The Importance of Context in Cybersecurity Automation

All cybersecurity professionals recognize the potential of automation. The faster we can detect and respond to potential or actual threats, the harder we can make it for attackers. In day-to-day security operations, though, we’ve still only scratched the surface of what can be achieved with automation.

Many security tools promise it, but they can only support a limited number of use cases. The protection provided by some security automation can also be transient rather than permanent—its effectiveness can decrease with technical drift.

Cybersecurity Automation in Development and in Security Operations

With DevOps and DevSecOps, automation is becoming ubiquitous with the adoption of infrastructure as code (IaC). Automating security best practices when new software is first deployed in development is certainly very effective. Yet, it is only effective at an atomic level, as it secures a specific software module, application, or compute node in isolation.

Equally, it can’t do much to mitigate new risks that emerge later with subsequent changes in context. The overall effectiveness wanes with inevitable drift in the environment. For example, it doesn’t provide for any adjustment to a sensitive new dataset being added to the network, a new firewall rule being opened that allows access to a different port, or the opening of a new ingress to support a new service.

Similarly, there has been progress in security operations. Notably in threat detection and incident response, automation is driven today by Security Orchestration, Automation and Response (SOAR) and other tools. This has been instrumental in reducing mean time to detect (MTTD) and mean time to respond (MTTR) rates.

The picture here is also mixed, though. When a scenario is entirely familiar and the unfolding sequence of events is entirely predictable (in other words, where there is sufficient context), automation in security operations delivers on its promise.

However, with more complex or unknown attacks, where there is a significant risk that one of the beginning, middle or end phases of an attack may deviate from a familiar context or known playbook, smart SOC teams don’t dare to automate a response. As Allie Mellen, Senior Analyst with Forrester, said, “The ‘autonomous SOC’ is a pipedream.”

The Untapped Opportunity for Automation in Security Posture Management

As security teams hit the limits of the current possibilities for automation in DevSecOps and security operations, the emerging, largely untapped, opportunity lies in automating the correction of environmental drift with cyber asset attack surface management (CAASM).

The maturity of an organization’s security posture depends heavily on the visibility the security team has into its own attack surface—and how dynamically drift from the desired state can be corrected. Poor cyber asset, or posture, management exacerbates, or even causes, security incidents.

Consistent with prevention being better than cure, CAASM drives the automated remediation of risks as they first arise—and at scale. It allows security coverage gaps or toxic combinations created through changes in context to be mitigated before they can develop into security incidents. It also improves the signal to noise ratio in threat detection and response, driving further reductions in MTTD and MTTR.

CAASM doesn’t just drive continuous monitoring and automated adjustment of the posture of compute assets. It covers the full range of non-compute assets in the environment as well. This includes networks and network infrastructure, sensitive datasets, software components and services, people with varying levels of access, vulnerabilities, etc. And it’s the complex and dynamic relationships between all these assets, scattered across different on-premises and cloud environments, that generate cyber risk.

The barrier to automation in attack surface management (ASM) isn’t the security tools themselves. It tends to be that the metadata for gaining richer context is insufficient, unreliable or both. Therefore, further manual investigation is usually needed to improve the quality of the metadata.

For example, automating endpoint configuration should be straightforward in principle. But in practice it isn’t unless you know which systems are not configured correctly. And that requires visibility into their full context – the network they’re on, their location, function, access to sensitive data, etc.

By automating the continuous tracking and assessment of changes in the environment through CAASM, teams can now access a comprehensive, accurate, up-to-date view of their environment. With that kind of high-fidelity, granular understanding of assets, context, and the relationships between them, organizations can exploit the power of automation beyond development and operations and into understanding and reducing their attack surface and cyber risk.

For more information on the benefits that CAASM can provide, and how automation is a critical part of that process, check out our eBook: ‘Making the case for CAASM’.
