Cyber security is an issue keeping an awful lot of IT executives up at night. And rightly so. Today’s threat landscape is increasingly hostile, the cyber security skills gap continues widening, and budgets aren’t keeping pace with the demand for better defensive measures. It’s a perilous situation exacerbated by the astounding fact that many C-suite executives don’t take the need for cyber security seriously, until a high-profile incident occurs on their watch.
Gaining a better understanding of the dynamics shaping this domain requires insight from a cyber security expert like Naor Penso, Founder of Toast (a cyber security startup currently in stealth mode), and former CTO of Cyber Security at AMDOCS, a global telecommunications services company. In this episode, Naor breaks down for us why cyber security professionals should view automation as an asset in their never-ending struggle against bad actors, what metrics IT security executives should focus on when evaluating the effectiveness of automating security operations, and why automation is one of only two realistic ways to mitigate the cyber security talent shortage.
Guy Nadivi: Welcome, everyone. Our guest today on Intelligent Automation Radio is Naor Penso, former CTO of Cyber Security at AMDOCS, a global telecommunication services company many of you might know of. He’s also the founder of Toast, a cyber security startup currently in stealth mode. Naor knows a lot about cyber security. Given the dire need for automation in the cyber security space, we were very eager to have him come on the show so we could get his insights on the current state of this market. Naor Penso, welcome to Intelligent Automation Radio.
Naor Penso: Hello, Guy. Thank you for having me.
Guy Nadivi: Naor, let’s dive right in. What are some of the biggest benefits to an organization from automating their security operations?
Naor Penso: I have two ways of looking into the benefits of automation. The first one focuses on the internals of the security group. That means that when you are automating within the security group, you can actually remove some of the tedious tasks that security people has to do in order to actually do things. Otherwise, they won’t have the time to do and will probably dive into the talent shortage and speak a little bit about it. Definitely, reducing the time to value, which means reducing the time for detection of incidents. Maybe reducing the time to act and respond to incidents. That’s definitely a core benefit. Another ecosystem that is beneficial of security automations is actually reducing the friction with the IT units, especially with the employee experience groups within the IT. That normally has a lot of reservations around the security aspects and how that impacts the employees’ productivity.
Guy Nadivi: For IT executives, what are some of the biggest benefits that they would see from automating security operations?
Naor Penso: First and foremost, there is a lot to do with SLAs around cyber security. Today, cyber security’s embedded within most of the IT processes starting from the initiation of new projects up to protecting a real-life production environment. The majority of those tasks around security require manual intervention either from an architect, from an engineer, or even from the security operation center. By enabling automation to those users, we can definitely help the IT executives reach better SLAs for the business customers within the company and also for the external customers of the organization. Furthermore, as I said around the friction with the IT definitely by automating some of the tasks that are occurring between the IT and the employees of the company, the IT group can get far better results and less friction with the employees themselves. At the end of the day, a happy employee for the IT is definitely better.
Guy Nadivi: Those are the benefits. What are some of the bigger challenges for automating security operations?
Naor Penso: For cyber security specifically, I think that it is a little bit of a problem trying to design replicatable processes. From what I’ve seen, I’ve seen across multiple organizations, there are numerous tasks that although seem to be reproducible, every time a different employee or a security expert engages with that task, he operates it differently. This is actually where some of the more intelligent automation features should definitely come into play. Today, there is a lot missing in the standardization within the market in general and within security organizations to be specific.
Guy Nadivi: When you say missing standardization, you’re referring to things like playbooks and things of that nature?
Naor Penso: Definitely. Definitely, playbooks on how to do things. Also, in terms of activities within the organization and how they’re being executed. If you will go and survey different security groups, you will find that the same tasks is probably done 60% differently in each and every one of the organizations because there are different security systems involved or different IT processes, which makes it hard for an organization to try and succeed in replicating that playbook and that knowledge. Definitely, that is an issue.
Guy Nadivi: You mention security professionals, and we’ve seen that some security professionals are reluctant to embrace security automation. Can you speak to what some of the psychology is behind that?
Naor Penso: Yeah, definitely. From the reluctance standpoint, I’m seeing two options of the reasoning for an expert to try and steer clear from automation. The first one is looking from a technical security standpoint. When you’re introducing a new automation system to the environment, in essence, that system has access to numerous internal systems, sometimes very sensitive systems, or at least systems which can cause a lot of damage. By introducing an automation security, you are essentially creating a single point of an issue that the security people need to attend to. That is probably less of the biggest reluctance in security as far as I am concerned. The second one would be that security experts like to be a part of the processes.
Security as a whole, we see today that people in the security industry definitely feel that they need the support or a supportive tool, but not necessarily a decision maker that is doing the entire automation end-to-end because there are many different factors that you need to take under consideration when you’re handling security. Where it is a security incident where you need to decide if you are blocking a machine from accessing the network, or you are enabling the machine to continue working because the business impact is too high, those sort of things cause security professionals to steer clear from automation and try to use at least the automation at least in some aspect, but just as a supporting tool. Definitely, not the full automation tool.
Guy Nadivi: You’re describing some of the reasons that security pros are suspicious about automation. How would you go about mitigating that suspicion for them about automation?
Naor Penso: I think the first thing is something that should come from the automation vendors of the world. I think that there is a somewhat lack of transparency in how those automations work and how secure the automation systems are. If an automation vendor can prove beyond doubt that the system is secure and is supporting that in the architecture, in the way that the system was developed, in penetration testing results, definitely that can raise the assurance of security experts that they can now leverage that automation system. The second thing is to attend to the maturity of the security teams themselves. Unlike automation of IT service desk, where the impact of the issue might be contained to some extent, when it comes to cyber security, the impact of an automation failure or a failure in the design of an automation can be devastating to the organization. Definitely, that is a point in the maturity curve that security teams need to start adjusting to. I would say instead of jumping from no automation at all to fully aligned automation with playbooks running without any human intervention, you should have a step in the middle where automation is a decision support system for the security group, not necessarily a replacement for some of the security personnel within different processes.
Guy Nadivi: So making automation more of a tool for better decision-making?
Naor Penso: Definitely a tool for better decision-making. I would even take it a step farther and say one of the things that would actually raise assurance is to demonstrate over time that the decisions that were taken over by the security personnel were exactly the same. That would actually pivot or tip it over to full automation. Considering that there is an incident and the security team is 99.9% of the time handling it the same way, there is no reason why not to fully automate that. In order to reach that level of assurance, we need data and we need to be a part of the process until that data magnitude is achieved.
Guy Nadivi: For a security organization that can overcome the suspicions and get comfortable with automation, what functions of the security organization would benefit the most from automation?
Naor Penso: I think that similarly to the IT, that would probably start with the security operation center and the service desk. There are a lot of tasks for these teams that can be fairly easily replicated in an automated manner. Mainly around collection of knowledge and collection of insights from different systems. The ability to take decisive actions, even if they are prompted manually. As an example, I need to push a patch to that server or I need to run a full virus scan on that machine. Those are simple playbooks that can definitely raise the posture of the security operation center. With that, raise the security posture of the entire organization. Of course, outside of that scope, there are also the governance risk and compliance teams. One of the things that I have noticed over the years is that a lot of organizations attempt and manage their risk practices. They have a risk registry where they can definitely show the Chief Information Security Officer what is the current risk score for the organization. But ongoing governance is something that is very hard to reach.
Think about a use case where an architect is working on a project within the IT or within a business unit and he’s defining the standard on how this system should be secure. As an example, a virus scan should run on a weekly basis. These sort of networking policies should not be acceptable as an example. The server should not accept any requests within certain amount of ports. Those sort of things are always reading into documents, but rarely coming to practice when it comes to the governance of the system. That in essence can be automated. Those governance processes can definitely be automated and provide much greater assurance to the security team that their requirements and demands are actually taking place in real-life production environments.
Guy Nadivi: You’re mentioning governance processes, and you mentioned playbooks earlier. That’s got me curious, Naor. What specific security processes do you feel are best suited to be automated?
Naor Penso: I think that at first forensic data collection, and the ability to run, I call them, executioners. Forensics data collection in essence enables the IT team, and the security team to gather data very quickly when there is an event that requires such. We can look into collecting metadata from the server that might run a Malware, or a Ransomware attack where you want to quickly scan all of the machines and get some insights. Those type of automations can definitely help reduce the time to value for the investigative team. Furthermore, we can definitely find processes around network and host change management. That is the executioner part where you can come and say, “I need to take that computer offline right now.” Today, what would probably happen is that an engineer will need to remotely access the machine and then invoke a command to shut down the machine, or if someone already wrote a script that attempts to do that. The ability to automate those type of processes and actually define a structure, a very simple one even.
If we found that there is an event of a virus, then run a virus scan on the machine, can definitely help the security teams handle events that they might not have handled in the past because they were flooded by events or because they had more severe cases to handle. Last but not least, as I said there is the point of system governance which can definitely be leveraged through automation. Also, one of the things that I’m seeing for companies that want enhanced security over their production environments and over access to very sensitive systems is an example of a process that generates temporal users and provides access for a certain amount of time. Then, blocks the access. Those sort of things are things that can only occur through automation, because when it comes to scale, you cannot augment users and remove access, recurrently using manual labor.
Guy Nadivi: You just mentioned scripting, and that got me wondering, Naor, what skills do you think are most important in order to effectively automate security operations?
Naor Penso: I think that the first skillset is actually understanding the business processes, and understand where security is embedded into those processes, and where the process can be automated. Of course, for internal security purposes or internal security instances, the business understanding reflects on what systems are a part of the process. What is the impact of the automation of the process? Afterwards, it is crucial to identify the integration points and the systems associated and how will that come into play within the playbook. I have seen multiple customers and corporates along the way that had developers working within a security group building scripts, whether it was in Python or other scripting languages, but on most occasions, what I’ve seen is that it was hard to maintain over time, and it was hard to manage from an holistic standpoint. Definitely, I think that the ability to build the playbook is the most critical one given that today there are solutions in the market that enable augmentation of those playbooks in a fairly straight forward manner.
Guy Nadivi: For the IT executive or security executive that’s considering incorporating automation into their security operation, what single metric do you think best captures the effectiveness of automating security?
Naor Penso: That is a tough question, because in security inherently, there is no real way to show ROI. Consider that when you are implementing a firewall, in essence you have invested money in a system that will generate alerts that will then require you to do something about it. It is not a real value ROI model for an organization. If we’re looking into the metrics that is valuable for the measurement of the success of automation within the security realm, I would say the improvement of the SLA performance. Being able to demonstrate the amount of time it took to investigate an incident or to respond to an alert was in the hours, and now it becomes minutes or seconds. That is a dramatic improvement. When it comes to a Ransomware attack that is now spreading out in the wild in the organization, that timeframe is critical for the business to prevent any disruption. Other metrics that might be considered are time-sensitive metrics. I’m trying to look into how much time is saved for the team that now has time to invest in other ventures. People can now start investing into building new foundations for the future of the security group, not necessarily just to keep their heads above water. Last, but not least, the corporate risk part. I think that there is value in measuring corporate risk. I think that most organizations, the large ones at least, do measure the cyber security risk.
Definitely, automation can be a valuable part in the reduction of that risk either by deciding which policies are enforced corporate-wide. Then, instead of evaluating them on a periodical basis, actually automating the identification of any deficiencies. Then, the alignment of the organization with those policies. That can definitely reduce the risk.
Last, but not least, when it comes to risk, we should most probably talk about the human factor. We haven’t talked about it yet in this discussion. As most security statistics will show, the human factor is the most critical function that is responsible for breaches and attacks. Of course, it starts from employees that get a phishing email that then manifests into Malware, but it is not the only case. Think about the latest breaches to cloud environment in which some wrong management of an AWS S3 bucket permission set exposed a large amount of highly sensitive data to the internet. That sort of issue can exist only because someone has mis-configured that specific S3 bucket. In essence, that is reflected across organizations. Everyone makes mistakes. By introducing automation into the system and into the organization, you are reducing dramatically the amount of human error in places that it might be manifested into. Think about network change management, host change management, policy enforcement, and of course continuous governance of environments.
Guy Nadivi: You mentioned the human factor. It’s well known that there’s a massive human or talent shortage in cyber security today. How can automation help mitigate that?
Naor Penso: Let’s talk about the facts for a moment. When we’re saying “talent shortage”, it is to say the least, we are speaking about the global crisis. We see more and more headlines around the cyber security talent issue. Today, we are already way past the 1.5 million open positions worldwide in cyber security. Based on analysts, it will only get worse. Analysts are speaking about three point something million open positions by 2021. That means that in essence the world does not generate enough cyber security experts to actually mitigate the need of organizations or to at least accommodate any of organizations for cyber security talent. When you don’t have talent, you only have two ways to try and resolve the issue. The first one is to try and standardize, ensure, and collaborate within different organizations. Actually, help organizations replicate their knowledge. In essence, help them grow together. That’s the first way.
The second way is definitely automation. When it comes to activities that can be automated, that means that the organization can either reduce the need for new manpower or at least to enable the existing manpower to focus on things that otherwise they wouldn’t have done so. I think that automation for cyber security is, if not the present, then at least the future. As long as automation will continue to grow in terms of the integration points for a new system, in terms of the ability to integrate it into business processes, definitely that is something that every CISO needs to consider today when thinking about the talent shortage.
Guy Nadivi: Naor, you really have an amazing depth of knowledge about cyber security and the state of the market. Unfortunately, it looks like that’s all the time we have on this episode of Intelligent Automation Radio. Naor Penso, thank you very much for joining us today, and giving us your considerable insights about the state of cyber security, and how automation plays a role in that specialty. You’ve been a really informative guest.
Naor Penso: Thank you very much. It was my pleasure.
Guy Nadivi: Naor Penso, former CTO of cyber security at Amdocs, a global telecommunication services company, and currently founder of Toast, a cyber security startup in stealth mode. Thank you for listening, everyone. Remember, don’t hesitate, automate.