The Case for Security Automation

TEKnically Speaking – Automation, Part 3

 

We live in an inordinately distracting world. Applications we use both professionally and personally clammer for our attention. Every new email, Tweet, post, chat, or message comes with its unique chime calling us. Our professional lives blur into our personal lives with our smart phones functioning as a mini-office complete with email and other business applications that we routinely check after the workday is “done.” Conversely, our personal lives creep into our professional work as we pause to check Twitter, LinkedIn, Facebook, and other social media sites. With a 24/7 news cycle, a global pandemic, our employees confront an endless array of distractions that keep detailed, focused work at bay.

 

These distractions are serious business. Studies suggest that our attention spans now pale in comparison to goldfish and are no longer measured in hours or minutes, but seconds–estimated at just eight seconds. The sky-is-falling science behind these studies warrants a double click, but there is no denying that distractions undermine our ability to think carefully about critical issues and concentrate on detailed topics.

 

This dynamic has critical and dangerous implications for our security programs and the work we do to protect our organizations. Bluntly, if we do not automate mundane, error-prone tasks and implement procedures to validate these functions for fidelity and effectiveness, we will keep seeing daily news feeds on yet another data breach and/or a successful ransomware attack. Automating and orchestrating security functions can change the status quo and make us more resilient and secure. So how do we get there? Security automation.

 

Security automation is a journey that begins with understanding core functions that are currently manual and by extension error-prone. Cases in point: include configuration validations (e.g., hardening guidelines, firewall rules, ACLs, patching, etc.), log and event reviews, and key areas of incident response and evidence gathering (e.g., PCAPs, memory scraps, machine images), email header analysis, evaluation of indicators of compromise (IOCs), and integrating the same with threat intelligence. Automating mundane, day-to-day security tasks frees security teams to focus on those projects that require creative insight and the human touch. Automation also ups the game when responding to adversaries who have largely automated many of their attack techniques and leveraged highly efficient tooling to find and exploit weaknesses in our environments. If adversaries operate at network speed, we must do the same.

 

Modern security architectures based on sound enterprise architecture principles – should focus on resiliency, integration with security applications and tools, and inherently integrated operations using APIs and other network-speed operations. Vigilant, well-engineered automation and orchestrating responses to defined security risks allows security programs to be laser-focused on real “signals” versus the infinite “noise” we typically confront.