
Security Think Tank: Don’t automatically automate security

How can organisations evolve their security operations teams to do more automation of basic tasks and cope with dynamic IT environments?

From a network infrastructure perspective, the first thing to understand is whether an organisation requires basic security tasks to be automated. Is AI [artificial intelligence] needed to detect and respond to external threats automatically based on suspicious activities and, if so, which areas of the security function would benefit?

There is therefore a strong argument for undertaking risk impact analysis to avoid investment that is unnecessary – and may actually increase the risk placed on a team that is already likely to be over-burdened.

If these assessments conclude that automation is the best way to respond appropriately to external threats, various options are available; again, these need to be weighed up objectively. For some elements of security, upskilling the existing team to implement and deliver the technical solutions in-house within a reasonable timeframe is realistic. 

However, in areas for which this will not suffice, outsourcing needs to be considered, whether through contractors, consulting partners or platform providers, to deliver the right expertise when needed. 

If the outsourcing route is chosen, due diligence is critical to ensure the platform offers the detection methods required, and that suppliers have the right credentials to deliver what is needed. Any product purchases need to be reinforced with the requisite people and processes to ensure the technology delivers return on investment.

Within the enterprise network, specific applications can also be protected. Depending on this landscape, there are many tools available to assist with the automation of day-to-day security administration.

Governance, risk and compliance (GRC) tools automate the checking of basic security parameters, such as the requirements for password changes and the number of incorrect logins allowed before a user is locked out of the system. Controls can, for example, validate that these are set up according to the security guidelines specified by the organisation.

Basic security tasks

In the case of SAP, its GRC Access Control tool can also help to automate basic security tasks. For example, the Segregation of Duties Review process can be used to check for critical access risks automatically by running daily checks for violations.

Security settings can also be checked with tools such as SAP’s Enterprise Threat Detection (ETD), which looks for suspicious activity based on pattern recognition, tracking activities from network and applications logs. It can also verify the security parameters, as well as undertake checks such as Network Security and Critical User Access.
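As an added illustration of the parameter checks described above (both the GRC validation of password and lockout settings and the ETD security-parameter verification), the following is example code written for this article, not a GRC or ETD feature. The parameter names are SAP profile parameter names used only for illustration; the baseline values and the three system snapshots are constructed, and the rule that a value of 0 disables password expiry is an assumption stated in the code.

```python
from __future__ import annotations

# Organisation guideline (constructed for this example).
# Each rule: (kind, limit, description)
BASELINE = {
    "login/password_expiration_time": ("max", 90, "days before a password must be changed"),
    "login/min_password_lng": ("min", 12, "minimum password length"),
    "login/fails_to_user_lock": ("range", (3, 5), "failed logins before lockout"),
}

# Values that mean "control switched off" rather than "a small number".
# Assumption: 0 disables password expiry, so it must be flagged, not passed as "<= 90".
DISABLED_MEANS_VIOLATION = {"login/password_expiration_time": 0}


def check_parameters(actual: dict) -> list[dict]:
    """Return one finding per baseline rule the snapshot does not satisfy (empty list = compliant)."""
    findings = []
    for name, (kind, limit, note) in BASELINE.items():
        if name not in actual:
            # An unset parameter leaves the vendor default in effect; the guideline is not proven.
            findings.append({"parameter": name, "value": None, "reason": "not set; system default in effect"})
            continue
        value = actual[name]
        if DISABLED_MEANS_VIOLATION.get(name) == value:
            findings.append({"parameter": name, "value": value, "reason": f"control disabled ({note})"})
        elif kind == "max" and value > limit:
            findings.append({"parameter": name, "value": value, "reason": f"exceeds {limit} ({note})"})
        elif kind == "min" and value < limit:
            findings.append({"parameter": name, "value": value, "reason": f"below {limit} ({note})"})
        elif kind == "range" and not (limit[0] <= value <= limit[1]):
            findings.append({"parameter": name, "value": value, "reason": f"outside {limit[0]}..{limit[1]} ({note})"})
    return findings


def check_landscape(systems: dict) -> dict:
    """Run the daily check across systems; returns {system_id: findings} for non-compliant systems only."""
    return {sid: f for sid, params in systems.items() if (f := check_parameters(params))}


# Constructed snapshot of three systems, as a daily collection job would gather them.
LANDSCAPE = {
    "PRD": {"login/password_expiration_time": 90, "login/min_password_lng": 12, "login/fails_to_user_lock": 5},
    "QAS": {"login/password_expiration_time": 0, "login/min_password_lng": 8, "login/fails_to_user_lock": 5},
    "DEV": {"login/password_expiration_time": 180, "login/fails_to_user_lock": 99},
}

if __name__ == "__main__":
    for sid, findings in check_landscape(LANDSCAPE).items():
        for f in findings:
            print(f"{sid} {f['parameter']}={f['value']}: {f['reason']}")
```

The output is the list of deviations a workflow tool would route to the system owner; a compliant system (PRD above) produces no entry at all.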

Although most SIEM [security information and event management] tools can perform this function, ETD goes further into the application level by correlating these access point patterns with explicit application logs to show what information might have been accessed.

It is also possible to use threat intelligence AI, coupled with log monitoring, to identify trends that could indicate an attack. The AI would automatically learn new definitions and adjust its algorithms for the log monitoring accordingly.

It is critical to consider the human element required for automated tools to be effective. An AI-based system will only learn from the inputs, so the organisation has to set the ground rules for what constitutes a threat, as well as further classify security incidents. This provides the data needed to trigger any automated responses.


From here, workflow solutions can be defined using management tools so that the data can reach those most able to deal with the information effectively.

But however good the intentions and however sophisticated the technology, automatic monitoring is unlikely to take off without executive support. Traditionally, security has been regarded as an overhead and has not been prioritised for investment. However, recent surveys, corroborated by industry trends, suggest this is changing – security is increasingly a strategic imperative that gets board level airtime.

Securing this level of interest requires that, rather than being the sole domain of the IT department, each area of security is owned by the relevant business unit. This helps to influence the board and gain access to funding.

In many ways, automation and AI should be an “easy sell” to the board, offering as it does the opportunity to reduce the manual costs of many security-related activities.

Investing in automation to test, monitor and validate the configuration of enterprise systems, as well as to undertake activities such as month-end validation tasks, can achieve significant time savings, especially where controls execution and testing require a large amount of manual input. This frees up the security team, allowing them to focus on areas of higher complexity and achieve a more compliant, efficient IT landscape.
