Automation is an area where IT has always been somewhat nervous, and historically this is with good reason. In the past, I worked for two antivirus vendors where a weekly signature update was released that caused clients to overwrite legitimate files with zero-byte replacements. Even more recently, a vendor accidentally released an update which caused the antivirus software to flag Windows system files as malware and made them inaccessible to Windows!
By Lee Fisher, Security Specialist, Juniper Networks
I’m also pretty sure that most IT admins have a story somewhere in their history about how a software patch was deployed without testing, only to get a rather uncomfortable call at 2am from the CEO to say (probably quite loudly) that they were no longer able to access email or sales data.
Yet automation, to a reasonable extent, is well used today, in scripting and configuring, log gathering, provisioning software and deployments, and even automated security signature updates – these are relatively simple tasks, and in most cases, include a degree of testing first. What connects these areas of automation together is what they ‘do’ – they follow the plan laid down by us – admins who have pre-determined ‘what’ the automation tool sets out to accomplish.
Where businesses have been less enthusiastic about adopting automation is utilising it in ‘response’ processes – the notion that the machine will do something based on its own determination, has weighed on the mind of the IT department and has prevented automation from being widely implemented in this area. Arguably, truly creative use of automation in the fight against cyber-crime has been somewhat limited as a result.
This needs to change. The truth is that businesses are already fighting off automation used by cyber-criminals. In February 2017, over 94 million pieces of malware were registered by Symantec; these were not written by 94 million malware developers – or even by 94,000 developers coding 1,000 pieces each. For this amount of malware to be released, it had to have been automated.
This sheer weight of numbers is an effort to bypass the typical defences that are implemented today. Security models are typically built around ‘time’ today. It takes time for a research organisation to discover, analyse, identify, update and then provide that update to customers – who then have to deploy the update. This ‘time’ is very likely to be longer than it takes cyber-criminals to develop and distribute malware, especially if – as we saw with WannaCry – the customer also needs to deploy several patches to be fully protected. Cyber-criminals are exploiting automation to the fullest, to the point where they have even commercialised their offerings to others for sale – automation is actually built into the design – and the result is vulnerable businesses, trying to fight automated threats with semi-automated security solutions.
IT Security teams are already over-burdened. (ISC)2, a non-profit security advocacy group, reported an estimated shortfall of 1.5 million cyber security professionals by 2019 and many organisations surveyed stated it could take six months to identify qualified candidates.
So how do businesses need to change? Can businesses separate the roles of human and machine to both reduce the burden on IT professionals and improve security at the same time?
Let’s consider this analogy Nobody knows you better than you, and it’s the same with your business and your data – no other business, no criminal, no competitor – no one knows your business, what’s normal and what’s not normal, better than you.
In other words, businesses need to start to use the data it holds within the business, to protect the business. Doing more than merely collecting logs, it needs to turn ‘data into wisdom’ by taking the information and correlation of a myriad events, that in turn can provide knowledge about what’s normal and what’s not – and wisely using that knowledge to incrementally improve security within the business.
Incremental improvements include identifying tasks which can be automated for the security team, meaning that they no longer spend time watching log files and instead will be promptly alerted to unusual activity. Take the WannaCry ransomware as an example. This malware was atypical of human behaviour in two ways:
1. Writing large numbers of files on local drives within a short period of time
2. Multiple and frequent connections over certain (SMBv1) network protocols to find other vulnerable hosts to attack
What security teams need are actionable insights: drawing those data points from behaviour, rather than relying on an out-of-date approach that looks to pattern-match a file in memory, on disk, or on the network – and then create a controlled response to that behaviour, preventing future threats from spreading within the network with little to no maintenance.
This dynamic, machine-automated security system can take the strain and allow the security team to increasingly focus on determining what is and isn’t normal – and improving that understanding incrementally over time.
Thus, the machine is doing what it does well – processing large, repetitive amounts of data, based on human, business-specific rules, to help identify and prevent known attack methods, rather than relying on the pattern-matching, ‘time’ to defend-based approach.
This leaves the user to focus time on what is more difficult for a machine to work out – lateral thinking that identifies a new, innovative attack method. New rules can be created, built on new knowledge, and utilizing that wisdom to incrementally improve the security posture of the business.
Is there a new appetite for automated security? Well, I think the mind-set is changing. Businesses are already looking at ways to increase the use and scope of the data it holds to help improve and drive engagement with customers through the use of big data initiatives and the analytics associated with it – and the consumer is also seeing convenient benefits in the use of analytics.
After all – it’s quite a simple question really:
Do we continue to merely maintain security and hope for the best, or use the wisdom of the data across the business to incrementally improve security for the business?
I think the answer is pretty obvious.