With every day seeming to bring news of fresh security breaches, protecting the enterprise seems like an impossible task. Already this year, to name just a few, we've seen 885 million records compromised by malicious actors at First American Financial Corp., 540 million records at Facebook, and more than 100 million records at Capital One.
There are simply too many actors and too many threats for any company to avoid compromise. Also, humans are inherently bad at security because we tend to think short term, fight fires, and devalue long-term risks. So it's not a matter of if you will be hit, but when—and what you do about it, assuming you even figure out that you were hit.
So what can your company do in the face of such overwhelming odds? There is no such thing as 100% security or a silver-bullet solution. But there are proactive things you can do to be better tomorrow than you are today.
It's all about knowing your risk tolerance, limiting exposure and attack vectors by automating as much as possible, and doing what you can to prevent human errors. For many organizations, this will require a significant shift in thinking about infrastructure, applications, the security operations center (SOC), and the IT culture itself.
Trying to do too much with too little
Many organizations think the biggest threats are external, but most breaches come from simple human error. It's not that people aren't doing their jobs; it's that the jobs are too big.
This is due in large part to the ways in which networks and infrastructures have expanded in size, scope, and complexity—on premises, in the cloud, on the edge—and with new models such as containers and serverless.
Then you have older, traditional systems running applications critical to specific departments or the entire business. A June 2019 National Security Agency advisory highlights the complexity of patching the myriad, disparate, and often older systems organizations have running today.
IT and security teams are trying to stay on top of new vulnerabilities and old ones in an environment where developers are working fast and furiously—and not always securely—to push out more applications, more services, more products, and more improvements to applications, services, and products.
There just aren't enough skilled people in the workplace, let alone hours in the day, for your staff to continue to patch and update all of those complex hybrid environments and processes manually—or, for that matter, to deal with or even be aware of every vulnerability out there.
Then there's the issue of which vulnerabilities your organization should take seriously and which ones are just hype.
Use automation for security and compliance
If all of this seems overwhelming, it's because it is. Trying to maintain a secure and compliant environment through manual operations is untenable. The use of automated tooling is not a silver bullet, but it's as close to one as organizations can get.
Look at what manual tasks are performed and how often, then design and implement an automation strategy using the most robust, flexible automation technologies available. Over time, the more you automate, the greater return on investment you'll achieve.
Areas ripe for automation include:
• Configuration management
• Package management (this includes patch management, OS hardening, system provisioning, integration with IT service management tools, and storage provisioning)
• Workflows, including services management
• Continuous security and monitoring, including vulnerability identification and management (health checks, etc.); proactive governance of security, control, and compliance policies; remediation (fix generation and automation); and application lifecycle management and CI/CD pipelines
Start small
That's quite a bit to automate, so take baby steps first. Automation is a huge technical and cultural shift. While your goal should be to automate as much as possible, trying to do too much too soon will only cause confusion and frustration.
Here are four things you can do to lay the groundwork for success, both immediately and over time.
Work iteratively, recognizing, measuring, and celebrating efforts along the way
Maybe you implement a CI system for an application using Jenkins or for the infrastructure using Ansible. That might take a few days on a single project. Then you might add a stage to your CI pipeline to do things such as static code analysis.
As you automate each step of your CI pipeline, automate the creation of compliance audit documentation for that step as well. You will become more efficient and knowledgeable with the successful implementation of each of these steps, paving the way to expand automation further and further.
Make sure everything is repeatable/reproducible
You don't want to create one-off "snowflakes." As you build out automation across the organization, ensure that everything you do is verifiable and auditable, and that what you put into place can be managed by anyone, including anyone new to your organization.
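The "OS hardening" and "compliance policies" items in the automation list above, the per-step audit documentation described under "Work iteratively", and the "verifiable and auditable" requirement in this section all come together in a single CI stage. The following is an added example, not code from the original article or from Jenkins or Ansible: a small Python compliance check that a pipeline stage could run against a configuration file before it is deployed. The control ids, the check rules, and the two sample sshd_config files are constructed for illustration. It emits a deterministic audit record (hash of the input, per-control results, overall verdict, and a hash over the record itself) so the same input always produces the same artifact and an auditor can verify it later.

```python
import hashlib
import json
import re

# Constructed sample inputs (not from any real host): a weak sshd_config and its hardened counterpart.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
"""

# Hypothetical control ids; each check is a regex that some non-comment line of the config must match.
CHECKS = [
    ("SSH-01", r"^PermitRootLogin\s+no$", "Root login over SSH is disabled"),
    ("SSH-02", r"^PasswordAuthentication\s+no$", "Password authentication is disabled"),
    ("SSH-03", r"^X11Forwarding\s+no$", "X11 forwarding is disabled"),
]


def run_checks(config_text, checks=CHECKS):
    """Evaluate every control against the config; blank lines and comments are ignored."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    results = []
    for control_id, pattern, description in checks:
        # sshd keywords are case-insensitive, so match accordingly
        passed = any(re.match(pattern, ln, re.IGNORECASE) for ln in lines)
        results.append({"control": control_id, "description": description, "passed": passed})
    return results


def audit_record(config_text, results):
    """Build a deterministic audit artifact: hash of the input, per-control results, the verdict,
    and a hash over the canonical record so an auditor can check it was not altered afterwards."""
    record = {
        "input_sha256": hashlib.sha256(config_text.encode()).hexdigest(),
        "results": results,
        "compliant": all(r["passed"] for r in results),
    }
    # Canonical JSON (sorted keys, no whitespace) makes the record hash reproducible run to run
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    record["record_sha256"] = hashlib.sha256(canonical.encode()).hexdigest()
    return record


def compliance_stage(config_text):
    """The work of one CI stage: run the checks and return the audit record.
    A real pipeline would store the record as a build artifact and fail the build when not compliant."""
    return audit_record(config_text, run_checks(config_text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        rec = compliance_stage(cfg)
        print(name, "compliant" if rec["compliant"] else "NOT compliant")
        print(json.dumps(rec, indent=2))
```

Run stand-alone it reports the weak config as non-compliant (SSH-01 and SSH-02 fail) and the hardened one as compliant. The design point is that the audit record is a function of the input alone: the same file checked by anyone, on any runner, yields the same `record_sha256`, which is what makes the step repeatable and the documentation verifiable rather than a one-off.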
Share the knowledge
As you gain expertise and develop concrete metrics that demonstrate the value of automation, communicate that across the organization up to and including the security, operations, and development teams. Make sure security is everyone's job, not just the security team's problem. A DevSecOps model may be a way down the road for your organization, but by doing all of this you are laying the foundation for it.
Don't ignore the cultural piece
In addition to the technical challenges to implementing automated tooling, there is also a cultural challenge. Automation represents a big change, and any change can be daunting. And many people fear that the more automation you introduce, the less their services will be required.
Reassure staff that you're looking to automate the tedious work so that they can be redeployed to more mission-critical tasks. Also make sure they understand the high cost of not automating.
Watch the benefits of automation snowball
As people across the organization see the benefits of automation, you'll see increasing demand for it—for security, compliance, and beyond. Many companies are implementing a platform that will let them expand automation efforts to improve compliance with security policies, deploy resources consistently at scale, and identify and remediate security issues faster.
While we know the security hits will continue, automation can help organizations withstand and avoid them. So while there's no such thing as 100% security, you can improve your security and compliance posture and be better tomorrow than you are today.
Just remember to implement your automation journey in baby steps, with the goal of continuously improving.