• United States



Twitter official says ‘Automate or die’

May 31, 20165 mins
ComplianceCSO and CISOIT Leadership

Security automation and collaboration sounds cool. But where do I begin ?

twitter cages
Credit: Thinkstock

At a recent Open Web Application Security Project (OWASP) meetup in San Francisco, Twitter Trust and Info Sec Officer (TISO), Michael Coates put it bluntly, “Automate or die. This is the biggest thing I stick by in this day and age.”

As security teams grapple with a deluge of data, alerts and the constant threats, it’s table stakes to automate critical parts of the security team’s functions. Security Week reports, “It’s taken three years but, in 2016, security automation and orchestration is finally front and center”.

Gartner analyst Lawrence Pingree has stated that “In the past, security professionals have been fearful and skeptical of automation. This, however, is changing, because organizations are acknowledging that a human response cannot react fast enough, which is compounded by the fact that there are not enough security practitioners in end-user organizations to perform manual human responses to threats.”

The international standard for security management ISO/IEC 27001 lists 114 security controls in 14 separate groups. Where do you begin? Sean Convery, vice president and general manager at the ServiceNow Security Business Unit, points out that you can’t automate what you don’t understand. “Establish baseline metrics for security postures you can track over time, and develop an incident response action plan that addresses an organization’s unique business services and IT architecture.”

Gartner states that “prioritized and managed remediation based on business context is the Holy Grail of security operations.”

Improved collaboration with automation: According to Intel Security research, organizations with more than 5,000 employees conducted an average of 150 security investigations in a given year. That’s three incidents each week! The authors write that when it comes to incident detection and response, time has an ominous correlation to potential damage—the longer it takes an organization to identify, investigate, and respond to a cyber-attack, the more likely it is that their actions won’t be enough to preclude a costly breach of sensitive data.

Covery points out that “Security teams typically use emails, spreadsheets, phone calls and other manual processes to receive and analyze a steady stream of alerts from siloed security systems. More than 90 percent of the IT and security professionals confirmed that they rely on these on manual processes, even though they realize doing so limits their incident response effectiveness and efficiency levels.”

Automation can enhance knowledge and compliance: In his book “Beyond Cybersecurity” author and head of McKinsey’s cybersecurity practice, James Kaplan writes, “Too many companies try to manage Incident Response (IR) in a decentralized fashion. More business value can be destroyed as a result of poor response to a breach. Effective Incident Response (IR) should help improve any organizational relationships with third parties like forensic experts and breach remediation.”

As automation tools rise, the alignment of teams is bound to occur. Despite organizational politics, silos and finger pointing, automation tools can align the various forces in an IR scenario. The general counsel’s office, teaming up with the chief risk officer, CISO and the outsourced SOC can refer to the incident taxonomy, understand various roles and responsibilities, communicate effectively (on-site and off-site) with specific tools and build realtime playbooks.

What’s more, all these records can be shared for compliance and insurance purposes and can be stored effectively for post-mortem analysis, enhancing corporate knowledge base. In an AlgoSec survey of 350 C-suite professionals, 75 percent of respondents feel that automation will reduce audit preparation time and improve compliance. And 50 percent believe that automation will help deal with the IT skills shortage and reliance on experienced security engineers.

Augmenting your SOC: In a recent HP Whitepaper titled “State of Security Operations – 2016 report of capabilities and maturity of cyber defense organizations,” the researchers write that “The most capable and mature SOCs are bringing incident-handling responsibilities closer to the frontline of operations teams.”

A SOC is an extension of your internal team and can function with speed and agility as long as you are using the same tools for collaboration and automation. The HP whitepaper further states that orchestration of duties before, during, and after a breach can reduce the cost of the breach. “Hybrid organizations must pay special attention to escalation and shift turnover processes between insourced and outsourced functions. Strictly defined and followed processes ensure that all relevant information is passed between groups and allows for the best capabilities at identifying and isolating breaches.” Indeed, as virtual SOCs come into play, the necessity of centralized repositories for communication and coordination gain importance.

[ MORE AUTOMATION: Changing the approach to security automation and cooperation ]

Not everything can be automated: We have yet to see meaningful leaps in automation in vulnerability scanning and static code analysis. “Most tools suck – it’s mind boggling,” says Kyle Randolp, principal security engineer at Optimizely. “Key and credential management areas have the potential. But auto scanning tools are a negative ROI.”

The Register recently reported that vulnerability scanners generate anywhere from 50% to 89% false positive. Chris Steipp, senior security engineer at Wikimedia Foundation, adds that while automation is critical, static code analyzers have identified “only two legit issues in five months, having scanned over 25% of our code base.”

Despite such limitations, the promise of security automation can scale any CISOs defense posture. Yet we know that not everything can be automated. Nor will we ever be fully secure.

Mahendra Ramsinghani is the founder of Secure Octane, a Silicon Valley-based cybersecurity seed fund. He brings two decades of business and investment expertise to his work advising cybersecurity startups like Icebrg (backed by Madrona, Formation 8) Kryptnostic (backed by Index, Harrison Metal, Felicis) and Attivo Networks (Bain Capital). Mahendra is the organizer of Bay Area Security Startups, a monthly meetup with more than 350 members.

As managing director of First Step Fund, Mahendra led investments in more than 50 startups. He is the author of two books on venture capital and startups: The Business of Venture Capital (Wiley Finance, 2014) and Startup Boards (Wiley, 2014), which he co-authored with noted venture capitalist Brad Feld. He has published articles in Forbes and the MIT Technology Review and on Huffington Post.

As a frequent speaker on cybersecurity, venture capital and technology, Mahendra has delivered presentations at meetings of organizations such as Swissnex (San Francisco) and the Silicon Valley chapter of the International Information Systems Security Certification Consortium (ISC2) and at the IBF Venture Capital Investing Conference (San Francisco), the Cascadia Summit (Vancouver, British Columbia) and the Thomson Reuters VCJ Alpha Conference (Boston and San Francisco). He has also appeared on National Public Radio.

Mahendra's educational background includes a bachelor of engineering degree (electronics) and an MBA (finance and marketing) from the University of Pune in India.

The opinions expressed in this blog are those of Mahendra Ramsinghani and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.