AUTOMATION & ORCHESTRATION

The Future of Cybersecurity Automation & Orchestration

By Arleen Zank July 2017

Innovation in Digital Risk Management

IT'S NOT FREE

Investment in layers of cybersecurity for cloud implementations will effectively reduce the return on investment of the cloud by 5 to 10 percent, while performance of systems also diminishes by 5 to 15 percent.¹

INTRODUCTION

Cybersecurity automation and orchestration has many names — continuous monitoring (CM); continuous diagnostics and mitigation (CDM), Security Content Automation Protocol (SCAP). It is an essential element in effective digital risk management and implementing risk-bases cybersecurity solutions. Here is a look at innovations in this technology and what the future of cybersecurity automation looks like. (If you are up for some patent geekery we’ve added links to the patents associated with some of these innovations.)

A LITTLE BACKGROUND

Cybersecurity automation describes the necessary reality that you need automated tools to collect salient information about your risk posture and the state of your environment so you can continuously monitor your information supply chain and understand your risk posture. Orchestration is the process of capturing, coordinating, normalizing, and presenting all the data and status information from all of your security tools and human cybersecurity analysts. Most firms have 6–7 different products to manage to monitor and report on different aspects of the security of the digital enterprise. Cybersecurity automation and orchestration is fundamental technology to enable risk managers and cybersecurity experts to see and react in near-realtime to manage threats and attacks.

CONTINUOUS MONITORING (CM) & CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

The cornerstone of risk-based cybersecurity is the use of automation tools to implement continuous monitoring processes using continuous diagnostics and mitigation tools and technology. This is the primary implementing mechanism to build and deliver cybersecurity automation and orchestration capabilities.

Continuous Monitoring and Continuous Diagnostics and Mitigation are similar but they are not the same. Continuous Monitoring is the watchuing, figuring out and reacting tools. Continuous Diagnotics and Mitigation are the enabling tools so that you have something to watch. CDM creates the data, houses the rules, keeps track of your stuff, and handles fixing and reporting.

Continuous monitoring include:

• Maintaining a picture of an organization’s security posture;
• Measuring security posture in light of the organizations acceptable risk posture;
• Identifying deviations from expected results (which implies you have technology in place to know what your expected results are);
• Providing visibility into information supply chain assets (a deep dive into your assets and components);
• Obtaining automated data feeds from your security infrastructure;
• Monitoring on-going effectiveness of security controls (there is no set it and forget it in this domain);
• Enables prioritization of remedies and responses;
• Informing automated or human-assisted implementation of remedies and fixes; and,
• Creating visualization tools so information supply chain managers and risk managers can see and understand what’s going on (elaborate and colorful dashboards).

CDM is the use of tools and open source programming tools to identify cybersecurity risks on an ongoing basis, prioritize these risks based upon potential impacts, and enable cybersecurity personnel or automated processes to mitigate and enable prioritization of the most significant problems first.

CDM tools covers a wide range of areas and functional capabilities:

• Hardware Asset Management
• Software Asset Management
• Configuration Management
• Vulnerability Management
• Management of Network and Asset Controls
• Management Trust Levels and People Granted Access
• Management Security Related Behavior
• Management Credential and Authentication
• Management Account Access
• Preparing for Contingencies and Incidents
• Responding to Contingencies and Incidents
• Design and Build in Requirements, Policy and Planning
• Deploying and Managing Security Policies and Control
• Management of Audit Information
• Management Operation Security

Broadly Automation and orchestration technologies are organized into the following domains:

• Vulnerability and Patch Management
• Event and Incident Management
• Malware Detection
• Network Management
• Software Assurance
• Information Protection | Data Loss Prevention
• Security Information & Event Management
• Configuration Management
• Asset Management
• License Management
• Management Dashboards

See the table below for a breakdown of the technology domain and the controls mapped to each.)

Orchestration is integration of capabilities that enables humans to compile, understand the gigabytes of log file and alert data, and turning it all into something useful. Without orchestration, risk-based cybersecurity and knowing when your risk posture has changed is a daunting task. Automation and orchestration technologies enables humans to have a fighting change to stay ahead of the attackers and their increasingly complex and sophisticated attacks.

INNOVATIONS IN CYBERSECURITY AUTOMATION & ORCHESTRATION

Innovations in cybersecurity automation and orchestration has the potential to radically change and improve the way cybersecurity is accomplished and to enable digital transformation and continuous delivery of new capabilities across the information supply chain. It is an essential component of successful digital transformation, information supply chain management and digital risk management. Here is a look at the innovations that may be game changers, capabilities innovators are including in patented inventions — the areas to watch.

AUTOMATED RISK ASSESSMENT & SCORING

All risks are not created equal. The success of a risk-based cybersecurity strategy depends on being able to assess risk and determine how you want to manage it. Automated risk asdessment and scoring innovations take a variety of forms. Some look at a complex set of risks associated with a cloud implementation using features such as:

• Cloud Service Risk — how your cloud service provider delivers security and what are the attributes of that security;
• Data Risk — how you share data, how your data is protected at rest and in-transit, application development processes;
• User/Device Risk — how do you manage your endpoints and the devices your users bring with them; how you detect the presence of new devices or changes in the devices that are in your digital enterprise.;
• Business Risk — the risks associated with your cloud service providers audit and operational practices, and the risks associated with your provider in light of your business and mission;
• Legal Risk — Risks related to data residence, legal protections provided by your cloud service provider, the jurisdictional risks, intellectual property protection, and how data is handled in highly regulated industries that need to manage critical data and privacy information in compliance with industry-specific regulations.

Other approaches continuously evaluate specific assets and measure them against compliance control frameworks using electronic identifiers, and creating multi-dimensional arrays of assets and risks and calculating complex scores. These models use machine learning and statistical modeling in conjunction with a range of compliance techniques to evaluate and score the environment in light of their risks. A number of innovators in this space are focused on use of non-linear models as a more robust way to capture, assess, and score risks and to projections on the risk posture of the system.

Here are two patents in that space. The first is Skyhigh Networks's Cloud service usage risk assessment using darkness intelligence patent 9,674,211, a relatively new patent granted June 6, 2017. Another approach, 7,752,125 Automated enterprise risk assessment. The inventor is Pravin Kothari who is founder and CEO at CipherCloud.

USER | ENTITY BEHAVIORAL ANALYSIS (UEBA)

Users/Entity Behavioral Analysis (UEBA) is technology, usually software and some level of machine learning that analyzes the behaviors of organizations' insiders (employees), outsiders connected to their networks (such as third party contractors, partners, customers or consumers) and flags security vulnerabilities across organizations' assets that hold sensitive data. In addition to analyzing user behavior, UEBA assesses organizations' entities meaning endpoints (such as laptop computers, mobile devices and other connected devices) and applications, and identifies any unusual behavior coming from those entities. UEBA connects the behavioral information with the data collected about users and entities to uncover security risks that cyber criminals may exploit.

UEBA looks for normal and abnormal behavior. It helps detect rogue insiders who are going places they don't normally go and doing things they don’t normally do. It is useful in detecting behavior that is disconnected — for example finding out why a set of credentials are being used to access the database when the owner of those credentials hasn't made their normal endpoint approach or access to the network.

Splunk, a leading provider of real-time operational intelligence using machine data, is the holder of US Patent 9,699,205 granted June 20, 2017. It covers a security platform that is "big data" driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

More and more providers of digital transformation and information supply chain capabilities are focused on the increasing move to the cloud. Cloud Access Security Brokers are major consumers of UEBA technology.

TRUSTED MAN-IN-THE-MIDDLE — CLOUD ACCESS SECURITY BROKERS (CASB)

A cloud access security broker (CASB) is an on-premises or cloud-based security policy enforcement point that is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed. Organizations are increasingly turning to CASB to address cloud service risks, enforce security policies, and comply with regulations, even when cloud services are beyond their perimeter and out of their direct control. The value proposition in CASB capabilities is enabling security officers and risk managers to increase confidence about their organization's cloud service usage, policy enforcement and data protection.

ADAPTIVE MONITORING & PREDICTIVE ANALYTICS

Digging through the voluminous quantities of files and data and alerted from your SIEM system to look for malware and other nefarious activities is not for humans. Enter Adaptive Monitoring.

Adaptive monitoring uses artificial intelligence to identify new trends from all this data to looks for trends in the data and the complex relationships within it. The technology enables finding, understanding, and reacting to patterns and non-linear relationships between and among the complex data sets in the environment. A non-linear relationship is a type of relationship between two entities in which change in one entity does not correspond with constant change in the other entity.

The side of a square and its area are not linear. If you double the side of a square (2X), its area will increase 4 times (4X).

When dealing with cyber attacks you are usually dealing with two rules of engagement. First, the attacker needs a physical path. An attack can only occur by following network connectivity and reachability. The attacker needs to get in. The second element is the attack structure. The attacker needs an attack structure, a vulnerability, that they can exploit. Adaptive monitoring in conjunction with predictive analytics using the statistics techniques in data science find atypical usage patterns, and peculiar activity that can be detected very early in the attacker's mission.

Adaptive monitoring and predictive analytics offer benefits in finding and mitigating masquerader attackers attempting to exfiltrate data using stolen insider credentials. Attackers masquerading as insiders are already past the cyber infrastructure's perimeter defenses and can obtain significant knowledge about security policies in operation, they will try to circumvent the known policies, making it more difficult to observe their behavior using traditional intrusion detection and information loss prevention technology. While differentiating insider threat activity from normal usage activity is very challenging, masqueraders do not know exactly how their victim, the privileged u uses the network resources. Adaptive monitoring and predictive analytics find atypical usage patterns that can be detected very early in the attacker's mission providing security engineers with a much broader range of options in preventing or managing an attack.

AUTOMATED RISK MITIGATION & REMEDIATION

One of the more interesting approaches is to create isolation capabilities, essentially your own man-in-the-middle capability, to isolate users from interacting with nefarious content on the web while delivering what they are looking at as an image. This technology is interesting as it has the potential to protect against real man-in-the-middle exploits, drive-by exploits and phishing.

Basically it works like this. You install a secure server that is used to authenticate your users and give them a unique ID. The server then receives user input on where they want to go on the web. The secure server uses that input to reconstruct the commands to deliver the web content back to the secure server. When the response comes back to the secure server. The server transforms the content and generates an image that represents the information the user was looking for and sends it to the user endpoint via a secure transmission. The innovation delivers a safe visual stream to users’ devices, preventing any malicious content from ever reaching endpoints. Each web session is confined to a virtual container which is disposed at the end of the session, eliminating malware persistency. According to its inventors at Fireglass, this innovation works on web content, email and documents, as well as outbound malware command and control communications and data exfiltration. Fireglass protects against automated and scripted attacks including credentials stuffing, man-in-the-browser, and cross-site scripting, (Read their patents here and here.)

ONE MORE THING

According to Andras Cser, principal analyst at technology research company Forrester, additional layers of security over the top of cloud computing has an impact, both on price and performance. Investment in layers of cybersecurity for cloud implementations will effectively reduce the return on investment of the cloud by five to 10 percent, while performance of systems also diminishes by five to 15 percent, depending on the processing requirements.

RELATED CONTROLS