Automation has long been one of the Holy Grails of the security industry. Efforts have included IBM’s attempt to move the industry towards “autonomic computing” and “network access control,” but neither option lived up to its billing or was widely adopted.
Now, with ChatGPT at the forefront of everyone’s mind, we again wonder how far AI and automation can take us. Will we ever get to “set it and forget it” security? Could the fears of Skynet and AI robots actually come to fruition, in an AI-powered and automated future where businesses are protected by an ever-watching defender?
Probably not, or at the very least not in the foreseeable future. While it’s fun to play the game of “what if,” we can easily get ahead of ourselves. Today, organizations are struggling to implement automation effectively. The Department of Homeland Security (DHS) developed a plan in 2012 to roll out its Continuous Diagnostics and Mitigation (CDM) program no later than 2017. That quickly slipped to 2022, and now, in April 2023, DHS will require civilian and federal agencies to perform automated weekly security assessments. How does a plan to implement automation take more than a decade to complete?
Cynics may think: “Well that’s the government for you,” but having worked in this industry for some time, I can say federal agencies aren’t alone in their challenges. Businesses of all sizes also have considerable challenges setting up automation.
So where to begin? Here are four strategies:
Adopt a SOAR platform: Security orchestration, automation, and response (SOAR) consists of a set of security tools and processes that let security teams automate security operations, incident response, and vulnerability management. SOAR uses artificial intelligence and machine learning to assist security analysts and threat hunters in security operations centers (SOCs). For example, threat intelligence feeds and security alerts can automatically trigger incident response playbooks, depending on what type of anomaly is detected.
Teams can use a SOAR to generate a security alert, enrich it with findings from other intelligence feeds, and pass it through a risk analysis engine to generate a threat score. They can then flag the alert as a false positive or pass it on to a human analyst for further study. Such automated orchestration greatly reduces the time needed for analysis, collapsing the window from many minutes to a few seconds.
Embrace DevSecOps: With DevSecOps, security teams foster automation by building security tests directly into the software development lifecycle. Application security in particular should be automated, especially given the many tools available for automated security checks within continuous development and delivery pipelines. Many elements of DevSecOps are ripe for automation.
Manage Infrastructure-as-Code: By enforcing secure workloads throughout an entire lifecycle, organizations can substantially reduce their attack surface. The growing use of Infrastructure-as-Code lets SOCs manage both physical and virtual computing systems automatically through predefined, machine-readable definition files rather than through physical or manual processes. These environments offer exceptional event logging and continuous monitoring of all infrastructure. Whenever the team needs to change a specification, it can provision a new set of infrastructure from the updated definition and quickly take the previous infrastructure out of service.
Focus on identity management: Ensuring that users, devices, and systems can access only the resources and data they are entitled to requires authenticating every individual and machine and granting each the appropriate level of access. Identity management offers many opportunities for automation because authentication and authorization are highly repetitive processes. This essential approach to automation, assigning access according to role, is called role-based access control.
Provisioning resources to users and managing their access levels remains challenging because of complex on-premises and cloud environments and applications. For instance, many identity-related processes are still siloed within business units. Therefore, centralizing identity systems, integrating them with human resources systems, and defining access levels and user privileges according to specific job roles can improve automated provisioning, ongoing management, and de-provisioning.
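The role-driven provisioning and de-provisioning described above, as an added example that is not part of the article: an HR feed is the source of truth for each person's job role and status, a role-to-entitlement map is the RBAC policy, and a reconciler diffs that against what the identity provider currently holds. All roles, users and entitlements are constructed samples.

```python
"""Added example: RBAC reconciliation between an HR feed and an identity provider.
Roles, users and entitlements below are constructed, not from any real system.
"""

# Constructed RBAC policy: job role -> entitlements that role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "soc-analyst": {"siem-read", "ticketing", "vpn"},
    "soc-lead": {"siem-read", "siem-admin", "ticketing", "vpn"},
    "finance": {"erp", "vpn"},
}

# Constructed HR feed: user -> (current job role, employment status).
HR_FEED = {
    "alice": ("soc-lead", "active"),      # joiner into a new role: needs siem-admin
    "bob": ("soc-analyst", "active"),     # has stale extra access to revoke
    "carol": ("finance", "terminated"),   # leaver: everything must be revoked
    "dave": ("finance", "active"),        # mover: was a SOC analyst, now finance
}

# Constructed snapshot of entitlements the identity provider currently holds.
CURRENT = {
    "alice": {"siem-read", "ticketing", "vpn"},
    "bob": {"siem-read", "ticketing", "vpn", "erp"},
    "carol": {"erp", "vpn"},
    "dave": {"siem-read", "ticketing", "vpn"},
}


def desired_entitlements(user: str, hr_feed=HR_FEED) -> set:
    """Entitlements a user should hold under the policy; non-active staff get none."""
    role, status = hr_feed.get(user, (None, "terminated"))
    if status != "active":
        return set()
    return set(ROLE_ENTITLEMENTS.get(role, ()))


def reconcile(hr_feed=HR_FEED, current=CURRENT) -> list:
    """Return (user, action, entitlement) tuples that bring the IdP in line with HR.

    Users missing from HR are treated as leavers, so orphaned accounts are
    de-provisioned rather than silently kept.
    """
    actions = []
    for user in sorted(set(hr_feed) | set(current)):
        want = desired_entitlements(user, hr_feed)
        have = current.get(user, set())
        actions += [(user, "grant", e) for e in sorted(want - have)]
        actions += [(user, "revoke", e) for e in sorted(have - want)]
    return actions
```

Running the reconciler on a schedule, and treating any entitlement outside the role map as a revoke, is what turns the siloed per-unit process into continuous automated provisioning.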
Deploy software assistance to support human efforts
Organizations succeed with automation by finding areas where automation can take over repetitive tasks and free security teams up for creative problem solving. This means SOC teams should deploy more automation tools to monitor, detect, and prevent security threats. When security alerts are correlated with threat intelligence and vulnerability management data, these systems can automatically determine which alerts are low-risk, or escalate a response when conditions appear more threatening.
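The SOAR triage flow the article describes (alert, enrichment from intelligence feeds, risk engine, threat score, then false-positive close-out or hand-off) and the alert correlation with threat intelligence and vulnerability data in the paragraph above, as one added example that is not from the article or any SOAR product. The feeds, the scoring formula and the routing thresholds are constructed placeholders for a real platform's risk engine and policy.

```python
"""Added example: a minimal SOAR-style triage step.
Threat-intel, vulnerability data, alerts and thresholds are all constructed.
"""
from dataclasses import dataclass

THREAT_INTEL = {"198.51.100.23": 90, "203.0.113.7": 10}  # indicator -> reputation (100 = known bad)
VULNS = {"web-01": 9.8, "db-02": 4.3}                    # host -> highest open CVSS base score
KNOWN_SCANNERS = {"203.0.113.7"}                          # authorised scanners: known false positives


@dataclass
class Alert:
    host: str
    src_ip: str
    signature: str


def enrich(alert: Alert) -> dict:
    """Attach intel and vulnerability context; unknown sources score neutral (50)."""
    return {
        "alert": alert,
        "reputation": THREAT_INTEL.get(alert.src_ip, 50),
        "cvss": VULNS.get(alert.host, 0.0),
        "known_scanner": alert.src_ip in KNOWN_SCANNERS,
    }


def threat_score(ctx: dict) -> int:
    """Hypothetical risk engine: source reputation weighted by the host's exposure."""
    if ctx["known_scanner"]:
        return 0
    return round(ctx["reputation"] * (0.4 + 0.06 * ctx["cvss"]))


def route(score: int) -> str:
    """Outcome policy (constructed thresholds): escalate, queue for a human, or close."""
    if score >= 70:
        return "escalate-playbook"
    if score >= 30:
        return "analyst-queue"
    return "close-false-positive"


def triage(alerts) -> list:
    """Run each alert through enrich -> score -> route; returns (signature, score, outcome)."""
    return [(a.signature, s, route(s)) for a in alerts for s in [threat_score(enrich(a))]]


SAMPLE_ALERTS = [                                  # constructed alerts for illustration
    Alert("web-01", "198.51.100.23", "sqli-attempt"),
    Alert("db-02", "192.0.2.5", "brute-force"),
    Alert("web-01", "203.0.113.7", "port-scan"),
]
```

Only the middle band reaches a human; the known-bad source hitting the most exposed host is escalated automatically, and the authorised scanner is closed without analyst time.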
Before embarking on this automation journey, organizations should make a comprehensive review of their overall security environments. In this way, they can prioritize the most critical areas for automation strategies that will free up their staff from mundane tasks while increasing security efficiency.
We all know cyberattacks will only continue to grow in sheer numbers and complexity in the future. Meanwhile, security teams will still face a shortfall of qualified talent. We can close this gap by automating repetitive security processes so that analysts and researchers can focus their time and energy on the most pressing threats.
Rob Jenks, senior vice president, corporate strategy, Tanium