David Goeckeler, executive vice president and general manager of networking and security at Cisco, was speaking with a room full of journalists at the recent Cisco Live 2018 show when the topic turned to network segmentation and automation.
"Software-defined access is all about automating segmentation in your network," Goeckeler told the group. "Why are you automating segmentation in your network? Because that's how you're preventing lateral movement in a cybersecurity posture. Once somebody gets in your network, the big problem is you don't want them to go all over the place, so you segment your network. It's a well-known technique for a long time now. The problem is that it's very difficult to implement, so that's what we're automating. And it's very important in an IoT environment."
It was part of a larger message the company not only was pushing at the show but also has been over the past several years: At a time when businesses are increasingly transforming into digital entities and corporate networks are under near-constant cybersecurity threats, the pace at which changes must be made is accelerating, and automating the network -- and its security capabilities -- is the only way for enterprises to keep up. (See Hands-Off Security: Automating & Virtualizing the Enterprise Network.)
Throw in the issues of a growing skills gap in IT security, budgetary constraints, greater mobility and such trends as the Internet of Things and BYOD, and the need for automation becomes obvious.
"The overall threat landscape continues to evolve, and IT can't hope to keep up," Brajesh Goyal, vice president of engineering at Cavirin, a cybersecurity firm in Santa Clara, Calif., told Security Now in an email. "This is compounded with the move to the hybrid cloud, IoT, increased reliance on mobility, and the increasing sophistication of attacks. I’m sure you’ve heard of hacking-as-a-service. Automation, deployed within IT or as part of a cloud offering, is a critical response."
"Today's malicious actors utilize sophisticated techniques that frequently evade current preventive security controls," Roy Katmor, co-founder and CEO of San Francisco-based automated endpoint security vendor enSilo, told Security Now, adding:
"To address these new fast-evolving threats, organizations are forced to apply a multilayered security strategy that will enable filtering of known infiltration attempts while hunting already infiltrated attacks and respond in respect. This new reality of manual threat hunting and response derives a new altitude of security operation costs, long breach response time (aka dwell time), not to mention the uncapped product cost of ownership. Automation is needed to address precise real-time prevention, protection and response initiatives, while allowing business continuity with a capped total cost of ownership security defense."
Companies that are attacked see multiple ripple effects from the breach. According to Cisco's 2017 security report, 49% of organizations that suffered a breach faced public scrutiny as a result, 22% lost customers and 29% lost revenue.
In addition, the vendor found that 44% of security alerts weren't investigated.
"The security industry is struggling with managing security at scale on a large amount of devices and at the necessary speed to address problems as they occur," Chris Morales, head of security analytics at Vectra, an automated threat management vendor from San Jose, Calif., told Security Now. "It is becoming impossible for manual process to achieve the scale and speed necessary to keep up with modern enterprises. It is very important to automate those tasks which are repetitive and tedious."
Security policy automation is taking both a proactive and reactive approach, according to Rishi Bhargava, co-founder of Cupertino, Calif.-based Demisto, a security automation and orchestration provider. On the proactive side, "automated playbooks are scheduled to check all network ports and endpoints, identify any policy expirations and anomalies, and take the appropriate response measures to address them," Bhargava told Security Now. "On a reactive front, security incident response playbooks usually involve reconciling attack behavior with existing security policies, as well as updating those policies to prevent future attacks from slipping through the cracks."
New tech: automation, AI, machine learning
Automation essentially will help up and down the stack, according to various experts. That includes everything from workload segmentation and security configuration of workloads and devices to pattern detection, behavior-related baselines and even the developer arena.
"Automation's biggest contribution is in executing repeatable, low-level tasks that -- while important -- take away valuable analyst time while attacks continue to manifest on target networks," Demisto's Bhargava said. "These tasks include IOC [indicator of compromise] enrichment, data correlation across sources, extracting user and policy details, malware analysis through sandbox detonation, ticket management, email communication to relevant stakeholders, and more."
Emerging technologies such as artificial intelligence (AI) and machine learning also are playing an increasing role in network security automation, touching on everything from threat analysis, identification and remediation and proactive alerting to failover, according to Timur Kovalev, CTO at Untangle, a network security provider for SMBs based in San Jose.
AI and machine learning also can help security teams sort through the massive amounts of data coming at them every day.
"AI and machine learning are playing a crucial role in driving automated security policies initiatives," enSilo's Katmor said. "The ability to train and replay manual processes with machine learning models allows [security teams] to drive processes faster and in a scalable manner."
Companies are getting the message.
Vectra's Morales said that he is seeing "a large uptick in enterprises exploring their options for automation, in particular in cloud environments that already are largely automated for system management and have a large footprint of dynamic systems that scale based on performance needs (those that can be created, changed, moved, and deleted frequently)." (See Cisco: Companies More Proactive About Cybersecurity.)
While automating network security will continue to be important for businesses, security experts cautioned that doing so doesn’t mean removing humans from the equation. Automated systems detect patterns, analyze data and drive policies faster than humans, but it's humans that need to make decisions based on that information. In addition, according to Morales, "a human analyst needs to monitor and verify that automated tasks are functioning as expected."
No automation without people
"With security policy, it's vital for humans to be involved in the loop, oversee policy definition, validate important steps in the automated workflow, and retain a manual fail-safe option to complete actions in case there are any errors in the automation," Bhargava said.
As enterprises expand their use of automation for network security, there are a few things to remember, according to security experts:
"Enterprises need to ensure automation policies are based on awareness of the environment and these policies can adapt and react to changes in the environment in real time," Morales said. "It is also important to ensure automation tasks are not manipulated and cause unintentional harm to the organization, such as stopping mission critical apps from functioning due to network configuration errors. This is where AI and human analysis can assist automation tasks to ensure they function as intended."
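The proactive playbook Bhargava describes (a scheduled check for policy expirations and anomalies), his point that humans must validate important steps and keep a manual fail-safe, and Morales's warning that an automated change can knock out a mission-critical app through a configuration error can be sketched together as one small policy playbook. This is an added example, not code from the article or from any vendor quoted in it. The zone names, management-port list, rule records, observed flows and dates are constructed sample data, and the function names (`audit_rules`, `plan_enforcement`, `apply_removals`, `run_playbook`) are hypothetical.

```python
"""Policy playbook sketch: scheduled audit, guarded enforcement, human approval.
Added example; all rules, flows, zones and dates are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MGMT_PORTS = {22, 3389, 5900}          # SSH, RDP, VNC: never from an untrusted zone
UNTRUSTED_ZONES = {"guest", "iot"}     # segments that must not reach servers directly


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    port: int
    owner: str
    expires: Optional[date] = None      # None = permanent rule


@dataclass(frozen=True)
class Flow:
    """One observed (src zone, dst zone, port) conversation from flow logs."""
    src_zone: str
    dst_zone: str
    port: int
    critical: bool = False              # traffic a mission-critical app depends on


@dataclass
class Finding:
    rule: str
    reason: str
    action: str                         # "remove" (automatable) or "review" (needs a human)


def matches(rule, flow):
    return (rule.src_zone, rule.dst_zone, rule.port) == (flow.src_zone, flow.dst_zone, flow.port)


def audit_rules(rules, today):
    """Proactive pass: flag expired rules and segmentation anomalies."""
    findings = []
    for r in rules:
        if r.expires is not None and r.expires < today:
            findings.append(Finding(r.name, f"expired on {r.expires.isoformat()}", "remove"))
        if r.src_zone in UNTRUSTED_ZONES and r.port in MGMT_PORTS:
            findings.append(Finding(r.name, f"{r.src_zone} may reach management port {r.port}", "review"))
    return findings


def plan_enforcement(rules, findings, observed_flows):
    """Guardrail: a rule is auto-removed only if no critical observed flow would lose
    its last permitting rule. Everything else is escalated to the human review queue."""
    by_name = {r.name: r for r in rules}
    remove_names = {f.rule for f in findings if f.action == "remove"}
    survivors = [r for r in rules if r.name not in remove_names]
    auto_remove, needs_approval = [], []
    for f in findings:
        if f.action == "remove":
            rule = by_name[f.rule]
            at_risk = [fl for fl in observed_flows
                       if fl.critical and matches(rule, fl)
                       and not any(matches(s, fl) for s in survivors)]
            if not at_risk:
                auto_remove.append(f)
                continue
            fl = at_risk[0]
            f.action = "review"
            f.reason += f"; still carries critical traffic {fl.src_zone}->{fl.dst_zone}:{fl.port}"
        needs_approval.append(f)
    return auto_remove, needs_approval


def apply_removals(rules, auto_remove, queue, approved):
    """Drop auto-approved rules plus queued rules a named approver signed off on.
    `approved` maps rule name -> approver identity; unnamed or unqueued entries are ignored."""
    reviewed = {f.rule for f in queue}
    drop = {f.rule for f in auto_remove} | {n for n, who in approved.items() if n in reviewed and who}
    return [r for r in rules if r.name not in drop]


def run_playbook(rules, flows, today, approved=None):
    findings = audit_rules(rules, today)
    auto_remove, queue = plan_enforcement(rules, findings, flows)
    remaining = apply_removals(rules, auto_remove, queue, approved or {})
    return {
        "auto_removed": [f.rule for f in auto_remove],
        "review_queue": [f.rule for f in queue],
        "remaining": [r.name for r in remaining],
    }


# Constructed sample policy and flow data (not from any real network).
TODAY = date(2018, 7, 1)
RULES = [
    Rule("vendor-sftp", "partner", "dmz", 22, "netops", expires=date(2018, 3, 31)),
    Rule("legacy-erp-db", "app", "db", 1433, "erp-team", expires=date(2018, 6, 15)),
    Rule("erp-db", "app", "db", 5432, "erp-team"),
    Rule("iot-camera-mgmt", "iot", "datacenter", 22, "facilities"),
    Rule("guest-web", "guest", "internet", 443, "netops"),
]
FLOWS = [
    Flow("app", "db", 1433, critical=True),   # the ERP app still uses the "expired" path
    Flow("app", "db", 5432, critical=True),
    Flow("guest", "internet", 443),
]

if __name__ == "__main__":
    print(run_playbook(RULES, FLOWS, TODAY))
    print(run_playbook(RULES, FLOWS, TODAY, approved={"legacy-erp-db": "alice"}))
```

Two things the sketch makes concrete: the expired `vendor-sftp` rule carries no observed traffic, so it is removed without asking anyone, while the equally expired `legacy-erp-db` rule is still the only thing permitting a critical flow and is therefore parked for review rather than silently cut, and the queued rule is only dropped once an identifiable approver is recorded against it, which is the manual fail-safe in the loop.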
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.