Panel | Best Practices for Implementing Enterprise Security Automation for Threat Detection and Intelligence

Perfect. So let's start with a short introduction, Ron, maybe Donnie starts.

Hello, I'm Donnie went, a principal security researcher at MasterCard and also an adjunct professor of cybersecurity at Utica University. Hello, my name is Riy, chief technologist for St. Paris. We're an identity driven company protecting active directory Azure ad and anything that drives your business from an authentication perspective. Good morning. My name's Sergeant Collins. I'm the global director of sales engineering at D three Security.

We are a vendor of a security orchestration, automation and response technology that helps busy security operations teams to standardize, automate, and increase efficiency. Perfect. This was really short and on point, like the presentation before panel topic is best practices for implementing enterprise security automation for threat detection and intelligence. A really long headline question, why do we need security automation? Which gap does it close for our existing tools, processes? Maybe we start Oh yes.

And I actually started with security automation early on before there were even any vendors in this field. So it's been interesting seeing this progress and one of the main areas that we were looking at initially was just trying to increase the visibility because we knew we were not seeing all the attacks because there was no way that our human centered response could keep pace with the volume. So by in bringing in security automation, we were able to more see a lot more events respond to a lot more events than we had in the past.

And it was also about being able to plug in new technologies readily because we had very disparate systems. And when you have multiple types of, say, firewall vendors within your environment and that it, it helps to have that common sort of interface form. Great. Perfect.

Guid, anything to add from your end? Well, yeah, I, I, I fully understand that MasterCard must be a, a privileged target for, for, for, to try to get into it as in any banking industry, as in any company that that has intelligence to offer to, often its intellectual property. It's not just bank accounts and, and financial value direct, but where does that start? And that's where their automation to, to understand all the changes that happen in an environment. Make sense. What are the vulnerabilities that you have in your environment?

Configuration change of of an administrator might open up a vulnerability that they're not aware of and if you don't have automation tools that check on that periodically to warn you would've been, let's say a three hop attack against your environment. Now it's gone down to one hop attack. When somebody's in your environment, you have a problem if you don't notice that. So that automation is key to be aware of your vulnerabilities. Absolutely. Sever is then security automation replacing our security, our incident Analyst or is this something additionally?

It's an interesting question from, from my perspective, it does not replace the Analyst because we always need specialists that will have general oversight within our organization in security operations.

However, automation will take some of their repetitive tasks and to do it automatically, meaning freeing out the time that Analyst will spend as part of this incident response processes on various different tasks, automating those and freeing out the time to help them learn, advance their skill set, focus on other things, for example, threat hunting within the environment where they currently can't spend any time on because they have too many tasks to operate on a day to day basis. Absolutely. Donny your thoughts about that.

Yeah, and it's, it's when looking at this, and I have a presentation by the way, spoiler alert coming up here shortly on this topic, but when, so part of my doctoral research, I, I actually talked with leaders in fin sec financial securities, financial services industry that had implemented automation about why they did it and what benefits they've seen and most of the benefits, it, it really wasn't at all about cutting cost or replacing people because what they, what we found, what I always like to ask that there's one exception, are you totally satisfied with your security today?

If so, automating it, we'll cut cost, we'll save you money if not what we're doing. If you've ever been in that frontline SOC operation, that security operation center, you'll see how that that job can get very repetitive. It can also lead to a lot of turnover in that. And I have very talented people that should be doing what humans do best, which is the, the whole discernment, the decision making, not the looking up, not the enriching the data.

So that, that's where I saw Yes, the main benefits was getting that consistent enrichment, that situational awareness for our Analyst so that our analysts can make better decisions, they can handle more events and they can do the proactive threat hunting that we need them to do. Especially to look for advanced persistent threats in that that may not be popping up through the normal channels. Exactly.

Especially the, the active threat hunting was something that we discussed yesterday in in the panel with these s together how you can prevent state driven attacks but no matter whether it's state driven or not, you need the expert that do internal assessments, training simulations and all that stuff. Red teaming at the end to improve your security.

So to summarize, you expect and GIU for sure you can also state your opinion on thoughts about that, but in general it the, it will not replace the, the human here but the human will as always with IT and technology be more specialized and focused on that where what Donny mentioned humans are good at keto. I I can just emphasize exactly that. I think it's, if I look around the room here, we've got plenty of let's say experienced IT administrators that know that it and your infrastructure has not gotten simpler, it's gotten just more complex.

The journey to the cloud with the promise of cutting your cost has that happened. It's questionable that you were able to take down your, your staff and, and need to monitor and act less on on issues.

It's, it's just the reality that our IT landscape is getting more complex. Intruders are getting smarter, they're getting tools to, to hit you easier. They don't need to be an expert anymore. In our case, in you know, identity space, active directory, intruder doesn't need to be an active directory expert. They just need to be a tool expert to, to attack.

And so you need to be aware constantly of the ongoing risk and you can't look at everything and the different stacks that you have in your IT infrastructure that must be automated to help you to see where do you need to act before it's too late. Isn't it also a big threat at all to rely on such an tool that is detecting and also reacting, maybe let thing about Terminator, whatever Skynet and some artificial intelligence that is trying to decide what is best for for your company. I mean at the end of decides all computers are potentially dangerous, then let's block all users.

This would be the consequence Don? Oh Yes, I was. Cause one of the things that early on when we were starting the research into security automation, so it was one, one concept that we hammered home a lot was this idea of low impact, high reward.

That's, that's the processes I'm looking for to start. I'm not looking to get in when I start, especially my automation journey, I am not immediately starting with blocking network traffic and things like that. I'm going to build that trust and confidence in my automation by first starting with, in my view, I always looked with those that are completely in the control of the security department cuz I wanna gain our trust first before I reach out to the network team to the, to all the other teams and start taking actions there.

And then we also had the concept of, and I always like we, we need a response loop. So what we did initially going on was recommend the solution and then get feedback from the humans on whether that was the correct solution, the solution they would take. And only after we build that trust and confidence we implement it.

Now the one thing that I find really hard to do and that this is where you, you actually need skilled resources within your environment is developing all of the, all of the exception rules for when things go wrong with automation and detecting it because that a lot of the automation tools, it's real easy to put 'em in and and immediately connect with the systems and do things. But what I found it's still a lot of custom development we're doing for those what if in error cases to respond and re retrain or or reap and get out of those error situations.

But I always caveat with that with do you expect your soc Analyst to be right a hundred percent of the time because most times, no they're not. Do I expect my automation to be right a hundred percent of the time? Unfortunately a lot of people think yes, but no I don't, but I ex because it's based, it's automation, what it's learned, what it's doing is based on my human input, which isn't a hundred percent accurate. Absolutely severin more from an vendor perspective. What would you say is security automation the threat of getting something like Skynet?

I don't think it is, and I slightly disagree with with that opinion just now because automation has to be a hundred percent right all the time and the best practice to apply automation, we see that in various different customers. Engagement is automating what has and follows a standard operating procedure. For example, you spin up certain instances to bring up quick infrastructure within the cloud, attach the virus, different devices via automation against your security monitoring tool, run vulnerability scans against it, validating that the infrastructure is a hundred percent protected.

I don't need human interaction in this particular process, but I need validation and that validation should be accurate as such I can fully automate it. There are other scenarios within the security operations center you mentioned, for example, enrichment. We can fully automate that because it's the same process. Take information, query different sources and analyze it. That can be a hundred percent automated. There are other scenarios where automation is not necessarily applicable or a hundred percent usable but or everything else.

Those is where the quick wins are and what's costing Analyst time. Absolutely. Okay. Any question from the audience here on site? The remote attendees haven't had any question yet.

So again, for the honor attendees, feel free to use the chat function. I receive it here on my tablet. You have the great opportunity to talk, talk or ask a good question to one of the panelists here and also for the onsite attendees, feel free if you have, it's a million dollar chance by the way to, to ask you a question here. No one. Okay. 10 ago I had with my question looking more there's a question.

No, I was too late. Sorry.

So it's, it's a well known fact that automation is important, but a lot of companies are still not yet automating. What's the reason behind that? What's stopping every company from going on an automation journey and it's, it's open to all the panelists, Whoever is willing to answer. I Would say from, from my, from my perspective, the, the companies I deal with mostly in the financial services industry, they are on that, you know, going towards automation.

Now, whether that is now, I would say from that research we had very different levels. There were some that were very mature putting in a say a sore product and doing that there. But most of 'em had already started on that automation. They've been doing it with scripting in that for years. Right. I don't think it's, it like the the, the capabilities are far better. You're seeing more advancements in it, but at least in, from what I've seen in within the financial services industry, it it's being used quite a bit.

I think you'll need to differentiate between company sizes and, and expertise in house. Yeah. And in any enterprise company, at least scripting is, is a day to day job. Nobody does that much manual work in the environment. So that is already a lot of automation and they are looking for solutions that replace their manual scripting, replace the dependency on that one person that is scripting genius so that, you know, that one isn't there anymore. You have a dependency on that, but smaller companies, they need ease of use. Yeah.

And, and, and that's why they're gonna look at tools that, that don't add another level of extra complexity for them to get, let's say that that that view that they're looking for, for information that they cannot see easily with manual searches of, of any type. They might not have the expertise. It's one person or few responsible for a ton of different technologies in the same company.

And so they need to be supported just as much as, you know, in the enterprise that that's more a state of the art already in the enterprise, but the, the medium size companies needed just as much What were they needed, such as much the interesting factors also what we've seen sometimes in various different engagements was smaller organizations were relying on external partners to provide services and sometimes obviously they would be reluctant to be creating automation and getting themselves out of the contract.

So we've seen that a few times in, in addition to that, various organizations assess their own maturity and sometimes believe they're not mature enough, not understanding that by standardizing and putting the structure in place in the first place, that's where they gain the actual wins. So it's not waiting on becoming mature, having the right resources in house, it's actually starting, that's where they gain real benefits. Perfect. Now may a question from my side.

What is realistic when it comes to thinking of automation and machine learning taking over the role of the formerly human carbon-based life form as an administrator? What is the, what is the ratio when we think of an of a, of a so implementation, what is handled automatically by pattern matching by by, you mentioned these, these, these defined processes, these defined statements of how this should be executed, what is covered by machine learning, if at all, and what still remains with the admin?

And I'm really looking forward to your results from the practitioner, from the vendor, from academia. I really would would like to see what are the expectations and what is realistic. Let me just take one take at this from a perspective of what we see in the industry and what we're also working on. A human has a hard time to to to figure out anomalies in an environment. Yeah. So so that's exactly where machine learning is is is strong at taking a bunch of data, comparing it to some baseline and understanding something is different here. At least to question it.

It cannot really necessarily determine that, that you are right now at risk, but at least something to highlight to the Analyst that that then takes it to the next step and understands, oh, I need to act here. I don't, yeah, so, so that is where I believe machine learning taking over, not necessarily immediately shutting down, you know, all systems, you know, the gates from, from everything. That is something where you'll always have a decision making through a human before you take such drastic steps. You hit on a very interesting topic for me.

So one of my other main research areas is on machine learning's use and cyber security. And because most, most products out there today in security use some sort of machine learning, it's often presented to the practitioner or the user as some sort of magic vari dust where they're gonna drop it into your environment, it's going to learn what's normal and then it's going to start doing it well. And that's why I got on this path of trying to educate my cybersecurity professionals of the basics of machine learning so they understand what it really is and what it isn't.

And when we start talking about putting something in the system to learn online what is normal, I get very concerned from a security standpoint because what you're telling me is you're going to put something in my network and you're going to learn what's going on now and anything that deviates from it's an attack or is an anomaly, I have no way to tell if, unless you've done some data standardization, some data cleansing in that I have no way to guarantee that the traffic that's normal in my network is good. Normal does not equal good.

And and that's when I think that they keep failing to see when they go for machine learning. And so, so that's one where I really think we need a lot of advancement there.

Yeah, it's funny that you said that because yesterday I said the same thing. So if you input a mess in a machine learning what you get is just more mess. So just on the same topic about machine learning, so probably will be interesting to have your cake on machine learning, which is so, I mean I'm interested as, as well. Yes. And that's one of the top I think I presented at the last KuppingerCole event on adversarial machine learning.

So it, it's one of those things coming from a software development background from software developers. We long ago learned we needed to start pen testing, we needed to start doing this red teaming. A lot of the machine learning processes aren't doing that yet. And they need to do that. They need to do the adversarial machine learning to, to test against the tax Guid Severin also something to add to that question to the statement, Basically just full agreement of what Donnie just said.

Whew, That's a good one. Okay, perfect. I think we should go a bit more back to the prepared questions because they are going in the direction. What are the next steps to enable your business for security automation? So where do, where should organizations start when they, when they want to start in security automation and maybe it makes really sense to start with the vendors first. So sever It, it's really a simple task. You firstly need to identify the various different areas where automation can be applied.

Then you need to start structuring and identifying the individual processes, standardize those processes and you can create very simple workflows associated and then take those different workflows and put them in the various different technologies to make it happen. That's typically the easiest start by identifying the various different areas where you can improve. You will get visibility or where you can gain the biggest way can I have the biggest impact within the overall environment.

You get visibility where you potentially lack resources where automation could be applied to assist deviating this scenario. So that's really the easiest entry point, You Know.

Yeah, I'd add from an identity management perspective, it's really around understanding your vulnerabilities in your identity system. That is very often underestimated. And if we look into the Microsoft world, I'm, it's a bit unfortunate that I still have to sit here and warn people about all the default permissions that are configured in, for example, a Microsoft active directory that are so crucial for intruders to do reconnaissance in the environment and basically understand everything in your, about your environment before you know your own vulnerabilities.

And that is why you need to look at your systems with tools that show you those vulnerabilities that automate the detection of new vulnerabilities that that, well there's just been new CBEs just, just this month we've had, I don't even know how many, but a lot of patches from Microsoft for vulnerabilities that are being actively used. Yeah. That are out there where, where intruders are checking as soon as they're in your network, what they can use and they can read all of that with those default permission.

So it's understanding your environment, checking it, scanning it, and then basically knowing your vulnerabilities and acting on them. Yeah, and I would say from my side it's, yeah, looking for, I think I talked about for those low impact but high rewards sort of use cases. So I'm looking for use cases initially cause I really have to build up trust that underlies a successful security automation deployment. So I find those use cases where I can quickly implement, see quick results, but have very low risk of causing any damage.

A lot of times I, I've seen some security automation projects derail because they went after the sexy, let's go do some automated response right away and I'll say no back off. Let's start with things like enrichment and the well defined processes. And also the other key is what, go ahead and get started. I think you, the first step is to just get started and then use this as an opportunity to improve your processes. Don't just do the wrong thing faster, improve your processes while you do it.

I love to ask not only positive questions, also maybe a bit negative or we all work in it and we know not everything is always beautiful and easy. What are the challenges, if you want to introduce something like threat detection and intelligence on an automated level, is there anything what you can recommend that people should avoid? Or is there something that you have to learn? Not necessarily avoid, but the, one of the core challenges is obviously getting executive buy-in in the first place.

It, it seems to derail majority of the project not having an executive sponsorship to support this. Which means we as an industry, we as leaders need to be better in educating our C-suites, bringing them up to speed and also explaining where they can gain. As I said earlier, if I have challenges hiring industry professionals to work in my security operations and I can use automation to alleviate this challenge, I need to bring this to the forefront.

I, I, I'd say it's important to, to have an understanding of what are you protecting, where are you investing? And, and Martin this morning in his keynote Martin Kuppinger sat very nicely understand all of your areas and what you're protecting against, where you invest into so that you don't also overinvest into protecting the same thing over and over with different tools. Yeah.

But, but my, my take on your question is that I think the biggest risk is to have a false sense of security when you have automation in place that you believe you're now fully secured and nothing can happen anymore because there is nothing like 100% security. There isn't. So you always also in parallel to that automation need to have your disaster recovery plans ready and be ready for that worst day that you actually need to execute them and get back from the ashes. Right.

And I would say to respond to this question, stay tuned because in my presentation, the last half of that is strategies for failure because I think we can learn a lot from mistakes and there are some rare, really, I say good strategies to fail if you want. And I, I will be discussing some of those in my presentation. A good way to fail. Perfect. Maybe in another question, in in that direction, how reliable is security automation at all?

I mean, I trust the tool instead of a person we talked about, we discuss that the tool detects 100% based on what it's learned and is this 100% reliable? Is this better?

I mean, this goes in the direction we already discuss, but maybe we start with you gido. That's, that's a difficult one to answer as a vendor.

You, youll of course also always wanna be seen as our tool is perfect and, and you know, you have your sales slogans and whatnot. Let's be clear, no vendor can guarantee 100% perfect, perfect security.

If, if a vendor does say that to you, then, then that's a warning sign in itself. Yeah, absolutely.

What, what a vendor can do is to help reduce your vulnerability and basically, you know, lessen your tax surface and in that case make it harder for intruders to get in. And then through the automation, through detection tools, intruder will have it harder, should be easier to actually find things that they then need to do because you've locked them down.

They, they, they, they basically need to show themselves differently. Not gonna go into technical details, but it, it should it pop up in, in your monitoring that something is awkward, something is going wrong and then you can act. There is nothing that gives you that a hundred percent, it shouldn't promise a hundred percent security. We never do That. That's exactly the, the right point.

And also something we discussed yesterday in a c panel, your red teaming or your tools, if you identify techers that are in your systems, sometimes it's just a little thing you identify that is strange and knowing this and then diving deeper into it, maybe starting with detected by a tool or maybe started by detecting by an second or third level Analyst, this is essential only with that you really can identify our attackers already in or not, or is there a threat on or is there not a threat? But yes, you have another Question?

Yeah, maybe more to the positive side. Now you mentioned that that management buy in and to support and to make sure that they are on board and understand what's going on. So what would be good and, and reasonable KPIs to, to to report to the management that they understand that they, that you are in a good way that you are performing and that that is, that it's evolving, that you're getting better.

What, what, what could be a KPI that management understands and that really reflects reality? It's a very interesting question and we do that most of the time when showing our tool set to various different stakeholders. And I give you a very simple example. If we are taking an early step in analysis, it starts with enrichment, enrichment process. If I just wanna validate a hash against the threat source, it might take, let's say a minute copying the hash, going to my tool, waiting for the response, getting the information.

If I automate this process, we can show the acceleration of the entire process in, in contrary to what typically takes a minute manual task, it maybe takes five seconds for the automated now extrapolate those five seconds, how much, how much time you save and at one point you will clearly see that you are literally saving headcounts or freeing up headcounts to then do red teaming to do further improvement of the skill or to focus on complete different tasks From a KPI perspective.

In in, in our area of identity security, it's the count of vulnerabilities that you see that you need to address and basically that you then reduce with the knowledge and the help with the tools. That's what management wants to see. They basically want a lovely number that either, you know, so and so many points of risks have been decreased by whatever, 30%, 40%, et cetera. Yeah. And I would say from mine I try to avoid measurements that are based on time savings or cost savings from automation.

And I'll get into that a little bit when I go into my presentation later, but it's, it's around, that's not why I'm doing automation. Not at all. Why I'm doing automation is so that I can respond to events quicker and I respond to more events. So I'm not looking at its automation versus people measurement. I'm looking at holistically measurement of my security operations center and how quick we're responding to events and how many we can respond to what are we seeing now that we weren't before. What I'm looking for, my automation is not just not to do things faster so I can save people.

It's so that I can secure my environment better. Perfect. And for those who haven't realized, we now talked twice as much time as initially planned, but it was really very interesting and I think it makes sense to join Donny's session as well. He did a lot of advertisement here for sure. Maybe let's close this round with a last statement about what is the first thing to start with security automation. What is the really first essential thing to do? Stop doubting yourself and start beginning to automate things. If you doubt you waste time and lose effectively money.

We typically start with a, with a tabletop exercise of customers understanding the dependencies between all their business applications to the different, let's say, services that they use. And then as once they understand those dependencies, concentrate on securing your most critical applications or services to start there and then work out from there.

So yes, get started, know, dedicate, dedicate the resources and money and get started. Don't try to do this as some little side job. Yeah. Perfect then thank you very much sever, Guido and Donnie for this really very interesting panel discussion. I hope also the audience had a lot of fun onsite and online. Thank you very much. Thank you.