Information Security

Posted Aug 7, 2009 | By David Bell, Systems Engineer, NetIQ

Operationalise the enterprise with security process automation

It’s common knowledge that the technology landscape is under constant evolution, and IT services are being forced to align ever more closely with organisational business drivers. The increasing number of mergers, acquisitions and layoffs has also intensified IT complexity and compounded the risk of security breaches.  

These challenges have forced organisations to deploy a range of technical solutions, from next generation firewalls and change control methodologies to the latest in host-based intrusion prevention technologies. Relief has only been short-term; the proliferation of point solutions has become an event management problem for security teams that are already overstretched and underfunded.

Budgets are unlikely to grow much during the next twelve months, and local IT personnel are on the hunt for ways to reduce the cost of security processes via existing operational expertise, solutions and capabilities. They want more from the capabilities they already have.  

However, IT security is not all gloom and despair; there is a light at the end of the tunnel. Using automation, tightly integrated across multi-vendor systems and management areas, CSOs have begun to realise that they can operationalise a large number of initial security event processes, freeing up experienced resources and cutting costs.

Integrate operational silos

Traditionally, automation is considered in terms of patch management and deployments. While that is part of the solution, today it is possible to automate critical security event management tasks, and integrate those processes across multiple systems and operational silos. This operationalises the security processes that tie up highly skilled and expensive security resources.

Security process automation ensures that correct procedures are followed, and that no event is mishandled or overlooked. Controls, such as audit records or segregation of duties between departments, can be automated to ensure compliance with industry or regulatory standards. Highly repetitive tasks are automated in order to cut labour and reduce training costs.  

The type of processes that lend themselves to automation could include:

  • Assigning alerts to the correct security administrators
  • Populating tickets in a ticketing system for incidents
  • Temporarily modifying the scope of monitoring on critical systems in response to a detected event or vulnerability
  • Responding to a password reset event
  • Approving new additions to a group with high privileges

Applying process automation to security events

Let’s use the last example in this list to illustrate how security process automation works. Approving new additions to a group with high privileges is a common event, which requires review and authorisation by either the business owner of that group or a security administrator. For example, a user might request access to a Microsoft Active Directory (AD) group, which calls for an administrative review and for the appropriate stakeholder to be notified.

The workflow is initially triggered when the Security Information and Event Management (SIEM) solution detects a change within the privileged group. The automation platform then forwards details about the security event to the administrator via email, along with a defined list of possible responses.  

In this instance, the administrator has the choice of responding with either an ‘allow’ or ‘reject’ message in text format via e-mail. As soon as the e-mail message is sent, the process automation technology either documents the acceptance (along with any additional details the administrator has included) or performs the appropriate remediation (removing the user from the group) and, most importantly, documents what has happened.

Handling this relatively simple event with process automation presents all the information necessary to make a quick decision, minimising the time involved in remediation. Rather than launching multiple tools and contacting other members of the security team to check on event specifics, the administrator can work from a single e-mail, confident that defined and agreed upon processes are followed.
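The privileged-group approval workflow described above, as an added example that is not code from the article or from NetIQ. The SIEM event, group names and e-mail replies are constructed sample data, and the remediation is recorded in a list where a real platform would call the directory; an ambiguous reply is never acted on but escalated and logged.

```python
"""Added example (not from the article or NetIQ): a minimal approval workflow
for a change to a privileged group. Event fields, group names and reply text
are constructed sample data."""
from dataclasses import dataclass, field
import re

# The defined list of responses the administrator may send back by e-mail.
ALLOWED_RESPONSES = ("allow", "reject")
REPLY_RE = re.compile(r"\s*(allow|reject)\b[\s:,-]*(.*)", re.I | re.S)


@dataclass
class GroupChangeEvent:
    """What the SIEM reports: who added which user to which group."""
    user: str
    group: str
    actor: str
    event_id: str


@dataclass
class Workflow:
    audit_log: list = field(default_factory=list)    # every outcome is documented
    remediations: list = field(default_factory=list)  # (user, group) removals to perform

    def notify(self, ev: GroupChangeEvent) -> str:
        """Build the notification mail with the event details and response list."""
        return (f"Event {ev.event_id}: {ev.actor} added {ev.user} to "
                f"privileged group {ev.group}.\n"
                f"Reply with one of: {', '.join(ALLOWED_RESPONSES)} "
                "(optionally followed by a justification).")

    def handle_reply(self, ev: GroupChangeEvent, reply_body: str) -> str:
        """Parse the administrator's reply; return the disposition taken."""
        m = REPLY_RE.match(reply_body)
        if not m:
            # Ambiguous or unknown reply: take no action, escalate and record it.
            self.audit_log.append((ev.event_id, "escalated", reply_body.strip()))
            return "escalated"
        decision, details = m.group(1).lower(), m.group(2).strip()
        if decision == "reject":
            # Remediation: remove the user from the group (placeholder hook here).
            self.remediations.append((ev.user, ev.group))
        # Both acceptance and remediation are documented with the admin's details.
        self.audit_log.append((ev.event_id, decision, details))
        return decision
```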

Three common forms of security process automation

Security programs of this maturity require an open-process, vendor-agnostic integration and automation platform. With the number of competing point solutions an enterprise is likely to have deployed, they must be able to integrate these technologies and processes regardless of the third parties and management teams involved. Typically, automated security event management focuses on the following areas:

1. Control and audit system configuration

Significant labour reductions can be achieved in configuration tasks, where the bulk of manual labour takes place. Multi-vendor environments make the appropriate configuration of critical data time intensive, especially around exceptions to policy and server configuration changes.  

This can be overcome by automating the assessment process, which integrates reports into security and IT processes for policy exception management, remediation and change management. Misconfigured systems are automatically identified as non-compliant, which initiates a service desk ticket and manages business exceptions, approvals and/or remediation. There’s no need for staff to get involved.

2. User activity management and compliance

Monitoring suspicious activity across multiple platforms and gathering analysis in real-time is a serious headache for compliance teams. The level of effort involved tends to make monitoring user activity impractical.

Security process automation relieves this pressure by automatically compiling an analysis of updated user information, notifying users for confirmation, and then escalating the incident for review or permission denials. Furthermore, integrating security processes among systems makes it easier to reduce event noise, track user activity and respond in real-time.  

3. Enforce change controls

Business evolution means all systems change over time, no matter how well configured. Known as “configuration drift”, this issue must be carefully managed to maintain strong security controls. Organisations have to quickly identify any changes that occur and correlate them with internal change control procedures.

Applying security process automation to this task goes beyond detection and reporting to, as an example, correlate changes on critical systems or applications with authorised change requests. This automatically revalidates the security of the system by triggering a configuration assessment, and/or escalating changes for review by business owners.

Automated benefits

Management and compliance drivers demand that security teams begin to implement higher levels of control associated with user monitoring, configuration assessments and the controlled delegation of authority. The tools that drive this typically provide data integration, but fail to integrate the activities that comprise the newly formalised processes. It is this lack of integration, along with an overly heavy focus on the specific technologies, that reduces or even stalls an organisation’s evolution towards a fully mature security program.

Enter security process automation, which reduces manual tasks to provide a more consistent response that lowers the chance of mishandled security events or overlooked policy compliance. It also captures and documents the tribal knowledge of managing critical technologies and complex applications, which mitigates potential risks from employee turnover.  

This approach, in which highly mature processes cross business functional areas and leverage IT operations that are already in place, is defining a move away from resource intensive security management towards a more strategic use of an organisation’s skilled personnel.
