Security automation takes planning for success. At Kudelski Security, we have assisted many clients through a variety of use cases and integrations with automation. In many of these cases, clients begin with a broad strategy of “Let’s Automate.” This is a fantastic strategy to have from leadership, however it is difficult to get that strategy moving in a positive direction without some tactical goals. In the first part of this series, the discussion will be around how Kudelski Security has been successful with our current clients, mainly with understanding these three things:

The Problems

First let’s look at common problems companies try and address using automation.

A Lack Of Experienced Personnel

How do you do more with less? The entire cybersecurity industry is dealing with a lack of qualified and experienced personnel. This leads to security teams spending the majority of their time responding to incidents, not being able spend time developing and documenting automated processes that can protect business goals. Even with the growth in DevOps culture, finding qualified security-focused individuals that understand SOC operations and can help security teams automate their processes are still in very short supply.

Along with the shortage of qualified security personnel with automation, and the shortage of automation developers with security skills, is the challenge of shifting the culture of security teams and programs to embrace automation. Also, many times automation is perceived as a threat to a security team member and their job security, and can work to derail automation strategies to reduce the perceived job impact.

Alert Fatigue

How do you reduce the noise to get the real issues in front of experienced security analysts? With enterprises having 50+ security vendors on average[1], the noise generated from these products puts unneeded pressure on security analysts to decide which alert requires more attention. This leads to alerts that may be really important falling through the cracks more often, increasing the probability of a larger event happening.

Moving Past Short-Term Needs 

How do you shift workloads from teams that are already over-committed? With the lack of experienced personnel, and sifting through the alert overload, the largest problem is how to allocate resources away from running day-to-day operations, to work through the tactics of the automation strategy. These resources may currently automate to facilitate some short-term needs or projects, but require leadership to be on board with having an automation strategy and plan to allocate the needed resources.

[1] http://www.investors.com/news/technology/cisco-eyes-security-acquisitions-in-crowded-market/

The Environment

After defining the problem, it is key to understand how bad that problem is in your environment.  Here are two facets to that challenge.

Metrics

One approach to problem scope is to analyze metrics that are already in place. For example, use ticket resolution metrics to determine how much time and resources are being spent on specific tasks. If usable metrics are not available, you can rely on managers and operations team leads to identify the pain points and bottlenecks within their groups. Questions that can help understand the impact with automation include:

  • How long does this process take?
  • How often does this process happen?
  • How many resources does this process require?
  • How many technologies are required to be utilized?

Dealing With Misconceptions

How do you keep automation in check? Many security programs deal with the misconception that automation is designed to replace the human factor in their environment. Anxiousness from leaders and employees who believe that automation will replace their work, can have a less energetic mindset to allowing automation to work in their environment. Automation is designed to play a supporting role in your environment, with employees developing the mindset that automation can:

  • Reduce the time spent on repeatable tasks
  • Increase ability to accurately log and collect metrics
  • Augment, not replace, current employees workflows

The Framework

Security Program Maturity

After identifying and quantifying the problem(s) in your environment, you need to decide if your security program is mature enough for automation. It’s critical to build automation on a solid foundation in order to succeed. Frameworks allow a collection of ideas to organize thoughts, strategies, and tactics to build that foundation upon. If your security program already has a solid foundation, taking another look at the framework that it is built on with the viewpoint of automation. Using the Capability Maturity Model Integration (CMMI) [2]model as an example, here are a few questions that should be answered to allow automation to thrive:

  • Are there defined, repeatable processes, that are now being handled manually?
  • Are the security and business objectives mapped and aligned?
  • Are the security processes being monitored?
[2] http://cmmiinstitute.com/capability-maturity-model-integration

 

Applying The Framework

Applying the CMMI to security programs, the figure below represents the levels of maturity of security programs and illustrates the levels in a security program’s lifecycle. For example, a newly minted security program initiative may lack defined processes that can be designed from the onset, easily transitioning to automated processes. With security programs that are already established, the figure illustrates ways to ensure that automation can thrive. As an example, if there are already defined processes and workflows, how to take those, and properly monitor and measure those process. This allows proper insight into the value that automation can provide, and how the processes can help align the security program with business objectives.

Up Next

In the next part of this series, we will  look at how to build a cybersecurity program to thrive with automation, and provide a more efficient security team, able to handle more requests and drive the security strategy for the organization.

October is Cybersecurity Awareness Month, a time traditionally focused on empowering individuals and organizations to adopt more safer practices online. But October should also provide a moment for honest reflection among the professional security community about what is – and isn’t – working in our security arsenals. IT teams are being asked to do more with less, and security concerns can become squeezed in the process.  Find out more about how our customizable Automation & Orchestration solutions can help streamline your IT and security operations, while reinforcing security at the same time.

Blake Dobbs

Blake Dobbs

Cybersecurity Solutions Architect at Kudelski Security
Blake Dobbs is currently a Cybersecurity Solutions Architect at Kudelski Security. Blake's primary focus is automation integration within enterprise environments. Blake spent the last six years working and leading a solutions team for a cybersecurity research laboratory at the Georgia Tech Research Institute. While at Georgia Tech, Blake worked on and led multiple projects designed to bring automation to the forefront of the laboratory's long term strategy. Blake currently holds a Security+ certification, and is on track for his CISSP.
Blake Dobbs

Latest posts by Blake Dobbs (see all)