订阅内容

Ansible-Blog_Security-Automation

 

In 2019, CISOs struggle more than ever to contain and counter cyberattacks despite an apparently flourishing IT security market and hundreds of millions of dollars in venture capital fueling yearly waves of new startups. Why?

If you review the IT security landscape today, you’ll find it crowded with startups and mainstream vendors offering solutions against cybersecurity threats that have fundamentally remained unchanged for the last two decades. Yes, a small minority of those solutions focus on protecting new infrastructures and platforms (like container-based ones) and new application architecture (like serverless computing), but for the most part, the threats and attack methods against these targets have remained largely the same as in the past.

This crowded market, propelled by increasing venture capital investments, is challenging to assess, and can make it difficult for a CISO to identify and select the best possible solution to protect an enterprise IT environment. On top of this, none of the solutions on the market solve all security problems, and so the average security portfolio of a large end user organization can often comprise of dozens of products, sometimes up to 50 different vendors and overlap in multiple areas.

Despite the choices, and more than three decades of experience to refine how security solutions should address cyberattacks, various research studies and surveys describe a highly inefficient security landscape. VentureBeat, for example, reported that, “the average security team typically examines less than 5% of the alerts flowing into them every day.” In another example, Cisco reported that of all legitimate alerts generated by security solutions, only 51% of them are remediated. As a final example, The Ponemon Institute reported that 57% of interviewed organizations said the time to resolve an incident has increased, while 65% of them reported that the severity of attacks has increased.

 

So why do we struggle to counter cyberattacks?

A full analysis of the state of the security industry goes beyond the purpose of this blog post, and we certainly believe that there's concurrence of causes, but we also believe that one of the main factors impacting CISOs capability to defend their IT infrastructures is the lack of integration between the plethora of security solutions available in the market.

The products that CISOs buy and implement as part of their security arsenals are almost never working in an orchestrated way because, by design, they don’t talk to each other. Occasionally, 2-3 products could share data if they are delivered by the same security vendor or if, temporarily, there’s a technology collaboration between the manufacturers. However, for the most part, the IT security solutions out there are completely disjointed from each other. Which is, to use an analogy, like saying that we invested in multiple security solutions to protect a commercial building, such as a CCTV system, security guards, and patrol dogs. But, the security guards don’t look at the CCTV cameras and the patrol dogs are kept locked in the basement. 

 

How can we fix this industry-wide lack of integration?

In an ideal world, the whole security industry would embrace an open standard (there have been many proposals on the table for years) and each security solution out there would embrace that standard allowing any software or hardware solution to orchestrate the CISO arsenal in a harmonious assessment or remediation plan. Unfortunately, it seems we are still far from that day. 

Until then, the idea is to leverage IT automation as a connecting tissue between security solutions across various industry categories, from enterprise firewalls to intrusion detection systems (IDS) to security information and management (SIEM) solutions, and many others. If security products across these categories can be individually automated through a common automation language, then the latter can be used as the “lingua franca” to express an orchestrated remediation plan. 

To succeed, we believe that this plan requires an automation language that has three fundamental characteristics:

  • It is already widespread and highly adopted across the IT industry, to minimize the implementation friction
  • It is not in control of any security player, to maintain an unbiased approach to solving the problem
  • It can be easily extended by any industry constituency, to integrate and support a long tail of security solutions out there

The industry can already count on a similar automation language: Ansible. As an open source automation platform and language, Ansible already integrates with a wide range of security solutions (and network solutions, and infrastructure solutions, and much more) and is driven forward by a global community of thousands. Ansible, in fact, is the 7th most contributed open source project worldwide on GitHub according to the 2018 Octoverse report.

At Red Hat, we believe that Ansible could become a de facto standard in integrating and automating the security ecosystem and we stand by this belief by committing commercial support for a number of enterprise security solutions widely used by CISOs around the world. 

 

What can we do when multiple security solutions are integrated through automation?

Security analysts around the world understand how difficult it is to conduct an investigation about an application’s suspicious behaviour. Security operators know how difficult it is to stop an ongoing attack before it’s too late or how to remediate the mayhem caused by a successful one. 

When every solution in a security portfolio is automated through the same language, both analysts and operators can perform a series of actions across various products in a fraction of the time, maximizing the overall efficiency of the security team.

For example, a security analyst that must evaluate suspicious behaviour from a production server, might need to increase the verbosity of the logs across all deployed firewalls and/or enable a rule on the deployed IDS to better understand who’s doing what and why. This seemingly trivial activity often involves the collaboration of multiple security professionals across the organization and can be slowed down by a series of support tickets/emails/phone calls to explain and justify what to do and how.

A pre-existing, pre-verified, pre-approved automation workflow (an Ansible Playbook in our case), that security analysts could launch anytime they are conducting an investigation, could significantly reduce that inefficiency.

This is just one of the use cases that we’ll support. At the launch of Ansible security automation, with the upcoming release of Ansible Automation, we’ll deliver the integration with enterprise security solutions across multiple product categories:

Enterprise Firewalls
  • Check Point Next Generation Firewall
  • Fortinet Next Generation Firewall
  • Cisco Firepower Threat Defense
Intrusion Detection & Prevention Systems
  • Check Point Intrusion Prevention System
  • Fortinet Intrusion Prevention System
  • Snort
Privileged Access Management
  • CyberArk Privileged Access Security
Security Information & Events Management
  • IBM QRadar SIEM
  • Splunk Enterprise Security

Over time, we plan to extend support to more security categories and more products across those categories. In fact, security vendors are welcome to reach out to us and explore how we can cooperate to increase the efficiency of security solutions out there. 

If you are interested in the details of how Ansible security automation works, we have an entire security track at AnsibleFest Atlanta 2019 from Sept 24-26, 2019. Let’s meet there: https://www.ansible.com/ansiblefest

 


关于作者

Alessandro Perilli is the GM, Management Strategy at Red Hat.

Perilli helps to chart the long-term strategy in the Red Hat management business unit, including company efforts in cloud management, IT automation, and self-healing IT. He also develops the vision behind new management initiatives in multiple areas like cybersecurity and artificial intelligence. He has led the creation of Ansible Security Automation.

Perilli is a member of the European AI Alliance and has co-authored the first Cloud Computing Risk Assessment for the European Network and Information Security Agency (ENISA). He is a former Gartner analyst, where he led the research for private cloud and cloud management in the early years of cloud computing. He was also a pioneer of the virtualization industry as an advisor for Fortune Global 2000 companies.

Perilli started his career in 1999, publishing a book about cybersecurity for Arnoldo Mondadori Editore and creating one of the first ethical hacking classes in the world.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

按频道浏览

automation icon

自动化

有关技术、团队和环境 IT 自动化的最新信息

AI icon

人工智能

平台更新使客户可以在任何地方运行人工智能工作负载

open hybrid cloud icon

开放混合云

了解我们如何利用混合云构建更灵活的未来

security icon

安全防护

有关我们如何跨环境和技术减少风险的最新信息

edge icon

边缘计算

简化边缘运维的平台更新

Infrastructure icon

基础架构

全球领先企业 Linux 平台的最新动态

application development icon

应用领域

我们针对最严峻的应用挑战的解决方案

Original series icon

原创节目

关于企业技术领域的创客和领导者们有趣的故事