Why is it that virtually all aspects of IT operate at near real time EXCEPT security? You can spin up a new server on demand or create a new database in a couple of minutes, but anything that has to do with the security policy can take weeks—or longer.
It all goes back to a peculiar distrust of automation when it comes to enterprise security. IT pros don’t want to deal with the flak from the sales director who got locked out of a remote connection she needed for a client presentation because the IPS solution perceived it as a suspected intrusion. Or grief from the account manager who has “always” had access to a business application that now says he is no longer authorized to use.
So instead, they continue to trust manual systems to identify and respond to potential threats. This is, demonstrably, not a good choice. Ask the folks at Target or Community Health Systems or Home Depot or JP Morgan Chase or . . . you get the idea. These are sophisticated companies, with outstanding—but very busy—IT teams. In several of those cases, their security infrastructure did detect potentially malicious activity, but closing off access required manual action. And that didn’t happen until weeks after the initial incursion because that’s how long it took for the security teams to evaluate the alerts, verify the problem and shut down access.
So, on the one hand, you may irritate some folks you work with, some of whom may sign your paycheck, with a little overzealous protection. On the other hand, you may let in hackers who steal the credit card or personal identifier information of millions of customers because you don’t recognize an attack quickly enough. Either way, it’s been a bad spot for the IT team.
Except now, it’s not. A few recent developments have tipped the scales toward automation (without risking your job). These include:
Increased reliability: Initial versions of automated tools suffered from a high rate of false positives that led to automatically shutting down perfectly innocuous connections. Improvements in the technology have reduced those so that security teams can have greater comfort that these tools work as advertised.
Increased demand: Security teams have to make more changes more often than ever, with the same or fewer resources. No wonder that two-thirds of respondents to our State of Network Security Survey said they were constrained by time-consuming manual processes—they’re managing more applications with rapidly evolving threats across a hybrid onsite/cloud environment with limited visibility. Manual processes just can’t keep up.
Increased infrastructure diversity: Whether accommodating BYOD or implementing advanced malware protection, more/new/better technologies and business models are streaming into the security environment, but older technologies remain, as well, and they also need to be kept up to date and in compliance.
I’ve seen more and more companies making the shift toward greater automation, particularly in the IPS/IDS area where they’ve (finally) opted to enable prevention as well as detection. More businesses are also choosing to push security policy automatically to their firewalls after years of resisting fully automating the change process.
If you’re considering automating more of your security functions, here are a few tips:
Start with repetitive manual processes: If you are reviewing the same data and making the same decision time after time, consider programming software with that logic—or getting an off-the-shelf solution that will do it for you.
Run a pilot program: Trusting an automated solution can be a little nerve-wracking, so give yourself a safe zone to test it out before implementing it across the entire network. Try it in a live but non-critical business segment first and work out any kinks. By the time you roll it out, you’ll know you can trust it. You’ll sleep better.
Ensure visibility: Even if you fully trust the solution, you want to be able to see what it’s doing or has done. If you’ve automated more of your security and the solution blocks a malicious attack—think Home Depot—you’d want to know your POS had been compromised. But wouldn’t you rather see an alert that said an attack was shut down, even weeks after it happened, than find out you’d been hacked when customer credit card numbers hit the black market?