Twitter official says ‘Automate or die’

At a recent Open Web Application Security Project (OWASP) meetup in San Francisco, Twitter Trust and Info Sec Officer (TISO), Michael Coates put it bluntly, “Automate or die. This is the biggest thing I stick by in this day and age.”

As security teams grapple with a deluge of data, alerts and the constant threats, it’s table stakes to automate critical parts of the security team’s functions. Security Week reports, “It’s taken three years but, in 2016, security automation and orchestration is finally front and center”.

Gartner analyst Lawrence Pingree has stated that “In the past, security professionals have been fearful and skeptical of automation. This, however, is changing, because organizations are acknowledging that a human response cannot react fast enough, which is compounded by the fact that there are not enough security practitioners in end-user organizations to perform manual human responses to threats.”

The international standard for security management ISO/IEC 27001 lists 114 security controls in 14 separate groups. Where do you begin? Sean Convery, vice president and general manager at the ServiceNow Security Business Unit, points out that you can’t automate what you don’t understand. “Establish baseline metrics for security postures you can track over time, and develop an incident response action plan that addresses an organization’s unique business services and IT architecture.”

Gartner states that “prioritized and managed remediation based on business context is the Holy Grail of security operations.”

Improved collaboration with automation: According to Intel Security research, organizations with more than 5,000 employees conducted an average of 150 security investigations in a given year. That’s three incidents each week! The authors write that when it comes to incident detection and response, time has an ominous correlation to potential damage—the longer it takes an organization to identify, investigate, and respond to a cyber-attack, the more likely it is that their actions won’t be enough to preclude a costly breach of sensitive data.

Covery points out that “Security teams typically use emails, spreadsheets, phone calls and other manual processes to receive and analyze a steady stream of alerts from siloed security systems. More than 90 percent of the IT and security professionals confirmed that they rely on these on manual processes, even though they realize doing so limits their incident response effectiveness and efficiency levels.”

Automation can enhance knowledge and compliance: In his book “Beyond Cybersecurity” author and head of McKinsey’s cybersecurity practice, James Kaplan writes, “Too many companies try to manage Incident Response (IR) in a decentralized fashion. More business value can be destroyed as a result of poor response to a breach. Effective Incident Response (IR) should help improve any organizational relationships with third parties like forensic experts and breach remediation.”

As automation tools rise, the alignment of teams is bound to occur. Despite organizational politics, silos and finger pointing, automation tools can align the various forces in an IR scenario. The general counsel’s office, teaming up with the chief risk officer, CISO and the outsourced SOC can refer to the incident taxonomy, understand various roles and responsibilities, communicate effectively (on-site and off-site) with specific tools and build realtime playbooks.

What’s more, all these records can be shared for compliance and insurance purposes and can be stored effectively for post-mortem analysis, enhancing corporate knowledge base. In an AlgoSec survey of 350 C-suite professionals, 75 percent of respondents feel that automation will reduce audit preparation time and improve compliance. And 50 percent believe that automation will help deal with the IT skills shortage and reliance on experienced security engineers.

Augmenting your SOC: In a recent HP Whitepaper titled “State of Security Operations – 2016 report of capabilities and maturity of cyber defense organizations,” the researchers write that “The most capable and mature SOCs are bringing incident-handling responsibilities closer to the frontline of operations teams.”

A SOC is an extension of your internal team and can function with speed and agility as long as you are using the same tools for collaboration and automation. The HP whitepaper further states that orchestration of duties before, during, and after a breach can reduce the cost of the breach. “Hybrid organizations must pay special attention to escalation and shift turnover processes between insourced and outsourced functions. Strictly defined and followed processes ensure that all relevant information is passed between groups and allows for the best capabilities at identifying and isolating breaches.” Indeed, as virtual SOCs come into play, the necessity of centralized repositories for communication and coordination gain importance.

[ MORE AUTOMATION: Changing the approach to security automation and cooperation ]

Not everything can be automated: We have yet to see meaningful leaps in automation in vulnerability scanning and static code analysis. “Most tools suck – it’s mind boggling,” says Kyle Randolp, principal security engineer at Optimizely. “Key and credential management areas have the potential. But auto scanning tools are a negative ROI.”

The Register recently reported that vulnerability scanners generate anywhere from 50% to 89% false positive. Chris Steipp, senior security engineer at Wikimedia Foundation, adds that while automation is critical, static code analyzers have identified “only two legit issues in five months, having scanned over 25% of our code base.”

Despite such limitations, the promise of security automation can scale any CISOs defense posture. Yet we know that not everything can be automated. Nor will we ever be fully secure.