Security Automation: Reducing Friction and Increasing Innovation
By Tom Suder, Founder, ATARC
Despite the difference in their operational goals, security is handled in a surprisingly uniform fashion across both enterprises and federal agencies. To deal with external threats most of these organizations use a traditional security information and event management (SIEM) solution e.g. IBM QRadar or Splunk ES which, at the risk of oversimplification, spits out a relentless stream of real-time alerts to be reviewed by the staff of a security operations center (SOC). Unfortunately, these alerts can quickly become a flood.
CSO contributors Stacy Collett and Maria Korolov cite research from analyst firm Ovum to note that “many organizations, regardless of size, receive tens of thousands of security alerts from their monitoring systems every day. Some 37 percent of banks, for example, receive more than 200,000 security alerts a day about possible attacks.” Unfortunately, this is only the beginning of the challenge for security professionals employed in the enterprise and the federal government.
In addition to vigilance in the face of external threats, security professionals are expected to review applications purchased off the shelf or developed by internal teams to assess their vulnerabilities, among other tasks. This second responsibility frequently puts security at odds
with internal development teams facing pressure to deliver valuable applications and can result in friction between departments. The multiplication of assigned tasks, combined with the relative scarcity of cybersecurity professionals, results in an untenable situation. Security teams just can’t keep up with the demands on their time. Collett and Korolov cite a study by research firm CyberEdge Group finding that “security practitioners worldwide cited the ‘overwhelming cyber threat environment’ as the single biggest challenge facing IT security professionals in 2015 and 2016.”
To use an old adage, “necessity is the mother of invention” and cybersecurity is no different. In order to help ease the burden on security teams, and increase their agility, the last few years have seen the emergence of what has commonly come to be referred to as “security automation.” While the term has come to mean slightly different things in different contexts, “security automation” is typically used as a shorthand way to refer to automated processes designed to detect and respond to threats according to defined criteria.
Sophisticated organizations, public and private, are paying attention. A 2016 survey referenced by Infosecurity Magazine found that “80% of respondents believe that automation will increase the overall security posture of their organizations, while 75% think it will improve application availability, reduce errors and enable them to process security policy changes faster. And as a result, 83% of organizations stated that the use of automation for managing security processes needs to increase over the next three years.” However, at the time the survey was conducted, the implementation of security automation remained limited. According to the survey, “only 15% of respondents reported that their security processes were highly automated. Over 52% had some automation in place but felt that it was not enough, and 33% said they had little to no automation.”
That’s starting to change. This year analyst Jon Oltsik of Enterprise Strategy Group cited research from his firm showing that “19 percent of enterprise organizations have adopted security operations automation and orchestration technologies ‘extensively,’ 39 percent have done so on a limited basis, and 26 percent are currently engaged in a project to automate/orchestrate security operations.” Yet it’s important to note that the benefits of security automation are much greater than just improving the speed at which security teams can work. Indeed, the benefits extend beyond security teams themselves.
In addition to the increased adoption of security automation technologies by enterprises and federal agencies, the past few years have seen a shift in the way that IT and security are viewed by executives. These departments are not seen as just a cost center anymore e.g. line items on a budget that have to be paid out as a kind of ransom in order to keep systems running and reduce the risk of a cyberattack. Instead, executives are increasingly looking towards IT and security departments to drive innovation. But this can’t be accomplished without these two departments becoming allies instead of adversaries.
Earlier I noted that one common area of friction between IT and security arises during application development. Ask a developer to honestly state what they think of their colleagues in cybersecurity and they’ll say something along the lines of “security are the people that say ‘no’.” That’s because developers often see security professionals as the ones holding up their ability to deliver value with frequent security checks that inevitably last longer than necessary simply because overtaxed security professionals don’t have adequate time to devote to the process. It’s not that developers don’t understand the importance of security, they do, but they’re frustrated by the delays. This is doubly true at enterprises and federal agencies that have no choice but to hold themselves to the highest security standards possible. In many cases an application can even be discarded entirely after it fails to meet security standards.
Security automation offers a path out of this painful cycle by bringing security into the development and purchasing process. Automated security checks, such as through code scans to detect for code vulnerabilities, can resolve many issues on an ongoing basis throughout the development or evaluation process with no need for human involvement. This allows for security professionals to be held in reserve to handle the comparatively rare “grey areas” where their expertise is truly necessary. Further checks can be run in response to specified events after deployment, such as an operating system update.
The result is that IT and security are able to work more efficiently and harmoniously together and, by extension, deliver greater business value. To repurpose the title of Roger Fisher and William L. Ury’s 1981 classic, security automation helps security departments “get to yes.”
Visit ATARC in the TechXpo at the Symantec Government Symposium on Tuesday, October 30. Register now: https://www.symantecgovsymposium.com/register/