James Todd, SecOps director at KPMG, describes his role as a merging of SecOps, security architecture, and cloud security. It is a particularly interesting crossing point with regard to automation.
“It’s at that intersection of the cloud environment, being very much aligned to deploying everything as code,” says Todd. “A lot of automation is a big part of that. Being able to take dynamic action within a cloud environment is much easier and well-versed than within a traditional data centre or on-premises environment. The controls available to us are much more dynamic.
“That doesn’t preclude us from being able to do things within security controls on the endpoint or within on-premises data centres, but it’s a different approach.”
Research from the Enterprise Strategy Group in October found that almost half (46%) of SOC teams are automating security operations processes ‘extensively.’ Alongside this, more than half (52%) of respondents agreed with the statement that security operations were more difficult now than two years ago.
It is not surprising, therefore, that getting automation to work within the security operations centre (SOC) is a major point of emphasis for KPMG. One note from the professional services firm last year insists that automation can have a ‘significant and positive impact on the effectiveness of CISOs and their teams.’ Another, a month later, put automation, alongside upskilling and diversity, as one of the three key approaches to bridging the cybersecurity skills gap.
Todd’s unit provides SecOps consultancy and operations for financial services organizations. There are two primary types of clients. The first is a company that has little in the way of security operations: either an organization that has grown in size and needs a more formal process, or a more established one that wants to tread the line between ‘dynamic change within their environment plus continuous change in the threat landscape,’ as Todd puts it. The second is an organization that needs to go to the next level, and this is where automation can come in.
“Once that established playbook or workbook has been created in relation to a particular threat, or a particular way that incidents are handled, we look then to introduce automated processes that reduce the repetitive task element within security operations initially, and then move to the higher end of automation and introduce some level of autonomy,” says Todd. “So, the SOC can react to threats in as near real-time as possible.”
Getting the balance right between automated tooling and human resources is a longstanding head-scratcher for executives. Writing in Security Week in November, Marc Solomon sums the problem up succinctly: ‘using automation to make your people more efficient and using your people to make automation more effective.’
The simplest part of automation, Todd explains, is the robotic process automation (RPA) element, which frees time for the SOC analyst to work on incident handling, threat hunting, and other vital tasks. The next step is to move towards technologies such as machine learning to lead to more intelligent decision-making – or machine-led decision-making. “The platform builds trust in those actions and understands the impact of a particular action playing out,” says Todd.
“If I see a particular indicator file within my environment that is correlated with threat intelligence, and I know the asset that has been targeted, that asset’s security posture and also its susceptibility to the attack that’s being aimed at it, I can then use machine learning to inform a number of decisions that I can take,” he adds. “All the way through from quarantining that particular asset, limiting its movement, playing out particular activities that allow us to gain some further intelligence.”
Todd references the influential MITRE ATT&CK matrix first released in 2015, which catalogues hundreds of tactics adversaries use across enterprise operating systems. While ATT&CK is not laid out in a particular linear order, the first category, ‘initial access’, is the point where an attacker gets a foothold in an organization’s environment. This is where Todd wants his team to be.
“The optimal goal for us is to get to a point where we’re taking action or intervening at the point that the attack is first observed within the cyber kill chain,” says Todd. “Really being slick around being able to observe and take action around the first point that an attacker tries to enter an environment.”
Todd, who is speaking about cloud security at the Cyber Security & Cloud Expo Global in London on December 1-2, adds that the most commonly used form of machine learning within cyber defenses is anomaly detection. Right now, that’s where automation is likely to stay.
“I think [where] the human element comes into it is that machine learning is good at spotting outliers and anomalies,” says Todd. “The decision making, certainly for the moment, will reside within the analyst, within the SOC.
“Those analysts [will] be codifying and transferring their well-proven, well-exercised playbooks, or converting those playbooks into an automated approach,” adds Todd. “But I don’t think that we’re quite yet at the time where we’ve got full autonomy on decision-making.”
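As an added illustration (not KPMG’s code or any product described here) of the codified playbook Todd outlines: correlate an observed indicator with threat intelligence and the targeted asset’s posture and susceptibility, then choose a response, while leaving containment decisions with the analyst unless autonomy has been explicitly enabled for well-understood assets. The indicator, CVE id, hostnames and scoring weights are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> (threat name, CVE it exploits).
# Hash and CVE id are placeholders, not real indicators.
THREAT_INTEL = {
    "sha256:deadbeef01": ("Loader.X", "CVE-0000-0001"),
}

@dataclass
class Asset:
    hostname: str
    criticality: int                 # 1 (low) .. 5 (crown jewel)
    patched_cves: set = field(default_factory=set)
    internet_facing: bool = False

@dataclass
class Decision:
    action: str                      # "enrich", "collect_telemetry" or "isolate"
    score: int
    needs_analyst: bool              # True = queue for SOC approval, do not execute
    reasons: list

def triage(indicator, asset, intel=THREAT_INTEL, auto_isolate_threshold=None):
    """Correlate an indicator with intel and asset posture, then pick a response.
    Containment is proposed, not executed, unless the caller has enabled autonomy
    above a score threshold and the asset is not a crown jewel."""
    match = intel.get(indicator)
    if match is None:
        return Decision("enrich", 0, False, ["no threat-intel match"])
    threat, cve = match
    score, reasons = 1, [f"indicator matches {threat}"]
    if cve not in asset.patched_cves:        # susceptibility to the attack aimed at it
        score += 3
        reasons.append(f"asset unpatched for {cve}")
    score += asset.criticality               # blast radius if the asset is compromised
    if asset.internet_facing:
        score += 1
        reasons.append("asset is internet-facing")
    if score < 4:                            # low risk: only gather further intelligence
        return Decision("collect_telemetry", score, False, reasons)
    autonomous = (auto_isolate_threshold is not None
                  and score >= auto_isolate_threshold
                  and asset.criticality < 5)   # never auto-isolate crown jewels
    return Decision("isolate", score, not autonomous, reasons)

if __name__ == "__main__":
    host = Asset("ws-0421", criticality=2, internet_facing=True)  # constructed host
    d = triage("sha256:deadbeef01", host)
    print(d.action, d.score, "needs analyst" if d.needs_analyst else "auto", d.reasons)
```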