When security teams are challenged with how to mitigate risks, they often look to technology for solutions. Yet sometimes investing in new products can create more issues in the greater security ecosystem of their organizations.
In practice, not all tools and technologies can work together. In many cases, organizations already have dozens or hundreds of different tools and technologies and are often not even aware of all the technologies they are running, let alone what their capabilities are, according to Stephen Cavey, co-founder of Ground Labs.
"It's not uncommon for organizations looking down the barrel of a skills shortage to scratch their heads and wonder how they are going to overcome that," Cavey says. "Using technology to overcome that problem is very attractive."
So how can organizations manage expectations and establish a clear and effective path for moving forward with the promises of security orchestration and automation?
Over the Crest and into the Trough of Disappointment
The idea of security orchestration and automation is itself "the shiny new thing on the block," Cavey says. However, investing in more technology to solve the problem of disparate tools not working in orchestration is not a silver bullet.
Keeping infrastructure and data secure across the entire organization requires staffing, which is one reason why Cavey says he anticipates a number of failed implementations on the horizon. Many companies have unrealistic motivations when they are investing in these platforms, he says.
Those motivations are coming from the pain points an organization is feeling, according to Cavey: "There's incredible pressure coming down from the board for these security teams to be able to say, 'Tell us you have this; tell us we are in good shape. We have an interest in IT security and knowing that we as a company are not going to be the next headline.'"
Take data loss prevention (DLP), for example. When introduced nearly a decade ago, DLP's promise to the average CISO was its implementation would protect data and prevent it from being stolen, Cavey explains. "Yet the reality that organizations quickly learned was that they can't just install the solution and have it achieve what the marketing people promised," he says. "There's a lot more devil in the detail."
For those large, complex infrastructures with lots of different platforms, data sources, and processes that need to be looked at in different ways, one multisuite solution isn't going to provide a quick fix.
"It wasn't until 10 to 12 months after purchase that companies started realizing DLP wasn't perfect. There were caveats to every marketing promise that was made," Cavey says. "I think we are looking at a repeat of that in this new space of security automation."
Can Security Tools Work in Harmony?
What many organizations need most is trained engineers who are able to run the programs in today's complex environments, says Lamar Bailey, senior director of security research at Tripwire.
He agrees that when struggling with staffing resources, many organizations look to technology solutions. Even solutions from the same vendor may have different user interfaces and workflows that are common across a suite of products, he says.
A potential solution that can help address staffing challenges while also ensuring a cohesive environment is to look at software-as-a-service (SaaS) or managed services, Bailey says. "These services help solve the skills gap because the vendor is supplying the manpower and expertise needed to run the services, and the customer can work with them to define what they want delivered."
Another solution is to look for products with robust APIs to allow for these integrations, says David Vergara, director of security product marketing at OneSpan. "Modern security platforms utilize common APIs like REST that provide the ability to leverage broader third-party data for fraud analysis," he says.
Open architected, centralized, cloud-based platforms improve visibility across digital channels, such as online and mobile. In addition, many companies will also offer apps or professional services to create and support the needed integrations.
Because static, binary authentication security simply doesn't cut it anymore, Vergara advises the level of security be aligned with the level of risk. "Authentication technology and methods with orchestration dynamically utilize the right authentication method for the associated transaction risk," he says. "When this occurs, businesses meet security, user experience, and also regulatory compliance goals."
Managing Orchestration Expectations
The best security orchestration is completely invisible to the end user, according to Vergara. Take the example of a mobile banking transaction that is regularly repeated. In time, it becomes a normal behavior and the risk is low.
"If any variables change, such as transaction amount, location, unknown device, jailbroken/rooted phone, etc., the risk increases," Vergara says. "For the low-risk transaction, user authentication can be seamless -- i.e., fingerprint scan; however, as the risk increases, additional authentication steps can be required -- i.e., face recognition, PIN, behavioral biometrics and others)."
Several technologies are working in the background to make this work. Risk analytics generates an accurate risk score, mobile security assesses risk of the device and mobile apps, authentication methods, and orchestration based on the level of risk, dynamically execute a precise authentication workflow for each unique transaction. As a result, "the exact level of security is applied to each transaction," Vergara explains.
In order to achieve this level of security orchestration using automation, Vergara says companies should begin with an honest evaluation of what works and doesn't work across the security ecosystem. "Look at what tools cause friction for business customers, partners, and vendors, as well as those that decrease visibility in key channels, like mobile," he says. "Identify lower efficiency, such as those that require manual fraud review or produce increased false positives."
What an organization first needs to have, according to Ground Labs' Cavey, is a set of mature, establishes processes. Doing a true assessment of where orchestration and automation can realistically help the business and add benefits will help to identify the actual processes that can work.
"If you take it in bite-size chunks and be very realistic about what you can achieve at the outset and not allow the vendor to promise the world, I think you are in for a much more positive experience as you go on this orchestration and automation journey," Cavey says.
- A Security-First Approach to DevOps
- How to Create Smarter Risk Assessments
- Frank Taylor: Better Processes Lead to Tighter Security
- 6 Ways Mature DevOps Teams Are Killing It in Security
Image Source: Elnur via Adobe Stock