Automation is now No. 1 for SecOps: How to put it to work on your team – TechBeacon

Security automation has become a top concern for many organizations as they struggle with a growing number of cyber threats fueled by new attack vectors in the cloud, and with proliferating endpoints created by the Internet of Things.

That trend was revealed in a recent survey of 300 CISOs, CIOs, CTOs, architects, engineers, and analysts across a variety of industries by the threat detection and hunting company Fidelis Cybersecurity.

More than half the professionals surveyed (57%) said that a lack of automation is their top concern for their organizations.

Here's how to improve your overall security operations with automation.

[ Explore the challenges and opportunities facing SOCs in TechBeacon's new guide. Plus: Getthe 2019 State of Security Operations report. ]

Automation is rising on the priority list because organizations arerealizing it's a way to reduce risks, gain greater visibility into their networks, and get the most from their security stacks.

One of the biggest risks automation can address is human error. When an engineer is asked to repeat the same task every day, looking for needles in the same haystacks, eventually they will make a mistake,said Laurence Pitt,strategic security director at security and performance company Juniper Networks. "Computers will not do this. Once set to a task, they will get it right every single time without failure."

Automated and orchestrated processes can also reduce risks by allowing threats to be detected and addressed faster, said Joseph Blankenship,vice president and research director for security and risk atForrester Research.

"Automated policy orchestration also helps reduce risk by ensuringthat policies exist and are effective, reducing the risk that systems and the data in those systems can be breached."Joseph Blankenship

There's an opportunity to incorporate automation to reduce risk at all stages of security, saidRani Osnat,vice president for strategy atAqua Security, acloud application security provider.

This can startwith automated scanning for vulnerabilities, flaws, malware, and configuration mistakes, and includeautomated profiling of allocation behavior for whitelisting and anomaly detection. Other security areas ripe for automation aredetection of and response tobreaches and attacks.

As good as automation is atreducing human error, it can't eliminate humans entirely.

"Computers can spot patterns, alerts, and bad actions on the network or on connected devices. Humans can spot the unexpected."Laurence Pitt

That's why security automation is so important,he added. "It gives time back to the engineers to do what they are good at."

Integration of security solutions is another area where automation falls short and can actually create risk, said Joseph Carson, the chief security scientist at security tools vendor Thycotic. "For many organizations, this tends to be time-consuming and complicated and can introduce risks when done incorrectly."

[ Effective SecOps requires staying one step ahead.Get up to speed with thisWebinar coveringUEBA and MITREATT&CK]

Automation can help security engineers by noticing patterns inside the millions of alerts sent to them daily. Automation can "spot the ones that actually need to be of concern and either act on them, or flag them for an engineer," Juniper'sPitt explained.

Automation using machine learning can give system defenders greater insight into network operations, too,saidShreyans Mehta,co-founder and CTO ofCequence Security, amaker of automated digital security systems.

"By observing network and application traffic, machine learning can help model how good users behave on a web application. The same models can then be used to identify bad actors with malicious behaviors and intent."Shreyans Mehta

Automation can also help organizations get more from their security stacks. Organizations are "overwhelmed"by the volume and velocity of alerts generated by their security systems,saidRaphael Reich, vice president of product marketing at CyCognito, maker of an attack surface analysis platform.

"By leveraging automated, intelligent prioritization of risks. Organizations can ensure their security resources are focused on addressing the risks that, when eliminated, provide the greatest ROI."Raphael Reich

A majority of organizations surveyed in the Fidelis report admitted they are not using their stack to its full potential. Just 6.54%of all organizations surveyed believe they are using their security stack to its full capability.

The good news, the report said, is that most organizations realize that this is a problem, with 78% of respondents replying that they already have, or are planning to, consolidate their security stack.

One approach to maximizing stack utilization is to create a standardized data ontology that represents the structure and flow of information between the components of the security ecosystem.

"This creates a common language that facilitates communicationnot just between human stakeholders but also between the systems that comprise the security stack," said Syed Abdur,senior director of products at therisk analytics firm Brinqa.

"Of course, when you automate, it means that the resources you have can do so much more, and you can get more value out of your solutions."Joseph Carson

While automation can address some of the concerns organizations have about risk, visibility, and utilization, it needs data to work effectively, said Blankenship. "Automation is only as good as the analytics technologies that exist. Automation can't do anything without good data."

One reason for the lack of automationthus far is that the legacy systems in many organizations depend on signatures to function. These systems, unlike machine-learning-based systems, require constant writing and updating of manual rules and require manual feedback, which does not support automation,said Cequence's Mehta.

That's especially true in security operations centers (SOCs). Most organizations have very manual processes in their SOCs due to the wide range of technologies analysts work with, the need for human intelligence to identify threats, and the lack of automated tools until about four years ago,said Forrester's Blankenship. "Automation is still relatively new to security operations professionals."

Brinqa'sAbdurexplained that a lack of standardization within security programs themselves can also be a barrier to automation.

"There can be significant differences in how the same cybersecurity program may be designed and implemented across different organizations. As a result, a 'one size fits all' approach to cybersecurity process automation does not work."Syed Abdur

In addition, he said, while it's possible to automate large parts of the vulnerability management process, to do that an organization needs an authoritative, accurate, and complete asset inventory.

A surprisingly large percentage of organizations lag behind in implementing foundational controls like asset management effectively, which makes it difficult to incorporate automation further downstream,Abdur said.

While security professionals say they'reconcerned about thelack of automation, some of that sentimentmay be a bit hypocritical. "At least in part, lack of automation is due to resistance to relinquishing control to automated systems," saidAqua Security'sOsnat.

That's especially true when it comes to preventive controls or response to threats thatcan block processes or applications. In those situations, practitioners can be overly concerned about automation creating false positives that can be a time suck on the development process.

"Unfortunately, sometimes the speed of attacks, which themselves are often automated, requires an automated response if they are to be thwarted or contained in time," Osnat said.

Juniper Networks' Pittagreed that the accuracy of existing automated systems can make security pros nervous. "This leads to solutions being deployed in the 'least automated' mode," he said.

A classic example of that is information intrusion, Pitt said.

"Everyone has the technology, but many run it in detect-only mode rather than risk falsepositives," he said. "So what we have is a lack of fully deployed automation."Laurence Pitt

That's typically the situation in SOCs. The tools are available from vendors,Blankenship said, but many SOCs dont have them implemented or fully implemented.

"Many SOCs lack automated tools to do the grunt workof security, like running searches and collecting data. They also lack the ability to take automated action on identified threats."Joseph Blankenship

Organizations also lack automated tools to do things such as patching and policy management,Blankenship added. But as environments grow increasingly complex, the ability to automatically push out and enforce policies in multiple environmentsincludingon-premises, cloud, multi-cloud, and hybrid"becomes critical."

[ Find out how to take control of credentials privilege in your organization in this Oct. 31 Webinar. You'll learn best practices, more.]

Go here to read the rest:

Automation is now No. 1 for SecOps: How to put it to work on your team - TechBeacon