<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=314913&amp;fmt=gif">

Ready, Set, Automate Security Response!

Matt Reid
October 1, 2018

Not so fast.

First let me say that I am an accomplished lifetime angler, deeply connected with the technical requirements, science and art that apply in various types of fishing. I have fished in over half of the country, instructed clinics, built rods, crafted lures, tied flies, and been published. And I feel that if tasked, I can out-fish a machine. I realized this ridiculous notion while shopping online recently…I came across a product called the “automatic fisherman.” The main point of this winter ice fishing apparatus is a spring loaded “hook set.” A human has to set up the stand, deploy the bait down the hole vertically, bend the rod down and affix to a trigger. When the bait is taken, the rod snaps back, setting the hook and now the human needs to respond and reel in.

Kinda cool, but the use case is very narrow and, in my opinion, would only be an enabler with the right scenario and several units deployed. And It immediately reminded me of the timely challenge that organizations are facing today, to automate more security process and day-to-day incident response. Despite the hype and buzz, an inquiry into automating more security process often results in an open admission that they are “not there yet.” More interesting, those who have the vision and intend to automate are often not organizationally ready.

I’m an old-school guy: I like to fish with basic tactics and “practiced” human judgment, but leverage modern technology to gather context and intelligence about my environment: The depth, the bottom structure, and ideally where the fish are. I am a firm believer that humans are key to getting a fish’s response because they are very moody. Current weather and annual behavior habits provide us with varying opportunity, and knowing what to do and when comes with much experience.

A terrific example of technology enhancing anglers is where seashore fisherman use drones to take baits way out beyond the breakers. Beyond what any human can accomplish in a conventional cast, even with the specialized gear and techniques. While I don’t like the idea of surfcasting art and physics being lost, using a drone to take the offering far into the sea is an appropriate enabler. Add a camera view to the drone, and things just became ridiculous for targeting coastal big gamefish migrations.

That said, unlike the automatic fisherman, security automation has great potential and limitless use cases.

The ongoing people problem.

Unfortunately, there are way more recreational and professional fisherman than security practitioners. Fishing license sales reflect this in the numbers, as do the research firms and industry analysts (Ponemon Institute, Gartner, Forrester, etc.) who frequently publish studies and surveys that show where organizations stand on the people problem.

Overall, companies have not historically invested in specialized cybersecurity training. Many have the clear expectation that their teams are not expanding to solve the growth in workload. Within the current role and skill gap, the SOC analyst is among the top three positions in demand. Even when the team is made up of skilled and trained people, I frequently hear about security analysts operating outside of their true responsibilities, bleeding efforts into remediation assignment and tracking. In some cases performing the tasks themselves, when they should be purely operating in distinct areas of the response framework and leveraging Networking, Infrastructure, and others to be accountable for remediation activities. We have no choice but to improve the efficacy of this process.

Last push to maximize protection technology.

IT already had a problem with tool standardization, and then the security tool shock-and-awe of the last decade completely blew that up. But in the previous two years, organizations have turned the corner with detection and protection tool maximization. Enterprise coverage, namely cloud expansion, has expanded the ground somewhat. But, to take advantage of multi-directional integrations, you must fully deploy the toolsets, and respective feature sets to your truly prioritized control points and needed outcomes. If you can implement a repeatable process for effectively remediating “inconvenient” malware, you can free people up to better hunt ATPs, and develop better phishing workflows that exercise a full stack of protection, isolation, and education. This cycle of improvement can repeat itself for some time.

The process is our next priority.

If your toolsets are fully deployed and maximized, hopefully, you’re ready to address process, especially as it pertains to asset exposure and structuring day-to-day incident response. Given the newsworthy breaches in the last 24 months, it’s fully recognized that they were attributed to a lack of dynamic and accurate inventory, or not properly processing key signals amongst the fog of alerts from tools. How many times do we have to hear about basic security controls? I am a firm believer that if we didn’t leave the doors unlocked and windows wide open, we wouldn’t need infra-red scanners, death rays and sounds that kill. The toys and tools have always gotten the attention, but we now have to shift focus to how we are doing things with these tools, and weaving the CIs and people together while improving the process.

Automation’s simple beginnings.

An impressive example of automating judgment is Google’s AlphaGO, and how it beat the world’s human GO champion Ke Jie in a three-game series in 2017. GO is a two-player board game that originated in China, over 2000 years ago. The rules are simple, but the game is relatively complex, similar to chess in that the objective is to surround your opponent and remove their pieces (stones). The game’s basic rules were input, and the AI was able to study plays across the game’s history. This brought unconventional moves that were resurrected from the past that were much different than Ke Jie’s, which were based on previously observable AlphaGO moves. The AI beat the human three out of three. While not by a significant margin, the goal was to win- not to accumulate points or territory gains, but instead maximize the effectiveness of each move.

It will be some time before machines are doing the majority of our work and our role is reduced to tending to them, but people are, in fact, the “boot managers” for automation. Leading organizations that have the vision are leveraging triggered workflow to aggregate and refine for more organized investigations. And even more mature groups are using automation horizontally across the NIST CyberSecurity Framework itself, assigning tasks to the appropriate people, driving efficiency and accountability.

Our next move is to automate not only gathering of information and assignment of tasks but the tasks themselves. Two years ago I felt this was in the somewhat distant future, but today I think it is at the door and waiting for us to open it. But for now, the automatic fisherman will exist only in my Amazon search history.

You may be ready to automate if:

  • Low value/repeatable tasks are burning a lot of human cycles
  • Can't afford more people, and accept that process improvement is a viable route
  • You recognize the value of workflow to assign and drive accountability across teams
  • Your CMDB maturity is moderate, and want to improve it even further

You may not be ready to automate if:

  • Your goals/roadmap are not clear for a “modern” SOC
  • Your key detection/protection/correlation/vulnerability tools are not maximized
  • Your processes and tasks are not well defined
  • Your CMDB maturity is low, and are currently unable to address it

New Call-to-action

Subscribe by Email