Automation: Moving from Detection to Enforcement

As organizations rush to embrace automation and the benefits they are expecting to reap, it is crucial to remember that any automation journey should include cybersecurity.

Security automation does not start and end with detection. While it is true that the first step for many organizations is implementing automation tools to detect anomalies and potential intrusions, detection alone is not enough. The next, and perhaps even more critical, step is to enable automatic enforcement as well.

Where to Start

Enterprises today have many different security tools deployed—often from multiple vendors—all with differing levels of automation capabilities. Attempting to activate all capabilities immediately, and simultaneously, is simply not practical. Before diving in, start by reviewing existing security policies and updating network diagrams, server diagrams and infrastructure diagrams. This will ensure all tools and technologies are clearly identified and mapped to inform the approach to automating an enterprise’s security architecture.

Once you understand what is in place, it is easier to identify potential tasks to automate and which tools are the best fit to carry out the job. Look at tools that cover the broadest base and have the best ability for integration via vendor support or API integrations. This provides two key benefits:

  • Reduces the number of management consoles required for the network.
  • Provides the most holistic, cross-solution view of security and the ability to deploy changes to multiple solutions automatically from a single platform.

Making the Most of Automation Tools

To truly maximize the benefits of automation tools, move beyond automation and into orchestration. But orchestration between solutions is only possible with integration, making it essential for an enterprise’s automation platform to integrate with as many third-party vendor solutions as possible.

Orchestration provides the broadest view of everything happening in and on the network, allowing the security team to draw on all available data when creating automated security policies.

While automation helps identify anomalies and alert security personnel to potential risks, orchestration ensures that automated decisions are being made with access to the maximum amount of security and network data available. As these two capabilities integrate, it becomes possible for an enterprise to fully maximize the return on investment from automation tools.

Prioritizing Automation Tasks

There is no single most important task to automate. Instead, organizations should be looking across several areas that are key to successful security automation, including:

  • Blocking of users and devices: Automation can block abnormal users and devices substantially faster than a security engineer. Time is of the essence when suspicious activity is detected, making automatic blocking a key way to contain a threat and limit potential damage from a security breach.
  • Escalation into SIEM: When a security incident occurs, it is likely to be identified only when several seemingly unrelated actions are collated and together become a risk. This is where the SIEM creates a powerful funnel, taking input from multiple security and non-security solutions to monitor the normal security posture. If the SIEM has a well-defined set of security rules, it can perform intelligence actions automatically – such as reputation scoring – and, if necessary, escalate to a security engineer.
  • Assignment of tasks: It is equally important to be able to efficiently route tasks to an appropriate resource in the security team. Consider automating task assignment to drive faster incident resolution.
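
The three tasks above as one pipeline, added here as an example rather than anything from the article or a particular vendor: events for each source are collated, scored against a rule set plus a reputation lookup, and then blocked, escalated to an engineer, or assigned as a routine task. The rule weights, reputation values, thresholds and routing targets are constructed assumptions.

```python
# Added example, not the article's code: a miniature detection-to-enforcement pipeline.
# The rule weights, reputation values, thresholds and routing are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass

RULE_WEIGHTS = {"auth_failure": 1, "new_device": 2, "privilege_change": 3, "data_egress": 4}
REPUTATION = {"203.0.113.7": 8, "198.51.100.23": 2}  # IP -> score, 0 = clean, 10 = known bad
BLOCK_AT, ESCALATE_AT = 10, 5  # score thresholds for automatic block / engineer escalation
ROUTING = {"block": "nac-quarantine", "escalate": "tier2-oncall", "assign": "tier1-queue"}

@dataclass
class Event:
    source: str  # user@device as seen by the SIEM
    ip: str
    kind: str

def collate(events):
    """Group events by source so individually benign actions are judged together."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)
    return by_source

def score(events):
    """Rule-based risk of the collated events plus the worst reputation among IPs seen."""
    rule_score = sum(RULE_WEIGHTS.get(e.kind, 0) for e in events)
    reputation = max(REPUTATION.get(e.ip, 0) for e in events)
    return rule_score + reputation

def decide(total):
    """Map a collated score to the enforcement action."""
    return "block" if total >= BLOCK_AT else "escalate" if total >= ESCALATE_AT else "assign"

def enforce(events):
    """Return {source: (action, route)} for every source in the event stream."""
    actions = {src: decide(score(evs)) for src, evs in collate(events).items()}
    return {src: (act, ROUTING[act]) for src, act in actions.items()}

# Constructed sample stream: no single event here is alarming on its own.
SAMPLE = [
    Event("alice@laptop-12", "203.0.113.7", "auth_failure"),
    Event("alice@laptop-12", "203.0.113.7", "auth_failure"),
    Event("alice@laptop-12", "203.0.113.7", "privilege_change"),
    Event("bob@desk-04", "198.51.100.23", "new_device"),
    Event("bob@desk-04", "198.51.100.23", "privilege_change"),
    Event("carol@desk-09", "192.0.2.5", "auth_failure"),
]
```

Running `enforce(SAMPLE)` quarantines alice (repeated failures plus a privilege change from a poorly rated address), escalates bob to an engineer, and leaves carol's lone failure as a tier-1 task.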

These are just three examples of important tasks to automate, and certainly not a comprehensive list that, once completed, finishes the automation effort. While the priorities of any given enterprise vary depending on business goals and security posture, with these items in place it becomes clearer how to approach more complex tasks and increasingly automate security enforcement features.

Automation, from detection to enforcement, is not a one-size-fits-all solution. Do your due diligence and do not skip out on the important preliminary steps. This will set you on the right path and help guide the rest of your automation journey.

Laurence Pitt

Laurence Pitt is Global Security Strategy Director at Juniper Networks. He joined Juniper Networks in 2016 and is the security subject matter expert for the corporate marketing team. He has over twenty years of cyber security experience, having started out in systems design and moved through product management in areas from endpoint security to managed networks. In his role at Juniper, Laurence articulates security clearly to business and across the business, creating and having conversations to provoke careful thought about process, policy and solutions. Security throughout the network is a key area where Juniper can help as business moves to the cloud and undertakes the challenge of digital transformation. Prior to joining Juniper, Laurence was director of Global Solutions Marketing at Symantec. Previously he was product management director of Managed Security at NTT and Endpoint Computing at Novell.