Network security automation uses machines to programmatically execute security tasks. Typically, network security automation is used to manage the low-complexity, high-volume aspects of detection, investigation, and mitigation. For instance, automation can be used to separate false alerts from true threats among the 10,000 alerts every enterprise receives on an average day. But automation can (and should) be used in a much more strategic manner, strengthening the organization as a whole rather than solely focusing on streamlining tedious processes in understaffed, overworked security operations centers (SOCs).
On a practical level, automation is often perceived to consist of scripts written by administrators to relieve some of the burden of manual labor associated with specific tasks. That is certainly one way to use automation, although it tends to present many of the same problems as manual processes, such as errors that create vulnerabilities or the need to kick off the automation manually (which means the automation isn’t truly automated). None of this should be surprising: despite its wide adoption in the enterprise world, automation is still an emerging technology that many organizations haven’t yet mastered.
3 Reasons Most Organizations Fail at Automation
The number one reason most organizations miss out on the benefits of automation is that they never get started. According to the FireMon State of the Firewall 2019 report, 65 percent of organizations are using no form of automation at all to manage their network environment. It’s hard to understand why this is the case when so many security teams are understaffed. Sixty-seven percent of organizations FireMon surveyed reported that the skills shortage has increased their security teams’ workloads, but 38 percent are still relying on spreadsheets, emails, and other outdated tools to manage as many as 99 change requests each week. These organizations seem to be setting themselves up to fall behind, not only in the daily tasks conducted by their SOCs, but in their competitive arenas, as their more technologically-advanced competitors become more secure, agile, and digitally transformed.
Organizations that have already embraced automation still face some common problems. These arise from two sources: the structure of IT teams and a lack of an organization-wide automation strategy.
IT teams frequently work in silos that are intended to foster laser-sharp focus. But the result instead is costly redundancy and inefficient one-off approaches to security. Enterprises end up baking in a “hero culture” that sets employees up to fail: they write automation scripts that don’t solve the issue because the authors lacked a holistic understanding of the infrastructure, organizational priorities, and user needs. The organization is left with a spotty patchwork of automation scripts that support neither cybersecurity nor business continuity.
Businesses should spend time understanding how automation can support their overall business strategy. Instead of saying, “This dull task can be done by a machine,” they should be asking, “How can we use automation to help achieve our strategic directives?” The answers to that question can be used to determine what should be automated, in what order, and to what extent. On a tactical level, processes should be stood up to ensure scripts are tested, reusable, and documented in a central location.
True automation can accomplish far more complex and strategic work when it is applied with the organization as a whole in mind. Now that every company is a software company, that needs to include DevOps. Now that regulations are changing rapidly, that needs to include compliance. And now that attackers are using automation to conduct attacks, that definitely needs to include cybersecurity.
Benefits of Cybersecurity Automation
End the Friction between DevOps and SecOps
Developers are under pressure to continuously improve efficiency and enhance usability. They are stereotyped as not caring much about security, but that’s not true. The reality is that they care, but they lack the skills to incorporate gold-standard security into the applications they write. This isn’t a knock on developers: they aren’t trained to be security professionals, just as security professionals aren’t trained to write applications.
A benefit of automation is that it can organically support both development operations and security operations, eliminating the friction that can exist between the needs of these groups. For instance, developers can spin up a new development server and the change can automatically be ingested into the infrastructure map. Or an organization can make security part of the software development lifecycle (SDLC) by building testing automation into the process instead of tacking it on at the end of the cycle.
Planning for automation requires both teams to work together and understand the priorities of the other, leading to better communication—for the automation plan and beyond.
Always-On Compliance and Fear-Free Auditing
Almost every change to an infrastructure can affect an organization’s state of compliance. For instance, misconfiguring a firewall or failing to apply a patch are common mistakes that can throw an organization out of compliance. In today’s complex environments, those types of errors are so pervasive that it’s unlikely any organization is ever truly in compliance at all, and won’t be for the foreseeable future. Gartner says that through 2023, 99% of firewall breaches will be caused by misconfigurations, not firewall flaws, which is exactly the class of error automation helps prevent.
Another challenge is the rapid pace at which regulations are changing. California kicked off a flurry of legislative activity in states across the nation when the California Consumer Privacy Act took effect on January 1, 2020, and a federal privacy law is currently under consideration in Washington. Organizations that have already overhauled their data systems to comply with the EU’s General Data Protection Regulation (GDPR) understand the pains they will face trying to comply with 50 more sets of regulations as the various states and the District of Columbia roll out their own laws. We recommend that organizations get ahead of the coming wave by anticipating the tasks and policies that will be expected of them and start implementing and testing the appropriate software tools as soon as possible.
For example, one smart step businesses can take right now is to remove manual configuration and administration tasks from all business processes that involve sensitive information, consumer privacy issues, and cyber security concerns. Instead, use automation to continuously monitor the infrastructure for compliance.
Getting ahead of regulatory requirements delivers the added benefit of a faster return on investment (ROI), as the time and costs currently spent configuring policies and ensuring readiness to meet complex audit demands are reduced. For example, some of the ways network security automation supports compliance are by performing ongoing network risk analysis; recertifying existing rules and policies; scoring and trending IT risk posture; and generating standardized reports.
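As an added, illustrative example (not FireMon’s product code), the following Python script shows the kind of continuous compliance check the preceding paragraphs describe: it runs a few policy tests over a constructed firewall rule set, flags overly permissive rules, risky services exposed to untrusted sources, rules past their recertification window, and rules that do not log, then produces a risk score and a standardized text report. The rule format, the 180-day recertification interval, the list of risky services, and the severity weights are assumptions chosen for the example, not a published standard.

```python
"""
Added example, not from the original article or from any vendor product:
a minimal continuous-compliance check over a constructed firewall rule set.
Each rule is a dict with source, destination, service, action, a logging
flag, and the date it was last recertified. All policy thresholds and
severity weights below are illustrative assumptions.
"""
from datetime import date, timedelta

# Constructed sample rules (not exported from a real firewall).
SAMPLE_RULES = [
    {"id": "R1", "src": "any", "dst": "any", "svc": "any", "action": "allow",
     "log": False, "recertified": date(2019, 1, 15)},
    {"id": "R2", "src": "10.0.0.0/8", "dst": "10.20.0.5", "svc": "tcp/443",
     "action": "allow", "log": True, "recertified": date(2020, 3, 1)},
    {"id": "R3", "src": "0.0.0.0/0", "dst": "10.20.0.9", "svc": "tcp/23",
     "action": "allow", "log": True, "recertified": date(2020, 2, 10)},
    {"id": "R4", "src": "any", "dst": "any", "svc": "any", "action": "deny",
     "log": True, "recertified": date(2020, 2, 10)},
]

# Fixed "as of" date so the example produces the same result every run.
AS_OF = date(2020, 6, 1)

UNTRUSTED_SOURCES = {"any", "0.0.0.0/0"}
# Cleartext or high-exposure services that should never be reachable
# from an untrusted source (assumed policy).
RISKY_SERVICES = {"tcp/23": "telnet", "tcp/21": "ftp",
                  "tcp/445": "smb", "tcp/3389": "rdp"}
RECERT_INTERVAL = timedelta(days=180)

# Weight per finding type, used to score and trend risk posture.
SEVERITY = {"any-any-allow": 10, "risky-service-exposed": 7,
            "recert-overdue": 3, "logging-disabled": 2}


def check_rule(rule, today):
    """Return a list of (finding_type, message) pairs for one rule."""
    findings = []
    if rule["action"] == "allow":
        if rule["src"] == "any" and rule["dst"] == "any" and rule["svc"] == "any":
            findings.append(("any-any-allow", "permits all traffic"))
        if rule["src"] in UNTRUSTED_SOURCES and rule["svc"] in RISKY_SERVICES:
            findings.append(("risky-service-exposed",
                             f"{RISKY_SERVICES[rule['svc']]} reachable from untrusted source"))
    if not rule["log"]:
        findings.append(("logging-disabled", "rule does not log hits"))
    if today - rule["recertified"] > RECERT_INTERVAL:
        findings.append(("recert-overdue",
                         f"last recertified {rule['recertified'].isoformat()}"))
    return findings


def assess(rules, today):
    """Run every check; return findings keyed by rule id and an aggregate score."""
    report = {r["id"]: check_rule(r, today) for r in rules}
    score = sum(SEVERITY[kind] for fs in report.values() for kind, _ in fs)
    return report, score


def format_report(report, score):
    """Standardized text report suitable for an auditor or a ticketing system."""
    lines = [f"Risk score: {score}"]
    for rule_id, findings in report.items():
        lines.append(f"{rule_id}: {'PASS' if not findings else 'FAIL'}")
        for kind, msg in findings:
            lines.append(f"  - [{kind}] {msg}")
    return "\n".join(lines)


if __name__ == "__main__":
    rep, sc = assess(SAMPLE_RULES, AS_OF)
    print(format_report(rep, sc))
```

Run on a schedule (or triggered by every policy change) and diffed against the previous run, a check like this turns “are we compliant?” from a quarterly audit scramble into a continuously answered question; the score trend over time is the posture metric the article mentions.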
Your Enemies Use Automation. Your Defenses Should Too.
“Hackers today—they’re not even hacking. They’re using automation tools,” says FireMon’s Tim Woods, Vice President of Technology Alliances.
Hackers plan their attacks by using automation to gather intelligence about their targets. They scrape information from company websites, third-party websites, employees’ social media, publicly available presentations, and any place else a company or one of its employees has shared information online. For instance, they might write a script to scrape IT message boards in search of usernames associated with a targeted company’s employees. From those employees’ technical questions on the message board, the hackers may learn a great deal about the network environment they want to breach. Or they may create structured profiles of their targets that can be put to use in spear phishing and business email compromise (BEC) wire fraud attacks. But the malicious use of automation goes beyond the research phase. Hackers use automation in every stage of their attacks.
And hackers don’t have to be computer geniuses to deploy automation maliciously. In one attack, a malicious actor used automated hacking tools to find public webcams with a view of a Swedish harbor and was able to monitor and identify submarine activity in the port, including lengths of deployment, range of travel, and possibly destination of travel. This attack was simple enough that almost anyone could have conducted it.
The automated hacking tool used in that and many other attacks was most likely purchased on the dark web. Tools can cost as little as $50. These marketplaces are also host to sellers of stolen credentials. Malicious actors don’t need the skill to steal credentials on their own – they can just buy them for a dollar or two each. Then they can drop the credentials into an automated tool they’ve purchased and conduct an attack without ever having written a single line of code.
When criminals are exploiting the benefits of automation, security teams have to use automation to outpace them. To attempt to do so manually would be pointless – it would be impossible to keep up.
Using automated systems against hackers has another benefit – besides just stopping attacks, automation frees up SecOps teams to anticipate and proactively develop rules to protect against hackers— leveraging the human creativity and critical thinking that successful crime prevention entails.
Automate Your Business, Not Your Tasks
A happy marriage between DevOps and SecOps, continuous compliance, and the ability to manage a sophisticated and volatile threat environment are solid advantages of automation. There are probably other use cases in your organization as well, which will be exposed when you start thinking about how to apply automation in a way that supports your entire business instead of just streamlining low-complexity, high-volume tasks.
FireMon can help you find these opportunities. FireMon Automation delivers a comprehensive blueprint of security policy automation capabilities that drive smart security process automation to effectively address your unique use case, infrastructure, or compliance requirements. Our multi-level approach to security automation drives efficiency, agility, and efficacy by aligning automated tasks to your specific requirements across your on-premises, hybrid, and multi-cloud environments, while giving you flexibility to manage your automation journey at your own pace and confidence level.
Ready to use automation to protect your team? Request a demo of FireMon Automation today.