Security touches every aspect of an organization's infrastructure and influences most of its processes. That’s a lot to cover, and it seems like there are never enough people to handle the work. Even with budgets increasing by an average of 10% annually over the last 5 years, the recent increase in remote work and cloud adoption is stretching security teams even thinner.
The Way You Do It Today Works, So Why Change It?
Every area of security would want to use that 10% budget increase to hire new staff. People only have so much time in a day, after all, and your team might well be at capacity already. Then say your CISO wants a new UEM (unified endpoint management) platform rolled out this quarter. On top of that, there is a constant stream of security events that have to be researched just to get the details necessary to even ask whether they are real security events. That’s time-consuming in and of itself, not to mention the time it takes to find the root cause of the events that matter.
In this scenario, each security team will make a pitch to use some of that 10% to increase their staffing, since they think that’s all they need to do to fix their backlog. So let’s say that the company decides to give the entire budget increase to the team that looks like it needs it the most, and the money goes to hiring two new people in the Security Operations Center (SOC). They gave the money to the SOC because the newly distributed workforce makes everything a little bit more complicated, and all of the new attack surfaces and VPN connections have drastically increased the number of events being generated. This leaves the other teams that work with the rest of the infrastructure – like the network, servers, data integrity, and end-user devices – with no new resources or staff. Their backlog isn’t going away, and their best chance is to become more efficient in performing their current tasks.
Meanwhile, the SOC grows from 8 to 10 people, which is fantastic – but a 25% increase in staff isn’t enough. They get 5,000 events per week, and each person can only resolve 400 of those events in a good week. Even with the new staff, their backlog of events is growing by 1,000 per week. So do they get ignored? Does everyone get stuck working overtime or having to miss vacations? If only some of the tasks necessary to resolve each event could be sped up!
The new distribution of users also affects other teams. What about the team that is responsible for endpoint protection, which includes pushing security patches to end-user devices? They still have the same number of devices to manage, but a lot of those devices are now remote thanks to the new work-from-home policy that looks like it isn’t going anywhere. Distributing updates to remote devices has a higher failure rate, which means manual effort to read each error message and decide whether the patch just needs to be retried or whether the error needs to be escalated to an incident. If only something could automatically look for “network timeout” failures that just need to be added to the retry queue, instead of having two people devote an entire day to reviewing logs after every patch!
Automation of Security Tasks Is Possible
Yes, automation is a double-edged sword. Every technologist working today knows that it can make things run smoother, but the amount of time that it takes to make things run smoother can seem overwhelming. Dealing with the sheer number of people, processes, and technologies that are involved in day-to-day operations, not to mention the challenge of tying them all together, is a massive undertaking. Honestly, it seems like you would need to dedicate an entire team to just trying to put all of the automation in place.
But would you?
The goal of every security automation solution is to make life easier (or at least it should be). These solutions should automate the mundane in order to give security analysts and SecOps engineers time to focus on creating strategic value. They should free up time so that teams can not only focus on the latest high-priority project or critical event, but also work on projects and tasks that help put their organizations in better positions and eliminate some of the technical debt that continues to pile up. Imagine having the time to be able to keep all of your security tools up to date and get the latest features and improvements!
Automation Is Here to Help
But, given all of the problems outlined above, how can you do that? It’s a big job, and who has the time to work on it when they have a list of high-priority tasks that need to be done today?
The thing is, security automation isn’t too big to attempt if you think about it the right way. It's all about picking at little pieces and then stringing them together over time.
Think about it – how many people use a coffee machine that automatically brews their coffee in the morning? Making a cup of coffee only takes 10 minutes, so why use the machine? Well, after an initial investment of about 20 minutes to learn how to set the timer, it should only take about two minutes before bed each night to add water and coffee, saving you eight minutes every day. That’s eight minutes that you can use to do more valuable things like play with your puppy before you go to work.
Where to Start Automating
As we mentioned above, small tasks are the best place to start. With security touching so many systems and processes, there are lots of little things that can be done to make life easier. These tasks may only take a couple of clicks or a simple reference of data between two systems, but why can’t they be done faster? Why can’t they just take one click? Why can’t the data be pulled from that other system automatically and already be attached to the notification?
It doesn’t matter if the tasks you’re thinking of automating are request-driven, like adding a new user or allowing a specific IP to access a service in AWS, or if they’re response-driven, like needing to quarantine a host when a new open port is detected on a public-facing server.
It’s wise to be tolerant of risk as you roll out automation until you’ve achieved a level of comfort with your tooling and its capabilities. You should:
- Start with simple tasks that have immediate results. For example, you might aggregate all of the security groups across one or more AWS accounts and format them into a report.
- Next, you can move on to tasks with multiple steps that are a little more involved and time-consuming. For example, enriching the data from a security event such as the detection of a nonstandard open port could involve gathering system details about the virtual machine in question, retrieving the security group it’s in, using the virtual machine’s “created-by” tag to find out who to contact, adding a deny rule to the network security group, and publishing all of that information as part of the event notification in Slack. All of these tasks are simple, but if you can have them run before you’ve even been notified about the event, you will save significant time and effort.
- Then you can get into tasks that need to be scheduled, or tasks that can run for a while. This includes things like validating that all employees in the corporate Slack account are also active in Active Directory, or validating that all public-facing firewall rules only have ports 80 and 443 open.
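One scheduled check of the kind described in the third tier, written out as an added example (it is not code from the original article). It audits security-group rules and flags every rule that is open to the whole internet unless it exposes exactly TCP/80 or TCP/443. The input is a constructed inventory shaped like the GroupId/IpPermissions records that EC2's DescribeSecurityGroups returns; fetching the real records (for example with boto3's describe_security_groups) is assumed rather than shown, and the group IDs and rules are made up for the example. It goes slightly beyond the text by also treating "all protocols" rules, non-TCP rules and port ranges that merely include 80 or 443 as findings, since each of those exposes more than the two allowed ports.

```python
"""Scheduled audit: every internet-facing rule should expose only TCP 80 or 443.

Added example, not from the original article. Input records are constructed to
mirror EC2 DescribeSecurityGroups output ('GroupId', 'IpPermissions'); pulling
them from the real API (e.g. boto3 describe_security_groups) is assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ALLOWED_PUBLIC_PORTS = {80, 443}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}  # CIDRs that mean "everyone on the internet"


@dataclass(frozen=True)
class Finding:
    group_id: str
    protocol: str
    from_port: Optional[int]
    to_port: Optional[int]
    source: str
    reason: str


def _internet_sources(perm: Dict) -> List[str]:
    """Return the CIDRs in one permission entry that cover the whole internet."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in ANY_SOURCE]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in ANY_SOURCE]
    return v4 + v6


def audit_group(group: Dict) -> List[Finding]:
    """Flag each internet-facing rule that is not exactly TCP/80 or TCP/443."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = str(perm.get("IpProtocol", "-1"))
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        for src in _internet_sources(perm):
            if proto == "-1":
                reason = "all protocols and ports open to the internet"
            elif proto != "tcp":
                reason = f"{proto} open to the internet; only TCP 80/443 is permitted"
            elif lo is None or hi is None:
                reason = "TCP rule without a port range"
            elif lo == hi and lo in ALLOWED_PUBLIC_PORTS:
                continue  # the one rule shape the policy accepts
            else:
                # A range such as 80-443 also exposes every port in between,
                # so only single-port rules on the allow-list pass.
                reason = f"TCP ports {lo}-{hi} are outside the 80/443 allow-list"
            findings.append(Finding(group["GroupId"], proto, lo, hi, src, reason))
    return findings


def audit_all(groups: List[Dict]) -> List[Finding]:
    """Run the audit over a whole inventory and return every finding."""
    return [f for g in groups for f in audit_group(g)]


# Constructed sample inventory (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # SSH from the corporate range only: not internet-facing, so not flagged.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8090,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_GROUPS):
        print(f"{f.group_id}: {f.protocol} {f.from_port}-{f.to_port} from {f.source}: {f.reason}")
```

Run on a schedule, the findings list is what you would post to Slack or open a ticket from; the group with only 80 and 443 exposed (plus SSH limited to an internal range) produces nothing, while the second group yields three findings. Requiring single-port rules rather than "range contains 80 or 443" is deliberate: a rule for 80-443 is technically compliant by the looser reading but opens several hundred other ports.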
Security and Automation Are Made for Each Other
Now that more and more routine tasks can be automated, you can use them as building blocks for assembling full workflows to streamline your security operations over entire cross-sections of your organization. The latest generation of security automation solutions makes all of this possible. Their API support and pre-tested integrations with leading technologies and players like Slack and AWS mean that they’re nothing like the older automation tools that made you define everything yourself. This generation aims not just to save you time by reducing the number of mundane and monotonous tasks you perform every day, but also to simplify the creation and management of those automations.
Vince Power is an Enterprise Architect with a focus on digital transformation built with cloud enabled technologies. He has extensive experience working with Agile development organizations delivering their applications and services using DevOps principles including security controls, identity management, and test automation. You can find @vincepower on Twitter.