Automation is an area where IT has always been somewhat nervous, and historically with good reason. In the past, I worked for two anti-virus vendors where a weekly signature update was released that caused clients to overwrite legitimate files with zero-byte replacements. Even more recently, a vendor accidentally released an update which caused the anti-virus software to flag Windows system files as malware, and made them inaccessible to Windows!
I’m also pretty sure that most IT admins have a story somewhere in their history about how a software patch was deployed without testing, only to get a rather uncomfortable call at 2am from the CEO to say (probably quite loudly) that they were no longer able to access email or sales data.
Then, of course, there are those technologies which sound great at deployment but, in practice, become an absolute headache. For example, the much-vaunted protection offered by early IPS (intrusion prevention systems) in practice produced so many false positives that it was rarely useful.
Yet automation is already well used, within reasonable limits, for scripting and configuration, log gathering, software provisioning and deployment, and even automated security signature updates. These are relatively simple tasks, and in most cases they include a degree of testing first.
What connects these areas of automation is what they 'do': they follow a plan laid down by us, the admins who have pre-determined 'what' the automation tool sets out to accomplish.
Where businesses have been less enthusiastic is in applying automation to 'response' processes. The notion that the machine will act on its own determination has weighed on the mind of the IT department and has prevented automation from being widely implemented in this area. Arguably, truly creative use of automation in the fight against cybercrime has been somewhat limited as a result.
This needs to change. The truth is that businesses are already fighting off automation used by cyber-criminals. In February 2017, over 94 million pieces of malware were registered by Symantec; these were not written by 94 million malware developers, or even by 94,000 developers coding 1,000 pieces each. For this amount of malware to be released, its production had to be automated.
This sheer weight of numbers is an effort to overwhelm the typical defenses implemented today, because those defenses are built around 'time'. It takes time for a research organization to discover, analyze and identify a threat, build an update and deliver it to customers, who then have to deploy it. That total time is very likely to be longer than it takes cyber-criminals to develop and distribute new malware, especially if, as we saw with WannaCry, the customer also needs to deploy operating system patches to be fully protected.
Cyber-criminals are exploiting automation to the fullest, to the point where they have commercialized their tooling for sale to others, with automation built into the design. The result is vulnerable businesses trying to fight automated threats with semi-automated security solutions.
Businesses need to start using the data they already hold to protect themselves. That means doing more than merely collecting logs: turning 'data into wisdom' by correlating a myriad of events into knowledge about what is normal and what is not, and then using that knowledge to incrementally improve security within the business.
Incremental improvements include identifying tasks which can be automated for the security team, so that they no longer spend time watching log files and are instead promptly alerted to unusual activity. Take the WannaCry ransomware as an example. Its behavior differed from that of a normal user in two measurable ways:
- Writing (encrypting) large numbers of files on local drives within a short period of time
- Making many rapid outbound SMBv1 connections (TCP port 445) to find other vulnerable hosts to attack
What security teams need are actionable insights: detections drawn from behavior like this, rather than an out-of-date approach that tries to pattern-match a file in memory, on disk or on the network. Once the behavior is identified, a controlled, pre-agreed response can follow, preventing the threat from spreading within the network with little to no ongoing maintenance.
This dynamic, machine-automated security system can take the strain and allow the security team to focus on determining what is and isn't normal, and on improving that understanding incrementally over time.
Thus the machine does what it does well: processing large volumes of repetitive data against human-written, business-specific rules to identify and block known attack methods, instead of relying on pattern-matching and a 'time to defend' approach. This leaves people free to focus on what is harder for a machine to work out: the lateral thinking that identifies a new, innovative attack method. New rules can then be created from that new knowledge, incrementally improving the security posture of the business.
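The following is an added example, not code from the original article or from any vendor it mentions. It runs a sliding-window, rule-based detector over constructed endpoint and network log lines to catch the two WannaCry traits described above (a burst of file writes on one host, and one host fanning out to many distinct targets on TCP/445), and then maps each alert to a controlled response. The log format, host names, thresholds and response action names are all assumptions for illustration; real tuning depends on what is normal in your own environment.

```python
# Added example (not from the original article): a minimal behaviour-based
# detector for the two WannaCry traits discussed in the text, run over
# constructed log lines. Log format, thresholds, host names and response
# action names are assumptions for illustration only.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window length (assumed tuning value)
FILE_WRITE_THRESHOLD = 50        # file writes per host within WINDOW (assumed)
SMB_FANOUT_THRESHOLD = 20        # distinct TCP/445 targets per host within WINDOW (assumed)


def parse_line(line):
    """Parse a constructed log line: '<ISO timestamp> <event> <host> <detail>'."""
    ts, event, host, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), event, host, detail


def detect(lines):
    """Return alerts as (rule, host, first_seen) tuples, at most one per host per rule."""
    writes = defaultdict(deque)  # host -> timestamps of recent file writes
    smb = defaultdict(deque)     # host -> (timestamp, dst) of recent outbound 445 connections
    alerts, fired = [], set()

    def fire(rule, host, ts):
        if (rule, host) not in fired:
            fired.add((rule, host))
            alerts.append((rule, host, ts))

    for line in sorted(lines):  # identical-format ISO timestamps sort chronologically as text
        ts, event, host, detail = parse_line(line)
        if event == "FILE_WRITE":
            q = writes[host]
            q.append(ts)
            while ts - q[0] > WINDOW:  # drop writes that have fallen out of the window
                q.popleft()
            if len(q) >= FILE_WRITE_THRESHOLD:
                fire("mass_file_write", host, ts)
        elif event == "NET_CONN":
            dst, dport = detail.rsplit(":", 1)
            if dport != "445":  # only SMB fan-out (TCP/445) is of interest for this rule
                continue
            q = smb[host]
            q.append((ts, dst))
            while ts - q[0][0] > WINDOW:
                q.popleft()
            if len({d for _, d in q}) >= SMB_FANOUT_THRESHOLD:
                fire("smb_fanout", host, ts)
    return alerts


def plan_response(alerts):
    """Map alerts to pre-agreed containment actions (hypothetical action names)."""
    actions = defaultdict(set)
    for rule, host, _ in alerts:
        if rule == "smb_fanout":
            actions[host].add("block_outbound_445")
        if rule == "mass_file_write":
            actions[host].add("suspend_writing_process")
        actions[host].add("isolate_host")
    return {host: sorted(acts) for host, acts in actions.items()}


def build_sample_log():
    """Constructed sample: a quiet workstation (ws-01) and one behaving like WannaCry (ws-07)."""
    base = datetime(2017, 5, 12, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    # ws-01: a handful of document saves and repeated connections to one file server.
    for i in range(5):
        lines.append(f"{stamp(i)} FILE_WRITE ws-01 C:\\Users\\alice\\report{i}.docx")
    for i in range(3):
        lines.append(f"{stamp(10 + i)} NET_CONN ws-01 10.0.0.5:445")
    lines.append(f"{stamp(20)} NET_CONN ws-01 10.0.0.9:443")
    # ws-07: 60 writes in 60 seconds, then 25 distinct hosts probed on 445 in 25 seconds.
    for i in range(60):
        lines.append(f"{stamp(i)} FILE_WRITE ws-07 C:\\Users\\bob\\doc{i}.WNCRY")
    for j in range(25):
        lines.append(f"{stamp(10 + j)} NET_CONN ws-07 10.0.0.{100 + j}:445")
    return lines


if __name__ == "__main__":
    found = detect(build_sample_log())
    for rule, host, ts in found:
        print(f"{ts.isoformat()} {rule} on {host}")
    print(plan_response(found))
```

Both rules fire only for ws-07, because the quiet workstation's three connections all go to the same file server and its five writes never approach the threshold; that is the point of counting distinct targets and writes per window rather than raw event volume. The `plan_response` step is where the 'controlled' part of the response lives: the actions are fixed in advance by people, and the machine only selects among them.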
Is there a new appetite for automated security? Well, in answer to my earlier point about traditional reluctance in this area, I think the mind-set is changing. Businesses are already looking at ways to increase the use and scope of the data they hold in order to improve and drive engagement with customers, through big data initiatives and the analytics associated with them, and consumers are also seeing convenient benefits from the use of analytics. Applying the same thinking to security must surely only be a matter of time.