Security Program Automation

I had a great conversation with a CISO colleague / mentor recently who told me that his biggest challenge is that his staff is swamped with repetitive tasks – things that should be automatible, but have not been for a variety of reasons. Many thanks to him for helping me organize my thoughts on this topic and sharing his successes in this area. This post will discuss the sorts of tasks that can be automated, the pros and cons of tools to help automation, better approaches, and why those approaches are worth investing in.

I generally see two main categories of automatible tasks in security: administrative tasks and operational tasks. Administrative tasks are things like periodically reviewing that all accounts are necessary and do not have more privileges than they require. Operational tasks are things like isolating a host on the network when it appears to be compromised. We could spend all day listing out additional examples of each — the better question is what examples do you see in your environment? Anyone working in a security program likely has a list of things that take up an inordinate amount of their time.

It is ironic that computers were meant to make our lives easier, yet they seem to have created more work for us with their ability to generate it at an ever increasing rate. The natural consequence of tools generating work is the creation of more tools to help automate that work. It is here the difference between operational and administrative tasks becomes important. Operational security tasks are generally being automated by a class of tools called Security Orchestration products. There are a bunch of players in this space, and Phantom — acquired by Splunk earlier this year — is the clear leader in the space. One of the distinguishing features of Phantom (and something I hope is not harmed by the Splunk acquisition) is the massive number of tools integrations in its ecosystem, making it much easier to interface with at least your COTS systems.

The tools that help with the more administrative tasks tend to be more workflow / compliance focused. They are good for automating periodic tasks, like “ensure that vendors have a current security assessment performed on an annual basis”, but they tend to do this by emailing the responsible parties annually to login to the tool and validate that the task is complete, sometimes requiring that associated artifacts are attached. While it is true that the vendor security assessments would need to be updated regardless, the tools are actually creating more work by requiring personnel to login to them, upload artifacts, and so forth. Automating administrative tasks tends to involve a lot more data integration.

Fortunately, data integration is something that countless technologists have tackled. The solution here lies in finding someone who can do this data integration. There are tools such as Extract, Transform, and Load (ETL) tools from the database world that could help, and people whose careers have focused in this area; in fact, such tools and people are probably overkill for the tasks seen in most security programs. Usually anyone with a bit of programming background can tackle it with a Python script or even an Excel macro (I long lamented the security implications of Visual Basic macros but cannot deny their utility, especially when trying to integrate data from four Excel workbooks). Since you already have a security person performing the task, the person doing the automation does not necessarily need that expertise, although it will typically be useful to have someone who understands infrastructure to be able to knowledgeably handle things like fields with mixed hostnames and IP addresses. When you combine automation and infrastructure, you get DevOps, which may or may not be an easier person to find than your security analysts. Of course, you need not be that specific — you may have great success finding someone knowledgeable about scripting and security or infrastructure who does not want to be “labeled” a DevOps person.

The good news is that any automation task will likely have a clear return on investment. Analysts can fairly easily estimate how much time they spend doing these tasks in a given unit of time, take that times their burdened salary, and you have how much is being spent on that task annually. For example, if an employee with a burdened salary of $200k spends 10% of their time on a task, spending $10k to automate that task will pay off in just six months. For any reasonably sized security program, you can probably pretty quickly automate an FTE worth of work. Outside of security, that may mean downsizing, but in security it more likely means covering that billet you haven’t been able to fill or ensuring that your staff can still get everything done even with the inevitable turnover. It hopefully will even mean that your analyst — no longer burdened by a tedious task — will now be able to put thought to deeper issues.

If you don’t have the security orchestration / scripting / data integration skills on your team and are finding DevOps people as hard to come by as security analysts, BuboWerks can help. Just fill out our contact form to set up a free discussion about how we can help automate your team. BuboWerks is agile enough to take on automating anywhere from one to one-hundred or more tasks, and can help with automating both operational and administrative tasks, leaving your security analysts to, well, analyze security.

Leave a Reply

Your email address will not be published. Required fields are marked *