The Pros and Cons of Security Automation

How to intelligently automate your threat management efforts

November 15, 2018

Security automation is a hot topic these days, mainly because it’s become humanly impossible to keep up with the sheer volume and variance of cyber threats hitting organizational IT networks at any given time. Even with the best security defenses in place, sooner or later an attacker is going to get through. The goal, of course, is to discover the attack and mitigate it as quickly as possible—and that’s where security automation can be extremely valuable.

This year, in its annual Cost of a Data Breach Study, Ponemon for the first time looked at how the deployment of security automation technology factored into the costs incurred by a breached organization. It found that the average cost of a breach for organizations that had fully deployed security automation was approximately 35% lower than for organizations without automation. When you’re talking about millions of dollars, that’s a significant savings.

What worked then won’t work now.

Years ago, I was conducting a PCI DSS audit in conjunction with one of the first major credit card data breaches ever reported. Forensics teams, auditors, FBI, legal staff—all were focusing on the 40 million cards that were said to have been taken by nefarious actors. As part of the ongoing incident response, they had staff members take turns watching the logs scroll in, in real time, in hopes of identifying the single logged event that would serve as their smoking gun. (It reminds me of the Matrix green waterfall!)

I sat there, watching the staff member’s head shift back and forth between the six monitors in front of him, stacked 3x2 high; all to provide the organization with the check mark on their PCI compliance report. I remember commending the attorney, who was then the acting COO, for committing the resources to monitor the logs in the method they had.

In today’s security world, there is no way I would sign off on a staff-only method of event monitoring. Organizations must implement a comprehensive automated solution to monitor their systems for anomalies, unauthorized access, unauthorized modifications, etc.

Security automation creates efficiency, but you still need people.

Implementing security automation technologies and then reducing staffing levels—either by headcount or knowledge—to align costs is a big mistake. For one, these devices need to be managed, configured correctly, and kept in a tuned/optimized state. Most importantly, it takes qualified staff to analyze data outputs and escalate security alerts as appropriate per your organization’s policies and procedures. You certainly don’t want to go the way of Neiman Marcus or Target.
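To make concrete what an automated monitor does that a staff member watching logs scroll cannot, and what "kept in a tuned state" and "escalate per your policies" mean in practice, here is an added example in Python. It is not code from the original post or from any product: it applies two rules to a constructed syslog-style sample, a failed-login burst rule (unauthorized access attempts) and a protected-file change rule (unauthorized modifications), and routes each alert to an escalation target taken from a hypothetical policy table. The threshold, window, paths, usernames, hostnames and IP addresses are all assumptions; lowering the burst threshold shows the tuning point, since the same log then produces more and noisier alerts.

```python
"""Minimal automated log monitor: rules instead of eyeballs, with
severity-based escalation driven by a policy table."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not captured from any real system).
SAMPLE_LOG = """\
2018-11-15T09:00:01 host1 sshd: Failed password for admin from 203.0.113.7
2018-11-15T09:00:03 host1 sshd: Failed password for admin from 203.0.113.7
2018-11-15T09:00:04 host1 sshd: Failed password for root from 203.0.113.7
2018-11-15T09:00:05 host1 sshd: Failed password for admin from 203.0.113.7
2018-11-15T09:00:06 host1 sshd: Failed password for admin from 203.0.113.7
2018-11-15T09:00:07 host1 sshd: Failed password for admin from 203.0.113.7
2018-11-15T09:01:10 host1 sshd: Accepted password for admin from 203.0.113.7
2018-11-15T09:02:00 host1 audit: user=webapp modified /etc/passwd
2018-11-15T09:02:30 host2 sshd: Failed password for alice from 198.51.100.4
2018-11-15T09:05:00 host2 audit: user=root modified /etc/ssh/sshd_config
"""

# Hypothetical policy: tuning knobs plus who gets paged for what.
POLICY = {
    "failed_login_threshold": 5,            # failures per source inside the window
    "failed_login_window": timedelta(minutes=1),
    "protected_paths": {"/etc/passwd", "/etc/shadow", "/etc/ssh/sshd_config"},
    "change_authorized_users": {"root"},     # accounts allowed to touch protected paths
    "escalation": {"high": "on-call IR lead", "medium": "SOC analyst queue"},
}


@dataclass
class Alert:
    severity: str
    rule: str
    detail: str
    escalate_to: str


def parse_line(line):
    """Split 'timestamp host message' into (datetime, host, message)."""
    ts, host, rest = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, rest


def detect_failed_logins(events, policy):
    """Sliding window per source address; one alert per burst, raised the
    moment the count reaches the threshold (not on every later failure)."""
    alerts = []
    window = defaultdict(list)
    for ts, host, msg in events:
        if "Failed password for" not in msg:
            continue
        src = msg.rsplit("from ", 1)[1]
        recent = window[src]
        recent.append(ts)
        while recent and ts - recent[0] > policy["failed_login_window"]:
            recent.pop(0)
        if len(recent) == policy["failed_login_threshold"]:
            alerts.append(Alert("high", "auth-burst",
                                f"{len(recent)} failures from {src} on {host}",
                                policy["escalation"]["high"]))
    return alerts


def detect_modifications(events, policy):
    """Changes to protected paths: high if the user is not on the authorized
    list, medium (reviewable) if an authorized account made the change."""
    alerts = []
    for ts, host, msg in events:
        if " modified " not in msg:
            continue
        tokens = msg.split()
        user = next(t[len("user="):] for t in tokens if t.startswith("user="))
        path = tokens[-1]
        if path not in policy["protected_paths"]:
            continue
        if user in policy["change_authorized_users"]:
            alerts.append(Alert("medium", "protected-change",
                                f"{user} changed {path} on {host}",
                                policy["escalation"]["medium"]))
        else:
            alerts.append(Alert("high", "unauthorized-change",
                                f"{user} changed {path} on {host}",
                                policy["escalation"]["high"]))
    return alerts


def monitor(log_text, policy=POLICY):
    """Run all rules over the log and return alerts, highest severity first."""
    events = [parse_line(line) for line in log_text.strip().splitlines()]
    alerts = detect_failed_logins(events, policy) + detect_modifications(events, policy)
    rank = {"high": 0, "medium": 1}
    return sorted(alerts, key=lambda a: rank[a.severity])


def severity_counts(alerts):
    counts = defaultdict(int)
    for a in alerts:
        counts[a.severity] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.rule}: {a.detail} -> {a.escalate_to}")
```

With the policy as written, the sample yields three alerts: the six-failure burst from one address, the web application account editing /etc/passwd, and root's change to the SSH daemon config routed to the analyst queue for review rather than to the on-call lead. Setting `failed_login_threshold` to 1 turns every single failed login into a page, which is exactly the untuned state that buries staff in noise; the threshold and window are the knobs someone has to own.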

Efficiency is an important, cost-saving benefit of security automation: it reduces the time it takes to identify an intrusion or prevent data exfiltration, and it lets your staff spend their time on legitimate security events only. Certain security automation tools can also help your organization satisfy compliance obligations.

But you still need people, and here’s where the negatives come in. Security automation tools are often very expensive to purchase and implement. In addition, whether open source or commercial, nothing is “free”—are you prepared to internally support the care and feeding of an open source solution? And finally, do you have the qualified internal resources to monitor and manage the tool such that the organization will effectively respond to a “red alert”?

Building a strong security posture means reducing your distractions.

For some organizations, internally deploying security automation technologies can actually cause increased distraction from the core business. This is usually due to a lean internal team that would be better utilized for IT projects rather than information security. If your team fits this description, it may be best to consider partnering with a managed security service provider that can provide both the technology and the manpower to reinforce your security posture.

Lastly, each organization must address the security needs of its shareholders by securing the assets and information it considers sensitive. This starts with understanding the organization's objectives, risks and existing controls, as well as its weaknesses. Should you have any questions about what tool or method of security automation you can implement to address your organizational needs, please feel free to reach out to us for assistance.