Many great people have been quoted over the years in saying that lazy people are the best choice when assigning difficult tasks because they will find the easiest way to accomplish it.
A nicer way to put it might be “efficient”. Since the beginning of my IT career, I’ve been automating away repetitive tasks as part of my daily work. Not because it was part of my job description, but because inefficient behavior always bothered me. I don’t profess to be the best typist, but I make up for it with reduced keystrokes through shortcuts. If an administrative task needed to be done, there’s a good chance that I scripted it out so I (and others) could do it again. Even as I’ve moved into executive leadership, I’ve continued to automate. You should see some of my spreadsheets…
When I first transitioned into roles which required more of a focus on cybersecurity, I lamented the existence of so many repetitive tasks in those duties. Since my first exposure to that world, there are so many more great toolsets in existence and opportunities to automate processes. However, it seems that many organizations are slow to adopt the cultural and technological changes necessary to reap the benefits of an automated approach.
Darren Death notes in Forbes that “it is imperative that cybersecurity teams become smarter when it comes to code and development practices. In the future, the cybersecurity program may become a developer shop where automation capabilities will be created and advanced using multiple automation techniques.” The article is one of my favorites of 2019 because it echoes many of my own long-held beliefs about the role of automation and other development activities in cybersecurity.
Cybersecurity teams need to get better at development and operations, including automation. Development and operations teams are already getting good at working together and automating processes, but it’s often at the expense of security. It’s imperative that all teams are integrated together throughout system and application lifecycles in order to provide the best value for the organization.
This Is The Way
Without further ado here are my “5 ways”, conveniently listed with numbers assigned for those of you skipping down to find the answers you seek.
1. Application Code Pipelines
Most DevOps teams are familiar with code quality and testing framework integration in their application pipelines. In addition to those mechanisms which focus on the quality and usability of the software, dynamic and static code analysis focusing on security outcomes can be integrated as well.
Dynamic code analysis runs against a working, “live” copy of the application and has the ability to find security issues caused by the code’s interaction with other system components like databases, application servers or Web services. Dynamic code analysis, presented with a wide range of inputs and security tests, will generally pick up about 85% of the flaws present in the code.
Through combination with static code analysis tools, a more comprehensive view of potential vulnerabilities can be assessed. One such type of analysis tool that many organizations don’t focus on is vulnerabilities in open source packages and libraries included in internal software projects. Considering today’s typical application will include 60%-80% open source code, it’s very important that organizations don’t neglect open source security management and deploy a dedicated solution that will track and alert users about open source risks throughout the DevSecOps pipeline.
2. Infrastructure as Code
Infrastructure as Code (IaC) is the management of infrastructure (networks, virtual machines, load balancers, and connection topology) in a descriptive model, using the same versioning that DevOps teams use for source code. Like the principle that the same source code generates the same binary, an IaC model generates the same environment every time it is applied.
IaC has been a great boon to operations teams, especially with the advent and popularization of cloud technologies. Infrastructure as Code evolved to solve the problem of environment drift in the release pipeline. Without IaC, teams must maintain the settings of individual deployment environments. Over time, each environment becomes a snowflake, that is, a unique configuration that cannot be reproduced automatically. Inconsistency among environments leads to issues during deployments.
Now imagine if code review for IaC was performed by both cybersecurity and operations personnel. Cybersecurity personnel with knowledge of the system topologies could catch potentially insecure infrastructure deployments before they’re even deployed, instead of finding out about an insecure configuration after the next scan (and review of that scan). There are even some automated platforms which claim to be able to detect such configurations without manual review.
3. Vulnerability Management
Vulnerability management is the “cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating” software vulnerabilities. Basically, your environment is running operating systems and external applications which need to be kept up-to-date with the latest patches.
This requires a system which can keep an accurate asset inventory and then has the ability to scan those systems for package version to compare against a vulnerability database and report its findings. The best tools in this category also have the ability to remediate the vulnerabilities from within the same application.
A lot of organizations I work with have a vulnerability management system of some variety, but the real magic comes with the automated onboarding of new assets to the platform and the ability to have a single-click remediation of the vulnerability list. Cybersecurity teams need an up-todate inventory in order to prevent compromise from a neglected and unpatched system with the organization. Likewise, the last thing that operations folks want to be running down is patches off of a PDF or spreadsheet report from the cybersecurity team. Tool choice is key here.
4. Compliance Framework Drift
A compliance framework is a structured set of guidelines that details an organization’s processes for maintaining accordance with established regulations, specifications or legislation. You’re evaluating systems against a compliance framework, aren’t you? Whether it’s CIS, NIST 800-53, DISA STIG, or other, compliance frameworks give your organization the best starting point for system security in order to prevent compromise.
The problem with adherence to compliance frameworks in organizations which implement them is that they often make application functionality difficult. Some classic “gotchas” in compliance framework implementation are temporary partitions preventing legitimate app execution and also anything involving SELinux. If operations teams are just handed “gold” images from cybersecurity, they’re likely to disable or circumvent many of the security controls which are meant to keep systems safe. So, how do we know that we’re no longer in compliance?
If you’re implementing a compliance framework, you must implement a mechanism to constantly check for drift against the controls. This is an often overlooked step, but is required in order to really be sure that the security controls put in place during the initial system deployment remain for the entire lifetime of the system. The best software packages to fill this need are integrated with Vulnerability Management capabilities, as a good asset inventory is integral to both.
5. Cybersecurity Event Mitigation
Even if you’ve done everything right, it’s very difficult to completely prevent security breaches and malware. Now the question becomes “How fast can you react to an event?”
SOAR (Security Orchestration, Automation and Response) toolsets are a solution stack of compatible software programs that allow an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance.
In the context of network automation and response, imagine a threat is detected by an agent on a system in your data center. The agent can send an alert to a system which can not only provide visualization of the event to cybersecurity personnel, but also trigger an action as well. Maybe we disable the switch port servicing that system in order to prevent the spread of malware. With the right set of tools, the sky is the limit.
So, what happens if you don’t automate?
- Automation amplifies the efforts of your existing workforce. In the US, unemployment is extremely low in most parts of the country right now and there is a drastic shortage of qualified cybersecurity candidates. Unless good people start falling out of the sky, you’re going to need to automate just to keep up.
- Reduced manual intervention prevents employee burnout. If done correctly, automation will make the constant frantic pace of work and pervasive task-switching a thing of the past.
- Increasing automated tasks frees staff to work on more important initiatives which might be currently neglected. Everyone wants to work on something worthwhile and important. Let’s make it happen.
Notice how these all focus on quality of life for your employees? That’s because employees are the ones that ultimately bring the most value to your business, no matter what that business is. The most valuable automation is the automation that enables your employees to do their most optimal work. Focus on that, and you’ll go far.
It’s A Creed
How do we get started?
- Change culture first. If you’re like most organizations, there are some barriers built up between teams. Break ‘em down.
- Integrate personnel with development and operations backgrounds into your cybersecurity team. It’s extremely valuable to have people on your cybersecurity team who can read code and speak to operational impact.
- Partner cybersecurity with organizational development and operations teams. You need to be involved in every facet of the business. The days of intermittently scanning environments and code are over.
- Start automating. There are a lot of solutions out there and a lot of opportunities to automate within your organization. Start small and show value.
I know this is a lot, and it seems even more daunting when faced with the typical day-to-day activities you’re already dealing with. Hang in there, just keep swimming, and it’ll pay huge dividends down the road.
Nicholas Hughes helps businesses integrate cybersecurity automation into their IT lifecycle processes in order to amplify the efforts of the existing workforce, prevent employee burnout, and free them to do the more important tasks that might be currently neglected. As part of his daily duties as a founding partner and CEO of EITR Technologies LLC., he’s responsible for all of those super awesome elements of the CEO job that you read about as a kid, like setting the strategic direction of the company and modeling corporate values. Additionally, Nick stills performs technical consulting work with specializations in Automation & Orchestration, Cloud Infrastructure, Cloud Security, and Systems Architecture. He has over 15 years of experience in a wide breadth of roles within Information Technology, which is invaluable to clients seeking comprehensive technical solutions to business problems. Nick highly values pragmatism, logical thinking, and integrity in both his business and personal life… which is a decidedly boring set of core values that reap great results when applied to the task at hand. He also has a wonderful wife and two boys who keep him on his toes.