does it result in greater consistency?
- Can it be quantified?
- How does it reduce risk?
- Are research skills aligned to achieve the defined objectives?
- Does it save the company money?
Tim Woods, FireMon
Promise vs. actualization
Beyond the industry looking for improvements in the technology, executives would also like to see more accuracy in the messaging around solutions.
"A lot of vendors at the moment have marketing around AI and machine learning and how those fit into the automation piece. I think some companies are doing good things in this space, but there is still a way to go as far as automated responses to threats," notes CISO at Horizon Power, Jeff Campbell.
He suggests that, where automation solutions are concerned, there is an industry-wide disconnect between what a solution promises and what it actually delivers.
Resourcing
Executives at some very large institutions are confident in the results of SOAR technologies and are able to resource those solutions with internal, already-employed analysts. Those executives are very pleased with the solutions they have acquired. For others, the key focus may necessarily be a more direct phishing protection or email filtering solution, because current staffing numbers lack elasticity and the specific skills needed for automation technologies are in short supply within the existing team.
Automation inhibitors
There are innumerable inhibitors to cyber security automation. Processes are never perfect. A human, though, can institute a workaround for a process and potentially catch flaws while that process runs at human speed. When a broken process is automated, its results are produced much more quickly: flaws that were never found can be exposed at scale and go unnoticed until a breach occurs.
The automation itself is just one inhibitor. A lack of standardization around automation processes and solutions means global cyber security executives are not singing from the same hymn sheet, which lays the groundwork for further vulnerabilities. While standardization is a goal, so is customization. The complexity of cyber security systems demands a fair amount of customization around automation technologies, and customization exposes weaknesses as well as lengthening the time and cost of implementation.
Lack of standardization
The move to a primarily distributed workforce has destabilized any standardization. While cyber security executives have undertaken a herculean feat to optimize remote environments, work remains to be done: compatibility between legacy systems and newer off-premises tools is not ideal. Without compatibility and interoperability between systems, standardization is challenging, and without standardization, rules-based automation is difficult.
Difficulty with customization
“Finding a technology that understands your environment, understands what normal is, identifies that anomalous behavior, and then executes an automated response to that anomalous behavior is elusive.”
Jeff Campbell, CISO, Horizon Power
Time
One of the key promises of automation is to save cyber security teams time. However, a system that suits a particular environment must first be found, proven to work in your environment, rolled out, fully implemented, tuned and resourced. Even in ideal circumstances, with no other impediments to the project, this is at least a six-month process.
Skill
Selecting and rolling out an automation tool is only the foundation for automated insights that inform sound security decisions within the enterprise. CISOs are realizing that, no matter how much a technology partner points to the low-code or no-code nature of the product, internal scripting and coding must occur to get the most out of automation systems.
"There are organizations right now that are using a threat hunting methodology to find and evict threat actors before they actually have a long-standing persistence. The trick is to do it manually once, then automate. You can then focus on new types of threat hunting or playbooks, thereby making your staff way more effective without necessarily increasing your staff or risk."
Kayne McGladrey, IEEE
Cost
Even though the promise of saving money through efficiencies warrants action and potential spend, the actual spend is hard for many to commit to at this moment.
Five questions to help gain certainty from automation:
- What is the provider going to do to guarantee ROI?
- What does the internal team need to do to guarantee ROI?
- Can the provider cite real-world evidence of achieved ROI?
- What is the true investment on security dollars?
- Where will return be seen (consistency, efficiency, improved posture, improved security)?
Tim Woods, FireMon
Automation controls
With automation responsible for collecting data, correlating information, identifying meaning and suggesting proper actions, the question becomes which other controls can be automated. When asked, the Cyber Security Hub community provided myriad opportunities where automation can deliver on the principle of increasing efficiency and reducing cost within cyber security.
These include:
- Identifying vulnerabilities
- Running penetration testing
- Engaging an ethical hacker to run automated tools and manual scripts
- Finding the remediation
- Expediting the reporting
- Finding patterns in the trending data
- Engaging data analytics to build something meaningful out of your logs
- And acquiring analysis of enterprise behavioral patterns
Santosh Kamane, DBS Bank
Remediation and workflows
"Remediation, with the caveat that it works well in the IT space but not so well in the OT space. Within OT, it’s all about availability. Apart from remediation, automation can assist workflows around incident management and automating some of those workflows. Automation can integrate into a ticketing system, which will then raise an alert with your SOC team to action. So, identifying your use cases, building a workflow around the use case and automating the workflow."
Jeff Campbell, Horizon Power
Multiple technical controls can be automated including:
- The traditional process around identity and access management
- Data loss prevention (DLP)
- Threat hunting and response
- Ingestion of threat intelligence feeds
- Endpoint Detection Response (EDR)
Kayne McGladrey, IEEE
Security at the Speed of Change
"The reality of today’s problem is that business is moving faster than our ability to secure it. The controls that we are putting in place just are not honoring the speed of business. To get ahead of this, we need to think about how we will automate firewall operations and network security policy enforcement."
Tim Woods, FireMon
Automation talent
The goal of automation is to reduce the burden on people who have less and less time to execute more and more tasks. However, automation is most valuable when the in-house team does the coding that ensures seamless integration and interoperability of all of your systems. The talent needed for DevSecOps foreshadows, and overlaps with, the talent needed for automation.
Different skillsets
Automation, particularly in the AI and machine learning (ML) space, requires a good understanding of mathematics and algorithms that support mathematical response to anomalies. So, finding good mathematics people that understand the computer science domain will always be a challenge, because there are very few individuals that actually have a real, really deep passion for mathematics.
Jeff Campbell, Horizon Power
Platform vs. defense-in-depth
The advantage of going with a platform-based solution is that it does 90 percent of what you need and typically all of the tooling is integrated. That reduces implementation time and reduces the amount of learning time. Every time we bring a new tool into the organization...learning it takes time away from daily duties. You cannot just learn a tool while you are fighting a fire. That is not how the world works.
Kayne McGladrey, IEEE
Finite time and talent can be expanded
Whether you look at a number that says 69 percent of organizations have understaffed security teams or 350,000 unfilled positions in the industry, it is clear that the resources that we have are getting stretched too thin. As an industry, we are making compromises in our security profile, and when we make compromises, bad things happen.
Tim Woods, FireMon
Expanding current skillsets
The current talent issues within the cyber security industry are certainly around coding and scripting. While some solutions will be upfront and honest about those kinds of requirements, I think there are a lot of solutions out there that try and minimize the coding needed to be done within 'low-code.'
They say that they have already built the integrations and you do not need to be expert in coding. From my understanding, you need to have those skillsets to really be successful in this space. You can do some of the basics, and certainly that should not stop people from moving ahead. But, if you are truly looking to automate a lot of the workflows you have in place, then you really need to have those skillsets. That is typically not something that you will see within a standard operational team.
Iain Lumsden, Denver Health
Current automation budget
Bolstering security around the infinite perimeter, already part of short- and long-term budgets before the pandemic, is now a more acute line item. We asked the Cyber Security Hub community where current funds are going and what stands in the way of automation.
Distributed workforce support and monitoring
Definitely, there is more focus on remote work because that is where we see most of the threats. How do you monitor all of the remote work activities? How do you continue to get a handle on the behavior patterns? We must ensure that everything that happens remotely happens under our control.
The second thing would be zero trust architecture. How do you build a true zero trust network? The third thing would be technically developing yourself to mitigate any vulnerabilities in any of these areas, especially the open source.
Santosh Kamane, DBS Bank
IAM and PAM
Automation would play a really nice part for Identity and Access Management (IAM) and particularly around Privileged Access Management (PAM) and dynamic allocation of roles and responsibilities based on movement of identities within an organization's structure. I think IAM and PAM need to come together around automation threat intelligence.
Secondly, we have so many threat feeds now. Automating some of the responses to some of the threat feeds so we only surface the ones on which my analysts need to focus would be largely beneficial. The ultimate goal would be adding Security Operations Center (SOC) automation and developing the orchestration behind the SOC response.
Number three is a tie between automating some of the threat around mail gateways and the way they respond to phishing attempts and endpoint and the Automated Detection and Response (ADR) component of endpoint.
Jeff Campbell, Horizon Power
Cloud evolution
Cloud is still a huge one for us. From a cloud access security broker (CASB) perspective, this is something that we are looking to mature and grow. I think data loss prevention is another one, especially with the changing barriers when it comes to cloud. We have been very centric on-premises and we have great controls there, but changing and adapting from there is the goal.
Finally, tying identity and access management into those different systems. I think automation certainly has a place in that as well.
Iain Lumsden, Denver Health
FireMon's Woods notes that while budgets are tight, cyber security executives are going to have to find a way to invest in some sort of automation simply to keep pace with change.
Future automation budget
Increasingly sophisticated automated attackers are finding new vulnerabilities and carrying out new enterprise breaches. Cyber security executives are thus in a position where introducing automation into operations is imperative, but the monetary resources to do so are scarce.
We asked the Cyber Security Hub community how best to spend the limited resources available on automation, and how they might spend newly found funds.
Proof of concept (POC) use case
We tested a solution that captured 11 percent more spam than our existing solution. The solution flagged suspected phishing emails, detonated the malware payloads in the background without the user even knowing, and found out what the payload was. It then took actions around that based on the intelligence that it now had.
Jeff Campbell, Horizon Power
Automated action workflows
Automated action workflows. Workflows that take an automatic action or will notify an analyst who has to approve that block before it takes place.
Iain Lumsden, Denver Health
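The pipeline the article describes earlier (automation collects data, correlates it, identifies meaning and suggests an action) and the approval-gated workflow Lumsden describes above, as one added example. This is illustrative code written for this page, not any vendor's product or any contributor's own tooling. The sshd-style log lines, the threat feed and its confidence scores, the thresholds and the RFC 5737 documentation addresses are all constructed; the design rule it demonstrates is that only a reversible, low-blast-radius action on a high-confidence indicator runs automatically, and anything touching user accounts is held for an analyst.

```python
"""Minimal SOAR-style triage over constructed auth logs (example code, not a product)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed threat feed: indicator -> confidence 0-100 (hypothetical values).
THREAT_FEED = {"203.0.113.7": 90, "198.51.100.23": 40}

# Constructed sshd-style log lines using RFC 5737 documentation addresses.
SAMPLE_LOGS = """\
Jan 14 09:01:02 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 14 09:01:05 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 14 09:01:09 bastion sshd[1201]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Jan 14 09:01:14 bastion sshd[1203]: Accepted password for admin from 203.0.113.7 port 51026 ssh2
Jan 14 09:02:00 bastion sshd[1210]: Failed password for alice from 198.51.100.23 port 40001 ssh2
Jan 14 09:03:10 bastion sshd[1211]: Accepted publickey for bob from 192.0.2.10 port 40002 ssh2
"""

LOG_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port"
)


@dataclass
class Finding:
    source_ip: str
    failed: int
    accepted: list          # user names that logged in successfully from this IP
    feed_confidence: int
    severity: str           # critical / high / medium
    action: str             # suggested remediation
    mode: str               # "auto" = execute now, "approve" = wait for an analyst


def collect(log_text):
    """Collect: parse raw lines into (outcome, user, ip); lines that don't match are noise."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def correlate(events):
    """Correlate: per source IP, count failures and record accepted logins."""
    per_ip = defaultdict(lambda: {"failed": 0, "accepted": []})
    for outcome, user, ip in events:
        if outcome == "Failed":
            per_ip[ip]["failed"] += 1
        else:
            per_ip[ip]["accepted"].append(user)
    return per_ip


def triage(per_ip, feed, auto_threshold=80, fail_threshold=3):
    """Identify meaning and suggest an action; decide whether an analyst must approve it."""
    findings = []
    for ip, s in per_ip.items():
        conf = feed.get(ip, 0)
        brute = s["failed"] >= fail_threshold
        if brute and s["accepted"]:
            # Brute force followed by a success: assume the account is compromised.
            users = sorted(set(s["accepted"]))
            severity, action = "critical", f"disable accounts {users} and block {ip}"
        elif brute or conf:
            severity = "high" if conf >= auto_threshold else "medium"
            action = f"block {ip} at the perimeter"
        else:
            continue  # no signal: never reaches an analyst
        if s["accepted"]:
            mode = "approve"          # touching accounts is high blast radius
        elif conf >= auto_threshold:
            mode = "auto"             # reversible block on a high-confidence indicator
        else:
            mode = "approve"
        findings.append(Finding(ip, s["failed"], s["accepted"], conf, severity, action, mode))
    order = ("critical", "high", "medium")
    return sorted(findings, key=lambda f: order.index(f.severity))


def run_playbook(log_text=SAMPLE_LOGS, feed=THREAT_FEED):
    """Full pipeline: collect -> correlate -> triage; returns findings, most severe first."""
    return triage(correlate(collect(log_text)), feed)


if __name__ == "__main__":
    for f in run_playbook():
        print(f"[{f.severity}] {f.source_ip}: {f.action} ({f.mode})")
```

On the constructed input the playbook surfaces two findings out of six lines: the brute-force-then-success from the high-confidence indicator is rated critical but still queued for approval because the action disables accounts, and the single low-confidence failure is rated medium and also queued. The known-good key-based login never reaches an analyst, which is the noise reduction the article is asking automation for.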
SOAR Framework
I would definitely use found funds to build my preventative controls to mitigate risk. I would begin to customize SOAR. SOAR is more about taking your vulnerability management to the next level and then creating the playbooks on this.
Then, I would automate the remediation, which goes beyond information security and relies on multiple business units working together. This is where I would focus more on how I can build that robust SOAR framework.
Santosh Kamane, DBS Bank
SOAR and threat hunting
SOAR or threat hunting. I say SOAR because that ingest process means your analysts are focusing their limited time and attention on those events that are most interesting and possibly the most dangerous.
I would also invest in the automation of threat hunting because it is a force multiplier. Running a threat hunt once is no good because if you run one on Thursday and not on Friday, you do not have a good sense of what has changed in the past 24 hours. In our world of persistent engagement and/or defending forward, it is so necessary to have that continuous ability to detect and evict.
Kayne McGladrey, IEEE
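The "do it manually once, then automate" hunting approach McGladrey describes earlier, and the point above that a hunt run on Thursday but not Friday tells you nothing about what changed, as one added example. This is illustrative code written for this page, not McGladrey's or any product's code. The host telemetry schema, the autorun entries, the allowlist and the notion of "user-writable path" are all constructed assumptions; the hunt itself (persistence entries whose binary is unsigned or lives where a standard user can write) is codified once as a function, and the previous run's findings are carried forward as JSON so each scheduled run reports only what is new or gone.

```python
"""Codified persistence hunt with run-to-run differencing (example code, constructed data)."""
import json

# Assumption: prefixes a standard user can write to on the constructed hosts.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Assumption: known-good autorun binaries that legitimately live in a user profile.
ALLOWLIST = {"onedrive.exe"}

RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
HKLM_RUN = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed telemetry: two hosts on two consecutive days.
DAY1 = [
    {"name": "ws01", "autoruns": [
        {"key": RUN_KEY, "image_path": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "signed": True},
        {"key": RUN_KEY, "image_path": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe", "signed": False},
    ]},
    {"name": "ws02", "autoruns": [
        {"key": HKLM_RUN, "image_path": "C:\\Program Files\\Vendor\\agent.exe", "signed": True},
    ]},
]
DAY2 = [
    {"name": "ws01", "autoruns": [   # updater.exe was evicted overnight
        {"key": RUN_KEY, "image_path": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "signed": True},
    ]},
    {"name": "ws02", "autoruns": [   # a new (signed, but oddly placed) service binary appeared
        {"key": HKLM_RUN, "image_path": "C:\\Program Files\\Vendor\\agent.exe", "signed": True},
        {"key": HKLM_RUN, "image_path": "C:\\ProgramData\\svc.exe", "signed": True},
    ]},
]


def hunt_persistence(hosts, allowlist=ALLOWLIST):
    """The hunt, written once so it can run unattended. Returns a set of
    (host, registry key, image path) triples that an analyst should look at."""
    findings = set()
    for host in hosts:
        for e in host["autoruns"]:
            path = e["image_path"].lower()
            name = path.rsplit("\\", 1)[-1]
            if name in allowlist and e["signed"]:
                continue  # known-good binary in an expected place
            if not e["signed"] or path.startswith(USER_WRITABLE):
                findings.add((host["name"], e["key"], e["image_path"]))
    return findings


def run_hunt(hosts, state_json=None):
    """One scheduled run. state_json is the previous run's findings (or None on
    the first run). Returns (report, new_state_json) so the caller persists state."""
    previous = {tuple(f) for f in json.loads(state_json)} if state_json else set()
    current = hunt_persistence(hosts)
    report = {
        "new": sorted(current - previous),            # appeared since last run: investigate
        "gone": sorted(previous - current),           # no longer present: eviction confirmed or attacker moved
        "still_present": sorted(current & previous),  # open findings nobody has acted on
    }
    return report, json.dumps(sorted(current))


if __name__ == "__main__":
    report, state = run_hunt(DAY1)
    print("day 1:", report)
    report, state = run_hunt(DAY2, state)
    print("day 2:", report)
```

The first run flags the unsigned updater in a user profile and nothing else, because the allowlisted OneDrive binary in the same profile is suppressed. The second run, fed the first run's state, reports the new ProgramData binary on ws02 and confirms the ws01 entry is gone; without the carried state the second run would simply re-list everything and the analyst would have to rediscover the delta by hand, which is the Thursday-versus-Friday problem in the quote.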
Three principles of budgeting
- Focus on better security hygiene
- Extend visibility across your hybrid real estate
- Engage proactive compliance
Tim Woods, FireMon