Using Security Automation to Stay a Step Ahead in these Challenging Times

One of the fundamental principles of any security program is a focus on reducing the attack surface. Not only are threats getting more sophisticated, but they’re also getting more aggressive, especially as most of us have been forced by the pandemic crisis into new modes of working.

While cloud environments have proven to be instrumental amidst this rapid digital transformation, if not maintained properly, this can create a host of new security challenges. Therefore, being proactive and responding to these challenges requires focus on the most critical security tasks.

While human defenders will always be a necessity, purely manual processes simply cannot keep up with increasing security needs – thus, automating as much as possible can help teams scale to better manage this monumental shift.

Here is how your organization can use automation throughout security efforts to better focus resources and build assurance into security controls and operations. These techniques are based on industry best practices, meaning you can leverage them for your organization – agnostic of what cloud providers you use or where you are in your own cloud journey.

Why Automate Security?

Before implementing security automation, it’s important to understand its benefits – the first being improved predictability. Automation is attractive because it’s predictable, unlike manual processes, which tend to vary from one run and one operator to the next. With automation, a given set of inputs produces outputs you can anticipate.

Security-by-design is another important component. For far too long, companies have bolted on security as an afterthought; embedding security from the start of the lifecycle will not only save time and money but also reduce risk. What’s more, this will enable engineering and operations teams to focus on what they do best, building great products and features, instead of having to focus on security tasks.

Implementing Automation

Once you’ve established the need to automate security controls, there are several principles that should be observed to automate effectively:

Standardization – Simply put, you cannot automate what you don’t have control over. Policies, procedures, and standards must be in place for proper execution. Look for commonalities across environments and flag anything that’s out of line - taking action where needed before implementing automation.

Information gathering – Rather than buying additional, unnecessary tools, organizations should look to the tools they already have for process flows. For example, most cloud providers have native logging services that are worth tapping into, as these built-in reporting tools are typically more accurate than third-party tools. Gathering infrastructure configuration can also help identify whether policies and standards are being adhered to. Furthermore, teams must know whom to contact for technical resources in order to establish proper reporting and communication flows.

Constant communication – Service quality and customer experience could be at severe risk if changes are made without consulting with the proper owners. Strong communication channels should be established by building a coalition of people who care about security outside of security teams.

Determining what to automate – Look at previous issues and evaluate the root cause of failure, going beyond the basic manual mistake and asking what enabled that to happen within the environment. You’ll also want to review tooling from start to end and ask what can be automated – from onboarding or scanning of new assets all the way through the remediation processes. Team members play a key role in mapping these out, helping determine what automation can look like.

Creating workflows – Automation is built on event-driven workflows, in which a detection triggers an action. This is where you’ll want to ‘shift left’ as much as possible, helping ensure compliance is enforced at the point where resources are provisioned. Teams should also make sure robust logging is built into each workflow, so that service management and product teams can tell when automation should be temporarily paused for them to act properly.

Validation – You cannot set and forget automation. Your team must periodically conduct “smoke tests” to compare automation expectations with actual results. In these tests, you also want to time how long it takes for these issues to be resolved as there might be unexpected latencies needing to be tightened up. Making time for audits is vital before auto-remediation is even considered as mistakes in this area can be detrimental.

Enforcement and remediation – This final phase is fundamental to helping ensure the desired security posture. The event-driven workflows are transitioned from audit and alert to making changes or enforcing the desired state. It’s no longer enough for organizations to simply have clear visibility and quick determination of potential security gaps – enforcement of desired state or policy is required to reduce risk and scale security across the business long-term.
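As an added illustration of the workflow, validation and enforcement steps above (example code, not from the article), here is a minimal event-driven guardrail in Python: it evaluates a resource change against a standard, consults a formal exception register with owners and expiry dates, runs in audit mode (alert only) or enforce mode (bring the resource to the desired state), and includes a smoke test of the kind the validation step calls for. The bucket standard, the resource events and the exception entries are all constructed for this example.

```python
# Constructed standard for storage buckets: no public access, encryption required.
def check_bucket(cfg):
    """Return the controls a bucket config violates."""
    findings = []
    if cfg.get("public_access"):
        findings.append("public_access")
    if not cfg.get("encryption"):
        findings.append("no_encryption")
    return findings

# Constructed exception register: (resource, control) -> owner and ISO-8601 expiry,
# a formal record rather than an email thread; expired entries are not honoured.
EXCEPTIONS = {
    ("bucket-legacy-web", "public_access"): {"owner": "web-team", "expires": "2030-01-01"},
    ("bucket-old-logs", "no_encryption"): {"owner": "ops", "expires": "2019-06-01"},
}

def is_excepted(resource, control, today):
    entry = EXCEPTIONS.get((resource, control))
    return entry is not None and entry["expires"] >= today  # ISO dates compare as strings

def remediate(cfg, control):
    """Return a copy of the config brought to the desired state for one control."""
    fixed = dict(cfg)
    if control == "public_access":
        fixed["public_access"] = False
    elif control == "no_encryption":
        fixed["encryption"] = "aes256"
    return fixed

def handle_event(event, mode, today):
    """Event-driven workflow: detect, honour documented exceptions, then either
    alert only (mode='audit') or enforce the desired state (mode='enforce')."""
    resource, cfg = event["resource"], dict(event["config"])
    log = []
    for control in check_bucket(cfg):
        if is_excepted(resource, control, today):
            log.append(("excepted", resource, control, EXCEPTIONS[(resource, control)]["owner"]))
        elif mode == "enforce":
            cfg = remediate(cfg, control)
            log.append(("remediated", resource, control))
        else:
            log.append(("alert", resource, control))
    return cfg, log

def smoke_test(today):
    """Validation: push a known-bad event through enforce mode; True only if it ends clean."""
    bad = {"resource": "bucket-smoke", "config": {"public_access": True, "encryption": None}}
    cfg, log = handle_event(bad, "enforce", today)
    return check_bucket(cfg) == [] and len(log) == 2
```

Run the same events through audit mode first and compare the alert log with what the team expects before switching the workflow to enforce mode.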

The Risks and Limitations of Automation

Automation doesn’t come without risks and limitations. For starters, a security program that centers solely on automation would result in asymmetric warfare – the automation landscape is continually changing, meaning you need capable humans who can help evolve your automation to counter innovative intruders.

There also need to be robust, documented exceptions describing how each business application works; otherwise the security automation workflows could block or deny required business applications. You’ll need a formalized system that can ingest, review, and act on exceptions, with proper documentation. Tracking these exceptions via email or shared documents is not effective.

Finally, automation can generate false positives, which can be detrimental to business operations. You’ll want to ensure that each area of automation is working the way it’s intended and establish ways for product teams to report any issues.

All in all, investing in security automation for multi-cloud environments is worthwhile, not only because it enables a stronger response to threats, but also because it provides clear escalation paths and visibility into where problem areas may lie as these environments grow more complex over time.

Automation provides more than just relief from mundane tasks: it reduces risk and cost, and it increases overall engineering productivity. Automation is a requirement for continued migration to dynamic environments and infrastructures that easily adapt to future innovations.
