Alexei Balaganski, Lead Analyst, KuppingerCole
Joseph Carson, Chief Security Scientist & Advisory CISO, Thycotic
Christopher Schütze, Director Practice Cybersecurity and Lead Analyst, KuppingerCole
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
So maybe we start with a simple introduction, a question, and this is something we discussed in the, in the preparation. What is security automation? Is it really, is it just a new password or is it just a new name?
So as, I mean, I've been in this industry now, given my gray herbs and scars is close to 30 years. So quite a long time and in my entire career, everything I do, I mean, we as system administrators and infrastructure administrators, we're always looking to automate. We want to spend more time doing the things we enjoy. So a lot of the things that we do that we can repeat and automate, we try and tend to script them. We used to script them, used to be, it started off with tasks.
We would script specific tasks about imaging systems or deploying patches, or, you know, updating configurations or ruling out new applications. We would tend to script those tasks and that was all automation. And then we started getting into more about, well, now why can't I automate the entire tool set the, you know, the provisioning process or the workflow or the entitlement of users' credentials and access?
How, how can I go even further to not just automating a task, but automating the entire workflow end to end. So we started looking at this kind of much more holistic and broad, and we're even going further beyond that, where, you know, now we moved into more automating the entire tool itself. So I put a solution in place and I want that tool to be, I want to be as little in that interface as possible. I want to use APIs. I want to use commands. I want to use automations. I want use workflows that that tool itself will do everything for me.
So we want to be spending less times in the tools and more time actually augmenting and refining and improving the environment and the, the organization's systems and the strategy long term. We wanna be spending the, the, doing the things we enjoy. We wanna do, you know, continuous learning about cuz our industry a choice in our industry is a choice as a lifetime student, but we have to stay up to date and we have to dedicate certain amount of our own time to learning new technologies and, and new techniques now further what's happening now.
And we, we tend to, you know, we have new buzzwords for everything and for me, you know, artificial intelligence really when we peel it back and we really look underneath what's artificial intelligence, it's really advanced automation. It's really, you know, it's, it's augmented automation. It's about helping us make better decisions. And of course we are getting there with artificially challenges becoming much more, let's say autonomous as well. So there is direction to that, but when weal, it it's really advanced automation.
What that means is that it's no longer about having automation within silo solutions. We must automate across multiple solutions. The solutions must work together and that's of course the, the, you know, the API is such an important aspect or the, if a solution doesn't have an API and it can't be integrated well, that solution is something that you should question. It means that we have to start getting into what I refer to is security orchestration. It means that the APIs enable interoperability between those solutions.
And it really gets to mean where we actually can get where security is almost like a living organism within the business. As I mentioned earlier, security cannot be static. It needs to evolve. It needs to be dynamic and adaptive to the threats that's out there.
So when we get into where we're moving to, is this much more interoperability between the security portfolio, where everything works together, where my email filters and scans and my vulnerability scans and my privilege access my identity management, my threat intelligence are all working together to highlight and bring up to the surface. As I mentioned in my previous talk, my job is to, to force the attackers to taking more risks.
And the more I can do that automation to bring the things to the surface that are important, that I intend to maybe investigate, or I need to all of a sudden, you know, actually eliminate an eradicate that threat. That's the direction we're moving to. So really exciting where things are moving, but automation and security is the key to success in the future. Definitely.
And in your previous example about the brands where tech, you already shared how the attackers do that, and you took a batch script scripts, and if you have a high level of automation and I'm pretty sure they do not join every single system, there's also an automatism behind it, where they try, oh, where can I achieve much as much as possible and where can I get access? And where's the potential that the, the organization I attack, they pay the ransom.
I mean, at the end, it's a business and this is what we all stated very often. They want to earn money with us. And Martin did a good quote on, on Monday. If you become a good customer of, for ransomware company, that's not the best because they will come back. They know they pay. And even if you get 50% discount, the first time, this might not be the final solution. Yeah. Just what run somewhere will turn into subscription business.
They, They will take a lesson from us. And we'll say, if you subscribe to our service, we will, you know, we will avoid you in the future. And 60% If you pay right now, I mean, Joe, if you kind of go back to your original statement, I totally agree everything we do for the last 30 years or so is automation in security. Like back then, when you download an antivirus and you run it from a command line, you are doing security automation. Correct.
And you were, and now it's all, I mean, all the progress is just our, first of all, making this security more, all encompassing of more coverage, more is just sort of openness integration correlation between sources. And of course, well automating the automation, if you will.
Ideally, I would say kind of, hopefully in the future, an ideal security tool would just have one button make me secure, right? Well actually, actually your 0.1 of the things. So I'm based in Estonia and we actually have that methodology is that every, every, so we, we look at our, in Estonia, we look at things of, of being a service service defined or service driven. So we look at it not just as this individual system or an individual data component or an application, we look at it from an end to end service. And that's where organizations need to be looking at things.
We need to look at things of, of how we're actually delivering services to our users, to our customers and partners. So we have to look at it from a service perspective. And that means that we have to really understand about one of the goals for in the tax systems and the voting systems is that we need to reduce that interaction with the end user as much as possible. So that's a single click, one click for tax return, one click vote. And all you need to do then is verify, is verify that's signing.
And we need to move to the same for security is that we need security to be going to that direction where we need to be looking at that. Do I stop that service from running or do I send it to my sandbox or do I want to add a policy that will actually send out to the rest of machines we need to get to where security is much more actionable and it's that single button which provides you the choice. And eventually at some point we might give more autonomy over to the system, depending on the outcome or the impact it might have to the business decisions.
So we might start to see more autonomy in security from the single, single actionable impacts. And, You know, I would argue kind of the actual activity behind that button click should not be solve my security problem today. It should be well, make sure that I am as secure now as I was yesterday.
And as I will be, anytime in the future, security has to be well dynamic and competent the whole life cycle, which is why I'm a little bit surprised that anytime or quite a few times in the earlier presentations, we heard security automation is all about threat detection, like making it easier, quicker to detect. I would argue well, hardly in your systems patching in time. It's all about security automation as well. If you could click a button and make sure that all of your systems are patched or ideally, if you don't have to click any buttons and your system would still be pitched.
So I, I had a vision years ago and actually it was really when Dick had mentioned an earlier keynote, he talked about bringing your own identity and he was talking about those concepts and really got me thinking about some of the things I was looking into a few years ago and absolute to your point, I, I would like to, you know, a lot of what we do in security, it has to, it has to be a living organism. It has to be able to be modifiable changeable on demand when you need to.
And I always had this vision of, you know, like, you know, you've got the Def con threat, you know, impact in your, and basically what that would allow you to do is based on realtime threat intelligence, that when we start sharing from organizations who are seeing new variants of ransomware or new variants of malware or new threats or new vulnerable systems, zero days and so forth, that we can simply just turn that dial, not dial automatically change our entire security landscape in the organization that it might say that, well, there's a new ver of ransomware that actually has these types of impacts.
So therefore we just need to turn that dial up. And it might mean for a few weeks that our employees might have to do a little bit more continuous verification, or it might mean that if I run a privilege application that the child processes might not inherit the same privileges that we have to do more auditability.
Now, just turning that do would, you know, make the security almost like fence higher and lower, depending on the threat landscape out there. And it would actually either, you know, make more contextual base security in the background. So having that single adjustment, you know, it's like the volume on your stereo, it'd be like the volume for security.
No, out of this brings me to almost the quote unquote curse world. We here too many times during the conference as well. The policy and security has to be policy based and that dial you, you mentioned it just switching between different policies or make bit of, well, if you need to kind of bring your security to 11 in the, in the back end, it only means, well, you have to enable more security policies.
Maybe this week, you should not allow anyone to log in from China for whatever reason, or maybe kind of activate more biometric application options to ensure that yeah, if you are whatever, if you do not behave, if you usually behave normally, well, probably it's not you someone else working in, in a network. Yeah.
It comes down to, I think, an important message to this conference that I've, you know, seen is that contextual security isn't is critical and, and not just contextual security, but contextual security that works in the background that allows users to not see it, that it's actually just working behind the scenes.
And I like to think of security as a, as almost like a digital polygraph test that every time I want to access something that there's it, maybe ask me a question directly, or it, it will check something in the background to make sure I'm coming from the same device, the same browser, same location, I've got the same, let's say risk scoring based on, you know, how I'm time of day, I'm accessing location, proximity and so forth. So really getting into contextual base security. And that really means that we, we must also make security usable as well. We must make it frictionless as possible.
And this is another key part. And that's why automation's important. The more we automate, the more usable we make security as well, Definitely.
But, but for instance, when talking about policies, don't we move or shift the main problem then to how do we define the policy? So we start to define only users that are not in the vacation, so can join log onto our system.
So have, have a database check, whether he's in vacation or not, maybe I use outlook calendar or whatever. Okay. This saves me a little bit more, but it is not a solution I have to imple reimplement or reinforce the policy several times. And at the end, it's probably more difficult to use it than just define other measures. How can we deal with that? I would argue many people just kind of mix to different things, policies and rules. Yes. Because rules are complicated. You have to have probably on a single firewall alone, you have to have thousands of rules. Those are not policies.
Policy is something simple clarity by nature. Again, ideal policy should be just one line. Certain we want to be absolutely secure. We're not there yet. Maybe we have to kind of write down a few more lines, but again, the ideal policy is very short where concise and very, the declarative Policy is a state that you want to be in. That's what a policy is.
It's, it's a predefined state within that policy. There might be set of different rules or different automation or different kind of contextual things that you want to happen as part of that policy to, to meet that policy. And it might come, as I mentioned, we need to have work security orchestration between multiple systems has to be part of a policy. A policy should not be isolated to one solution. A policy should actually incorporate multiple solutions working together, organizations.
If, if you can't get security solutions to work together, what it means is that you end up having more people, wasting their time to manage individual solutions. And that we hear a lot about, you know, why we doing automation in the first place? What what's the whole reason for doing it? And you hear about, you know, we talk about oil is valuable and we talk about how valuable data is and cryptocurrencies, the new cryptocurrency of, you know, like currency in the future. And all of you hear all of the things about what's the most valuable thing.
But in my mind, the most valuable asset we have is time. Time is the most valuable asset that every single one in this room has, we have a finite amount of time in this planet. And I'm sure you don't want to be wasting your time. Resetting passwords, setting up accounts, sifting through our members, spending days, looking through logs for hashes.
I, we don't want to be wasting our time. And the most valuable thing we can give to organizations is making sure that your time is used as best as possible. Whether it being, helping the organization innovate, helping great new strategies, helping educate you and give you new skills. The most valuable asset we have is time. And the reason why we do automation, the reason why we do this is one is to make things repetitive, make it consistent. And at the same time, give you the time back. So you can focus on things that are more valuable and not repeat things that are wasted.
So always remember at the end of the day, automation is saving time and your time, which is the most valuable thing in this world. No, interestingly enough, many people, especially working in security, they fear this idea a lot because they say, well, I mean, I mean kind of going to be out of work soon because that's So, so to your, your question, absolutely, we, we should not fear automation. That's that's and some people fear it. Some people really scared it.
My, my job is to make my job automated. If I can clone myself and make an automated me, that is my job. I want to do that because then it will allow me to, you know, if I can automate my job, it allow me to move to new things and new skills and new learning in other areas, our, our future is about reskilling. We have to be prepared to keep reskilling and your job should be automate everything you do. That's one of the things is that, you know, if I look at a task, my first thing is I need to automate it so I can focus on things that is unique.
That part of my job is research and creative content. So yes, you should not fear automating your job. It gives you a new opportunity to do something new, to do something creative, to look at new areas and re-skill, and that should everyone.
You know, I remember years ago, one of my bosses mentioned to me is if I walked in front of a bus, could the business still continue? I know it's a weird thing to ask, but it made me realize that I need to make sure that even if my time ends, that everything can continue. So my job and my goal is to automate me. So therefore I can actually reskill and, and, and keep innovating and being creative. We're humans, we're creative by nature.
So yes, don't fear automating your job and don't fear bots and artificial intelligence and everything else. We should embrace it, but we should embrace it with responsibility. But at the same time, we had to realize that as I mentioned more, the most important thing is don't waste your time, but use that time to learn as many new things as possible. Exactly. And this is what we did in the past with everything from inventing the plane, the train, the car, the electric vehicle and all that stuff. And now we are focused on talking about security.
I mean, 50 years ago, we didn't know that something that, that this is possible. And that's a cool thing, but we are talking a little bit generic about automation. Is there then for an enterprise, the need for new products to implement security automation, is it a combination or how can we deal with that? It's a very good question. It is about a combination of products.
I, I don't think there's, you know, and I mentioned earlier about de-risking you want to, you don't wanna become very dependent on a single framework or single methodology. So I'm always one I, I years ago, just to give you example, and it's not a great example is that I worked many years ago for an organization that did foreign exchange money markets, and our systems were meant to be high availability and high resiliency. So we had two of everything, two firewalls, two internet providers, two of everything. And last week it was a harsh reminder for me because it reminds me back.
So 1 9 11 happened. Our resiliency was that the two ISP providers that we chose, their transatlantic rooters were in the basements of trade center one and two. So when both of them collapsed, we completely lost all connectivity to north America. So we always had to make sure that when we think about, and those are not great, you know, it's is a horrible scenario, but it also makes you think about resiliency. It makes you think about how do you make sure you de-risk, how do you make sure that you don't become dependent in those scenarios in the future?
So choosing one solution in one company to do everything is a high risk, and we all should look to de-risk. So it means that it's a combination of multiple solutions together working together that might have some somewhat overlapping functionality, but of course, once one solution's unavailable, the other solutions should be able to take over those capabilities. So sometimes it's really important to make sure that, you know, let's say it's, it's like having one car in the garage and the car is not working. You wanna make sure you still have a bicycle to get to work.
So you wanna make sure you always have a means of transportation. So always think about resiliency and think about your options and alternatives. And don't do a hundred percent dependent on one method.
No, I don't think we should even expect that to be, that will ever be one single solution to, to do all of your security. I mean, we've been promised that many times The silver Bullet. So how old is like the idea of seeing 20 years or something 20 years is yeah, it's about, yeah. And then we had like EDR and then we had, well, now we have XDR which supposed to go to everything, all those two quotes and something else. So I'll be showing my age cloud, I'm showing my age.
I mean, I was one of the original people back on compact insight manager. So if you ever use compact insight manager for sending events, that's what I started. A lot of my, my job doing was creating watch dogs and agents for, for correlating events and then sending it into the likes of CA uni center in HB open view. So we created, you know, this is things that we've been doing is not new, but what we're doing is we're, we're definitely getting better at automating it and understanding it.
And rather than just doing it for the sake of doing it, the important part is we're making it much more actionable and you know, and that action is also automation. It doesn't mean actionable that human intervention it's actionable that it's, it's automated such a fashion that we can do it end to end. And again, sometimes it's just kind of letting in the human click, the button to make a decision. Sometimes it's not even, I mean, sometimes we just don't have time even look at the bottom. Yeah. And the biggest challenge is the how, where do you put this?
The limit between those two and every company has, has to decide for themselves, It's a business risk. It all comes down to the, if, if the actionable outcome of a decision or a result, what you're looking at has a kinetic impact in your organization. You may want to have some type of human intervention. So it really comes down to how much autonomous you want to give that system itself. And looking at the outcomes of that potential risk is, do you want to, how much impact does it have in the business? And then it has to be a business decision. It has to be a business input.
You cannot make security decisions that impacts the business without actually liaison with the business itself. As I mentioned earlier, my job is to listen to business and understand risk, and then provide them with the understanding about what security measures we can put in place to reduce that risk and let them decide what risks they're willing to accept. And this is where it's such importance that we have a good relationship with the business leaders and executives to help bring, bring down that gap.
We had to have security leaders that can translate it into business impact and therefore have much more meaningful conversations at a board level to really make decisions about what risk we're willing to accept from security measures or not. So that's, what's critical and that's a vital importance we need to do in the Future. Absolutely. So just a short cross workshop advertisement here in the ransomware workshop, we exactly talked about the topic you need to be aware of your business processes, the assets, the risks related risks.
What does it mean if it's not available and then how to implement the incident response management or the mentioned business continu business continu team management part. So if you're interested, just have a look at the recording. And now it's finally time to come to an end final question. And this is an interesting one. What kind of automation can we implement as a quick w quick win? What is the first step to do? If I want to improve the security force, my people to frequently change their password or not to create a text file on the desktop. That's.
I mean, I was so one of the things, I mean, definitely one area. I look at a lot of the risks from that incident is the more we can actually make sure we move passwords into the background.
We, we, we hear a lot about password lists and we hear a lot about passwords disappearing. They're not actually disappearing and they're not dis you know, there's no magic button that does that. What really is happening is, is we're moving, we're having less human interaction is the humans are less interacting with passwords. And that's what it really means. And we're moving passwords into the background so that systems are automating it.
So if you want a quick win moving passwords into the background by either using password managers or privilege access or identity access, moving those into the background, are you single sign-ons or biometrics? There's lots of ways of doing that is a quick win. It's a quick win, because one is, it reduces cyber fatigue for your employees. That's a definite thing you want, you want employees to actually like security. You want them to embrace it. And a quick win is by taking away. One of their biggest pains is having to select their next password.
I'm pretty sure that it's a difficult challenge for many to do so moving that into the background and providing users with that experience. And it also means that a lot of the techniques that I showed in the ransomware incident would've actually become much more difficult. It forces if you're moving to, to, into the background where there's additional security controls in place in contextual security, it means the techniques that I do, it forces me to tick more risks. It means that I potentially had to repeat password cracking every single day, creating more noise.
I might have to introduce new tools in order to actually hack those passwords, creating more noise. So a quick win is to automate your, your passwords and move them into the background, reward your employees, reduce cyber fatigue, and make the attackers job more difficult at the same time. Perfect. Thank you very much, Joe, for this great insight for your presentation, for your participation in this panel. And also thank you very much Alexei for your insights. When we talked about security automation. So now it's time for a lunch break and a networking break. We will have one and a half.