By Bret Hartman, Vice President and CTO, Cisco Security Business Group
During RSA 2016, I led a Peer2Peer discussion titled Is Automation the Answer for Security in the Digital World? My goal for this session was to gain insight regarding different ways the automation of security operations might improve defenses—as well as the benefits, risks and limitations of those approaches. A number of analysts and industry experts have suggested that automation can help improve security effectiveness. That being said, when considering how to introduce automation across your security architecture, there are many elements to contemplate and questions to pose.
During the session, we engaged in a candid and open discussion about challenges and solutions. Attendees agreed that with today’s attacks, we are less able to scale. The level of attack sophistication really does mean that automation must be considered and used to answer at the speed and scale needed to make a difference.
Faster Remediation, Prioritizing Responses and Improving Productivity
One of the ways that session attendees indicated that automation can help was in remediating threats faster. As an industry, we have made tremendous progress in detecting threats. The overall time to detect is shrinking, yet remediating attacks is a much harder, slower and more manual process. In our 24x7 global business world, shutting down processes to address an outbreak can mean mean the loss of hundreds of millions of dollars. Leveraging automation to reduce the time to remediate can help to minimize these damages.
Additionally, automation can also help to prioritize responses to events and attacks. It is often the case that when attacks are happening, people are aware of the attack but might not necessarily know what to do about it—or know how to prioritize which events and/or attacks to address first.
One attendee in the session described a scenario where automation significantly helped a government agency reduce false positives and improve productivity. This organization was dealing with many tens of thousands of alerts per day. Before automated controls were put in place, it took anywhere between 10 minutes and 11 hours to look at a mere 65 notifications per day. When automatized activities were implemented, this translated into the ability to assess tens of thousands of alerts per day at speeds of between 0.1 and 1 second each. This freed up the higher tiered practitioners to perform more specialized work.
Potential Challenges with Automating Security
In addition to ways automation can help, we also talked about some of the risks and challenges with automating security. Attackers are using automation to attack much more effectively than defenders are using automation to defend. Additionally, while enterprise IT environments are becoming better equipped, Internet of Things (IoT) environments are less well prepared. Environments where IoT factors in are growing faster than the defenses that are being implemented. For instance, in the medical device industry, the issue of compliance certification and regulation for medical devices is very important. These regulations can impede security automation because they may require recertification for any software change. Regulations can, in fact, reduce security effectiveness because they do not permit systems to adapt to keep up with the threat
Several practitioners acknowledged that while automation is necessary to cope with the dynamic threat landscape, there is fear of letting go of manual control of security controls and activities. One attendee suggested setting up models where practitioners can increase automation levels over time by varying degrees that align with their comfort levels. By giving people options to apply automation at varying levels, they become more comfortable using automation to improve their defenses.
Conclusion: What’s Most Important is Effective Security
While there are multiple schools of thought regarding best practices for applying security automation, the practitioners who attended all agreed that what’s most important now is improving security effectiveness. To defend against a growing number of organized and well-funded adversaries requires a better approach.
Automation is one of the fundamental pieces in improving the effectiveness of security and enabling professionals to leverage security to accelerate business success.
As the Security CTO, Bret Hartman defines the security technology strategy for Cisco. He has more than 30 years of experience building security solutions for major enterprises. His expertise includes cloud, virtualization and web services. He speaks regularly at security events on distributed systems security. Prior to Cisco, he was CTO of RSA and an EMC Fellow, where he defined the security technology strategy and drove many acquisitions. He has also worked at several startups and began his career as a U.S. Air Force officer assigned to the U.S. National Security Agency. He holds a B.S. in computer science and engineering from Massachusetts Institute of Technology and an M.S. in computer science from the University of Maryland.