Yes, I can. Hello?
How are you doing welcome.
Very good. How are you?
I'm good too. Thank you. What will you talk about
Today? We're we wanna talk about security automation in the financial sector. Some of my research findings.
Perfect. Sounds very interesting. And then I would say the stage is yours.
All right. Thank you very much. Welcome everybody. First of all, a little bit about me. I am Donnie went. I'm a principal security researcher for MasterCard where I've worked since 2004. I'm also an adjunct professor at Utica college where I teach you the master's cybersecurity program. A lot of the presentation today, it's, it's based on a combination of my dissertation research for my doctorate, and also my practical experience with implementing security automation is trying to bring those two worlds together. Here's what we're gonna cover today. I'm gonna begin with just a brief overview of kind of the driving forces behind security automation. And then look at my research, including an overview of the, of the theory and conceptual framework upon which it was based. And then conclude with the findings from both my research and my personal experience, implementing security automation.
So, first of all, let's look at why are we interested in security automation? Is it if, is it to reduce cost and save money? I would say if that is why you're pursuing the security automation, you're probably in for a rude awakening, but we'll, we'll revisit that question later in the presentation. So before we get too far into it, I I'd like to, I'd like you to consider where your organization is with security automation at this point, hopefully your, a little bit closer to that left side, where automation is your default in everything you do and not on the right side where there's your lack of automation is quite disturbing. If you're like most organizations, you're probably somewhere in the middle of this scale.
So let's briefly look at the current state and what are the driving forces behind security automation in our operations center. Of course the attackers enjoy asymmetric advantage, right? So that they can acquire and reuse exploits with with much ease and couple that with the low likelihood of detection, this all strongly favors the attackers, also the use of similar operating systems, hardware and applications, all of these increase the reward for attackers who can develop exploits and reuse those against dominant products. The in also the increasing sophistication of attacks is making the identification of both successful and unsuccessful attacks, much more difficult. Cuz we have to consider that any attackers who are investing in advanced threats are highly motivated and they're going to devote significant time to achieve their goals, mapping out multiple paths and pivoting their attack as necessary. So our current human centered cyber defense practices just cannot keep up with the threats, targeting us in order to meet this challenge, we must drastically increase both the speed of detection and response, but finally, perhaps the chief driver of automation is, is most of you're aware that the shortage of cybersecurity professionals to deal with the increasing threats.
So now that we look to current state, I wanna take just a couple minutes to discuss the observe orient decide act or ULO theory that was developed by us air force pilot, John Boyd. This theory refers to gaining superiority in air combat by completing your loop faster than your opponent. This theory has been applied to many other situations, including cybersecurity unfortu. The Ulu is often simplify most depictions reduce this theory to a four simple four phase cyclic approach in which the phases occurred. Sequence implying that one first observes then orients then decides then acts, just keep ING and repeating. Unfortunately, this oversimplification removes much of the important nuances of the theory though. Boyd often discussed this theory. There's only one known sketch by Boyd, which appeared in a presentation in 1996, the loop as drawn by void depicts continuous interactions between the various steps, acting simultaneously feedback from the decide and act phases influence our observations.
Also voids diagram depicts information feeding forward from the observation to the orientation, which influences both the side and act orientation is adjusted continuously and considers factors such as cultural traditions, previous experience and new information void noted that orientation shapes our observation decision and actions, feedback from the decisions and actions along with observed phenomenon, continually shape orientation, orientation plays the central role voids action flows from orientation implicitly often without any explicit commands. Boyd sketch shows these implicit instructions flowing from orientation to guide both observation and action bypassing decisions. The emphasis on orientation turns the conflict into a contest to see which opponent can maintain situational awareness, better. Maintaining accurate situational awareness in a dynamic environment is critical to inform our correct decisions and effective courses of actions. The underlying goal that Ulu is to be faster than the enemy. The goal means that as cyber defenders must streamline our command and control while also interfering with attackers command and control.
So what do we do? Cyber defenders have to address both sides of the equation to narrow the gap between the attackers time to compromise and our time to respond. Leading research addresses the disadvantage through community sharing of security, intelligence, automation, security responses, and innovative defenses, including deception and active defense, an integrated approach involving security orchestration, automated response, information sharing and advanced defense methods can reduce this competitive gap. The intelligence sharing and automated response work together to reduce our cost and time collective action fostered by community sharing can act as an immune system for the collaborating organizations while security automation increases the speed of response and proactive application of intelligence at the same time, advanced defense methods, including deception and active defense, raise the cost to the attacker and slow the attack.
So let's look at each of those components. We talk about speeding. The detection response, the complexity of technology, business and information assets in large organizations, demands automation to assist humans in maintaining situational awareness, full situational awareness of a current situational within a complex cyber environment is impossible without automation. The alerts concerning anomalies in and date security Analyst must quickly triage security events, triage analysis, which requires the Analyst review analyze and interpret vast amounts of security. Data is one of the most labor intensive tasks performed by a security Analyst. Automated enrichment allows the Analyst to make informed decisions based on events within the environment. Security automation can either execute automated responses or provide recommended responses to the Analyst, leaving the humans to do what they do best discern and decide the increasing move to cybersecurity. Automation requires the workforce to adapt from what we call a human in the loop process to more human on the loop processes and oversight.
Automation's never going to fully replace human judgment. However, the effectiveness, the efficiencies realized through automation will permit cybersecurity professionals to focus on more advanced threats and attacks that do require our intervention and our decision making, sharing threat intelligence can help organizations respond to and prevent malicious attacks with quick decisive action based on informed decisions and situational awareness sharing between organizations acts as a countermeasure against sophisticated actors decreasing the reusability of exploits. However, organizations do need to move beyond creating simply interoperable systems to share data and develop more methods to generate value from the shared information. The other side of that equation, when we talk about slowing the slowing, the attacker and boy seminal presentation on our combat, he suggested that to win it is necessary to get inside the adversary Zulu interrupting the adversary loop can cause confusion and disorder for the opponent changing the situation faster than they can comprehend.
Deception based defense is providing advantage to defenders by affecting the attackers observation and orientation, deceiving humans and manipulating the data streams can compromise the opponent's decision, making ability using deception that disrupts the attacker orientation will compromise the attacker's subsequent decision and actions. Defensive deceptions can help consume the attackers resources and by slowing the attacker, the defender can gain more time to further orient decide and act by inserting oneself into the opponent's Ulu. But combatant can discover the strengths, weaknesses, tactics, and intent of the adversary, thereby improving the defender's situational awareness and decision making. Of course, deploying and maintaining deception requires expertise and ongoing maintenance. We have to ensure that deception remains relevant for deception operation to be effective and must present and maintain a plausible story to the attacker. The deception must also be realistic enough that it lures the attacker in it and continues to deceive the attacker.
Let's skip past a couple of these here and look at my research. So looking at my research, it, I saw it to uncover strategies to improve security automation and adapted defenses. And in the research, my focus was within the financial sector. However, the lessons learned from this research can be implied, can be applied to increased security posture of individual institutions and other sectors as well. The result of this re study also, I hope will assist cybersecurity leaders to help justify future investments in security automation and adaptive cyber defenses. So where I'll go, we had like five emergent themes, which I'll go through in order as we go through this. So back to the question about why, so if, if not to save money, why have these organizations invested in security automation say, as we go through, you'll also see some of the quotes on the slides from the participants in my research.
Well, there are many benefits that organizations have derived from security automation and probably the most frequently mentioned benefits were time savings and efficiency gains for this security Analyst. But perhaps the most important interrelated benefits are the increased visibility in decreased time to detect and respond security automation provided increased visibility into events by increasing the volume of events that could be processed. Quite frankly, before automation Analyst did not have time to review all the events organizations now can leverage automation to respond to many routine events, perform the enrichment of events, requiring human intervention and filter out non-relevant events. Giving us visibility into far more. This leads to the ability to free security analysts for more advanced work, such as threat hunting and improving automation. So instead of cutting costs, the, the efficiency gains allow organizations to redeploy their security Analyst to hunt for more advanced threats, respond to events, not seen before automation and improve the overall security posture of the company possible. Let's recall. There is a, there's a significant shortage of cybersecurity professionals. So automation allows us to redeploy those scarce resources to further enhance our security. Another important benefit that we uncovered was the consistent consistency of processes when responding to alerts playbooks ensured that the Analyst followed a standard process consistently also standardized playbooks can, can be used to train new Analyst.
Next, we look at what the use cases. So there are many use cases that financial companies have applied security automation, including event enrichment intelligence, processing detection, and prevention of incidents in automated response. The most frequently cited use cases were for event enrichment and correlation. The concept behind the enrichment use case is to perform the repetitive lookups and provide the Analyst with all the related data or situational awareness. So the Analyst can make an informed decision. Automation searches the internal sources, such as security, instant event management, security tools, and other internal data sources to provide data related to the prevalence within the environment and details on the users and the hosts automation also then goes out and collects external data such as reputation scores and contextual information concerning the threat or the threat actor. Another very closely related use case to the, to the enrichment is the ingestion and processing of indicators of compromise or IOCs from intelligence feeds the volume of the IOCs of course, in and dating a financial institution requires automation to filter out those that, that, that don't apply automated responses, use cases that we saw included implementing blocks, quarantining hosts, or users and malware remediation.
Automation applies blocks at firewalls intrusion prevention systems with filtering solutions and host based security solutions or any combination of those before applying an important thing to note though, before applying an automated block automation, actually we use it to go out and check the internal sources to determine any possible impact on operations. If there's a high risk of impact, then we can send that to a human to make that decision with that call security automation can also assist with detection and prevention use cases. Financial institutions are currently applying automation to combating campaigns, detect and prevent leakage of sensitive data, a real important topic in this industry and to detect an alert on insider threats.
So how do we ensure success with our automation before you begin, you have to understand what resources are necessary. Having a team focused on security automation is going to greatly enhance the chances of success. The main roles you need to consider are leadership, which is going to set the directions and priorities and align those both with insecurity and with external teams, we're also gonna need automation engineering. This is typically someone who's going to develop, maintain, and test your playbooks, analyze the processes and defines requirements for any custom development. That's gonna be needed. Security operations Analyst, they're the subject matter experts. So they're going provide that expertise as required and then developers, their custom development is going to be needed most of the time, whether you do that internally or outsource it to a statement of work, by the way, most of the automation platforms are based on Python.
So that, and that's where most of your development will go in. If you're one of the off the shelf platforms, once you have the team successful implementation requires careful planning, probably the most. Well, definitely the most important factor in success is building that support and trust throughout the organizations. Companies should first focus on use cases entirely under the purview of the security team. That approach will allow the security team to develop that trust and confidence internally before attempting to automate use cases, to take actions outside of security, expect to face significant barriers when implementing automation reaches into other parts of the organization, take time to develop that trust with those other organizations, such as it legal human resources by looking for mutual mutually beneficial use cases and gaining or support. Also when implementing automation outside of security proceed with great care automation mistake that impacts another team could quickly derail a security automation implementation.
Of course, another important consideration is pursuing quick lens show, some benefit to, to increase that momentum. And then that's why I want so, so that was all about speeding. And we also wanted to look then about disrupting the attacker. Interestingly, we found minimal use of deception and automated response among the participants. However, they were all very interested in, in pursuing these further, although they hadn't, hadn't implemented them fully. The research did uncover several promising use cases, including just detection of insider threats, collection of IOCs and acting as an early warning system. There was a lot of concerns with legal concerns and also concerns with inviting the attackers in that that these companies are grappling with first, when it came to automated responses, unfortunately, currently only rudimentary automated blocking and quarantining was being used. There is a desire to move to more automated response methods. The main reluctance of course, to automating responses is a concern of causing business impact.
Therefore, we have to consider how to counter or undo any incorrect actions taken by automation before we implement the automation since the financial sector realizes definitely realizes importance of intelligence sharing. So it was no surprise that, that these companies were all actively involved in sharing intelligence with peers, peer to peer agreements and industry organizations. However, there's there, there were some concerns with sharing, which basically fell into two categories, either the concern with intelligence feed or, or reluctance to share the intelligence, the main concerns with the feeds related to the quality relevance and recency of the data where automation could actually help with each of those automation can filter out IOCs that are not relevant. It can speed the dissemination of IOCs and it can also, you can implement one thing that I've looked at doing and have done a little bit of work on is using automation to help score intelligence feeds and apply confidence rates. The reluctance to share a lot. Some of it is because it's a highly regulated regulated industry and companies are reluctant to share data with the government or governments regulating them, right? And maybe a little bit of reluctance to do more wide share wide scale sharing with, with competitors. But there seems to be a lot of peer tope and organizational sharing going on.
So in conclusion, when we look at, there are many use cases for security automation, for which not financial organizations are driving significant benefits. Each use case does align with the need to increase our speed of detection, response and security automation can help address the concerns about scarcity of cybersecurity professionals. Successful implementation of our orchestration does require careful planning. This is not a side gig. You have to build the team and the pipeline in order to succeed, focus on quick wins and begin within pro with processes within the security team's control and the most important factor, build support, and trust through the organization and do that by demonstrating success.
So what we really do need to help a little further on the improving the intelligence sharing to move beyond just sharing simple indicators. A lot, most of the sharing was that's what it was about. It wasn't about using automation to harvest new, new Intel and sharing that out. So, so we, we have quite a lot of work to do on improving that intelligence sharing so it can act like an immune system. And then the, the last though, though, there there's a significant interest and automated deception and response. There's a lot of work to be done there. Most of our automated responses are at rudimentary. There is strong interest in, in moving that further. And my belief is that as we gain more experience, as we develop trust in these solutions, companies are going to increasingly leverage automated response and automated deception to improve their cybersecurity posture. I wanna thank you all that. That was all I had. I, I included a couple other slides that have, you can take a look at that are just some sample playbook workflows really simplified for you to look at, but I wanna thank you all for, for attending.
Thank you very much, Tony.
Yeah.
