In 2017, the industry saw the birth of security automation. As it continues to grow from infancy into something more robust, now is a good time to reflect on what it is and what operational impacts it is having on our systems.
Security automation is a broad attempt to speed up our ability to respond to threats/attacks, with higher accuracy and with minimal impact on our normal business operations. Below we briefly discuss the three broad categories of the automation process within the security vendor space.
The recently announced collaboration between Cisco PXGrid and Intel/McAfee’s open source project OpenDXL is a major step forward in this space. Many vendors have API calls that allow other vendors to talk with their own offering but that means sharing is limited to just their ecosystem. The PXGrid/OpenDXL venture is a major step in the right direction, allowing a vast range of technologies to communicate with one another without a dependence on just one vendor. This could translate to threats seen and stopped, intelligence from external sources, or new rules applied.
Machine learning support
We have previously discussed the rise of artificial intelligence (AI), and here we will focus on the wide range of security vendors who use machine learning to speed up and grant additional intelligence to their own platforms. This has the effect of making their systems operate more accurately and with faster response times. This in turn reduces the "time to resolution" of an attack and offers other clients of the same technology a proactive stance in their own networks. This can reduce the "zero day" attack window afforded to hackers, on which they depend to cause greater penetration/harm on a victim's network. This should then reduce the enterprise risk of the targeted network.
Automating human tasks
One of the more interesting aspects of the security automation space is the one built around automating incident response. In this space, scripts are written such that when a threat is identified within a Security Operations Center, a series of baseline actions are taken automatically. Let us look at an example. We have received a suspicious file on the network. The automated response process will conduct a DNS lookup, compare the file against sites like VirusTotal, check the reputation of the site from which the file originated, and so on. The end result is that the system offers much more concrete proof that this file is a threat that must be dealt with, with far less human interaction. In some of these automated platforms, the corrective action may also be conducted in an automated fashion once the threat meets a certain threat score and is identified as a certain attack type. This last capability is still very much in its infancy and will continue to be so until artificial intelligence becomes more mature and ubiquitous across the security landscape.
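The triage flow described above, as an added example and not code from the original post: each baseline enrichment step is its own function, the external services (DNS, a file-reputation site, a domain reputation feed) are replaced by constructed in-memory tables so it runs offline, and the automatic containment step fires only when both the score threshold and an approved attack type are met. The hostnames, sample hash, score weights and threshold are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for external services (hypothetical values, not real data).
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed malicious sample").hexdigest(): "trojan.dropper"}
DNS_TABLE = {"files.example-cdn.test": "203.0.113.10", "updates.vendor.test": "203.0.113.20"}
SITE_REPUTATION = {"files.example-cdn.test": "malicious", "updates.vendor.test": "trusted"}


@dataclass
class Verdict:
    score: int = 0                 # accumulated threat score
    attack_type: str = "unknown"   # set only when a reputation source names a family
    evidence: list = field(default_factory=list)

def dns_lookup(host: str):
    """Step 1: does the originating host resolve at all? (None = no record)"""
    return DNS_TABLE.get(host)

def file_reputation(data: bytes):
    """Step 2: hash the file and compare against a known-bad set (VirusTotal stand-in)."""
    return KNOWN_BAD_HASHES.get(hashlib.sha256(data).hexdigest())

def site_reputation(host: str) -> str:
    """Step 3: reputation of the site the file came from."""
    return SITE_REPUTATION.get(host, "unknown")

def triage(data: bytes, origin_host: str) -> Verdict:
    """Run the baseline enrichment steps and build a scored verdict."""
    v = Verdict()
    if dns_lookup(origin_host) is None:
        v.score += 20
        v.evidence.append(f"{origin_host} has no DNS record")
    family = file_reputation(data)
    if family is not None:
        v.score += 60
        v.attack_type = family
        v.evidence.append(f"file hash matched known family {family}")
    if site_reputation(origin_host) == "malicious":
        v.score += 30
        v.evidence.append(f"{origin_host} has a malicious reputation")
    return v

def auto_contain(v: Verdict, threshold: int = 80, approved=("trojan.dropper",)) -> bool:
    """Act without an analyst only when the score meets the threshold AND the
    attack type is one the playbook is approved to handle; else queue for review."""
    return v.score >= threshold and v.attack_type in approved
```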
As a CISO, I am encouraged with where security automation is headed, though it has some maturing to do. The more we can rely upon our systems to protect themselves at line speeds with less human interaction, the lower our enterprise risk becomes. Additionally, we can spend our precious human resources on those high-priority projects that have been languishing for so long.