Automation and Security Perfection

Episode 3 | Published February 16, 2024 | 17 minute watch

Automation and Security Perfection, Episode Summary

In this episode, Jason Kikta discusses the top ways to advocate for automation maturity in IT and security. He emphasizes the importance of anomaly detection and the challenge of human error in security. He also highlights the speed of response and proactive measures that automation enables. Additionally, he discusses how automation improves reliability and security, identifies vulnerable nodes, and allows for innovative security response. Finally, he explains how automation enhances efficiency and scale, and how it contributes to achieving security perfection.

Read the CISO IT Transcript

Yo DJ, drop that funky beat.

Hello and welcome back to the Automox CISO IT podcast. I'm your host, Jason Kikta, and I'm the CISO here at Automox. Today we're gonna talk about top ways that CISOs advocate for automation maturity. And this is a subject that's near and dear to my heart, because I think it's often overlooked by security professionals and IT professionals just how much this can do to really improve your security game.

Not to mention, obviously, fantastic IT outcomes come from uh, adopting automation, increasing its use throughout your organization. But there are some really, uh, important security imperatives that can be met as well. So let's dive right into it. The, the first thing that I would say is, you know, when you break down security, as we've talked about on previous podcasts, when you break down security to its, uh, most straightforward elements, like, what are you really talking about?

You're really talking about, you know, finding anomalies in your network. And you know, so it's that anomaly detection. And then, you know, tuning is the art of weeding out the false positives, so that you know, you can find that true positive, and then obviously, you have to respond to it and mitigate it, and so on and so forth. But, you know, that detection piece is really, really critical on the front end.

And I think that sometimes it's easy to overlook how much of that, you know, can really challenge your security posture. Because you know, if you're struggling with a lot of false positives, you know, if you're having trouble finding the signal and the noise and weeding out the things that you don't care about, so you can get to the things that you do, you know, that's really going to impact your security team's ability to find out what's going on and do something about it in a timely manner, right?

Most intrusions that I've seen can be stopped in the early stages with really good detection. But the challenge is computers are largely deterministic machines. There are obviously things like AI models are a bit more stochastic, but computers are deterministic, meaning given a specified set of inputs, you're going to get a pretty reliably solid set of outputs.

But humans, we add a little more chaos into the mix, right? Both from the aspect of, hey, humans program computers. We design computers. We make mistakes in there. And there are ways and techniques that hardware manufacturers and software vendors try to minimize those. But the single biggest noise point on any network is going to be your users. Your users generate a lot of noise. Your users generate noise, a lot of anomalous signals that you're going to pick up on in the course of every business day, and anyone who's ever done any level of detection engineering will not only agree but probably give you their own personal soliloquy on just how challenging this can be.

And so adding in automation to your IT processes really cuts down on that human error, right? It gives you those uniform outcomes that are predictable, and reliable. And by doing that, you have a much better sense of what you need to detect it on and what, you know, what is, you know, different from baseline, right? Like, what is that? That signal that's coming through the noise? Well, if you lower the noise floor, that signal becomes much clearer.

You know, I think that far and away is a huge reason to really focus on automation. And again, it's not just the IT side of the house that should be in favor of it, you know, your security team, CISOs like myself, like we should deeply be in favor of it, because it just really adds a lot of reliability to the patterns going on inside the network.

But it's not the only reason. Another big one is speed of response. Like we just talked about a minute ago, speed of response is critical. And that automation creates opportunities to have a much better response. And probably response is even a bit narrowly scoped, because it also improves the proactive measures you can take.

I think when I look back at how security has changed over the last several years, really even like just the last three years alone. You know, it's a much different landscape than it was even just three years ago.

But the speed and scope and, you know, impact of follow-on actions of these mass exploitation events is just really, really ramped up, right. And I think, you know, it's, it's something that the internet's really had a long history with, right? You know, if you think about worms, obviously, going back to the Morris worm, and I think 1981, early 80s, you know, that was a, you know, pivotal, I want to call it a pivotal, like watershed moment for the internet, but part of me feels like maybe that's not the right approach, because I'm not sure that we learned any fantastic lessons out of it.

But when you look back at the worms 20 years ago that spread across the internet, when most of the populace was on the internet for the first time or still in our early days, it was mind blowing, around the turn of the millennium, how much damage could be caused by these worms, you know, Code Red, Nimda, ILOVEYOU, Anna Kournikova, like those are, those are seared into my memory, trying to respond to, you know, those worms spreading across the internet. And I think they got everyone's attention. And then obviously, later on, things like NotPetya and WannaCry brought it back into our consciousness.

But, you know, self propagating worms still remain the exception rather than the rule when we talk about mass exploitation. And most of the time, what we're talking about is being able to take an exploit, turn it around rapidly and weaponize it, and then fire it off against a large number of viable targets. And probably the best in the world today still remains crypto miners. They're just so very fast.

But honestly, when they get into your network, it's almost a, a help, because you can be sure that state actors and ransomware actors aren't far behind, and none of them are going to tolerate, uh, being co-located, uh, with a crypto miner. And so if, if that's all you got, uh, you know, pay the bill, be happy and move on. But, um, you know, we've had these events, Log4j being like the most dramatic, uh, but they just keep happening again and again, where there is some, uh, you know, recently breaking vulnerability that is undergoing mass public exploitation, and your ability to identify vulnerable nodes in your network, especially on the public-facing side, but even internal as well. Because, you know, it's, it's not like a perimeter will keep them out forever. You know, you got to be able to find that and you got to be able to respond quickly.

And so things like proactively patching, proactively changing configurations to either mitigate it or make yourself less vulnerable. Those are extremely important and, and cannot be understated in their security impact. But I think it also gives you, uh, you know, using automation, it gives you those opportunities on the, uh, response side as well, right? The post-incident or mid-incident, um, response. If you have automated processes, you can really do some innovative things with your security response. You know, back in my time in the Marine Corps, when I was on active duty and at Cyber Command, we did this exercise. And we wrote up the scenario and just had this really, really detailed scenario. And we were going to, you know, we sat down and basically did essentially a table read, right, where, OK, we have a scenario.

And we're going to go through all of the exercise injects. And here's what we're going to inject at this point. At this point, here's going to be, these are going to be time-based. These are going to be conditions-based, and talking about how the, the network defenders that we were training, how we wanted them to think about their security posture and how we wanted them to, you know, detect and respond. And as we were going through it, you know, I was, I was sort of red teaming it a bit.

Saying like what I wanted to be able to, you know, what I was going to do in response to these, to these exercise stimuli. And so someone starts reading it off and I'm like, oh, I'm going to, you know, change this, I'm going to change this, I'm going to change this, I'm going to make it really hard for them to get around my network. And it kind of stopped the conversation cold for a minute while everyone processed it. And the initial thought was like, my goodness, like this.

This would shut down an adversary, right? Being able to just change these major characteristics with your network on the fly would really befuddle any actor, no matter how advanced the network of, like, hey, IP space moved, things got locked down, things were on tighter timeouts, just like everything. All the friction that you could think of was put into the network. It wasn't shut down, but it was just made such a challenging operating environment that it would have overcome their game plan. But then reality quickly set in of like, hey Jason, how comfortable are you that you'd actually be able to make those technical changes in any sort of relevant time? And that's where I had to cop to, well, I'd like to be able to do it, but we don't really actually have the tools to do any of that.

Because at the time, DoD had not made much of an investment in automation. It was still, you know, largely human driven process. And if there's one thing DoD is never short on it's people. So that's obviously not the, the situation in industry. And it's also not where the state of the art is today. You know, today we have a lot of automation.

And so you can think about not just those proactive things that you do, like patching and configuration, and the reactive things that you do to deal with a specific threat, but you can also think about your response, and are there things that your IT department can do to help the security team be able to better respond to a threat, to isolate an actor into a given area, to slow them down as they move through your network and improve your ability to find them?

Are there things that you can find, right? Can you, you know, do you have the ability to automate, you know, pulling certain logs and sending them to a safe storage area? You know, how quickly can you do that? And of course, you know, like always with any security measure, have you rehearsed it? So that's, I would say my second big aspect of the importance of automation for security.

The third one is that, you know, it, it's something of an efficiency argument, but it's, you know, again, from a security perspective, is that, you know, computers were invented for a reason, and they're very, very powerful. And they're good at things that humans are not good at, right? They're good at scale, they're good at repetition, they're good at precision.

Characteristically different things, right? Leaps of intuition, understanding, experience, right? Adapting an experience to a new set of circumstances, that's something that humans do well and that computers have trouble with. Even with AI, right? When we look at the current state of AI, it's impressive how far we've come. And large language models are probably the most impressive implementation that we've seen yet.

But they, you know, they only go so far, right? They, they, it's hilarious to watch AI fails where, you know, it makes a meme. And we were having some fun today with AI-generated memes, uh, in our security team. And we were, we were generating some of them, and I was laughing at how many of them turned out with just nonsense words. Some weren't even words, some weren't even letters, right?

But it would get the image right. And it would have text at the top and the bottom and understood that, but it had no idea, the model had no idea what it should put for the text, it couldn't think of anything witty, because like, that's not how its artificial cognition works. And while AI and those use cases for AI will improve over time, they're not there today.

And so anytime that you can rely on automated systems to do things at scale, things that need repetition, things that need a high degree of precision, you should absolutely do that, because that frees up the human beings on both your security and IT team to focus on those security tasks. Again, whether this is straight up preventative, it's reactive to a major incident, or whether it's during a response itself. And it's certainly valuable during the mitigation phase.

You know, I think that something that we discount too often, because it's something we've all heard, but because it's so obvious, we don't always live it in our day to day, is that security demands a degree of perfection. It's not fair. It's not how I wish things to be.

But you know, if you patch 99 out of 100 vulnerable systems, and that one system is still vulnerable, and it's still exposed, then you're probably still going to get breached, even though you had a 99% success rate, because that's just the nature of security. And so, you know, having an automation in place, where you know for a fact, whatever you've implemented, whether it be, you know, a mitigating configuration, or whether it be a security patch or something else, you know, that that's been implemented. And you know, it's been implemented for each and every one. And if one of them fails, you know, you'll get back an error and be able to then go track that down and find out what's going on with that system. But, you know, that really, really helps your security process on a deep and meaningful level. And it just shouldn't be underestimated, even though, again, it's something that's old hat to many of us who've been doing it for a while.

So anyhow, that's my pitch as a CISO to all of you on why you should really take automation, and having a mature, organizational approach to automation, very seriously. I hope you have all enjoyed it, and I will see you next time. Stay safe out there on the internet. Thanks. Bye.
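The "99 out of 100" point near the end of the episode, and the earlier point about automation identifying vulnerable nodes, both come down to one check: after a rollout, verify every host against what the inventory actually shows, and treat anything short of 100% as unfinished work. The script below is an added illustration, not code from the podcast or from Automox; the fleet, the package version strings, and the `HostReport` fields are all constructed for the example. It deliberately covers the case the episode warns about, a host whose patch job reported success but which is still running the old version, and puts internet-exposed hosts at the top of the follow-up list.

```python
"""Fleet-wide patch verification: coverage below 100% is a worklist, not a
success rate. All data here is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HostReport:
    hostname: str
    exposed: bool                      # reachable from the internet (constructed attribute)
    reported_ok: bool                  # what the patch job's exit status claimed
    installed_version: Optional[str]   # what a post-patch inventory query actually found


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.17.1' -> (2, 17, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def verify_rollout(required_version: str, reports: List[HostReport]) -> dict:
    """Compare every host's inventoried version against the required one.

    Returns coverage (fraction compliant), done (True only at 100%), and a
    worklist of hosts needing follow-up, exposed hosts first.
    """
    worklist = []
    for report in reports:
        if report.installed_version is None:
            reason = "no inventory result (unreachable or agent failure)"
        elif version_tuple(report.installed_version) < version_tuple(required_version):
            # Trust the inventory, not the job's exit status.
            reason = (f"job reported success but inventory shows {report.installed_version}"
                      if report.reported_ok else "patch job failed")
        else:
            continue  # compliant
        worklist.append({"host": report.hostname, "reason": reason,
                         "exposed": report.exposed})

    # Internet-facing hosts are what a mass-exploitation wave reaches first.
    worklist.sort(key=lambda item: (not item["exposed"], item["host"]))
    total = len(reports)
    compliant = total - len(worklist)
    return {"coverage": compliant / total if total else 0.0,
            "done": not worklist,
            "worklist": worklist}


def build_sample_fleet() -> List[HostReport]:
    """Constructed inventory: 100 hosts, 99 patched, and one internet-facing
    host whose patch job exited 0 but which still runs the old version."""
    fleet = [HostReport(f"srv-{i:03d}", exposed=(i < 10), reported_ok=True,
                        installed_version="2.17.1") for i in range(1, 100)]
    fleet.append(HostReport("srv-100", exposed=True, reported_ok=True,
                            installed_version="2.17.0"))
    return fleet


if __name__ == "__main__":
    result = verify_rollout("2.17.1", build_sample_fleet())
    print(f"coverage {result['coverage']:.0%}, done={result['done']}")
    for item in result["worklist"]:
        print(f"  follow up: {item['host']} ({item['reason']}), exposed={item['exposed']}")
```

Run as-is it reports 99% coverage and `done=False`, with `srv-100` as the single follow-up item; the point is that the script's success condition is the empty worklist, not the percentage. The same function handles a host with no inventory result at all (reported as unreachable rather than silently counted as patched), which is the other way a rollout quietly ends up at 99 of 100.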