How is automation evolving to detect and mitigate cyber threats?
Automation is evolving to address cyber threats. Here's our take on how automation has impacted the stages of development, deployment, and operation/consumption of applications and technologies.
The modern enterprise is a complex hybrid environment, with applications, servers, and workloads in general running in on-premises data centers as well as in the cloud. In addition, the applications and technologies used for the management, security, and operations of those applications are not just commercial off-the-shelf (COTS), but in many cases homegrown. As a result, one way to look at how automation is evolving to address cyber threats is to look not just at how it has impacted the management, operations, and security of these applications, but also at how it has impacted in-house application development and deployment within many of these large enterprises.
In specific terms, here’s my view on how automation has impacted the stages of a) development, b) deployment and c) operation/consumption of applications and technologies.
a) Development: With the advent of DevSecOps and the wide adoption of the shift-left paradigm, application developers are looking at a fully automated and secured CI/CD pipeline. This helps them write secure code without having to re-invent key pieces such as Identity and Access Management (IAM) for each application; instead they can easily hook into the identity and access management system that their organization already has. This ensures that developers incorporate secure best practices in the development stage, resulting in applications that are ready to be plugged into the IAM system, so that the right authentication and authorization policies are set up for the applications from day 1.
b) Deployment: This comes with many choices: on-prem (private cloud, hosted private cloud), hybrid cloud, pure cloud, many architectural options (microservices-based, for example), and tools like Terraform and Ansible, which can completely automate the deployment of infrastructure through code (a.k.a. infrastructure as code). This equips IT and security ops teams with the right tools for deploying the various components with the right security policies. For example, when deploying a new web-based application, the installer automates the configuration of:
- Establishment of trust between systems and services to drive secure machine-to-machine communication
- Deploying perimeter-based security for access from within/outside the perimeter. This might involve spinning up firewalls and reverse proxies on the fly with a per-app policy.
- IAM systems (for access and governance security) for perimeter-less secure access, such that the application is protected with the right access policies for the various identities accessing the system. For example, the system may automate federation of the app with the IAM system, creation of roles, or assignment of pre-configured roles/groups/identities to the application based on the deployment policy for the app.
- Log and event collection feeding risk analytics and SIEM systems for continuous monitoring, and User and Entity Behavior Analytics (UEBA) for just-in-time access policy creation or deletion, or for inspection and investigation. Often this comes integrated with the IAM system.
- If some of the applications are in a public IaaS (such as AWS or Azure), configuring cloud access security brokers (CASBs) and establishing a connection with the IAM system, such that proper access-level policy changes can be made based on the fine-grained visibility coming from the CASB.
The above is far from being a comprehensive list of all the automation tasks that happen, but I did try to focus on some of the key steps critical in ensuring timely detection and mitigation of breaches.
c) Operation: This is by far the most vulnerable part of the lifecycle, and the one that puts to the test all the good work that has already gone into the development and deployment stages, including the integration with log/event analytics engines for continuous monitoring and risk assessment. This area has evolved by leaps and bounds in the past few years and is critical in the detection and prevention of attacks and breaches. Some of the highlights are:
- AI with ML has been applied very effectively in sifting through gargantuan amounts of data to establish identity profiles, which are then used for detecting not just anomalous but also malicious behavior.
- Evolving from being prescriptive (providing broad recommendations on how to mitigate cyber threats) to being directive (providing definite steps and automating them).
- Evolving from siloed, in many cases unsupervised, learning to a hybrid approach that combines human intelligence and inputs (supervised) with unsupervised learning.
- Automated orchestration of the configuration of adjacent and impacted systems to reduce the propagation of cyber threats.
- Automated notifications and mitigation steps (e.g. blocking access or reducing to least privilege). Robotic Process Automation (RPA) also brings efficiencies to this area.
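As an added illustration of the operations highlights above (not code from the original post or from any vendor product), the following Python sketches a minimal UEBA-style loop: it builds a per-identity profile from historical access events, scores each new event against that profile, and maps the score to an automated response ranging from notification to reducing the identity to least privilege. The events, field layout, and response tiers are constructed assumptions.

```python
# Added example: per-identity profiling with an automated response tier.
# All events below are constructed sample data; the tuple layout
# (identity, source_country, hour_utc, resource) is an assumption.
from collections import defaultdict

BASELINE = [
    ("alice", "US", 9, "crm"), ("alice", "US", 10, "crm"), ("alice", "US", 14, "wiki"),
    ("alice", "US", 15, "crm"), ("bob", "DE", 8, "billing"), ("bob", "DE", 11, "billing"),
    ("bob", "DE", 16, "wiki"), ("bob", "DE", 17, "billing"),
]

def build_profiles(events):
    """Learn, per identity, the countries, active hours and resources seen so far."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": set(), "resources": set()})
    for user, country, hour, resource in events:
        p = profiles[user]
        p["countries"].add(country)
        p["hours"].add(hour)
        p["resources"].add(resource)
    return profiles

def score_event(profiles, event):
    """Return a 0..3 anomaly score: one point per attribute outside the profile."""
    user, country, hour, resource = event
    p = profiles.get(user)
    if p is None:
        return 3  # never-seen identity: treat as maximal risk
    score = 0
    score += int(country not in p["countries"])
    score += int(not any(abs(hour - h) <= 1 for h in p["hours"]))  # tolerate 1h drift
    score += int(resource not in p["resources"])
    return score

# Hypothetical playbook tiers: the score decides how directive the response is.
RESPONSES = {0: "allow", 1: "notify", 2: "step_up_auth", 3: "reduce_to_least_privilege"}

def respond(profiles, event):
    """Map an event's anomaly score to the automated mitigation step."""
    return RESPONSES[score_event(profiles, event)]

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for ev in [("alice", "US", 10, "crm"), ("alice", "RU", 3, "billing"), ("mallory", "US", 9, "crm")]:
        print(ev, "->", respond(profiles, ev))
```

A production UEBA engine replaces the set-membership checks with learned distributions and feeds the chosen response back into the IAM system, but the profile-score-respond shape is the same.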
This post originally appeared in a Quora Q&A session hosted in January 2020. Our CPO Archit Lohokare was asked to discuss the state of cybersecurity, Zero Trust, artificial intelligence and machine learning, and working in the security field, among other things. Stay tuned as we share more of his answers on our blog!