Mistakes are part of life, but unfortunately in cybersecurity operations, mistakes have the potential to be financially devastating to the business. According to a 2014 IBM study, more than 95 percent of cybersecurity incidents are due to human error. It’s a staggering number, and one that cybercriminals and nation-state adversaries alike are counting on.
Even within the information technology field, “mistakes” can mean many things. One of the first things that comes to mind is poorly secured code or systems misconfigurations – the kinds of errors made by busy programmers or overworked systems and network administrators. While these kinds of mistakes do play a part in security breaches, more often than not the cause is far simpler: innocent errors of judgment that leave business and government networks exposed to massive data loss and financial ruin.
It might be your boss
Or it might be his secretary. More and more security professionals are finding that one of the leading consequences of successful cyber exploitation is the leakage of sensitive data. In addition, innocent users with elevated access credentials are accidentally e-mailing sensitive data to the wrong people or losing unencrypted media or portable devices full of personally identifiable information (PII). Other users are taking sensitive data home with them on thumb drives or putting the data up on file sharing sites so they can more easily access their work from a home office or hotel.
In and of themselves, mistakes like this are usually innocent, and often made by an organization’s smartest and most successful people. They have work to do, deals to make, and problems to solve. To a Type-A problem solver on a mission, even good barriers – like the kind security policy makers and systems administrators put in place to secure data and intellectual property – can be perceived as the enemy. Some may willfully attempt to circumvent the additional security protections put in place, while others, through innocent mistakes, become unwitting accomplices to the breaches and data loss that cybersecurity professionals must defend against.
For example, think about the ubiquitous USB thumb drive. It’s hard to think of a device more beloved by business users: they’re small, hold tons of data, and they’re simple to use. Yet for IT security personnel, they present a serious security risk and a significant challenge to both control and monitor. The very simplicity and ease of use that make the devices so popular are central to facilitating irresponsible usage and lead to an increased risk of data leakage.
Other all-too-successful means of exploitation include users falling prey to phishing attacks. An e-mail that appears to be from a friend or a co-worker may be a delivery mechanism: embedded hyperlinks or malware-dropping file attachments that can take control of personal computers or redirect users to rogue websites designed to harvest user security credentials. In spite of mandatory training in the corporate and government sectors, every single day users who should know better will click something they shouldn’t and create a situation where they put themselves and their organization’s data at risk. It’s a simple mistake, and one that can happen in an instant, but it can also provide an attacker with an instant network foothold as part of a multiphase breach of an organization’s enterprise security.
Cleaning up the mess
The result of combining simple user mistakes with a highly complex threat environment is that the virtual surface area security personnel are required to defend is extremely large and continually growing. If security managers and systems administrators only had to worry about defending network access points or hardening servers full of PII, the threat posed by mistakes would be far less damaging. But what happens when one of your users with high-level access to these same resources sends an unencrypted e-mail full of usernames and passwords to their personal e-mail account? As the interconnection of our work and personal worlds expands, so too does the exploitable surface area of the enterprise, regardless of whether or not the two are physically connected.
Luckily, most organizations are doing the right things to get a handle on securing their far-flung digital borders. They’re using multifaceted approaches that include user education, security policy, and security appliances that can “sniff out” things like leaking PII or phishing attacks, and give security personnel an opportunity to eliminate the threats before they’re able to wreak havoc.
Orchestrating future security
The missing piece in all of these well-intentioned pieces of the cybersecurity puzzle is something that can coordinate these disparate and often disjointed initiatives into something fast and cohesive. This is important because most security organizations are unable to answer the two most important questions they face: how do they manage the volume of threats, and how quickly can they execute? For the most part, they can’t.
Most organizations are suffering from data overload when it comes to their cybersecurity operations and incident response. They often lack sufficient human resources to keep pace with the daily influx of detection events, and when real threats are found, they can’t respond to them in time to stop sensitive information from being lost. Keep in mind that a timely response and comprehensive mitigation are only the most critical pieces of the puzzle. Organizations must also deal with compliance requirements, audit trails, and change control.
To ignore the threat in favor of maintaining compliance leaves the enterprise open to attackers. To fall too far the other way leaves an organization exposed to the legal ramifications of not keeping pace with compliance requirements. Neither situation is acceptable, yet organizations in both the public and private sectors must balance these risks every single day.
Some have turned to automation as a means of accelerating defensive measures and reducing response time to threats. It’s a reasonable reaction, and one that many successful organizations use in some form today. The problem with automation alone is that simply bringing the term up in a conversation can often elicit a knee-jerk reaction of fear and distrust. If simple mistakes and data leakage can cause so much pain, then what about the potential consequences of automating these flawed existing processes?
In most cases, this is simply an outdated view on automation, and a damaging one. When used correctly, and managed by a highly flexible orchestration platform, automation can do the one thing that every security operations center needs: it can give them the time they need to respond quickly and thoroughly to both internal and external threats.
Organizations may realize an immediate return on investment by leveraging an orchestration and automation platform that lets SOC teams gather data for contextual analysis and reduces the human time consumed by low-risk, highly repetitive tasks such as opening, updating, and assigning trouble tickets. This is the necessary but time-consuming work that prevents SOC analysts from spending time on inherently more valuable tasks such as adversary and threat hunting. The more they’re able to focus on solving problems, and the less they’re bouncing between uncoordinated toolsets and trying to write like Shakespeare in their trouble tickets, the better.
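To make the workflow above concrete, here is a small triage playbook of the kind an orchestration platform runs for every incoming alert: enrich the alert with user and indicator context, score it, auto-close the noise, open or update a deduplicated ticket in the right queue, and hand only the high-risk cases to an analyst with the context already attached. This is an added example, not code from the article or from any vendor’s platform; the alerts, user directory, indicator list, scoring weights and queue thresholds are all constructed and hypothetical, and the in-memory `TicketStore` stands in for the ticketing system a real platform would call.

```python
"""Minimal SOAR-style triage playbook over constructed alerts (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# --- constructed reference data; in practice these are directory, threat-intel
# --- and ticketing-system lookups made by the orchestration platform ---------
USER_DIRECTORY = {            # user -> (department, has privileged access)
    "j.doe": ("finance", False),
    "a.admin": ("it", True),
    "ceo": ("exec", True),
}
KNOWN_BAD_DOMAINS = {"login-verify-example.test"}   # constructed indicator
DEDUP_WINDOW = timedelta(hours=4)                   # repeat alerts join the same ticket
ESCALATE_AT, TICKET_AT = 70, 20                     # illustrative thresholds


@dataclass
class Ticket:
    ticket_id: int
    queue: str
    alerts: list = field(default_factory=list)
    status: str = "open"


class TicketStore:
    """Stand-in for the ticketing system; dedupes on (user, indicator)."""

    def __init__(self):
        self._tickets = {}
        self._index = {}   # (user, indicator) -> (ticket_id, first_seen)

    def open_or_update(self, key, queue, alert, now):
        hit = self._index.get(key)
        if hit and now - hit[1] <= DEDUP_WINDOW:
            self._tickets[hit[0]].alerts.append(alert["id"])
            return self._tickets[hit[0]], "updated"
        tid = len(self._tickets) + 1
        self._tickets[tid] = Ticket(tid, queue, [alert["id"]])
        self._index[key] = (tid, now)
        return self._tickets[tid], "created"


def enrich(alert):
    """Gather the context an analyst would otherwise collect by hand."""
    dept, privileged = USER_DIRECTORY.get(alert["user"], ("unknown", False))
    indicator = alert.get("indicator", "")
    return {**alert, "department": dept, "privileged": privileged,
            "indicator_known_bad": indicator in KNOWN_BAD_DOMAINS}


def score(enriched):
    """Additive risk score; weights are constructed for illustration."""
    s = {"phishing_report": 30, "dlp_pii_egress": 50, "failed_login": 10}.get(enriched["type"], 0)
    s += 30 if enriched["privileged"] else 0
    s += 40 if enriched["indicator_known_bad"] else 0
    s += 20 if enriched.get("clicked") else 0
    return s


def triage(alert, store, now):
    """One playbook run: enrich, score, then close, ticket, or escalate."""
    e = enrich(alert)
    risk = score(e)
    if risk < TICKET_AT:
        return {"id": e["id"], "risk": risk, "action": "auto_closed", "ticket": None, "queue": None}
    queue = "ir_analyst" if risk >= ESCALATE_AT else "soc_tier1"
    ticket, what = store.open_or_update((e["user"], e.get("indicator", "")), queue, e, now)
    action = "escalated" if queue == "ir_analyst" else "ticketed"
    return {"id": e["id"], "risk": risk, "action": f"{action}_{what}",
            "ticket": ticket.ticket_id, "queue": queue, "context": e}


# Constructed sample alerts, in arrival order, ten minutes apart.
ALERTS = [
    {"id": "A1", "type": "failed_login", "user": "j.doe"},
    {"id": "A2", "type": "phishing_report", "user": "j.doe",
     "indicator": "login-verify-example.test", "clicked": False},
    {"id": "A3", "type": "phishing_report", "user": "j.doe",
     "indicator": "login-verify-example.test", "clicked": True},
    {"id": "A4", "type": "phishing_report", "user": "a.admin",
     "indicator": "newsletter.example.test", "clicked": False},
    {"id": "A5", "type": "dlp_pii_egress", "user": "ceo",
     "indicator": "personal-mail.example.test"},
]


def run_playbook(alerts=ALERTS):
    store = TicketStore()
    t0 = datetime(2024, 1, 1, 9, 0)   # constructed start time
    return [triage(a, store, t0 + timedelta(minutes=10 * i)) for i, a in enumerate(alerts)]


if __name__ == "__main__":
    for r in run_playbook():
        print(r["id"], r["risk"], r["action"], "ticket", r["ticket"], "queue", r["queue"])
```

Of the five constructed alerts, the lone failed login is closed without anyone touching it, the second report of the same phishing domain from the same user is appended to the existing ticket instead of opening a duplicate, and only the two high-risk cases reach the incident-response queue, already carrying the user’s department and privilege level. The scoring weights are deliberately simple; what matters for the argument above is that the enrichment, deduplication and routing are done by the platform before an analyst ever sees the alert.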
The concept of security orchestration and automation is rapidly gaining ground, and it directly addresses both problems of increasing threat volume and complexity. It also helps address the human error and costly “mistakes” described previously. Nothing introduces error into an organization faster than being overworked and under the gun.
Orchestration and automation together can start eating away at time deficits and giving security personnel more time to make complex decisions. Think of it as a time machine of sorts. A platform that lets you slow the clock down to the moment just after the “boom” occurs, so that analysts and incident responders have more time to decide and act to counter the threat, instead of rushing to gather data and make sense of what just occurred.