Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

12:15 AM

Moving Safely From Detection To Automated Action

Companies that fail to make the most use of automation put themselves at risk, yet doing it wrong can lead to business disruptions

Many companies remain cautious of automating their security systems, leery of the possible business interruptions that could happen when a mistake gets propagated across their systems.

Yet, the complexity that the average information security manager or chief information-security officer has navigate means that automation is no longer an option, but a mandate, say security experts. Adding up the threats that need to be tracked, the vulnerabilities that must be mitigated, and the users that need to be cared for results in a stark calculus for the defenders, says Mike Lloyd, chief technology officer of RedSeal Networks, a network-management firm.

Companies that do not focus on automating their monitoring and response to incidents are likely missing threats to the their business, he says. While worries over automation are natural, they are placing defenders at a disadvantage because attackers have no qualms about multiplying their impact with automated programs and systems.

"The attackers have moved up to automated weaponry, while the defenders are still using bows and arrows," Lloyd says.

The distrust of automation is so pervasive that, despite the commoditization of intrusion prevention systems over the past decade, many companies continue to use their appliances to merely detect threats, he says.

Yet, automation done wrong can be worse than the threats. Bad things can happen when automation ends up propagating an error. Take the March incident that downed Internet load-balancing service CloudFlare for more than an hour. The company analysis of an on-going attack resulted in an odd router rule. Despite the fact that the rule attempted to filter out packets that could not exist on the Internet, an analyst pushed out the rule to every edge router. Making matters worse, the rule crashed the routers.

"What should have happened is that no packet should have matched that rule because no packet was actually that large," the company wrote in a March 3 post. "What happened instead is that the routers encountered the rule and then proceeded to consume all their RAM until they crashed."

Greater efficiency means more time for defense
Companies should start their automation efforts by looking for workflows that generate few false positives or errors, and automate those first. While such efforts may not directly result in a greater likelihood of detecting attackers, they will free up defenders to pursue other analyses and investigations, and so indirectly will strengthen defenses, says Dan Kuykendall, chief technology officer and co-CEO of NT OBJECTives, an application security firm.

"It is not just about automation, but about efficiency," he says. "If you are in a scenario where your scanner tells you that you have 20 or 30 vulnerabilities, sitting down and hand-writing filters is generally out of reach for most people. Having that automated piece is very efficient."

[With a federal agency deadline for Federal Information Security Management Act (FISMA) compliance reporting through the new automated tool already past, security experts believe the government still has a long way to go. See Continuous Monitoring Still A Long Way Off For The Feds.]

Overall, the degree of automation should depend on the accuracy of the detection systems: If the system produces a lot of false positives, then automation will likely be error-prone. In that case, having a human--or more than one expert--in the loop is necessary. Vulnerability scanners can automatically generate rules that can then be added to a network firewall or a Web application firewall, but the system's manager should review the response.

"When you observe something, you want to see that the accuracy is very high before automating the response," says Chris Petersen, chief technology officer and co-founder of log management firm LogRhythm, warning that "other security alerts, such as those resulting from behavioral analytics, are not going to be as concrete as that."

The level of oversight also depends on the action take in response. Blocking access to a public Web server is a serious measure, so a manager should sign off on the change. Responses to other types of alerts, such as disabling the account of a user from which suspicious activity has been detected, could be done automatically, says Petersen.

"The impact of a disabled account is relatively minor--the user may be unproductive for a couple of hours," he says.

Standardization is needed
Another road block to automating the response to threats is that detection systems and response systems do not typically speak the same language. Vulnerability management systems will likely list issues in the Common Vulnerability and Exposures (CVE) format, while intrusion prevention systems generally have a proprietary way of expressing vulnerabilities in terms of signatures, says RedSeal Networks' Lloyd.

"The industry is letting their customers down by not integrating their products well," he says.

Companies that are planning to tie systems together to better automate them should look at the Security Content Automation Protocol (SCAP), a standard developed by the U.S. National Institute of Standards and Technology for allowing interoperability between security devices.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/18/2013 | 11:21:31 PM
re: Moving Safely From Detection To Automated Action
Hi Robert, thanks for the insightful article. While many companies are hesitant to automate their security systems because of possible business interruptions in the event of a problem, the benefits of automatic security measures, such as identity and access management (IAM) solutions can save companies a lot of time and money associated with manually managing network security. Companies that manually monitor security measures are more likely to miss important threats and waste internal resources that could easily be taken care of with an automated solution.

Companies are starting to realize that it is not ok to be out of compliance 364 days of the year. Annual access certification is marginally better than doing nothing at all.
However, this approach can create a false sense of security by creating the illusion of compliance. Embedding controls into the business process, thereby preventing inappropriate access grants from occurring in the first place, creates a culture of continuous compliance and mitigates the burden of access certification.

With federal regulations like FISMA that require automated compliance reporting, companies should already be moving towards finding ways to automate IAM processes, even if they are hesitant to do so. These proactive steps can cut down operating costs and increase protection against noncompliance and other potential threats. IGd be interested to hear your thoughts on our approach: http://n8id.com/our-company/ov...
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I like the old version of Google assistant much better.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
PUBLISHED: 2021-01-21
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, ...
PUBLISHED: 2021-01-21
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executi...
PUBLISHED: 2021-01-21
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typicall...