Security automation planning: Tips from three experts
Enabling business process change is a core aspect of enterprise architecture. Automation is a great way to improve operational efficiency by streamlining human routines with technology. Security automation takes a proactive approach: it detects threats like phishing, malware, and endpoint vulnerabilities immediately, rather than leaving detection as an afterthought that only happens during audits.
Cyber threats aren't exclusive to external actors. The entire concept of zero trust architecture is built on the premise that all users, inside and outside the network, must be authenticated, authorized, and continuously verified before being granted access to assets or files.
Here are a few use cases from architects and engineers to inspire you to begin integrating security automation in your organization.
4 tips for getting started with security automation
Muhammad Aizuddin Zali, Associate Principal Consultant, Red Hat
Security automation means continuous enhancement and learning loops to keep your ever-evolving security posture relevant. While working on multiple projects that involve security automation, my team and I found there are many technical and process challenges to be aware of before starting.
- Lack of standardization adds complexity when integrating security into current automation practices. Some system configurations do not follow standard security profiles like those from the Center for Internet Security (CIS) and use a mix of configuration profiles.
- Some policies will introduce false positives. This can create a massive bottleneck for the organization to validate and may require policy exceptions (permission to bypass certain restrictions). Policy exceptions could increase day-2 complexity, making you even more vulnerable to automation errors. For example, one wrong change can cripple the system.
- Security automation requires many different tools. No single tool will help you achieve all your automation goals. Security automation requires some degree of integration between tools. Typically it's best to integrate with existing tooling. A tool's compatibility with the system will dictate whether the integration is possible.
- People and processes take precedence. It's important to remember that automation is not a replacement for humans and processes. There is much speculation that automation is replacing people. While working with engineers on specific projects, we noticed this sentiment and were met with much pushback and resistance to incorporating automation. But more proactive security initiatives can reduce administrator workload and automate incident detection and remediation. However, many processes still do not have security built into them, causing a cascading effect of issues, sometimes org-wide.
Security automation requires proper planning. It must start with people and processes, which requires a cultural shift in how teams think. Along with that, the policy, tooling, and engineering must use standardization to reduce risk and failure. Always remember to incorporate safeguards from the beginning, not when it is too late.
Ansible: A security automation use case
Troy Ellis, Senior Specialist Solution Architect, Red Hat
Security automation, at the core of Red Hat Ansible Automation Platform, is the platform's ability to orchestrate efficient, consistent, and repeatable operations so that security teams can automate their processes and tools. Within the security use case for Ansible, it's imperative to keep in mind Ansible's role in automating processes focused on identifying, investigating, and remediating incidents. However, Ansible should also play a significant role in automating preventative security measures.
The conversations I've had with partners and customers around security automation mainly focus on how Ansible can be utilized in specific security scenarios.
A partner recently inquired how Ansible could be used in remediating a ransomware event. At a high level, a ransomware attack involves a system being infected by malware. In this example, the filesystem is encrypted, the data on the system is no longer accessible, and a ransom demand to decrypt the filesystem is issued. Ansible can automate the following remediation steps to restore the system:
- Quarantine the machine.
- Create a backup of the encrypted filesystem to be transferred to removable media for possible recovery at a later date.
- Wipe and restore the system from a known good system backup or snapshot.
- Scan the restored system for malware, viruses, and vulnerabilities.
- Restore the system to a full operational state.
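The five steps above expressed as an Ansible playbook. This is an added example, not code from the article or from Red Hat; it assumes an inventory group named quarantine, the controller's address in a variable controller_ip (a constructed value), data under /srv and /home, clamscan installed on the host, and a site-specific restore role referenced by a placeholder name.

```yaml
- name: Ransomware remediation for hosts in the quarantine group
  hosts: quarantine
  become: true
  vars: { controller_ip: 192.0.2.10 }   # constructed address; set per environment
  tasks:
    # Step 1: quarantine. Admit the controller first so the play can continue.
    - name: Keep the automation controller reachable
      ansible.builtin.iptables:
        chain: INPUT
        source: "{{ controller_ip }}"
        jump: ACCEPT
        action: insert
    - name: Allow replies back to the controller
      ansible.builtin.iptables:
        chain: OUTPUT
        destination: "{{ controller_ip }}"
        jump: ACCEPT
        action: insert
    - name: Drop all other traffic in and out of the host
      ansible.builtin.iptables:
        chain: "{{ item }}"
        policy: DROP
      loop: [INPUT, OUTPUT, FORWARD]
    # Step 2: preserve the encrypted data before the disk is wiped (/srv, /home assumed).
    - name: Archive the encrypted filesystem
      ansible.builtin.command:
        cmd: tar -czf /var/tmp/encrypted-data.tar.gz -C / srv home
    - name: Pull the archive to the controller for copying to removable media
      ansible.builtin.fetch:
        src: /var/tmp/encrypted-data.tar.gz
        dest: "/var/tmp/evidence/{{ inventory_hostname }}/"
        flat: true
    # Step 3: wipe and restore. Rebuilding a host is site specific; the role is a placeholder.
    - name: Wipe and restore from a known good backup or snapshot
      ansible.builtin.include_role:
        name: restore_from_known_good   # placeholder, not a real role
    - name: Wait for the rebuilt host to accept connections again
      ansible.builtin.wait_for_connection:
    # Step 4: scan before returning the host to service.
    - name: Scan the restored system for malware
      ansible.builtin.command:
        cmd: clamscan --recursive --infected /
      register: scan
      failed_when: scan.rc != 0   # clamscan exits 0 clean, 1 infected, 2 error
    # Step 5: return to full operation (a no-op on a freshly restored image).
    - name: Lift the quarantine
      ansible.builtin.iptables:
        chain: "{{ item }}"
        policy: ACCEPT
      loop: [INPUT, OUTPUT, FORWARD]
```

With the OUTPUT policy set to DROP, the host cannot reach anything but the controller during the archive step, which is the quarantine's intent; run the play from a controller whose address is covered by controller_ip.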
Ansible Automation Platform should be the center of automating preventative security measures such as vulnerability patching, compliance scanning, system hardening, system backups, deploying and managing endpoint protection systems, and managing security information and event management (SIEM) systems. Ultimately, Ansible can help security teams create a cohesive toolset that can be both proactive and reactive to any security event.
Let security and automation evolve with your processes
Josh Rickard, Senior Software Engineer, AppOmni
Whether you're implementing a security orchestration, automation, and response (SOAR) product, building a solution, or simply improving CI/CD processes, you must design knowing your product integrations will continually evolve. It's critical to remember to design processes that are separate from product-specific data definitions.
Additionally, as your internal security tools change due to upgrades and replacements, so will many security automation processes and reporting. Organizations must understand that neither automation nor vulnerability management will ever be complete.
Try to hire and retain employees who can take abstract business processes and convert them to code. Depending on the organization type, security automation may be able to help with other business processes, which further shows its value. Finally, do not assume you know a process. Communicate with operators and analysts to understand their perspectives. Grab some people, a room, a couple of days, and a whiteboard, then walk through mitigation processes and gain consensus together.
Automation is an essential strategy in today's IT ecosystem. Automation with a security perspective continues to grow in importance and practicality, and tools such as Ansible can help you proactively and reactively mitigate security incidents. These three experts' perspectives demonstrate useful ways of managing systems that provide lessons for any organization.