The WannaCry and Petya ransomware outbreaks damaged enterprise networks around the world and struck fear into the hearts of IT and security chiefs everywhere. And for every enterprise, particularly those in financial sector, it’s not a matter of ‘if’ they will get attacked, it’s ‘when.’
The sheer number of outbreaks and the financial and brand damage they can inflict is putting immense pressure on CIOs and CISOs in financial services and other market sectors to ensure their cyber security policies and procedures are up to date. For some, the opportunity to automate daily IT security management tasks is one that is too good to pass up.
IT chiefs gathered in Sydney recently to discuss how they are automating their cyber security management tasks in this complex global threat environment and the challenges that automation is helping them overcome.
James Sillence, senior manager of systems engineering at Juniper Networks, says that for some time, cyber attacks have been machine-generated and automated.
“If our response to that kind of attack requires human intervention, it becomes inevitable that at some point we will succumb to an attack. In today’s internet, what’s imperative for a robust cyber security posture is a machine-based, automated response to a machine-based, automated attack,” said Sillence.
Robert Kingma, CEO at ICT Networks, adds that the focus on the automation of security event management and incident response is driven by an ever increasing volume, velocity and complexity of attacks against networks plus a ‘very real’ lack of affordable skilled security professionals.
“The speed of today’s security environment means that if a human is involved, an event will have moved past [network] security and is now a forensics case,” he said.
“Automation globalises attack identification, machine learning defines defence stances and instantly updates defences,” Kingma added. “Defences are implemented against pre-defined security policies blocking traffic, diverting traffic or perhaps quarantining and infected device. Automation promises to release skilled security professionals from event management and incident response duties to focus on policy development and compliance.”
Ben Lyons, head of information technology at chartered accounting group, HLB Mann Judd, says his organisation has invested heavily in reducing the variability of end user devices. A ‘minimalist standard operating environment’ – managed through software deployment tools and analysed using a behavioural profiling platform – has provided some valuable insights.
Lyons says the company expects to automate more security management processes in the future as vendors either include automation or become more open to third-party integration for external management.
“We are already seeing an information overload from the helpdesk, monitoring tools and the various security platforms. Automation is key to ensuring alerts are triaged and where appropriate, action is taken quickly,” he says. “Our greatest focus is to protect the data at its source by limiting access to a ‘need to know’ basis.”
He adds that the introduction of real-time user and document access analytics and exception reporting by its document management system provider will also identify threats and potentially reduce data misuse.
David Russell, chief technology officer at DirectMoney, says that although the marketplace lender doesn’t currently automate cyber security management tasks, the organisation is looking at automation options to strengthen its DevOps processes, which include security automation.
“One of goals is to improve the frequency of deployment cycles. Doing so can reduce the risk of each deployment, deliver new features into the market sooner and respond quicker to market insights or production issues,” Russell says.
“Automated scripts are critical in achieving this as they provide rapid feedback at each stage of development and deployment, and reduce the time a feature spends in rework or waiting for manual intervention.
“However, to take full advantage of an automated delivery pipeline, we also need to consider how work is prioritised and resources aligned to minimise bottlenecks and maximise our most effective resources. The combination of deployment automation and process improvement is where we are focusing right now.”
Cloud a ‘wake-up call’
Enterprises of all sizes are moving an increasing number of IT services to third-party cloud providers. During the luncheon, attendees were asked if the move to cloud has changed their security posture, particularly given that they are now sharing security information with a third-party that is serving the needs of many organisations.
Juniper Networks’ Sillence says that for companies that have always had a robust security posture, moving workloads to a cloud service provider is just seen as an extension of their policies.
“The delineation between ‘on-premise and off-premise’ workloads should be indiscernible from a security perspective. On the other hand, for organisations that have relied on relative isolation of their private data centre to protect themselves, the cloud is a wake-up call," he said.
“This is not because the cloud is inherently less secure but because an organisation’s secure perimeter now extends beyond its four walls and significantly increases their attack surface,” he added.
HLB Mann Judd’s Lyons said: “The days of on-premise ‘security by obscurity’ are well and truly gone. However, due to regular online data breaches, there is still a hesitation for many to move to the cloud.”
But Sillence concluded that although organisations have been reluctant to share security information ion the past, attitudes are now changing as some move their services to the cloud.
“As defenders, we are beginning to understand that information sharing is really important in terms of building threat intelligence, and we are seeing more information being exchanged. However, as developing threat intelligence is only part of the solution, providing the mechanism to consume that intelligence – which can then be applied to your automated event response – is critical.”
A possible answer to the skills gap?
Attendees agreed that security automation will go at least some way to addressing the shortage of people with cyber security skills at least in the short to medium term.
The ‘detect and remediate’ posture relies on Juniper having security analysts on staff to deal with potential security breaches, said Sillence.
“These personnel are highly trained, expensive and generally a rare breed but organisations often use them to deal with the mundane,” he said. “As the number of incidents increase, the only way to scale this posture is to employ more security analysts, which you probably can’t for budget or scarcity reasons.
“The only logical way to break the impasse is to employ a posture that relies on automation to deal with the noise – 95 per cent of your security incidents – and free up your security team to deal with the things are really going to hurt you,” Sillence said.
Charlie Yan, head of IT security at BNP Paribas Australia says the investment bank is having difficulty finding people with the right security skills. The organisation also needs to hire more experienced professionals to train staff so they are familiar with automated processes and tools, he says.
HLB Mann Judd’s Lyons, adds that as an SME, the firm is not the natural choice for an aspiring cyber expert to seek employment. It relies on a small internal team complemented by specialist partnerships to fulfil its needs.
“Security automation is critical to achieve efficiency and reduce human error especially when third-parties are involved,” he said.