EXCLUSIVE: Automation – Cyber Friend, or Cyber Fiend?

Automation can mean different things to different people depending on their industry. In a manufacturing context, automation can refer to integrating machines or robots doing the basic assembly of the final product. Talk to someone in business, and they will probably think about automating business processes using Enterprise Resource Planning (ERP) software.

However, there is a common thread across all functions and industries. Automation offers more consistency and efficiency, but a lot of people are anxious about automation replacing their jobs. Although automation seems like a significant improvement to traditional methods, there’s frequently unease and even resistance to changing the way things have been done for so long. Another concern is the apparent speed and pervasiveness of automation – it’s being introduced in new fields and in new ways on a seemingly daily basis.

Cybersecurity is a function that is receiving a lot of attention from automation. While there’s almost always some hesitance and uncertainty with the introduction of a new way of doing things, automation offers benefits that just can’t be ignored. As the concerns over hacking and cyber attacks increase, automation is a potential solution for security concerns.

Organizations in both the government and commercial spaces can benefit from automation, but they first need to understand what automation means in terms of cybersecurity. According to the Department of Homeland Security, automated cybersecurity is the use of computers, applications and toolsets, “working together in near-real-time to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover a trusted state.”

To greatly simplify, it’s employing computers to quickly do all the work humans have traditionally done. The advantage of automation is that power is spread among participants, enabling management and collaboration by combining the innate and interoperable capabilities of disparate devices with trusted information exchanges and shared configurable policies.

Such automation can occur using various tools and techniques, but the primary method is scripting – writing code that can execute a task with as little as a single click of the mouse or a few keystrokes on a command line. It’s fast, simple, repeatable, and so long as the script is written without errors, the results are flawless and reliable.

With that understanding in mind, here are five reasons government agencies as well as commercial organizations should welcome automation:

Automation eliminates errors and produces consistent results

When you consider all the costs required to staff a cybersecurity position (salary, benefits, training, etc.), it’s clear some cybersecurity activities should be conducted by automated scripts or software in order to save costs. Not only can scripts save money, but they provide consistent, error-free results. Scripts provide reliable, fast and inexpensive results, while humans just can’t promise the same. Also, humans can be easily distracted or grow bored, and they aren’t always great at reviewing the same streams of data, seeking out small inconsistencies. This activity is perfectly suited for automation.

That doesn’t mean people aren’t needed anymore. As the creators of the scripts and the implementers of automation, humans are a necessary element in the equation. However, rather than spending valuable manpower on manual processes, people should be used to oversee the proper development of the scripts and to monitor the input and output of the scripts to ensure they are producing the business value needed. Look for the exceptions and act on them – that’s what the humans should be doing.

A large expense for organizations is the cost of direct labor, which is usually driven by the amount of work that needs to be done – more work means more hours, which means more people and greater expenses for the organization. The same is true when it comes to protecting your organization from vulnerabilities, malvertising, ransomware and other cyber threats. Thousands of new threats are released every day, and the more your organization grows, the more entry points there are into your network. Without automation, your team of cyber analysts will likely need to grow with the size and complexity of your organization, driving labor costs ever-upward. However, with automation, organizations can identify threats regardless of the volume of threats or size of the organization’s network. By shifting to automation, organizations can adjust their budget and employ a smaller number of skilled cyber experts as opposed to an entire fleet of analysts.

Automation evaluates and measures risk uniformly

One of the things cyber analysts do is identify vulnerabilities and calculate the risk associated with each. The challenge is each analyst is different and has learned how to do their job based on previous experiences – with other analysts, other organizations and other threats. What this means is each analyst may very well find different vulnerabilities and calculate the risk differently. Even with the best documentation and standard operating procedures, very rarely will you find that humans arrive at the same result through the exact same method. It’s like asking a group of kindergartners to draw a picture of a tree – some of the trees might be big, others small; some might be brown, others green. You’ll get the same result – a tree – but how much time and effort were exerted to get the tree, and is it the one you wanted? With automation, you’d get the same tree every time – quickly, cheaply and accurately. Unlike a team of analysts who may become bored or distracted, a single script can scan an entire network free from distraction, fatigue or bias.

Automation provides a holistic view

Often, due to the size of networks and the volume of threats, analysts opt for a divide-and-conquer approach to identifying vulnerabilities. While one analyst might be in charge of scanning all web-based applications, another may be responsible for servers. And, sometimes, the analyst who discovers the vulnerability might not be the analyst who calculates the risk associated with it. To further complicate things, analysts frequently operate independently, meaning the results of a scan by one analyst on one part of the network may remain completely isolated from everyone else on the team. That can be improved through status meetings and communication across the team, but with such a big network and so many threats out there, who has time to document and communicate the threats? When people get busy, communication and collaboration are often first to be dismissed and forgotten.

In short, not only do many analysts operate in silos, but there are a plethora of possible paths that can be used by analysts to calculate risk – and each path may influence the ultimate risk score differently than another, ultimately educating and influencing decision makers on the best course of action for any given threat.

Automation is based on reliable and repeatable code that doesn’t make decisions based on experience or assumption. Instead, automation allows experts to make timely and informed decisions based on soundly-processed data – pure data that has been gathered without undue influence or delay.

Furthermore, all of the data can be further processed and displayed in automated reports, providing leadership and decision makers with near-real-time data across the entire network, not just segmented data on servers or web-applications alone, giving a holistic view of threats and risk to the organization.

Automation encourages improvement

For years, many organizations have succumbed to a reactionary operational state. With the growth of the organization and in turn the increase in the number of employees and the size and complexity of the network, many organizations have fallen behind when it comes to proactively scanning their network, measuring and recording the data and making changes for improvement and preparing for the future. Imagine if you could anticipate when new threats were likely to be introduced, where on your network they might have an impact, and use baseline data and trends to proactively prepare for future cyber attacks.

All of that is entirely possible with automation. By automating your processes and the overall means by which you assign risk to threats, organizations can then establish a baseline threat level and measure against that baseline on a regular and recurring basis. This can inform leadership of trends and help them prepare for the future, while also giving them the opportunity to learn from their past, all based on reliable data and repeatable processes through automation.
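The uniform scoring, combined view and baseline comparison described in the sections above, sketched as an added example (not from the article or any named tool). The scoring formula, field names, criticality weights and sample findings are assumptions constructed for illustration.

```python
# Constructed sample findings, as two separate analysts' scans might report them.
# Field names and values are illustrative, not output from any real scanner.
WEB_SCAN = [
    {"asset": "portal", "issue": "outdated-tls", "severity": 5.0},
    {"asset": "portal", "issue": "sql-injection", "severity": 9.0},
]
SERVER_SCAN = [
    {"asset": "db01", "issue": "missing-patch", "severity": 7.0},
    {"asset": "portal", "issue": "outdated-tls", "severity": 5.0},  # duplicate
]
# Assumed asset criticality weights (1 = low, 3 = mission critical).
CRITICALITY = {"portal": 2, "db01": 3}


def risk_score(finding, criticality=CRITICALITY):
    """One formula for every finding: severity (0-10) x asset criticality."""
    if not 0.0 <= finding["severity"] <= 10.0:
        raise ValueError(f"severity out of range: {finding}")
    # Unknown assets get the highest weight so they are never under-scored.
    weight = criticality.get(finding["asset"], 3)
    return finding["severity"] * weight


def merged_view(*scans):
    """Combine siloed scans into one de-duplicated, scored, ranked list."""
    seen = {}
    for scan in scans:
        for f in scan:
            key = (f["asset"], f["issue"])
            # The same finding reported by two scans is counted once.
            seen[key] = max(risk_score(f), seen.get(key, 0.0))
    return sorted(seen.items(), key=lambda kv: (-kv[1], kv[0]))


def baseline_delta(current, baseline):
    """Findings that are new, or scored higher than in the stored baseline."""
    base = dict(baseline)
    return [(k, s) for k, s in current if s > base.get(k, 0.0)]


if __name__ == "__main__":
    view = merged_view(WEB_SCAN, SERVER_SCAN)
    for (asset, issue), score in view:
        print(f"{score:5.1f}  {asset}  {issue}")
```

Because the ranking depends only on the data and the one formula, the result is identical no matter which scan is processed first or who runs it.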

NIST encourages cyber automation

The National Institute of Standards and Technology (NIST) promotes the US economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. NIST has statutory responsibilities under the Federal Information Security Management Act (FISMA) to develop information security standards and guidelines and is also responsible for developing the Risk Management Framework (RMF) that many organizations use today. According to NIST Special Publication 800-37 Rev. 1, automation:

  • Facilitates a greater frequency and volume of security assessments that is consistent with the monitoring strategy established by the organization
  • Can facilitate near-real-time risk management with ongoing monitoring of security controls and changes to the information system and its environment of operation
  • Makes it possible to monitor a greater number of security controls on an ongoing basis than is feasible using manual processes
  • Can provide senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions
  • Supports the concept of continuous monitoring and near real-time risk management

Because so much of cybersecurity revolves around scanning, monitoring and managing risk – all traditionally manual activities – the automation of those activities could have a pervasively positive impact across the cyber practice.

Analysis

Automation makes a lot of people anxious, mostly because they fear it will reduce their relevance in the workplace. Who wouldn’t be worried about a computer doing their job better than they can? Instead of dwelling on the possibility of being replaced by a computer or an automated process or script, people should start thinking about the future of their role. If, eventually, jobs that are primarily centered on hand-jamming data are going to be replaced by automated scripts, what are the future tasks that those people should do that automation can’t?

Those who best understand the processes should consider developing the code and scripts to create the automated processes. Those who best understand threats and how risks are calculated for each one should consider developing ways for automation to capture more threats or better calculate or even predict risks. Those who best understand what risk means for their organization should start thinking about how they are going to explain that risk to leadership. Instead of worrying about all the things a computer can do that they can’t, they should focus on the things they can do that a computer cannot.

Automation is spreading, and it’s changing the way many organizations conduct business and keep their networks and data secure. To be successful, we need to make sure we are evolving with it. Automation allows computers to do what they do best – compute and process – and it also allows humans to do what they do best (and what computers can’t) – apply critical thinking to solve a problem. Ultimately, the roles and jobs of those in the cyber field may change, but the systems and networks will be more secure, and people will find their work more engaging and rewarding.

Colby Proffitt is a Senior Business Process Analyst for NetCentrics Corporation, a provider of cybersecurity and IT Services for the federal government. Colby has helped various federal agencies such as the Department of State and Department of Defense mature some of their most critical business processes. From improving the onboarding process to implementing IT service desk best practices, Colby has helped the government capitalize on their process efficiencies.

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
