In football, planning every move down to the smallest details is everything. Any coach worth his or her salt has a playbook of strategies and every move, as impulsive as it may seem, has been carefully calculated with perfect “If this, then that” precision, before it ever took place. Yet, although every play has been pre-charted, effective execution relies on the adaptability of players in the moment and a keen understanding of the adjustments that need to be made “in game”.
When it comes to the security of corporate data, it’s not all that different from football. In order to be ready for anything that comes your way, all aspects need to be planned and mapped out beforehand, automated with a predetermined course of action – in the vernacular, “IFTTT”. This security playbook is called automation and it’s an imperative part of keeping all parts of a security operation workflow moving together in precise and accurate motion.
Automation: It’s not all or nothing
In the complex corporate security environment, automation is increasingly the “go-to” answer for organizations lost in a sea of alerts, logs and data. For many, it’s the only way to address their most critical processes and it’s what keeps them moving from task to task in a fluid manner. But there is a danger in putting too much faith into automation and orchestration alone. Organizations often turn to automation looking for a technological cure-all for their security woes, but while they are very good at what they do (at least theoretically), many security professionals are wary of handing off their most critical processes to a black box that cannot make up for the human intellect element.
Machines are not people and as such, do not waiver from their predetermined playbooks, sometimes to the detriment of the goal at hand – that of keeping corporate data secure. As Gartner security analyst Anton Chuvakin points out. “There is – at this stage of security technology development, at least – GOOD AUTOMATION and EVIL AUTOMATION. Longer term, we will certainly see more automation and more domains of information security (cybersecurity, if you have to) covered by automation, BUT I’d be willing to bet anything that the profession of a security analyst will never be full automated.”1
In Forbes, Courtney Nash writes:
“From a security standpoint, automation provides infrastructure security, and makes it auditable. But it doesn’t really increase data/information security (e.g. this file can/cannot live on that server)–those too are human tasks requiring human judgement.”
Often, just like football’s receiver has to make a moment’s call and adjust strategies, relying on automation and orchestration alone is too rigid. To be truly useful, orchestration must become far more flexible and include people in those processes.
Flexibility in Automation
Semi-automation, in which team’s impact processes, creates the opportunity to define and refine the playbook’s rules. Teams know their own organization better than any template ever could, so orchestration needs to be a dynamic, malleable entity to be effective, with people influencing and overseeing the process. Chuvakin also states that: “To mitigate its “evil effects” while preserving the benefits, look at “semi-automated” or assisted mode with human influence in the loop where the automation gathers all the information and then a human makes one simple call with all available data.”2
Flexibility within automation allows teams to strike a balance between convenience and intellect, complementing and augmenting the human element, rather than replacing it. When incorporating flexibility into the automation process, a typical scenario could go something like this:
The automated process and human intellect work together to create a dynamic, adaptable security infrastructure. Properly implemented the right balance of man/machine mix help validate the relevancy of alerts – allowing analysts to close/eliminate cases more quickly and make sure analysts only look at cases that actually matter while getting rid of the “noise”.
Because maintaining varying degrees of flexibility is in part dependent on the ability to navigate effectively across the security infrastructure, teams need tight integration with other security tools – the tighter the integration of all tools from end to end, the greater the ability to traverse between automation and human investigation. By allowing an easy switch from manual to automatic – SOC teams are able to slowly shift towards a greater degree of automation as they build trust in their predefined workflows and processes.
Finding the perfect balance between human intellect and predetermined moves is a bit of an art form, just like in football. Flexibility within automation, with the input of those people who know their processes best, is the key to complete security.
1,2 Gartner Analyst Blog, Security: Automate And/Or Die?, September 11, 2015, http://blogs.gartner.com/anton-chuvakin/2015/09/11/security-automate-andor-die/