The dilemma of automation
Candace Worley, McAfee Vice-President and Chief Technical Strategist, has been working in the security industry for nineteen and a half years. Her discussions with thousands of companies about their security programs and about how they address cyber security problems have convinced her that, while there have been some changes, many things remain the same.
The working environment and technologies available to respond to security issues have evolved. However, companies still struggle to maximise the effectiveness of their tools and cyber security teams.
Automation is most often confined to routine corrective tasks, such as testing signature files or a patch before deployment; cyber security professionals use it much less for more complex tasks.
There are two main reasons for this scepticism:
• Companies fear that automating these complex tasks could increase the risk of something going wrong, compromising the organisation’s security.
• The security team’s credibility could suffer. Even when all goes well, it is not always easy for the people who have to apply the security team’s requirements (network operators, the IT team) to make the necessary changes.
Several factors have entered this ecosystem over the past few years, and because of them cyber security professionals are now starting to reconsider their position on broader adoption of automation.
The threat landscape: An important argument
Threats have evolved greatly in the computing world. In the early 2000s, they were mostly just mischief. Malware caused problems, but the main motivation of the people behind these attacks was to gain notoriety.
Today, their goal is to profit from these activities. Hackers now seek political information or industrial secrets for economic reasons. So today there is organised cybercrime that did not exist 15 or 20 years ago. For criminals, the digital world is much safer than the physical world, thanks to an unequalled level of anonymity.
What we might call "hacktivism" is also growing: people wanting to express their opinion on how companies should manage their activities vis-a-vis the environment, for example. Their goal is to obtain information that could damage a brand.
Finally, employees, partners, and independent entrepreneurs – people who should be trustworthy – steal information and sell it or use it inappropriately.
These criminal activities are becoming more common, and measurements taken by McAfee provide telling statistics about cybercrime worldwide. Its products use reputation information associated with URLs, files and other sources to determine whether a URL is good, bad or uncertain.
McAfee receives 49 billion GTI reputation requests every day, that is 569 000 per second. During the first quarter of 2019, the amount of ransomware increased by 118%, with 66 new families. By 2021, businesses will be hit by a ransomware attack every 11 seconds (compared with every 14 seconds today).
Finally, studying cybercrime has allowed McAfee to assess its overall economic impact. By 2020 this will amount to some $6 trillion, significantly more than the GDP of many countries around the world. Cybercrime is almost a country in itself, and it is simply too lucrative for cybercriminals to cease their activities.
Managing sensitive data: An increasingly complex problem
Companies have to manage huge amounts of data. Domo estimates that 90% of the data existing in the world today has been generated in the past two years. This exponential increase should encourage professionals to find ways to gain visibility with respect to these data, to apply security controls to them and to plan the strategy to be adopted for this exponential development.
IDC indicates that by 2025, 50% of the data worldwide will be unprotected. Of course, not all these data are important (public documents, financial results of previous years, etc.), but of this 50%, a certain proportion will be considered sensitive. So, we need to clearly identify them and know how to secure them when they escape their ecosystems.
Again, according to IDC, 450 billion business-to-business transactions will be produced by 2020. This is important because transactions are now no longer physical but digital with a degree of anonymity, which makes them valuable from a cyber security point of view.
Finally, McAfee conducted a study of the cloud this year and found a 53% increase in the amount of sensitive data stored on it.
Five years ago, many companies refused to store critical data on the cloud. Two years later, McAfee itself began transferring some workloads there. Now, some organisations have decided to go "all cloud" and to give up their private data centres. It is clear that this movement will only grow, and protecting these sensitive data during their transfer from on-site data centres to data centres on the cloud will require precautions.
At the same time, alerts from cloud security applications are more and more numerous, raising the demands on incident response. On average, companies with a presence on the cloud see 3.2 billion alerts or events each month, of which 3 200 are anomalies and 31 are legitimate threats. It is impossible for an incident response team to sift through that volume effectively by hand.
The growing environmental complexity is our next challenge. Fifteen years ago, Windows was the primary operating system, with Mac reserved for executives and Linux and UNIX for data centres.
Most mobile phones were Blackberries, and Nokia was very strong in Europe, but these devices did not offer very advanced connectivity functions (telephone calls, emails, calendar, SMS, etc.). The network itself was very secure and the cloud did not exist.
Today, Windows, Apple, and several versions of Android co-exist. Linux is much better represented in both data centres and on the cloud, and UNIX is still present. The cloud supports virtual desktops, workloads and instances that are not directly controlled but are based on third-party infrastructure. The network is now porous and insecure. And mobile phones are now as powerful as some computers were just a few years ago.
Cisco has conducted research on mobile devices in the network space. It expects that, by 2022, the market will see 8.4 billion personal devices or laptops that are increasingly powerful and capable of storing and transmitting even more data, in particular thanks to the advent of 5G.
For security teams, everything will become more and more complicated. On the network side, Cisco also indicates that 94% of workloads and instances will be processed via the cloud by 2021, confirming that companies will adopt it en masse.
Last, it is expected that 31 billion connected objects will occupy the market by 2021 and the amount of work necessary to secure the IoT space is enormous. Without this, these devices will be an open door to attacks.
The Mirai botnet illustrates particularly well how these attacks can occur.
Automation: The only solution to the cyber security problem
All these challenges must be addressed at a time where many companies report dealing with complications in the cyber security area. And these complications grow more rapidly than the number of experts in cyber security.
Two years ago, McAfee conducted a survey of 775 IT professionals. Nine out of ten thought that technology would be the only way to respond to the lack of human resources dedicated to these threats. Companies spend millions of dollars on their security and employ the best possible experts. Top executives generally support this approach, and yet attacks and breaches keep multiplying.
There are three key areas in which automation can improve businesses’ security in the short term.
Many businesses fail to install patches for a vulnerability, even months after they are made available, although they know that once a vulnerability is disclosed it can be exploited within a few hours.
Yet patch installation can be highly automated, as can the testing and deployment of patches. Infrastructure and cloud applications are patched through automation and this is very well accepted; however, this is not yet the case on premises.
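The first step of any patch automation is knowing which assets are out of their window. The following is an added example, not McAfee's code or tooling: it takes a constructed inventory and a constructed list of advisories, computes how long each fix has been available without being installed, and lists the assets that exceed a severity-based SLA, worst first. The SLA windows, package names, versions and dates are all assumptions made for the illustration.

```python
"""Flag assets whose available patches are overdue against an SLA.

Added example (not McAfee's or any product's code). Inventory,
advisories and SLA windows are constructed for the illustration.
"""
from datetime import date

# Assumed SLA: days allowed between a fix being released and installed.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed advisories: which package they affect and the version that fixes them.
ADVISORIES = [
    {"id": "ADV-001", "severity": "critical", "package": "webfront",
     "fixed_version": "2.4.1", "fix_released": "2019-03-01"},
    {"id": "ADV-002", "severity": "medium", "package": "sshd",
     "fixed_version": "8.0", "fix_released": "2019-05-15"},
    {"id": "ADV-003", "severity": "high", "package": "pgsql",
     "fixed_version": "11.3", "fix_released": "2019-04-20"},
]

# Constructed inventory: host -> installed package versions.
ASSETS = [
    {"host": "web-01", "packages": {"webfront": "2.3.9", "sshd": "8.0"}},
    {"host": "web-02", "packages": {"webfront": "2.4.1"}},
    {"host": "db-01", "packages": {"sshd": "7.9", "pgsql": "11.2"}},
]


def version_tuple(version):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def overdue_assets(assets, advisories, today, sla=SLA_DAYS):
    """Return findings for every (host, advisory) pair outside its SLA window."""
    findings = []
    for asset in assets:
        for adv in advisories:
            installed = asset["packages"].get(adv["package"])
            if installed is None:
                continue  # package not present, advisory does not apply
            if version_tuple(installed) >= version_tuple(adv["fixed_version"]):
                continue  # already patched
            exposed = (today - date.fromisoformat(adv["fix_released"])).days
            limit = sla[adv["severity"]]
            if exposed > limit:
                findings.append({
                    "host": asset["host"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "days_exposed": exposed,
                    "days_over_sla": exposed - limit,
                })
    # Highest severity first, then the longest-overdue within each severity.
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], -f["days_over_sla"]))
    return findings


def demo(today=date(2019, 6, 1)):
    """Run the check on the constructed data as of an assumed date."""
    return overdue_assets(ASSETS, ADVISORIES, today)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['severity']:<8} {f['host']:<8} {f['advisory']} "
              f"exposed {f['days_exposed']}d, {f['days_over_sla']}d over SLA")
```

On the constructed data, web-01 is flagged for the critical advisory and db-01 for the high one; db-01's older sshd is unpatched but still inside its 30-day window, so it is not reported. Feeding the same function real inventory exports is what turns the "months after release" problem in the text into a daily, prioritised work list.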
Security products not deployed
Companies buy security products to solve a problem but never deploy them. Again, automation can provide an answer, because it makes the product easy to test and deploy. This is a problem that should not exist.
Companies are also buying security products that cannot communicate with each other. These gaps between products are often exploited by hackers to penetrate organisations.
So it is all the more important to verify that information can flow between products: if an attack is blocked at the entrance of the network, the information must be relayed to the security team so that all other points of entry are also secured. Automation can ensure that when a threat is blocked in one place, all other entry points react at the same time.
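The "block once, enforce everywhere" behaviour described above can be sketched with a small in-memory relay. This is an added example, not McAfee's code or any product's API: one enforcement point reports a block, the relay delivers the same event to every other registered point and to the security team's queue, and a coverage check reports any point that has not converged. The point names, event ids and the sample indicator are constructed.

```python
"""Relay a block decision from one enforcement point to all the others.

Added example (not McAfee's or any product's code). Enforcement point
names, event ids and the sample indicator are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ip", "domain" or "sha256"
    value: str

    @staticmethod
    def make(kind, value):
        # Normalise so the same indicator is not recorded twice in
        # different spellings (case, surrounding whitespace).
        return Indicator(kind, value.strip().lower())


class EnforcementPoint:
    """A firewall, web proxy, mail gateway or endpoint agent (simulated)."""

    def __init__(self, name):
        self.name = name
        self.blocked = set()      # indicators currently enforced here
        self.seen_events = set()  # event ids already applied

    def apply(self, event_id, indicator):
        # Idempotent: re-delivery of the same event is a no-op, so the
        # relay can retry safely without creating duplicate rules.
        if event_id in self.seen_events:
            return False
        self.seen_events.add(event_id)
        self.blocked.add(indicator)
        return True


class SecurityBus:
    """Fan a block event out to every registered enforcement point."""

    def __init__(self):
        self.points = {}
        self.team_queue = []  # notifications for the security team
        self.audit = []       # (event_id, point name, rule changed?)
        self._next = 0

    def register(self, point):
        self.points[point.name] = point

    def block(self, origin, indicator):
        """Called by the point that blocked the attack first."""
        if origin not in self.points:
            raise KeyError(f"unknown enforcement point {origin!r}")
        self._next += 1
        event_id = f"evt-{self._next:04d}"
        for name, point in self.points.items():
            changed = point.apply(event_id, indicator)
            self.audit.append((event_id, name, changed))
        self.team_queue.append({"event": event_id, "origin": origin,
                                "indicator": indicator,
                                "relayed_to": sorted(self.points)})
        return event_id

    def redeliver(self, event_id, indicator):
        """Retry path: replay an event to all points; returns who changed."""
        return [n for n, p in self.points.items() if p.apply(event_id, indicator)]

    def coverage_gaps(self, indicator):
        """Points not enforcing the indicator; an empty list means converged."""
        return sorted(n for n, p in self.points.items() if indicator not in p.blocked)


def demo():
    bus = SecurityBus()
    for name in ("perimeter-fw", "web-proxy", "mail-gateway", "endpoint-agent"):
        bus.register(EnforcementPoint(name))
    # Constructed sample: the perimeter firewall blocks a command-and-control domain.
    c2 = Indicator.make("domain", "  Bad-Example.TEST ")
    event = bus.block("perimeter-fw", c2)
    gaps = bus.coverage_gaps(c2)
    # A point registered after the event shows up as a gap until it is replayed.
    bus.register(EnforcementPoint("vpn-gateway"))
    late_gaps = bus.coverage_gaps(c2)
    replayed = bus.redeliver(event, c2)
    return event, gaps, late_gaps, replayed, bus.coverage_gaps(c2)


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the weight here: indicators are normalised before they are compared, so the same domain in two spellings does not slip past one point, and each point applies events idempotently, so the relay can retry or replay without producing duplicate rules. The coverage check is the piece a security team would actually watch, since a non-empty gap list is exactly the "one door closed, the others still open" situation the text warns about.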
Responses offered by automation
Most experts agree that the expertise of security professionals will always be necessary, because it is the combination of humans and machines, together with automation, that will meet these challenges. Candace Worley explains that we need to "call on the best that technology and people have to offer".
Technologies like artificial intelligence and machine learning can reduce risks and dispel the scepticism of security professionals about automating complex tasks. Machines and automation can collect and analyse data very quickly.
For their part, humans can take the information produced by automation and apply strategic judgement to qualify and extrapolate it. At other times, a machine will recommend an action that a human can moderate: if automation recommends disabling a DNS server or isolating the CEO’s computer, a person can examine the problem in greater depth before acting.
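The human-in-the-loop arrangement just described, where low-impact recommendations run on their own and disruptive ones wait for a person, can be expressed as a small response gate. This is an added example, not McAfee's code: each recommended action carries an impact level, anything touching a listed critical asset is escalated regardless of its score, and an analyst can approve, reject, or substitute a narrower action. Asset names, action names and impact thresholds are assumptions made for the illustration.

```python
"""Gate automated response actions behind human approval by impact.

Added example (not McAfee's or any product's code). Action names,
asset names and the impact thresholds are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1     # e.g. add an address to a blocklist
    MEDIUM = 2  # e.g. force a password reset
    HIGH = 3    # e.g. isolate a host, disable a DNS server


@dataclass(frozen=True)
class Action:
    name: str
    target: str
    impact: Impact
    rationale: str


@dataclass
class Ticket:
    id: str
    action: Action
    status: str = "pending"
    note: str = ""


class ResponseGate:
    def __init__(self, auto_up_to=Impact.LOW, critical_assets=()):
        self.auto_up_to = auto_up_to
        self.critical = set(critical_assets)  # assets that always need a human
        self.tickets = {}
        self.executed = []  # (action name, target, who authorised it)
        self._n = 0

    def effective_impact(self, action):
        # Anything touching a critical asset is treated as HIGH no matter
        # what the recommender scored it.
        if action.target in self.critical:
            return Impact.HIGH
        return action.impact

    def _execute(self, action, authorised_by):
        # In a real deployment this would call the firewall, EDR or DNS
        # management API; here it only records what ran and who allowed it.
        self.executed.append((action.name, action.target, authorised_by))

    def submit(self, action):
        """Run the action now, or return a ticket id for the analyst queue."""
        if self.effective_impact(action) <= self.auto_up_to:
            self._execute(action, "automation")
            return "executed"
        self._n += 1
        ticket_id = f"RG-{self._n}"
        self.tickets[ticket_id] = Ticket(ticket_id, action)
        return ticket_id

    def decide(self, ticket_id, analyst, approve, alternative=None, note=""):
        """Analyst approves, rejects, or substitutes a narrower action."""
        ticket = self.tickets[ticket_id]
        if ticket.status != "pending":
            raise ValueError(f"{ticket_id} already {ticket.status}")
        if approve:
            self._execute(alternative or ticket.action, analyst)
            ticket.status = "approved" if alternative is None else "substituted"
        else:
            ticket.status = "rejected"
        ticket.note = note
        return ticket.status

    def pending(self):
        return [t.id for t in self.tickets.values() if t.status == "pending"]


def demo():
    gate = ResponseGate(critical_assets={"ns1.corp.example", "ceo-laptop"})
    # Constructed recommendations as an automated analyser might emit them.
    r1 = gate.submit(Action("block_ip", "198.51.100.7", Impact.LOW, "beaconing"))
    r2 = gate.submit(Action("disable_service", "ns1.corp.example", Impact.MEDIUM,
                            "suspected DNS tunnelling"))
    r3 = gate.submit(Action("isolate_host", "ceo-laptop", Impact.HIGH,
                            "credential theft suspected"))
    # The analyst keeps the DNS server up and sinkholes the one domain instead,
    # but isolates the laptop as recommended.
    d2 = gate.decide(r2, "analyst-a", approve=True, note="outage risk too high",
                     alternative=Action("sinkhole_domain", "tunnel.example",
                                        Impact.LOW, "narrower fix"))
    d3 = gate.decide(r3, "analyst-a", approve=True)
    return r1, r2, r3, d2, d3, gate.executed, gate.pending()


if __name__ == "__main__":
    print(demo())
```

The critical-asset list is the important safeguard: the recommender scored taking down the DNS server as only medium impact, but because that host is listed, the action is held for a person anyway, and the audit trail records whether each action was run by automation or by a named analyst.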
Toward a change of attitude
Security operations centres are often the first to adopt changes and appear to be moving gradually to automation, with companies reporting that they have already automated between 30% and 75% of their production processes.
However, the change is still immature and businesses do not understand all the opportunities they have to introduce automation. They need to understand the value it contributes, especially for the discovery, analysis and remediation of vulnerabilities.
The analytical power of automation takes a huge weight off security teams, who can then focus their efforts on more critical projects like machine learning and artificial intelligence, which will form the basis of the future cyber security response.
McAfee believes that this solution should make it possible to integrate the workflow from the device to the cloud through the partner, and that this workflow should integrate three critical elements:
• Facilitate cross-product counter-measures and the sharing of known threat information
• Reduce the need for human intervention in remediation tasks by automating these tasks
• Deliver robust policy management and analytical engines that simplify the work of security teams by reducing their workload and providing an additional safeguard around scripted automation as it is implemented
This means taking advantage of both the machines’ technical capabilities and humans’ cognitive abilities to accelerate detection times and reduce the risk of not detecting a threat.
Automation alone may not be the answer to all cyber security problems, but it constitutes an added value that no one should ignore.
Speaker: Candace Worley, McAfee