Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/20/2018
10:30 AM
Dan Koloski
Dan Koloski
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
0%
100%

Improving the Adoption of Security Automation

Four barriers to automation and how to overcome them.

IT has always added value through automation, but its penetration into security practices historically has been lower than in other functional areas. For example, in the just-released Oracle and KPMG Cloud Threat Report 2018, only 35% of respondents said that "Our company is committed to security automation and actively investing in solutions," even as the survey revealed that a fundamental aspect of protecting the cloud-enabled workplace is the challenge of keeping pace at scale.

Automation should be an essential part of the IT toolkit, enabling organizations to massively scale and remove effort, but it currently isn't widely adopted in most enterprises. To attack this problem, it's important to understand automation's barriers to adoption and how they can be overcome.

Barrier 1: We're Not Confident in Our Decision-Making
It's striking how often customers tell me they can't automate remediation because they aren't sure enough of their analytic conclusions to know if their automated remediation can actually help in a given scenario. This is a symptom of an upstream analytics problem, not really an automation problem. Overcoming this barrier involves improving the quality of upstream data and analytics with which to make decisions, and making the results of those decisions available to an orchestration/automation framework, which really means you need an analytics platform that can cope with the volume generated by a unified and comprehensive data and telemetry set.

Barrier 2: Not Everything We Want to Secure Is Easily Automatable
Platform choice matters, even though that choice is not always up to the security team. Now, more than ever, is the time for security teams to advocate that technical platform choices for upcoming projects must be automatable and ideally be as autonomously self-securing as possible. At any enterprise, there is a wide spectrum of cloud, on-premises, and hybrid scenarios that are evolving at different rates, so it's never "too late" for the platform conversation. It's important for security experts to be informed about which platform choices can lower an application's risk posture and for them to share that information with their colleagues in application development, actively and frequently.

Barrier 3: We're Arfraid of Losing Control 
This one is cultural and understandable. Security runbooks have been manual since the dawn of computing, and analytics have historically under-delivered actionable insights, so many experienced analysts are naturally distrustful of both of them. Here it pays to start small. Instead of beginning with automation of full-life-cycle remediation, perhaps begin with automation of forensics and lightweight remediation – say, a portion of the investigative runbook of your analysts and a simple remediation action, such as turning on one-time multifactor authentication (MFA).

If the analytics algorithms identify anomalous behavioral patterns from users on one system, a good next step could be to automatically aggregate similar user behavior across other systems and slow down the process with an MFA challenge delivered via text to users' smartphones. This sort of process isn't taking the full remediation step of account suspension, but it does automate some of the investigative runbook as well as an initial preventative step.

Barrier 4: We Have Dueling Automation Frameworks (Security vs. DevOps)
The industry trend for automation over the last several years has favored the developer, with DevOps automation ubiquitously increasing the pace of bringing innovations to market. There is a natural disinclination on the part of developers and line-of-business executives to allow a second set of automation that might slow or break the DevOps pipeline. In this case, it's time for security to partner with development and operations … in other words, DevSecOps!

DevSecOps requires a level of cross-team collaboration, joint instrumentation, and automation that is possible when organizations standardize on the same underlying data/analytics/automation regime for development, security, and operations. Modern solutions that offer different "skins" for development, security, and operations users (but are really the same platform underneath) can provide the shared factual understanding that is required to begin to bridge the historical divide between these roles.

Make a Difference
Automation is one of IT's oldest weapons. It represents the best opportunity for security efforts to match the speed and scale of today's attack surface and threat vectors, but most security teams are still underinvested in the area. A closer look reveals that automation's low level of penetration is largely due to factors that aren't about the automation itself — and each of these factors represents an opportunity for security teams to make a difference.

Focusing on better analytics, informing platform choices for new projects, overcoming cultural resistance in our own teams, and collaborating with other teams can all increase the adoption of automation, which ultimately will help us improve our security posture.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Dan Koloski is a software industry expert with broad experience as both a technologist working on the IT side and as a management executive on the vendor side. Dan is a Vice President in Oracle's Systems Management and Security products group, which produces the Oracle ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
nathanluise92
50%
50%
nathanluise92,
User Rank: Apprentice
6/27/2018 | 4:54:37 AM
More barriers
You mention only 4 barriers, but what if it is more than 4? Also it depends from the manufacturing issues and some addtional needs. What to do in such cases? Can you suggest any great examples of dealing with this problem? 
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16649
PUBLISHED: 2019-09-21
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the...
CVE-2019-16650
PUBLISHED: 2019-09-21
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the se...
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.