In the complex corporate security environment, automation is increasingly the “go-to” answer for organizations lost in a sea of alerts, logs and data. But there is a danger in putting too much faith into security automation and orchestration alone.
2. Introduction
In football, planning every move down to the smallest detail is everything.
Any coach worth his or her salt has a playbook of strategies, and every move,
as impulsive as it may seem, has been carefully calculated with precise "If this,
then that" logic before it ever takes place. Yet, although every play has
been pre-charted, effective execution relies on the adaptability of players in the
moment and a keen understanding of the adjustments
3. When it comes to the security of corporate data, it's not all that different from
football. In order to be ready for anything that comes your way, all aspects
need to be planned and mapped out beforehand and automated with a
predetermined course of action – in the vernacular, "IFTTT". This security
playbook is called security automation, and it is an essential part of keeping
all parts of a security operations workflow moving together in precise and
accurate motion.
Security Playbook
4. In the complex corporate security environment, automation is increasingly the
"go-to" answer for organizations lost in a sea of alerts, logs and data. But there
is a danger in putting too much faith into security automation and
orchestration alone. Organizations often turn to automation looking for a
technological cure-all for their security woes, but while such tools are very good at
what they do (at least in theory), many security professionals are wary of
handing off their most critical processes to a black box that cannot make up
for the missing element of human judgement.
Automation
5. Machines are not people and, as such, do not waver from their predetermined
playbooks, sometimes to the detriment of the goal at hand – that of keeping
corporate data secure. As Gartner security analyst Anton Chuvakin points
out: "There is – at this stage of security technology development, at least –
GOOD AUTOMATION and EVIL AUTOMATION. Longer term, we will
certainly see more automation and more domains of information security
(cybersecurity, if you have to) covered by automation, BUT I'd be willing to
bet anything that the profession of a security analyst will never be fully
automated."
Technology Development
6. In Forbes, Courtney Nash writes:
“From a security standpoint, automation provides infrastructure security, and
makes it auditable. But it doesn’t really increase data/information security (e.g.
this file can/cannot live on that server)–those too are human tasks requiring
human judgement.”
Just as football's receiver has to make a split-second call and adjust the play,
security teams need room to adjust; relying on automation and orchestration
alone is too rigid. To be truly useful, orchestration must become far more
flexible and include people in those processes.
What To Learn From Football
7. Semi-automation, in which teams shape the processes themselves, creates the opportunity
to define and refine the playbook's rules. Teams know their own organization
better than any template ever could, so orchestration needs to be a dynamic,
malleable entity to be effective, with people influencing and overseeing the
process. Chuvakin also states that: "To mitigate its 'evil effects' while
preserving the benefits, look at 'semi-automated' or assisted mode with
human influence in the loop where the automation gathers all the information
and then a human makes one simple call with all available data."
Flexibility in Automation
8. When incorporating flexibility into the automation process, a typical scenario could go something like this:
Within Automation
9. The automated process and human intellect work together to create a
dynamic, adaptable security infrastructure. Properly implemented, the right
balance of human and machine helps validate the relevance of alerts, allowing
analysts to close or eliminate cases more quickly and ensuring they only
look at cases that actually matter while filtering out the "noise".
Because maintaining varying degrees of flexibility depends in part on the
ability to navigate effectively across the security infrastructure, teams need
tight integration with their other security tools – the tighter the integration of all
tools from end to end, the greater the ability to move between automation
and human investigation.
The Automated Process
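The assisted mode described on slides 7 and 9 (automation gathers all the information, a person makes one call, obvious noise is closed automatically) as an added illustration; this is constructed example code, not Siemplify's product or the deck's own material. The enrichment sources, hostnames and IP addresses are in-memory stand-ins for real integrations.

```python
"""Semi-automated alert triage: automation gathers context, a human makes one call."""
from dataclasses import dataclass, field

# Constructed stand-ins for the integrated tools a playbook would query
# (scanner allow-list, asset inventory, threat-intel feed). Not real indicators.
KNOWN_BENIGN_SOURCES = {"10.0.0.5"}          # e.g. the internal vulnerability scanner
ASSET_CRITICALITY = {"db-prod-01": "high", "kiosk-07": "low"}
THREAT_INTEL_HITS = {"203.0.113.9"}          # documentation range, constructed


@dataclass
class Alert:
    alert_id: str
    src_ip: str
    host: str
    rule: str
    context: dict = field(default_factory=dict)   # filled in by automation


def enrich(alert: Alert) -> Alert:
    """Automation step: collect every fact the analyst would otherwise look up by hand."""
    alert.context = {
        "source_is_known_benign": alert.src_ip in KNOWN_BENIGN_SOURCES,
        "asset_criticality": ASSET_CRITICALITY.get(alert.host, "unknown"),
        "intel_hit": alert.src_ip in THREAT_INTEL_HITS,
    }
    return alert


def triage(alert: Alert, human_decision) -> str:
    """Playbook rule: auto-close only unambiguous noise; route everything else to a
    person together with the gathered context. human_decision(alert) is the
    human-in-the-loop callback and returns 'escalate' or 'close'."""
    ctx = enrich(alert).context
    if ctx["source_is_known_benign"] and not ctx["intel_hit"] and ctx["asset_criticality"] == "low":
        return "auto-closed"
    # The human makes one simple call, with all available data attached to the alert.
    return f"human:{human_decision(alert)}"


if __name__ == "__main__":
    noise = Alert("A-1", "10.0.0.5", "kiosk-07", "port-scan")
    suspect = Alert("A-2", "203.0.113.9", "db-prod-01", "port-scan")
    print(noise.alert_id, triage(noise, lambda a: "close"))
    print(suspect.alert_id, triage(suspect, lambda a: "escalate" if a.context["intel_hit"] else "close"))
```

A benign-looking source hitting a high-value asset still reaches a person, which is the flexibility the deck argues for: the rule set is the team's own and the automation never makes the final call on an ambiguous case.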
10. Finding the right balance between human intellect and predetermined
moves is a bit of an art form, just like in football. Flexibility within
automation, with the input of the people who know their processes best, is
the key to complete security.
Conclusion