For Defenders, Automation isn't Automatic

I’ve written previously about how time to detection (TTD) is a key indicator in the measure of security effectiveness. As we improve our ability to quickly find and stop adversaries that have infiltrated our infrastructure in order to mitigate damage, adversaries are under pressure to accelerate their “time to evolve” (TTE). This is the time it takes for them to change their tactics, including adjusting any malware they intend to use.

Using automation, bad actors work nonstop to keep their tactics fresh, move with even more speed, and find ways to evade detection so that they can continue compromising users and systems for as long as possible. For example, they use fast flux to rapidly change their IP addresses, quickly and easily masking the infrastructure behind their attacks. They also use polymorphism to combine tried-and-true mechanisms with frequently changing file extensions and file content types to evolve how they deliver and hide malware. Automation is integral to their ability to shift tactics constantly.

Unfortunately, when it comes to automation, most defenders are operating at a deficit. Automation isn’t a new concept in the cybersecurity industry. We’ve been talking about it for years. So what’s holding so many enterprises back from incorporating automation in their security programs? There are three main factors.

1. Complexity: Most organizations face a daunting amount of complexity stemming from multiple, disparate point solutions that don’t, and often can’t, interoperate effectively. Because they aren’t integrated, they can’t automatically share and correlate information and activity across networks and systems. Each solution issues its own alerts, and security teams can only investigate a fraction of them. Such a complex web of technology, and the overwhelming number of security alerts, is a recipe for less, not more, protection. As more security tools are added, traditional solutions designed to harness these alerts often don’t have the scale to ingest and store all the security telemetry that a company may have in its network.

2. Talent Shortage: Limited budgets and a lack of talent make hiring sprees unlikely. Various reports put the global cybersecurity talent shortage at one million, climbing to one and a half million in two years. Automation isn’t a matter of pushing a button and walking away – it is a continuous activity. It must change with your environment and the threat landscape, and this requires humans and technology working in combination to ensure it adapts and remains relevant.

3. Lack of Trust: Even though various groups within the organization are on the same team with the same end goal – to defend the organization – they often have competing priorities. For example, the threat intelligence team finds an indicator and throws it over the fence to be put into production. But the network security team may not trust the intelligence, or may not have the tools or personnel to implement it quickly and follow up on the new alerts that will result.

Automation is essential to defeating cybercriminals who change their tactics frequently to keep their malware strong and profitable. It helps you understand what normal activity is in the network environment faster and more easily, so you can focus scarce resources on investigating and resolving true threats. So how can you overcome these barriers that stand in the way of automation? 

Work with suppliers: To begin with, work with your suppliers and hold them accountable for compatibility, integration, and simplification. Some suppliers will embrace the challenge and work together. Consider replacing those that don’t, or simply can’t because of their own technology limitations and the way their tools are architected. An integrated security architecture, with security tools working together in an automated way, streamlines the process of detecting and mitigating threats. You will then have time to address more complex and persistent issues. And if you still find you lack bench strength, consider outsourced talent in the form of managed detection and response services, which can add muscle to your security teams while also conserving budget.

Align metrics: Use a common agreed set of metrics for internal teams and move away from traditional ways of measuring IT success. The ROI for IT is often measured in two- or three-year periods, whereas security ROI is shorter and evolves quickly. Aligning metrics and time frames will encourage communication, collaboration, and the use of automation as everyone works jointly towards shared measures of success. Involve your suppliers in these metrics too. Allow them to have input and hold them jointly responsible.

Engender trust: Establishing trust takes time and open communication. Individuals, technology, and processes need to build a reputation for reliability. By demonstrating success at points along the way and measuring the efficacy of automation over time, teams will begin to trust each other – and the automation.

In this complex landscape of rapid evolution, where bad actors have embraced automation to accelerate their TTE, human expertise and point solutions are not enough to identify and respond quickly to threats. Operationalizing people, process, and technology in an integrated way that allows for automation is essential for improving TTD and ensuring swift detection and remediation when infections occur.

Ashley Arbuckle, Cisco’s VP of Security Services, is responsible for the oversight and global delivery of the Cisco portfolio of Advisory, Implementation, and Managed Services, bringing a pragmatic approach to helping Cisco’s clients solve their most complex security challenges. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.