
Improving Security with Automation

All aspects of business are being automated to increase efficiency and reduce error. That's why we're exploring the pros and cons of implementing automation into cyber security. 

We'll dive into which parts of an organisation's security can and should be automated with incident response specialist Andy Yeates.


Video Transcript

Hello and welcome to Security Panel, brought to you by Celerity, the show that covers all the big topics in the world of cybersecurity. I'm your host, David Taylor, and in this week's episode we're going to be talking about improving security with automation. To help me discuss this, I'm going to be welcoming back a great guest, IBM Resilient incident response specialist Andy Yeates. But first, let's take a look at some of the recent cybersecurity news stories that have been grabbing the headlines.

  • Cyber Security News

    DAVID:
    First up in the news is that a ransomware taskforce has been set up in order to tackle the increasing threat of ransomware, involving 60 plus members from the commercial, government and security sectors. They've released 48 recommendations, which are going to help organisations tackle this persistent cyber threat. The taskforce is looking at alternative ways of cracking down on ransomware, arguing that ransomware attacks don't just affect individual organisations anymore, but are now a national security threat now that they're targeting hospitals and schools.

    Elsewhere, the Darkside ransomware group has changed tack and they're now actually approaching traders with inside information on companies that have been attacked. This would then allow the brokers to short sell stock in these breached companies before the information goes public.

    And in the southern hemisphere, Australia's federal government has proposed a new curriculum that would increase security awareness training for children as young as five. Part of the teaching would include teaching students not to give away personal information such as their date of birth or their full name to strangers, and also checking in with their parents before they put their information online. We personally think that's a great idea and we hope that it spreads throughout the world. Now let's carry on with the show and talk to our guest Andy Yeates about improving security with automation.

  • What are the biggest headaches for security teams at the moment?

    DAVID:
    Before we dive into security automation, it's probably worthwhile looking at some of the biggest headaches that security teams are going through at the moment. Can you shed some light on that?

    ANDREW YEATES:
    Yes, definitely. I mean, from my perspective and how we see it at IBM, fundamentally, we can categorise that into four key areas. Firstly, we see there's a significant increase in the volume of attacks and the severity of those attacks, which causes huge headaches around how organisations are fundamentally finding the needle in the haystack. Right. You know, those really important cyber security incidents that they need to focus on. And that's the first really key challenge that we see organisations faced with.

    The second thing is not something that's new, but something we've actually been facing for a long period of time. And that's the lack of skills within this industry, right? There are too many outstanding jobs in cybersecurity. Trying to acquire, retain and develop that talent is really difficult. And we're seeing a rotation of this staff at an exponential rate. Right. People moving on to new jobs within security operation centres every six months. And that further just exacerbates a lot of that challenge around, you know, how do you actually respond to a lot of cybersecurity threats effectively and in a consistent, repeatable manner?

    The third is really about the growing regulatory landscape. So, again, you know, GDPR is nothing new and we aren't going to spend a lot of time today talking about it, David. But fundamentally, when we look at regulations, they're a key driver for organisations in terms of their risk posture and how they approach cybersecurity. And that creates huge challenges because, you know, fundamentally they need to be able to demonstrate that they're prepared for a cyber incident.

    And then the fourth really key challenge that I see in the industry is that a lot of the environment that we've got across our security IT estate these days is actually enormous, where we've got 75, or at least 50 plus, different security tools. I know that some organisations are up around sort of 75 platforms from 45 different vendors. And fundamentally, we're talking about heavily siloed technology, and in the context of cybersecurity, trying to actually automate these things or, you know, trying to get to that end goal, which is to reduce that time to respond. Right. That's the business objective, because if we can reduce that time to respond, it means the threat actor has less time in the organisation. They have less chance to do something really severe to it. And we can actually help to improve the fundamental concept of that, you know, spotting that needle, or what is the really important incident that we should be focused on. So those are the four key challenges, I think at least, that we're faced with in the industry today.

  • Challenges Caused by Organisations Using Many Security Tools

    DAVID:
    You touched on organisations having many, many, many security tools. You know, I think reports put it at around 50 plus for the average organisation. So with that said, you know, what kind of challenges does that present organisations?

    ANDREW YEATES:
    Yeah, that's a great question. Right. So, I mean, when we talk about all of these technologies, right, they all play a key role in terms of identifying or helping to respond to or remediate a particular cyber threat. But they're fairly moot points when they're very siloed technology. Right. Because the key thing that organisations really need to get to grips with as a first point is how do they actually identify the cybersecurity threats? How do they actually know when is an appropriate time to pull in that data, intelligence, that information in the context of an investigation or response to an incident? And that's really the key challenge, right, is it's all very siloed. And without using that critical data to help contextualise an incident, it becomes fairly pointless in a way. Right. You know, you're going to use it for a very small proportion of the time that you're actually responding to cyber threats. And this is really the direction.

    This is where security has got to evolve over the coming years. We need to move away. We need to evolve around just how many point solutions fundamentally sit in a part of the organisation that provides the detailed information so the organisation knows they've been breached. They know they've got a threat actor in their environment, but they're not doing anything with the data. And this is why we need to think about how we then progress to actually integrate these solutions together, to then get a much higher level of accuracy to the incident. Again, improving that ability to respond much more efficiently and, critically, actually getting a contextualised incident. Right. Knowing this is a true positive and getting rid of the weeds, so to speak, in that context.

  • What are the business benefits of having some level of automation in security?

    DAVID: Some excellent points there, talking about security challenges as a whole and headaches that some of the teams have got. So let's jump into automation. So what are the areas of security where automation can be implemented?

    ANDREW: Well, I mean, anything that provides intelligence to a platform that's going to help the investigation, right? I mean, a lot of the time when we speak to organisations, we have that kind of initial discussion whereby there's a predetermined, more a preconception, that the data they're going to need is going to come from an EDR platform or it's going to come from, you know, their SIEM platform or some kind of NAC on your network. It really is about any data that is going to be important or pertinent to the investigation or response to it. So it could be about integrating with your LDAP. It could be, you know, integrating with a local CMDB to pull asset criticality data on some assets involved. You know, what's the criticality of that? And all of those components are really, really important when you start to look at automation, because fundamentally, when we're automating something, we need a really, really high level of certainty that what we're going to do to that particular machine, or the action we're going to take, has a high certainty that it is the right and appropriate action. And that's really, really difficult in cybersecurity.

    So, you know, to be quite blunt about your question, David, in my approach to this, it's anything that you think is really, really important. Now, to kind of continue on from that question and expand on it a little bit, and apologies as this is kind of laterally talking about the questions, but there's been an evolution around how we actually automate solutions over the last few years. Right. So, around the noughties, we integrated using a typical API integration. Right. And they work brilliantly for a very small handful of integrations. Right. So if you think about a traditional SOAR platform or an IRP, an incident response platform, they're great, right. You're going to have maybe like five, 10 integrations. But what's difficult is when you try to scale that operation. That's when it becomes really, really challenging, because when scaling API integrations, if anything changes, the model schema changes. If an API no longer exists, it breaks the overall integration. So, you know, in the context of how we want to evolve and change security as we move forward, we need to think about a new way of how we actually approach the integration of these technologies. So API integrations have a point, but they're not going to work for fully getting the holistic point of view with all of these various different 50 plus technologies.

    So that brings us onto the next option, which would be, OK, well, let's think about consolidation of data. So organisations again, over the last 15, 20 years, you know, every organisation has pretty much gone towards the method of saying let's create a data lake, and data lakes are brilliant, right. But the problem with data lakes that you do find is that the ownership of that data doesn't suddenly change hands. Right. The people that probably own that critical data could be another team that sits in another part of the organisation, and they own the updating and management of that data. Now, moving that data to then sit and reside within a data lake is hugely expensive because you've got all the storage costs. You're probably not going to get a complete viewpoint of all that data. Right, because of how the data is potentially structured or potentially, you know, the ownership of that data. And the impact of this that we actually get is that data lake, I personally refer to it, becoming a data swamp, right. It's outdated. Data is hugely expensive. It's just not a great situation. And that's, I think, where organisations are starting to get to.

    They're getting to that point where they start to realise that actually it was a really great concept, but it just doesn't work in practice in the context of cybersecurity. Not to say organisations are really there, but, you know, there's a better approach, so where we need to evolve to with cybersecurity and how we actually integrate with these solutions is thinking about it in a more federated way. Right. So keep the data where it resides. Let's not move it. Let's keep that in the original data point, keep it updated, being owned by the appropriate teams, and then we can federate that search. We use data connectors like we do, for example, in Cloud Pak for Security to actually then query those different platforms, and the benefit there is that we're not going to end up with huge data costs, data storage costs, or having to replicate that data into Cloud Pak for Security. We don't have the limitation we do have with APIs, where something breaks or changes and that's going to have a huge impact on it. And we also don't have the issue of the data swamp. Right. The data is not going to become outdated because we're not moving it into a different point. And so this, from a strategic standpoint, is really the direction of where automation, in the context of how we integrate with those solutions, needs to go. And hopefully that makes sense; that's a bit of a long-winded answer.

  • Business Benefits to Implementing Security Automation

    DAVID: Yeah, there are some great points there. So I think it moves on quite nicely. You touched a little bit on saving time and cost. So what else, what are the other business benefits to having some level of automation within security?

    ANDREW: I mean, automation, right? If we think about a typical analyst role, there's a lot of mundane tasks, right? Yeah. Let's take an example of an IP address, when an analyst gets an IP address to investigate an incident. And the first thing he's going to do is this. This is what we refer to as a data certainty task. This is a great example of something that we can automate. It's a really painful task because, you know, you're essentially asking somebody to do very repetitive work over and over again. Take that, copy and paste that into a website, see what it comes up with, and then make a note of it. Those are the situations where automation can really improve your security operations in terms of employee satisfaction, preventing burnout, increasing the overall efficiency of your security operation. And, you know, then there's the bigger impact, which is, again, you know, in connection to that, reducing that time to respond, reducing your overall business risk. OK. And to me, that's the really key thing that we need to be thinking about when we do automation.

  • The Pitfalls of Using Security Automation

    DAVID: No, I fully identify with that because I've previously worked with sort of data processing in the past, with the copying and pasting and the spreadsheets and all that kind of stuff. You know, mistakes do get made and 100% you do get some burnout from that. So kind of moving on from that, we've looked at some of the business benefits. Are there any pitfalls to automation? Is there anything where things can go wrong or really badly wrong?

    ANDREW: Yeah, definitely. I think this is a really important topic. I'm glad you asked the question, David. I mean, the problem with automation is that we can't really automate everything. Right. I think there's a lot of construction out there that a lot of organisations want to automate everything, OK? They look at a SOAR platform or they look at something like Cloud Pak for Security and think, brilliant, we're going to automate everything. Now, in reality, you can do that if you really wanted to, but it has to be in line with your risk appetite. So let's take a particular scenario. Right. And this is a system I always use as a great example, but you wouldn't fundamentally automate your remediation of a machine. Well, personally, I wouldn't recommend you do that, because there are so many variables that are involved in what you're doing there. Right. What type of asset is it? Is it a development server? Is it, you know, related to transactions for your credit card system on your website? How you approach those could be two completely different methods, and you could end up impacting your CIA, or your confidentiality, integrity and availability model, and put yourself in a very tricky situation with the regulator as a result of that. So, you know, the way that I really approach automations is in two buckets, right? You've got automation, which is, you know, where you have data certainty. We have an IP address we're going to always want to query, or it could be an MD5. We've got a piece of malware we always want to send off to be sandboxed; makes total sense. Those are very easy, tangible things to understand. Where it becomes more difficult is when we don't have data certainty, and in reality, in cybersecurity, the majority of what we actually have to deal with in responding to these cyber threats is uncertainty. It's a very complex investigation that we're kind of faced with typically.

    So this is where the concept of orchestration really comes from, and actually how Gartner kind of sees it is that automation is fundamentally a subset of orchestration. Orchestration is essentially leveraging the automation better in terms of going off, doing the action, putting back the data. But the question is, how is it executed? What causes that automation to run? Orchestration puts the analyst in the picture. And if I think about the traditional model of people, process and technology, technology is really the least important of the three, right. It's people and process. Those are the really effective components of that. The technology's just an enabler for the others. So, you know, when we think about automation and orchestration, you know, having the analyst, the intelligence, to then be able to say, right, I've looked at this, I can understand the data we pulled in. We federated search that data from Cloud Pak for Security. We know what we're going to do. And I'm going to make a decision to then kick off this automation. That is really the key thing around what organisations need to think about as they move forward. It's not really about what they can automate. That's going to be very, very quick to kind of get to grips with and understand from a certainty standpoint. It's the orchestration where you're going to see enormous gains in efficiencies, when we start to look at the orchestration piece, David.

    DAVID: So automation's definitely got its place, and it's going to take away some of the more mundane, repetitive tasks, but you'd say that people need to be right front and centre with sort of the security processes and, you know, ensuring that your cybersecurity posture is acting right?

    ANDREW: Yeah, completely. Celerity is a great example; you guys understand automation. We've had these discussions. And, you know, it's one of those things that, you know, if you're an organisation, you need guidance when you start looking at how you mature into this. And this is the importance of having a relationship with somebody like Celerity. Right. Or IBM, because fundamentally, there are a lot of pitfalls for any organisation, regardless of the platform you're going to mature into, a SOAR platform or Cloud Pak for Security. So you need to have that strategic advisor in place, like Celerity, to help you to mature in the right and appropriate way. And how do you identify those data certainties and how do you identify what you should be orchestrating? And all of that is really underpinned by those KPIs. And this is really the importance around needing a partner to support that journey.

  • How to Achieve an overall view of an organisation's security posture

    DAVID: So we kind of touched on this a little bit earlier, but talking about there being numerous tools, especially disparate data locations, you know, is it possible to sort of connect the tools? And is there a way to get a really good overview of your cybersecurity posture in a nice, easy way?

    ANDREW: Yeah, definitely. I mean, I think this is really where, you know, from an IBM standpoint, Cloud Pak for Security really comes in. Right. It's about, as we kind of discussed and touched on very lightly, that federated search, APIs and data lakes. They all have their place in an organisation, but they all have their own specific, you know, value proposition. Where organisations need to mature towards is about being able to query data on the fly. OK, if they're midway through an investigation, pulling that data and being able to look at multiple different disparate sources and using that to then help to contextualise in so many different ways. Right. Data Explorer, a part of Cloud Pak for Security, is one component within the platform. But there are also things like the asset data, risk asset and connected asset and risk database within the platform that allow you to actually identify those particular assets, understand the risk actually associated with these devices, look at what the vulnerabilities are with those. You know, what CVEs do we have running on those endpoints? What are the patch levels? Do we need to start thinking about those particular platforms, and actually then translating that from an operational level to actually a business level impact? And really, when we think about cybersecurity, cybersecurity has always been seen as very much this neighbourhood. Right. I think we can all empathise with that. You know, we're scrutinised on how much money we're spending and what's the value we get back from that. But really, you know, it's how do we convey that message? How do we really join the dots to say, you know, this is the impact that we have on the organisation. This is what we're doing day by day, protecting our business and giving you essentially a baseline. Right. This is our current level of security posture. This is how many devices are compliant. This is how many were affected, and then using things like automation to automatically go and push off to, let's say, Red Hat Ansible to then automate the updating of those devices. So, you know, one platform tool that's completely modularised with that type of security can make an absolutely enormous impact on the actual risk posture of an organisation and demonstrate that at a very senior level as well, which I think is actually something, again, I didn't mention at the start, but it's probably another key challenge that organisations are faced with: actually the translation of that risk to a business level.

  • Advice when looking to automate cyber security

    DAVID: Definitely. Well, thanks for that, thanks for that overview of Cloud Pak for Security in particular. So just before we leave, Andy, have you got any advice for any of the viewers who may be looking to automate some parts of their own cybersecurity?

    ANDREW: Yeah, definitely. So I've got two points of recommendation. So the first thing is, if you want to try and identify what you can automate, think about where you have elements of that data certainty we spoke about. Now the key thing here is it all starts around process. OK, so the first recommendation, really, part of that is really nailing down your process when you're looking at the investigation of an incident. Understand what's the playbook? What's the process you need to follow? And really understand, is that as efficient, as effective as possible? Once you've done that, you can then start to identify at what points you have that certainty and at what points you don't. You can then use that data, whether it's underpinned by KPIs, you know, how effective you are responding to that, to then start to calculate what would be the efficiency gains if we were to automate that process. And that becomes your business justification that helps you to identify this is what we need to be prioritising and these are the integrations we're going to do to help us get that. And that's my first bit of advice, if you really want to start going down that journey. Now I think the more important bit of advice is that really this is one of those particular, you know, journeys that organisations are going to start going on regardless of your level of maturity. And you need to do that with a strategic partner. There are plenty of pitfalls around going down routes of automating too much, not automating, you know, enough. And this is why, again, the importance of having somebody such as Celerity to really support you with that journey as you go forward with that. So good luck, everybody, and reach out if you've got any questions.

    DAVID: Yeah, great, Andy, some great points there. I think we all know what can happen if a cyberattack occurs. We know some of the costs. We get some of the average costs. But I imagine it's always going to be a bit of a battle trying to justify to the board how your security is performing and where you need to be investing in the future. So 100 percent agree with what you're saying there. All right, Andy. It was a pleasure, as always, to talk to you. Thanks for coming on and talking to us about improving security with automation. And that's all we have time for in today's episode. Please join us next time for more Security Panels. And as ever, please reach out to Celerity for any of your cybersecurity needs. Until next time, stay secure!