There are two words that can elicit fear from enterprise executives like nothing else: security breach. Yet, despite this, CISOs have all but resigned themselves to knowing those words are likely to come at some point during their tenure.
The challenge is simply that CISOs can’t seem to find a way to reduce the number and severity of cyberattacks. And for good reason: Cyberattacks are growing increasingly intelligent and relentless, and without integrated solutions that can communicate with one another, the situation is poised to get worse.
To counteract this, many organizations are trying to throw money at the problem to protect their systems and infrastructure as best they can. In fact, according to Gartner, worldwide spending on enterprise security will reach $96.3 billion in 2018. But these new technologies are not making things easier, with reports finding that less than 5 percent of the security incidents flowing into security teams every day can be examined. The problem is not a lack of resources, but a lack of effectiveness at today’s cloud scale.
There is no chance that human operators, no matter how many are at your disposal, can cope with the scale, complexity and speed of modern IT environments—a fact that needs to be acknowledged industrywide. The age-old saying rings true: Work smarter, not harder. And at cloud scale, enterprises need to consider security automation to adhere to that adage.
Today’s market is oversaturated with security solutions, with large enterprises often deploying up to 20 different solutions to help protect their infrastructure. They choose the best solution for a particular security issue and create a strategy piecemeal.
Yet, despite heavy investments, security departments are still struggling to keep up with the pace of attacks. And as CISOs invest more and more into various security solutions and platforms, IT teams struggle to integrate the new while managing existing technologies. Many of the platforms and solutions do not integrate with each other and, as a result of uncoordinated security approaches, may only address the symptoms, not the underlying cause of security issues.
One of the primary problems with today’s IT security is a lack of industrywide, commonly adopted standards. Some of the proposed standards for integration (such as CYBOX, OPENIOC and YARA) are not widely used and are already being replaced with new proposals before they even get off the ground. Any integration that does exist is typically only between solutions offered by the same vendor, or between specific products from two vendors engaged in a temporary joint marketing effort. The odds are that these integration efforts will not be adopted by the whole security industry—and, if that does happen, it will be in the distant future.
Without integration, any security solutions in place may not be enough to protect the corporate environment, and the lack of orchestration is going to become apparent as the threat landscape grows even more hostile. Think of it in terms of physical security: It’s like trying to protect a building by installing security cameras, security guards and guard dogs, but the security guards don’t look at the cameras and the dogs are let out at random times. There is no cohesion; therefore, if it’s not ineffective, it is definitely not efficient.
While DevOps methodologies have been implemented successfully in mindset and practice in many organizations, there is still a massive mismatch between the speed and agility that DevOps dictates and the slow pace at which IT security operations are delivered.
Imagine how much more effective a security defense would be if your intrusion detection system could talk to your security information and event management (SIEM) solution, which could talk to your enterprise firewall, and so on. IT teams would then be able to coordinate an automated security response across all these solutions.
Security orchestration and automated response (SOAR) solutions, as Gartner calls them, can meld different security solutions into a much more efficient and effective strategy. And, according to Gartner, 84 percent of organizations are already investing in or evaluating security automation, although by many accounts, current SOAR solutions are complicated to use and rarely deliver what they promise. For example, if you need a Python developer who is also a security expert to operate a SOAR solution, then that solution is likely dead on arrival: the combination of skills required is difficult to find in the market, and writing and maintaining the automation workflows is complex.
What’s needed to drive industrywide integration and make SOAR a reality is an automation layer with specific, unique characteristics.
- First, the automation layer would need to have a wide range of integration points with many different types of security solutions on the market. And to do that, it would have to have a modular and very flexible integration mechanism.
- Second, the language used by the automation layer would need to be exceptionally easy to learn, write and maintain while the automation layer itself would need to be exceptionally easy to implement and manage. Adoption is constrained by complexity. And here we are talking about something that must be implemented by the entire security industry to be effective.
- Last, the solution would need to be open to contribution and improvement by any stakeholder, whether security vendors or end-user organizations, so that nobody could control the agenda.
With these qualities, automation could become a universal integration layer for IT security and significantly increase the effectiveness of existing security solutions.
Just the Beginning
Cyberattacks aren’t slowing down, so an organization’s defenses can’t either. Security automation and orchestration is just the starting point for a whole new way of taking on these challenges.
I envision that once orchestrated security solutions are mainstream and organizations have entire portfolios of solutions that are fully automated, a layer of intelligence can be added that doesn’t even exist today. For example, if for any given attack there are four, five or even 10 different methods of remediation, AI could help instantaneously weigh which remediation is the most efficient. With synchronized security, AI can discover that remediation X blocks the attack in three minutes, whereas remediation Y blocks the attack in 30 minutes. This is where CISOs could really gain the upper hand when it comes to security and adapt at a speed that matches future attacks.
There remains a lot of skepticism about automated security, so rather than implementing what’s available today and working together to make security automation and orchestration solutions better over time, security professionals tend to stay away from the “great unknown.” However, at cloud scale, organizations don’t have any choice other than to automate security. Automation has the potential to do for security what it has done for so many other areas of IT, and it can finally be the change in cybersecurity that organizations have been searching for.