Bob Violino
Contributing writer

It’s time to pull the trigger on security automation

Oct 26, 2015
9 mins
Access Control


It’s likely that you already have a variety of security tools (intrusion prevention, network access control, endpoint security, mobile device management) that come with automation capabilities designed to quickly find and stop attacks.

But for a variety of perfectly good reasons, you’ve been reluctant to turn these features on. You may be worried about blocking legitimate business transactions by mistake, keeping employees from getting work done because their devices have been temporarily quarantined or risking the wrath of users when wiping remote devices.

Or maybe you’ve been so swamped that you haven’t had the time to set up these automation capabilities. “It takes time and skills to tune these products effectively in order to take advantage of their automation capabilities,” says Jon Oltsik, senior principal analyst at Enterprise Strategy Group. “Furthermore, automation usually depends upon integrating several security technologies together, which can be difficult,” Oltsik adds.

These are all legitimate concerns. Then there’s the one that nobody wants to acknowledge. As Oltsik puts it: “There is the historical belief that security decisions must be guided by some type of human intervention.”

As with self-driving cars or any technology that aims to take people out of the driver’s seat, there’s a natural reluctance to hand over something as important as security to an automated tool.

On the other hand, costly data breaches are on the rise, and finding experienced cybersecurity professionals is becoming more difficult, leaving security pros overwhelmed.

Now’s the time for security practitioners to take advantage of all the help they can get.

Momentum is building

“We are seeing an increase in the use of automation capabilities. The primary driver is that security professionals are overwhelmed by the number of alerts they face and the volume of threat intelligence data,” Oltsik says. “Therefore, they are trying to automate more basic actions to free the infosec team from pedestrian tasks.”

The biggest result of using automation is more operational efficiency, Oltsik says. “Cyber security today is more of an operations problem than a technology problem,” he says. “We don’t have enough skilled cyber security professionals and those we do have are overwhelmed by manual tasks. By automating cyber security processes for remediation, we can help our people work smarter rather than harder.”

Companies that are using the automation features of their security products are seeing results.

Sitecore, a provider of customer experience management services, is using network firewalls from Palo Alto Networks in all of its offices, and has them equipped with the vendor’s cloud-based WildFire malware analysis service. WildFire provides advanced threat detection and prevention throughout the networks, automatically sharing protections with all WildFire subscribers globally in about 15 minutes.

The company is relying on WildFire “to try and detect and stop intrusions into our network,” says Dylan Lloyd, global IT manager at Sitecore. It’s also testing Palo Alto’s Traps offering and mobile security manager for MDM “to strengthen our security and try to stop more of these attacks on the mobile and endpoint front,” he says.

There are multiple reasons why Sitecore is leveraging security automation features, Lloyd says. “One would be that we do have a limited security team here and we need to make sure we are utilizing our resources as much as we can,” he says.

Automation eases the burdens on the security staff “and makes it so we can feel safe that the company is protected by these capabilities,” Lloyd says.

Another reason for the increased reliance on automation is that security threats are growing, even against smaller companies. “As these attacks increase in volume and become more sophisticated, a human being cannot keep up with this, you need to employ these automated capabilities so the company can continue to run and be productive,” Lloyd says.

Without these systems in place, “we would be chasing down these threats, which makes it impossible for anyone to be productive in that environment,” Lloyd says. He also notes that with the amount of effort Palo Alto puts into threat intelligence, it makes sense to let the vendor’s systems protect Sitecore’s network.

Safer endpoints

The biggest benefit of automation so far is improved endpoint security. Sitecore has seen “a huge decrease” in malware and has blocked threats at the network before they even get to endpoint devices since implementing the firewalls and WildFire.

“This has made it so our malware infections have gone down to almost none,” Lloyd says. “I think we have seen about 10 malware infections on endpoints in an organization that has over 1,000 endpoints. That’s about 1% of our endpoints in three years. I have been in IT for about 15 years now and I have never seen something that works so well, and this is all before we implement Traps.”

There are challenges that come with security automation. “You always block some legitimate business traffic when you put these things into place, so yes we have hit some of these roadblocks,” Lloyd says. “There are times when a department launches a new SaaS tool which has been blocked by these tools, and we have to open that for them.”


Still, there has not been resistance from management or end users, Lloyd says. “Working in a technology company, the majority of them understand we need to put these tools into place to protect our business,” he says.

Another company, Exostar, which provides online collaboration solutions for industries such as aerospace and defense, and life sciences, is taking advantage of the automation capabilities inherent in tools such as Tenable’s SecurityCenter to support its intrusion detection, vulnerability management, and related efforts.

“Because the number and sophistication of attacks is on the rise, keeping pace requires a significant investment in time and labor,” says Rob Sherwood, director of security at Exostar. “By turning to security automation capabilities, we can stay ahead of the game and focus our resources on developing and delivering our solutions for our growing community of customers.”

Security automation is providing the company with much better visibility, “so we can see where we are potentially at risk and take proactive action accordingly,” Sherwood says. “There’s no doubt that using these capabilities has allowed us to prevent active attacks against our employees’ corporate devices. Perhaps more significantly, we’ve been able to extend coverage beyond our virtual four walls to actively prevent attacks against applications our customers use every day.”

At the same time, there’s a balancing act between automation and hands-on control, Sherwood says. “As our confidence in the performance of these security tools rises, we take another step in the direction of automation,” he says. “Because we serve highly regulated industries like aerospace and defense, life science and healthcare, where strong security is an imperative, our security requirements and tuning of security tools’ automation capabilities are highly aggressive.”

The keys to avoiding user pushback and potential productivity loss due to automation are obtaining executive-level support for a baseline security posture and having the flexibility to make controlled, limited, temporary exceptions when it’s necessary and safe to do so, Sherwood says.

Also using security automation capabilities is Queens College of the City University of New York. The college relies on the intrusion prevention feature of CounterACT from Forescout, which detects suspicious network behavior or virus activity and immediately blocks the offending user’s network access.

“Then we use the CounterACT captive Web portal to notify the user that there is a problem and to contact the help desk,” says Morris Altman, director of network services and Internet security officer. “This helped us back in the days when it was very common to have self-propagating worms running around your network.”

When that began happening, the college would have hundreds of computers getting infected, “and we’d have to manually take them offline by disconnecting and disabling their network ports, and going through firewall logs to detect those computers,” Altman says.

The college can now stop attacks proactively, instead of having a situation where hundreds of computers are blocked. “This made CounterACT a huge productivity and time saver for us,” Altman says. “We still see this type of infection today and they don’t spread.”

On the college’s wireless network, which is the client network for students, “we see computers come in with all sorts of problems,” Altman says. “We stop that stuff in its tracks so the student can either remediate it or come to our help desk for a fix. Now we’re starting to see viruses show up on people’s smartphones, so being proactive is key.”

Queens College has had instances when its security policies were more restrictive than necessary, for example immediately blocking users whose Windows patches were not up to date, Altman says.

“Now we have a period where we warn users ahead of time and provide instructions on how to deal with the problem right there on the Web screen along with the help desk number,” Altman says. “We give them a week or so to get up to date. Then if they aren’t up to date after a week, we block their access. That’s a learning lesson to help us keep our community productive and safe at the same time. We’re playing the balance game between risk and productivity. The last thing we want to do is stop somebody from working, but sometimes the risk is so great that you have to.”
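The block-immediately versus warn-then-block distinction that Altman describes, together with the controlled, temporary exceptions Sherwood mentions, is easy to state as an explicit policy. The following is an added example written for this article, not code from the college, from Forescout, or from any product named here; it models a NAC-style decision flow with a seven-day grace period (an assumption standing in for “a week or so”), a time-boxed exception that can defer a patch block but never a malware block, and the captive-portal text a user would be shown. Host names, dates and the help desk placeholder are all constructed.

```python
"""Grace-period quarantine policy for an automated network access control flow.

Added example (not the article's or any vendor's code). Rules modelled:
  * active malware/worm behaviour  -> block immediately, no exception applies
  * patches out of date            -> warn during a grace period, block after it
  * temporary exception (expiry)   -> defers a patch block while still valid
All endpoint records and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

GRACE_PERIOD = timedelta(days=7)  # assumed value for "a week or so"
HELP_DESK = "<HELP-DESK-NUMBER>"  # placeholder, not a real number


@dataclass
class Endpoint:
    host: str
    patched: bool
    malware_alert: bool
    noncompliant_since: Optional[date]       # first day patches were seen out of date
    exception_until: Optional[date] = None   # controlled, time-boxed exception


@dataclass
class Decision:
    action: str            # "allow", "warn" or "block"
    reason: str
    portal_message: str = ""


def evaluate(ep: Endpoint, today: date) -> Decision:
    """Decide what the enforcement point should do with one endpoint today."""
    # 1. Suspicious/worm-like activity: block at once. Exceptions never apply here.
    if ep.malware_alert:
        return Decision("block", "malware_alert",
                        f"{ep.host}: suspicious network activity detected. "
                        f"Access blocked; contact the help desk at {HELP_DESK}.")
    # 2. Compliant endpoint: nothing to do.
    if ep.patched:
        return Decision("allow", "compliant")
    # 3. Out-of-date patches: a still-valid exception keeps the user working.
    if ep.exception_until is not None and today <= ep.exception_until:
        return Decision("allow", "temporary_exception",
                        f"{ep.host}: exception valid until {ep.exception_until}.")
    # 4. Otherwise warn inside the grace period, block once the deadline passes.
    since = ep.noncompliant_since or today        # first seen today if unknown
    deadline = since + GRACE_PERIOD
    if today < deadline:
        days_left = (deadline - today).days
        return Decision("warn", "patch_grace_period",
                        f"{ep.host}: Windows patches are out of date. Update within "
                        f"{days_left} day(s) or access will be blocked. Help desk: {HELP_DESK}")
    return Decision("block", "patch_deadline_passed",
                    f"{ep.host}: patch deadline passed. Access blocked until updated; "
                    f"contact the help desk at {HELP_DESK}.")


def run_policy(endpoints: List[Endpoint], today: date) -> Dict[str, str]:
    """Map each host to the action the policy selects for it."""
    return {ep.host: evaluate(ep, today).action for ep in endpoints}


# Constructed sample inventory for one policy run on 2015-10-26.
TODAY = date(2015, 10, 26)
SAMPLE_ENDPOINTS = [
    Endpoint("lab-pc-01", patched=True, malware_alert=False, noncompliant_since=None),
    Endpoint("lab-pc-02", patched=False, malware_alert=False, noncompliant_since=date(2015, 10, 24)),
    Endpoint("lab-pc-03", patched=False, malware_alert=False, noncompliant_since=date(2015, 10, 10)),
    Endpoint("lab-pc-04", patched=False, malware_alert=False, noncompliant_since=date(2015, 10, 10),
             exception_until=date(2015, 10, 30)),      # exception still valid
    Endpoint("lab-pc-05", patched=True, malware_alert=True, noncompliant_since=None,
             exception_until=date(2015, 11, 30)),      # exception must not help here
    Endpoint("lab-pc-06", patched=False, malware_alert=False, noncompliant_since=date(2015, 10, 10),
             exception_until=date(2015, 10, 20)),      # exception already expired
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        d = evaluate(ep, TODAY)
        print(f"{ep.host:10} {d.action:5} {d.reason:22} {d.portal_message}")
```

Two design points matter more than the numbers: the malware branch is checked before any exception so that a convenience carve-out can never mask an active infection, and every exception carries an expiry date, which is what makes it “controlled, limited, temporary” rather than a permanent hole in the baseline.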

Violino is a freelance writer. He can be reached at