AUTOMATION & ORCHESTRATION
The Future of Cybersecurity Automation & Orchestration
By Arleen Zank July 2017
IT'S NOT FREE
Investment in layers of cybersecurity for cloud implementations will effectively reduce the return on investment of the cloud by 5 to 10 percent, while performance of systems also diminishes by 5 to 15 percent.1
Cybersecurity automation and orchestration goes by many names: continuous monitoring (CM), continuous diagnostics and mitigation (CDM), and the Security Content Automation Protocol (SCAP). It is an essential element in effective digital risk management and in implementing risk-based cybersecurity solutions. Here is a look at innovations in this technology and at what the future of cybersecurity automation looks like. (If you are up for some patent geekery, we've added links to the patents associated with some of these innovations.)
A LITTLE BACKGROUND
Cybersecurity automation describes the practical reality that you need automated tools to collect salient information about your risk posture and the state of your environment, so that you can continuously monitor your information supply chain and understand your risk posture. Orchestration is the process of capturing, coordinating, normalizing, and presenting all the data and status information from all of your security tools and human cybersecurity analysts. Most firms have 6–7 different products to manage, each monitoring and reporting on a different aspect of the security of the digital enterprise. Cybersecurity automation and orchestration is the fundamental technology that enables risk managers and cybersecurity experts to see, and react to, threats and attacks in near real time.
CONTINUOUS MONITORING (CM) & CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)
The cornerstone of risk-based cybersecurity is the use of automation tools to implement continuous monitoring processes using continuous diagnostics and mitigation tools and technology. This is the primary mechanism for building and delivering cybersecurity automation and orchestration capabilities.
Continuous Monitoring and Continuous Diagnostics and Mitigation are similar, but they are not the same. Continuous Monitoring is the set of tools for watching, figuring out what is happening, and reacting. Continuous Diagnostics and Mitigation is the set of enabling tools that gives you something to watch: CDM creates the data, houses the rules, keeps track of your assets, and handles fixing and reporting.
Continuous monitoring includes:
- Maintaining a picture of an organization's security posture;
- Measuring security posture in light of the organization's acceptable risk posture;
- Identifying deviations from expected results (which implies you have technology in place to know what your expected results are);
- Providing visibility into information supply chain assets (a deep dive into your assets and components);
- Obtaining automated data feeds from your security infrastructure;
- Monitoring the ongoing effectiveness of security controls (there is no set it and forget it in this domain);
- Enabling prioritization of remedies and responses;
- Informing automated or human-assisted implementation of remedies and fixes; and
- Creating visualization tools so information supply chain managers and risk managers can see and understand what's going on (elaborate and colorful dashboards).
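As an added example, not part of the article or of any product it mentions, here is a minimal continuous-monitoring check in Python that implements three of the items above: it compares an expected posture with the state reported by automated feeds, treats a missing feed and an unknown asset as deviations in their own right, and orders the results so the highest-severity remedies come first. The asset names, control names, values and severity weights are all constructed for illustration.

```python
from dataclasses import dataclass

# Expected posture per asset (constructed sample; in practice derived from the
# organisation's configuration baseline and its accepted risk).
EXPECTED = {
    "web-01": {"firewall": "on", "ssh_root_login": "no", "patch_level": "2017-06", "av_age_days": 3},
    "db-01":  {"firewall": "on", "ssh_root_login": "no", "patch_level": "2017-06", "av_age_days": 3},
}
# State reported by the automated feeds (constructed sample). db-01 reported
# nothing at all, and lab-07 is a device the baseline has never heard of.
OBSERVED = {
    "web-01": {"firewall": "off", "ssh_root_login": "no", "patch_level": "2017-04", "av_age_days": 1},
    "lab-07": {"firewall": "on", "ssh_root_login": "yes", "patch_level": "2017-06", "av_age_days": 12},
}
# Severity (1-10) per finding type, used to order remedies (constructed weights).
SEVERITY = {"ssh_root_login": 9, "firewall": 8, "unknown_asset": 8,
            "missing_feed": 7, "patch_level": 6, "av_age_days": 4}


@dataclass
class Deviation:
    asset: str
    control: str
    expected: object
    observed: object
    severity: int


def meets(control, expected, observed):
    """True when the observed value satisfies the expectation for this control."""
    if control == "av_age_days":
        return observed <= expected           # signatures no older than N days
    if control == "patch_level":
        return observed >= expected           # YYYY-MM strings order correctly
    return observed == expected               # exact-match settings


def find_deviations(expected=EXPECTED, observed=OBSERVED):
    found = []
    for asset, controls in expected.items():
        if asset not in observed:
            # Silence is not compliance: a missing feed is itself a deviation.
            found.append(Deviation(asset, "missing_feed", "report", "none", SEVERITY["missing_feed"]))
            continue
        for control, want in controls.items():
            got = observed[asset].get(control)
            if got is None or not meets(control, want, got):
                found.append(Deviation(asset, control, want, got, SEVERITY[control]))
    for asset in observed:
        if asset not in expected:
            # There is nothing to compare its settings against yet, so the asset
            # is flagged for inventory before its individual controls are judged.
            found.append(Deviation(asset, "unknown_asset", "in baseline", "absent", SEVERITY["unknown_asset"]))
    # Highest severity first; Python's sort is stable, so ties keep discovery order.
    return sorted(found, key=lambda d: d.severity, reverse=True)
```

Note that lab-07's root login setting is not reported as a finding: an asset outside the baseline has no expected values, which is exactly why the list above puts asset visibility before deviation detection.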
CDM is the use of tools, including open source tools, to identify cybersecurity risks on an ongoing basis, prioritize those risks based on their potential impact, and enable cybersecurity personnel or automated processes to mitigate the most significant problems first.
CDM tools cover a wide range of areas and functional capabilities:
- Hardware Asset Management
- Software Asset Management
- Configuration Management
- Vulnerability Management
- Management of Network and Asset Controls
- Management of Trust Levels and People Granted Access
- Management of Security-Related Behavior
- Management of Credentials and Authentication
- Management of Account Access
- Preparing for Contingencies and Incidents
- Responding to Contingencies and Incidents
- Design and Build-in Requirements, Policy and Planning
- Deploying and Managing Security Policies and Controls
- Management of Audit Information
- Management of Operational Security
Broadly, automation and orchestration technologies are organized into the following domains:
- Vulnerability and Patch Management
- Event and Incident Management
- Malware Detection
- Network Management
- Software Assurance
- Information Protection | Data Loss Prevention
- Security Information & Event Management
- Configuration Management
- Asset Management
- License Management
- Management Dashboards
Orchestration is the integration of capabilities that enables humans to compile and understand the gigabytes of log file and alert data, and to turn it all into something useful. Without orchestration, risk-based cybersecurity, and knowing when your risk posture has changed, is a daunting task. Automation and orchestration technologies give humans a fighting chance to stay ahead of attackers and their increasingly complex and sophisticated attacks.
INNOVATIONS IN CYBERSECURITY AUTOMATION & ORCHESTRATION
Innovations in cybersecurity automation and orchestration have the potential to radically change and improve the way cybersecurity is accomplished, and to enable digital transformation and continuous delivery of new capabilities across the information supply chain. It is an essential component of successful digital transformation, information supply chain management and digital risk management. Here is a look at the innovations that may be game changers, the capabilities innovators are including in patented inventions: the areas to watch.
AUTOMATED RISK ASSESSMENT & SCORING
All risks are not created equal. The success of a risk-based cybersecurity strategy depends on being able to assess risk and determine how you want to manage it. Automated risk assessment and scoring innovations take a variety of forms. Some look at the complex set of risks associated with a cloud implementation using features such as:
- Cloud Service Risk — how your cloud service provider delivers security and what the attributes of that security are;
- Data Risk — how you share data, how your data is protected at rest and in transit, and your application development processes;
- User/Device Risk — how you manage your endpoints and the devices your users bring with them, and how you detect the presence of new devices or changes in the devices that are in your digital enterprise;
- Business Risk — the risks associated with your cloud service provider's audit and operational practices, and the risks associated with your provider in light of your business and mission;
- Legal Risk — risks related to data residence, legal protections provided by your cloud service provider, jurisdictional risks, intellectual property protection, and how data is handled in highly regulated industries that must manage critical data and privacy information in compliance with industry-specific regulations.
Other approaches continuously evaluate specific assets and measure them against compliance control frameworks using electronic identifiers, building multi-dimensional arrays of assets and risks and calculating complex scores. These models use machine learning and statistical modeling, in conjunction with a range of compliance techniques, to evaluate and score the environment in light of its risks. A number of innovators in this space are focused on the use of non-linear models as a more robust way to capture, assess, and score risks and to project the risk posture of the system.
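As an added example, not drawn from either of the patents discussed here, the following Python code turns the five cloud-risk dimensions listed above into a single score using a non-linear aggregation. Each dimension is given a likelihood in [0, 1]; a noisy-OR combination treats the dimensions as independent routes to compromise, so the result is bounded and saturates instead of growing linearly, and a plain average is kept alongside it for comparison. The service names, likelihoods and impact values are constructed, and the 0–100 scaling and the 1-to-5 impact scale are assumptions of this example.

```python
DIMENSIONS = ("cloud_service", "data", "user_device", "business", "legal")


def combined_likelihood(likelihoods):
    """Non-linear aggregation (noisy-OR): each dimension is an independent way
    the service can be compromised, so the chance of surviving all of them is
    the product of (1 - p_i) and the combined likelihood is 1 minus that."""
    survive = 1.0
    for dim in DIMENSIONS:
        p = likelihoods[dim]
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{dim}: likelihood must be in [0, 1], got {p}")
        survive *= 1.0 - p
    return 1.0 - survive


def linear_likelihood(likelihoods):
    """Baseline for comparison: the plain average of the five dimensions."""
    return sum(likelihoods[dim] for dim in DIMENSIONS) / len(DIMENSIONS)


def risk_score(likelihoods, impact, aggregate=combined_likelihood):
    """0-100 score: aggregated likelihood scaled by business impact (1..5)."""
    if impact not in range(1, 6):
        raise ValueError("impact must be an integer from 1 to 5")
    return round(100.0 * aggregate(likelihoods) * (impact / 5.0), 1)


# Constructed sample: two cloud services with per-dimension likelihoods.
SERVICES = {
    "crm-saas": {"impact": 5, "likelihoods": dict.fromkeys(DIMENSIONS, 0.2)},
    "file-share": {"impact": 4, "likelihoods": {
        "cloud_service": 0.1, "data": 0.6, "user_device": 0.2,
        "business": 0.1, "legal": 0.3}},
}


def rank_services(services=SERVICES, aggregate=combined_likelihood):
    """Highest-scoring service first, as a list of (name, score) pairs."""
    scored = {name: risk_score(s["likelihoods"], s["impact"], aggregate)
              for name, s in services.items()}
    return sorted(scored.items(), key=lambda item: item[1], reverse=True)
```

The two aggregations rank the sample services differently: five moderate exposures on crm-saas combine to a higher noisy-OR likelihood than file-share's one large exposure, while the average says the opposite. The caveat a practitioner should keep in mind is that noisy-OR assumes the dimensions are independent; where they are correlated (a provider's weak audit practice and its weak legal protections often travel together) it overstates the combined likelihood.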
Here are two patents in that space. The first is Skyhigh Networks' Cloud service usage risk assessment using darknet intelligence, US Patent 9,674,211, a relatively new patent granted June 6, 2017. Another approach is US Patent 7,752,125, Automated enterprise risk assessment; its inventor, Pravin Kothari, is founder and CEO of CipherCloud.
USER | ENTITY BEHAVIORAL ANALYSIS (UEBA)
User/Entity Behavioral Analysis (UEBA) is technology, usually software with some level of machine learning, that analyzes the behavior of an organization's insiders (employees) and of outsiders connected to its networks (such as third-party contractors, partners, customers or consumers), and flags security vulnerabilities across the organization's assets that hold sensitive data. In addition to analyzing user behavior, UEBA assesses the organization's entities, meaning endpoints (such as laptop computers, mobile devices and other connected devices) and applications, and identifies any unusual behavior coming from those entities. UEBA connects the behavioral information with the data collected about users and entities to uncover security risks that cyber criminals may exploit.
UEBA looks for normal and abnormal behavior. It helps detect rogue insiders who are going places they don't normally go and doing things they don't normally do. It is useful in detecting behavior that is disconnected, for example finding out why a set of credentials is being used to access the database when the owner of those credentials hasn't logged in from their usual endpoint or onto the network.
Splunk, a leading provider of real-time operational intelligence from machine data, holds US Patent 9,699,205, granted June 20, 2017. It covers a security platform that is "big data" driven and employs machine learning to perform security analytics. The platform performs user/entity behavioral analytics (UEBA) to detect security-related anomalies and threats, regardless of whether such anomalies or threats were previously known. It can include both real-time and batch paths (modes) for detecting anomalies and threats. By visually presenting analytical results, scored with risk ratings and supporting evidence, the platform enables network security administrators to respond to a detected anomaly or threat and to take action promptly.
More and more providers of digital transformation and information supply chain capabilities are focused on the increasing move to the cloud. Cloud Access Security Brokers are major consumers of UEBA technology.
TRUSTED MAN-IN-THE-MIDDLE — CLOUD ACCESS SECURITY BROKERS (CASB)
A cloud access security broker (CASB) is an on-premises or cloud-based security policy enforcement point placed between cloud service consumers and cloud service providers to combine and interpose enterprise security policies as cloud-based resources are accessed. Organizations are increasingly turning to CASBs to address cloud service risks, enforce security policies, and comply with regulations, even when cloud services are beyond their perimeter and out of their direct control. The value proposition of CASB capabilities is enabling security officers and risk managers to increase confidence in their organization's cloud service usage, policy enforcement and data protection.
ADAPTIVE MONITORING & PREDICTIVE ANALYTICS
Digging through the voluminous quantities of files, data and alerts from your SIEM system to look for malware and other nefarious activity is not a job for humans. Enter adaptive monitoring.
Adaptive monitoring uses artificial intelligence to identify new trends in all this data and the complex relationships within it. The technology enables finding, understanding, and reacting to patterns and non-linear relationships between and among the complex data sets in the environment. A non-linear relationship is one in which a change in one quantity does not correspond to a constant change in the other. The side of a square and its area are not linearly related: if you double the side of a square (2X), its area increases four times (4X).
When dealing with cyber attacks you are usually dealing with two rules of engagement. First, the attacker needs a physical path: an attack can only occur by following network connectivity and reachability. The attacker needs to get in. Second is the attack structure: the attacker needs a vulnerability that they can exploit. Adaptive monitoring, in conjunction with predictive analytics using the statistical techniques of data science, finds atypical usage patterns and peculiar activity that can be detected very early in the attacker's mission.
Adaptive monitoring and predictive analytics offer benefits in finding and mitigating masqueraders attempting to exfiltrate data using stolen insider credentials. Attackers masquerading as insiders are already past the cyber infrastructure's perimeter defenses and can obtain significant knowledge about the security policies in operation; they will try to circumvent the known policies, making it more difficult to observe their behavior using traditional intrusion detection and information loss prevention technology. While differentiating insider threat activity from normal usage activity is very challenging, masqueraders do not know exactly how their victim, the privileged user, uses the network resources. Adaptive monitoring and predictive analytics find atypical usage patterns that can be detected very early in the attacker's mission, giving security engineers a much broader range of options in preventing or managing an attack.
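As an added example serving both the UEBA section and the masquerader discussion above (it is not code from Splunk or any other vendor named here), the following Python code builds a per-user baseline from a window of constructed log events and then evaluates later events against it. It flags exactly the disconnected behavior the UEBA section describes, credentials used against a database without the owner's usual endpoint approach, plus two simple "usage the masquerader doesn't know" checks: an unusual hour and a database the user has never touched. Users, devices, timestamps, the log format and the eight-hour session window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a baseline window assumed to be legitimate, and a
# later window to evaluate. Format: ISO timestamp, source, action, key=value...
BASELINE_LOGS = [
    "2017-07-03T09:02:11 vpn login user=alice device=LAPTOP-A1",
    "2017-07-03T09:15:40 db query user=alice db=payroll",
    "2017-07-03T14:05:02 db query user=alice db=payroll",
    "2017-07-04T08:50:10 vpn login user=bob device=LAPTOP-B7",
    "2017-07-04T11:20:33 db query user=bob db=crm",
    "2017-07-05T09:01:00 vpn login user=alice device=LAPTOP-A1",
    "2017-07-05T10:30:12 db query user=alice db=payroll",
]
NEW_LOGS = [
    "2017-07-12T09:03:00 vpn login user=alice device=LAPTOP-A1",
    "2017-07-12T09:20:15 db query user=alice db=payroll",
    "2017-07-12T23:41:07 db query user=alice db=payroll",
    "2017-07-13T02:10:44 vpn login user=bob device=UNKNOWN-PC",
    "2017-07-13T02:12:09 db query user=bob db=payroll",
]

SESSION_WINDOW = timedelta(hours=8)   # assumption: how recent the endpoint login must be


def parse_event(line):
    ts, source, action, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source, "action": action}
    event.update(pair.split("=", 1) for pair in pairs)
    return event


def build_baseline(lines):
    """Per-user profile: devices they log in from, hours and databases they use."""
    profiles = defaultdict(lambda: {"devices": set(), "hours": set(), "dbs": set()})
    for ev in map(parse_event, lines):
        profile = profiles[ev["user"]]
        if ev["source"] == "vpn":
            profile["devices"].add(ev["device"])
        elif ev["source"] == "db":
            profile["hours"].add(ev["ts"].hour)
            profile["dbs"].add(ev["db"])
    return dict(profiles)


def detect_anomalies(profiles, lines):
    last_login = {}   # user -> (timestamp, device) of the most recent VPN login
    alerts = []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["source"] == "vpn":
            last_login[user] = (ev["ts"], ev["device"])
            continue
        profile = profiles.get(user)
        reasons = []
        login = last_login.get(user)
        # Credentials in use without the owner's usual endpoint approach.
        if login is None or ev["ts"] - login[0] > SESSION_WINDOW:
            reasons.append("no_endpoint_session")
        elif profile and login[1] not in profile["devices"]:
            reasons.append("unknown_device")
        if profile is None:
            reasons.append("no_baseline")
        else:
            if ev["ts"].hour not in profile["hours"]:
                reasons.append("unusual_hour")
            if ev["db"] not in profile["dbs"]:
                reasons.append("new_resource")
        if reasons:
            alerts.append({"user": user, "ts": ev["ts"].isoformat(),
                           "db": ev["db"], "reasons": reasons})
    return alerts


def run():
    return detect_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS)
```

A three-day baseline and an exact set of hours are far too thin for production use, where the profile would be a distribution learned over weeks, but the structure is the same: the analytics engine compares each new event against what the real user has established as normal, which is knowledge the masquerader does not have.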
AUTOMATED RISK MITIGATION & REMEDIATION
One of the more interesting approaches is to create isolation capabilities, essentially your own man-in-the-middle capability, that isolate users from interacting with nefarious content on the web while delivering what they are looking at as an image. This technology is interesting as it has the potential to protect against real man-in-the-middle exploits, drive-by exploits and phishing.
Basically it works like this. You install a secure server that authenticates your users and gives each a unique ID. The server then receives the user's input on where they want to go on the web. The secure server uses that input to reconstruct the commands that deliver the web content back to the secure server. When the response comes back, the server transforms the content, generates an image that represents the information the user was looking for, and sends it to the user's endpoint over a secure transmission. The innovation delivers a safe visual stream to users' devices, preventing any malicious content from ever reaching endpoints. Each web session is confined to a virtual container which is disposed of at the end of the session, eliminating malware persistence. According to its inventors at Fireglass, this innovation works on web content, email and documents, as well as on outbound malware command-and-control communications and data exfiltration. Fireglass protects against automated and scripted attacks including credential stuffing, man-in-the-browser, and cross-site scripting. (Fireglass holds patents on this approach.)
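As an added example that is not Fireglass's code or a description of its patents, the following Python sketch models the procedure just described: the broker issues a unique session identifier, keeps per-session state in a container that is discarded when the session closes, fetches the page on the user's behalf, and returns only a passive rendering to the endpoint. Rendering to a pixel stream needs a real browser engine, so the transformation here is a stand-in: it keeps the visible text and discards every script, style, form, link target and attribute. The URLs and HTML are constructed, and `FAKE_WEB` replaces the network fetch so the example runs offline.

```python
import secrets
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the open web so the example runs offline; a real
# broker would fetch the URL from inside its disposable container instead.
FAKE_WEB = {
    "https://example.test/news": (
        "<html><head><title>News</title>"
        "<script>alert('drive-by');</script><style>body{color:red}</style></head>"
        "<body><h1>Headline</h1><p>Body text with "
        '<a href="https://evil.test/x">a link</a>.</p>'
        '<form action="https://evil.test/steal"><input name="password"></form>'
        '<img src="https://evil.test/tracker.gif"></body></html>'
    ),
}


class PassiveRendering(HTMLParser):
    """Keeps visible text only: no tags, no attributes, no script or style
    bodies, so nothing executable or submittable survives the transform."""
    SKIP = {"script", "style", "noscript", "template"}

    def __init__(self):
        super().__init__()
        self.skip_depth = 0
        self.lines = []

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        text = " ".join(data.split())
        if text and self.skip_depth == 0:
            self.lines.append(text)


class IsolationBroker:
    def __init__(self, origin=FAKE_WEB):
        self.origin = origin
        self.sessions = {}                # session id -> disposable per-session state

    def open_session(self, user):
        sid = secrets.token_hex(16)       # unique, unguessable session ID
        self.sessions[sid] = {"user": user, "history": []}
        return sid

    def browse(self, sid, url):
        session = self.sessions[sid]      # KeyError: unknown or already closed session
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"refusing non-web URL: {url!r}")
        raw = self.origin[url]            # the only place untrusted content arrives
        renderer = PassiveRendering()
        renderer.feed(raw)
        renderer.close()
        session["history"].append(url)
        return "\n".join(renderer.lines)  # what the endpoint actually receives

    def close_session(self, sid):
        self.sessions.pop(sid, None)      # dispose of the container: nothing persists
```

The property worth checking is the one the paragraph claims: the endpoint never receives the script, the form, the tracking image or the link targets, only a representation it cannot execute, and once the session is closed its state is gone.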
ONE MORE THING
According to Andras Cser, principal analyst at the technology research company Forrester, additional layers of security over the top of cloud computing have an impact on both price and performance. Investment in layers of cybersecurity for cloud implementations will effectively reduce the return on investment of the cloud by five to 10 percent, while performance of systems also diminishes by five to 15 percent, depending on the processing requirements.
This table maps NIST 800-53 controls to cybersecurity automation and orchestration tools, organized around the key automation domains, showing the controls where this technology is useful in building your security architecture and risk management framework. How these innovations fit within the risk management framework is expected to evolve, but this is a good place to start.
Marked controls are those where Cloud Service Providers have corresponding responsibilities for implementing the control.
Vulnerability & Patch Management
Patch and vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within the digital enterprise and the information supply chain. Patch and vulnerability management tools are essential components of continuous diagnostics and mitigation and of cybersecurity automation and orchestration.
Vulnerability management and vulnerability scanning continuously identify, classify, remediate, and mitigate vulnerabilities. Patch management is the process of identifying, acquiring, installing, and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware, significantly reducing the opportunities for exploitation of bugs and weaknesses in the system. Patches also add new features to software and firmware, including security capabilities.
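As an added example, not from the article or from NIST's guidance, the following Python code performs the identification and prioritization steps of patch management described above: it matches a constructed package inventory against constructed advisories (placeholder ids, not real CVEs), compares versions numerically rather than as strings, and orders the work by severity weighted for internet exposure. The asset names, versions, fixed-in versions, severities and the exposure multiplier are all assumptions of this example.

```python
from dataclasses import dataclass


def parse_version(version):
    """Dotted numeric version -> tuple of ints, so "1.10.3" sorts above "1.9.9".
    Assumption: purely numeric dotted versions. Packages with epochs, letters or
    release suffixes need the package manager's own comparison routine."""
    return tuple(int(part) for part in version.split("."))


# Constructed inventory: which packages, at which versions, on which assets.
ASSETS = [
    {"name": "web-01", "internet_facing": True,
     "packages": {"nginx": "1.10.3", "openssh": "7.4.0"}},
    {"name": "db-01", "internet_facing": False,
     "packages": {"nginx": "1.12.1", "postgres": "9.6.2"}},
]
# Constructed advisories with placeholder ids (not real CVEs) and a CVSS-style
# base severity; any installed version below fixed_in is affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "nginx", "fixed_in": "1.12.1", "severity": 7.5},
    {"id": "ADV-PLACEHOLDER-2", "package": "openssh", "fixed_in": "7.5.0", "severity": 9.8},
    {"id": "ADV-PLACEHOLDER-3", "package": "postgres", "fixed_in": "9.6.3", "severity": 5.3},
]


@dataclass
class Finding:
    asset: str
    package: str
    installed: str
    fixed_in: str
    advisory: str
    priority: float


def prioritize_patches(assets=ASSETS, advisories=ADVISORIES, exposure_multiplier=2.0):
    """Identify affected packages and order them by severity, weighted up for
    internet-facing assets (the multiplier is an assumption of this example)."""
    findings = []
    for asset in assets:
        weight = exposure_multiplier if asset["internet_facing"] else 1.0
        for adv in advisories:
            installed = asset["packages"].get(adv["package"])
            if installed is None:
                continue                      # package not present on this asset
            if parse_version(installed) < parse_version(adv["fixed_in"]):
                findings.append(Finding(asset["name"], adv["package"], installed,
                                        adv["fixed_in"], adv["id"],
                                        round(adv["severity"] * weight, 1)))
    return sorted(findings, key=lambda f: f.priority, reverse=True)
```

The version comparison is the part that bites in practice: compared as strings, "1.10.3" sorts below "1.9.9", which would silently mark an unpatched package as fixed. Note also that db-01's nginx at exactly the fixed-in version is correctly not reported.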
These are the controls where vulnerability and patch management tools are applicable:
Read NIST's Patch Management Guidance.
Event & Incident Management
Event and incident management systems define, collect and manage the raw data about what's going on in your information supply chain. These tools assemble the information that is fed into other systems and/or used to orchestrate continuous monitoring of your digital enterprise. There are two sets of tools that are used for event and incident management. They are mapped to the corresponding controls below.
Logging & Log Management
Log management aggregates data from many sources, including network and security devices, servers, databases, and applications, providing the ability to consolidate monitored data to help avoid missing crucial events. The data collected directly correlates to your specific configurations, architectures, endpoint and user access and authentication capabilities. These log files feed other automation and orchestration tools to enable continuous assessment of a system's or information supply chain's risk posture and wellness.
Read NIST's IDPS Guidance.
Malware Detection
Malware, a portmanteau for malicious software, is the contemptible amalgam of hostile and intrusive software: computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and phishing tools designed to be covertly inserted into your information supply chain to destroy data; compromise the confidentiality, integrity, or availability of your data, applications, or operating system; and generally mess up your systems, ruining your day, your weekend and your appearance at the next board meeting.
Malware is the most common external threat to most digital enterprises, causing widespread damage and disruption and necessitating extensive recovery endeavors. This is one of those risk areas where you need to continuously update your malware detection capabilities for known vulnerabilities while building capabilities to deploy resilient systems for the zero-day exploits and other increasingly sinister creations from the hacker underworld that you don't know about yet.
And while you are here, let us remind you to backup your data and critical apps on a regular schedule.
Network Management
Network management encompasses the hardware and/or software tools that allow an IT professional to supervise the individual components of a network. These tools enable network administrators to manage a network's independent components inside a bigger network management framework. Network management is an increasingly complex domain given the breadth and scope, and the exponentially expanding boundaries, of what constitutes your network.
Software Assurance
Software Assurance is the planned and systematic set of activities that ensure that software processes and products conform to requirements, standards, and organizational procedures, and that help achieve:
- Trustworthiness – No exploitable vulnerabilities exist, either of malicious or unintentional origin; and
- Predictable Execution – Justifiable confidence that software, when executed, functions as intended.
These are the security controls to consider when building Software Assurance into your risk-based cybersecurity architecture:
Information Protection | Data Loss Prevention (DLP)
Data loss prevention and information protection cover the techniques for protecting your most important digital assets. DLP prevents end users from removing data or emailing it to their friends, protects these assets from deliberate or inadvertent disclosure, and ensures that all of your data assets are identified and tracked.
From a cybersecurity perspective, Data Loss Prevention tools also provide the mechanisms to watch the flow of data out of your enterprise by monitoring the normal ebb and flow of data in your environment. DLP software forces the bad guys to steal your stuff more slowly, since a sudden change in your data movements would otherwise tip you off.
Security Information and Event Management
Security information and event management (SIEM) tools gather, analyze and present information from network and security devices, identity and access management applications, vulnerability management and policy compliance tools, operating system, database and application logs, and external threat data.
SIEMs aggregate data, correlate and link events to turn data into useful information; perform security alerting on issues within the environment; automate compliance, security governance and auditing functions; and present dashboards to facilitate real-time monitoring of the state and health of the system and its components.
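As an added example covering both the log management paragraph earlier and the SIEM description above (it is not code from any SIEM product), the following Python code does the two things those paragraphs describe in miniature: it normalizes three constructed log formats, an sshd syslog line, a JSON application event and a firewall CSV record, into one event schema, and then runs a correlation rule over the result. Everything in the sample lines is constructed (documentation address ranges, made-up host, application and user names), the rule's threshold and window are assumptions, and the year supplied for syslog lines is an assumption too, since that format carries none.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOG_YEAR = 2017  # assumption: classic syslog timestamps carry no year, so one is supplied

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


@dataclass
class Event:
    """Common schema every source is normalized into."""
    ts: datetime
    source: str
    src: Optional[str]
    user: Optional[str]
    outcome: Optional[str]   # "failure", "success", or None for non-auth events


def normalize(line):
    line = line.strip()
    if line.startswith("{"):                       # JSON application event
        d = json.loads(line)
        outcome = {"login_failed": "failure", "login_ok": "success"}.get(d.get("event"))
        return Event(datetime.fromisoformat(d["ts"]), d["app"], d.get("src"), d.get("user"), outcome)
    m = SSHD_RE.match(line)
    if m:                                          # sshd syslog line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        return Event(ts, "sshd", m["src"], m["user"],
                     "failure" if m["outcome"] == "Failed" else "success")
    ts, host, action, src, dst, port = line.split(",")   # firewall CSV record
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, src, None, None)


# Constructed sample lines from three sources, deliberately interleaved.
SAMPLE_LOGS = [
    "Jul 12 09:14:02 bastion sshd[2211]: Failed password for admin from 203.0.113.9 port 51022 ssh2",
    '{"ts":"2017-07-12T09:14:20","app":"portal","event":"login_failed","user":"admin","src":"203.0.113.9"}',
    "Jul 12 09:14:41 bastion sshd[2213]: Failed password for root from 203.0.113.9 port 51030 ssh2",
    "2017-07-12 09:14:55,fw1,allow,203.0.113.9,10.0.0.5,22",
    "Jul 12 09:15:10 bastion sshd[2215]: Accepted password for admin from 203.0.113.9 port 51041 ssh2",
    '{"ts":"2017-07-12T09:30:00","app":"portal","event":"login_ok","user":"carol","src":"198.51.100.4"}',
]


def correlate(lines=SAMPLE_LOGS, threshold=3, window=timedelta(minutes=10)):
    """Rule: a successful login from a source that produced at least `threshold`
    failures on any system and any account within `window` is escalated."""
    events = sorted(map(normalize, lines), key=lambda e: e.ts)
    alerts = []
    for ev in events:
        if ev.outcome != "success":
            continue
        prior = [f for f in events
                 if f.outcome == "failure" and f.src == ev.src
                 and timedelta(0) <= ev.ts - f.ts <= window]
        if len(prior) >= threshold:
            alerts.append({"rule": "failures_then_success", "severity": "high",
                           "src": ev.src, "user": ev.user, "logged_in_via": ev.source,
                           "failures": len(prior), "sources": sorted({f.source for f in prior})})
    return alerts
```

The point the example makes is that the rule only fires because the failures were normalized across sources: two of the three came from sshd and one from the web portal, and neither system on its own saw enough to alert. The firewall record contributes nothing to this rule but is carried in the same schema so other rules can use it.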
SIEM tools may be used as part of an implementation strategy for these controls:
Configuration Management
Configuration management is the holy grail of cybersecurity. If you don't know what you have, how it's configured, and where it is, you can't protect it. Configuration management (CM) is a governance and systems engineering process that ensures the proper accounting of an enterprise's information technology assets, and of the interrelationships between them, in an operational environment across the system lifecycle.
In today's world of agile software development and continuous DevOps deployment cycles, security-focused configuration management is an essential element of digital innovation and digital transformation.
Asset Management
Asset Management is the process of tracking a diverse set of hardware and software and the location and configuration of networked devices and software across the enterprise — hardware includes servers, workstations, and network devices; software includes operating systems, applications, and files.
Comprehensive asset management programs enable organizations to more securely and efficiently monitor and manage their organization's many information technology (IT) assets in an increasingly complex information supply chain that includes complex systems and complex organizations that can include networks of IT assets supporting networks of subsidiaries, branches, third-party partners, contractors, temporary workers, constituents, customers, and guests.
Consider these controls when building asset management into your cybersecurity program.
License Management
License management keeps track of software license agreements and how those licenses are deployed and managed, and provides access to software resources in usage-based business models. License management is used to ensure license compliance and to support digital rights management. From a cybersecurity perspective it enables management of legitimate software and helps find unlicensed software present in the environment.
Management Dashboards
Management dashboards provide a visual representation of what is happening within the digital enterprise and the information supply chain, providing a quick and easy way to see and assess your risk posture. Dashboards automatically and securely connect to your data and continuously update in real time. The challenge in building and deploying effective management dashboards is determining which metrics provide the most relevant, actionable information on the state and status of your systems. Here are the controls that can help you build your dashboards and your risk and security awareness strategies.