Welcome everybody. My name is Donnie went. I am a principal security researcher at MasterCard and also an adjunct professor at Utica college. And like I discussed this, presentation's actually going to combine some of that practical experience I have, along with the doctoral research I did, which focused on security automation and adaptive cyber defense in the financial industry. So for those of you old enough to remember, excuse me, in 1987, this is actually how we envisioned security automation Robocop, right? But in 2020 here was kind of the reality.
The HP Robocop, this was deployed by Huntington park police out in California to, to patrol the area. Now there have been a few mistakes along the way. There was a close relative of HP Robocop. You see here who chose to drown himself in a fountain to avoid doing any more work. And in New York, they had to recall this creepy little robot dog they had after significant public backlash.
Now I'm not really here to discuss security robots, although that would be a lot of fun.
Instead, my focus is going to be on security automation within our digital environment. So why are we doing security automation? Why are these companies interested and why have they implemented it?
Is, is it perhaps to reduce cost or, or to save money? And I guess what I'm here to tell you today is that if that's why you're pursuing security automation, you're probably in for a very rude awakening. And we're going to revisit this question a little later in the presentation before we dive into it, though, I want you all to, to kind of think about and consider where your organization sets with security automation, orchestration. Hopefully you're closer to that right side.
You know, that's where automation is your default and not to the left side where your quite frankly, your lack of automation is, is very disturbing.
Most of the organizations I talked with during my research were somewhere near the middle, where they have some automated practices, maybe they're planning on starting, and they've implemented a few automated scripts in that. So let's briefly look at the current state and what, what, what, what are those driving forces behind security automation?
Of course, we know the attackers enjoy that asymmetric advantage because they can choose the time and place of the attack. And then we, we have to respond. They can also acquire and use exploits as we've seen with grade E.
And when we couple that with the low likelihood of detection, all that strongly favors the attackers, the use of SIM similar operating systems, hardware applications, all that increases the reward for attackers and also the, the well known static defenses, as we've seen, they've become increasingly vulnerable to threats from well resourced attackers engaged in very targeted attacks.
We also have that increasing sophistication of attacks, which is really making the identification of both the unsuccessful and successful attacks, much more difficult.
You know, the, the attackers who are investing in the advanced persistent threats, they're highly motivated and they're going to map out multiple paths. They're going to pivot their attack as necessary to achieve their goal.
Of course, the cyber, the, the, the kind of human centered cyber defense practices that they just can't keep pace with with all the threats that are targeting us. So we have to drastically increase that speed of both detection and response to decrease the attacker's advantage. And finally, perhaps the chief driver security automation is that shortage of cybersecurity professionals like us to deal with the increasing threats. So what do we do? This is actually the conceptual framework that I, I based my doctoral research on.
And it's where we look at cyber defenders have to address both sides of the equation to effectively narrow that gap between the attackers time to compromise and the defender's time respond.
A lot of the leading research addresses the, this disadvantage through things like community sharing of security, intelligence, automation of security responses, and using innovative defenses, including deception and active defense today's discussion really focuses on that top half.
How, how we increase the time to respond or decrease the time to respond through intelligent sharing and automated response. And perhaps in a, in a later day, I, I will go over some of the, the, the bottom side of that, where we talk about deception and active defenses and what role they play.
So when we look at the, the complexity of technology and, and the business and information assets in, especially in large organizations, demands that we automation tools right to, to assist those humans in gaining and maintaining that situational awareness full awareness of the current situation within such a complex cyber environment is quite frankly impossible without automation alerts concerning anomalies, that they inundate the security Analyst who have to quickly triage security events, that triage analysis, which requires the Analyst to review, analyze and interpret vast amounts of security.
Data is one of the most labor intensive task performed automated enrichment can allow the Analyst to make informed decisions based on better situational awareness within their environment.
Security automation can also execute automated responses, leaving humans to do what they do best, which is to discern and decide right, that this increasing move that we're seeing cyber security automation will require the workforce to adapt from what is typically described as human in the loop processes, where we're actively involved in every step to human on the loop processes, where it's more of a supervisory role. Now sharing cyber threat intelligence is also another way that can help organizations to respond and prevent malicious activities.
And we'll look at that a little bit as we go as well. So back to the question about why, if not to save money, why have all these organizations invested in security automation?
And I'll say the, the quotes you see throughout here, they they're from participants in my doctoral research. So those all came from there.
Now, there are many benefits that the organization that, that, that these organizations I, I talked with have derived from security automation, I'd say the most frequently mentioned benefits were time savings and efficiency gains for the security Analyst. Now, perhaps the most important interrelated benefits are the increased visibility and the decreased time to detect and respond security automation provides that increased visibility into security events by increasing the volume of events that can be processed before automation.
Honestly, the, the Analyst just did not have time to review all the events, right? So organizations leverage automation to respond to many of these routine events perform the enrichment of events and then filter out non-relevant events. This leads to, to the ability to free security Analyst for more advanced work, such as threat honey and improving the automation.
So instead of cutting costs, the efficiency gains allow organizations to redeploy their security Analyst to hunt for those of more advanced threats or to respond to events, not seen before we implemented automation.
Also, of course, it's important to, to recall the, the current shortage of cybersecurity professionals. So the use of automation allows us to redeploy those scarce resources to further enhance our security posture. Another benefit we've seen from it is the consistency of the process, right? When Des when responding to alerts security automation, playbooks can ensure that analysts follow a standard process consistently and effectively. Also these standardized playbooks can then be used to help train new analysts in our environment.
So when we look at the use cases for security automation, there, there are many that where security automation has been applied within the financial sector, the use cases for security automation that I identified when going through the study included things like event enrichment intelligence, processing detection, and prevention of security incidents and automated response. The most frequently cited use cases were for that event enrichment and correlation to provide the situational awareness.
The concept behind the enrichment use cases is to perform those repetitive lookups and provide the Analyst with all the related data or that situational awareness, so that the Analyst Analyst can make an informed decision. Automation searches through those internal sources, such as say, your security incident and event management or seam system, your secur security tools, which may be firewalls, web proxies, whatever, and your internal data sources, right. To provide that data relate that that relates to the, say the prevalence within our environment.
And also the details on the possible impacted host and users. Automation also then collects all the external data, right, such as reputation scores and contextual information concerning the threats. We can understand that threat better. Another related use case to the enrichment is the ingestion and processing of indicators of compromise or IOCs from many intelligence feeds, cuz the volume of those IOCs that in and date organizations requires that automation to filter out the IOCs and discard. Those that do not apply.
And we talk about automated response use cases, those included things like implementing blocks, quarantining host, or users and malware remediation automation course can apply that block at the firewall, the intrusion prevention system, web filtering solution host based security solutions. And so on the, the we also using. So automation's also used to before applying that block, check the internal sources to determine what the possible impact may be on business operations.
Before, before doing that block security automation can also assist with detection and prevention use cases. We've seen companies applying automation to combat things like fishing campaigns or to detect and prevent leakage of sensitive data and to detect and alert on insider threats.
Oh, now the, the financial sector, it became clear when doing this also realizes the importance of intelligent sharing, right to counter sophisticated threat actors. So I really wasn't surprised to see that all, all the institutions I, I talked with actively participate in intelligence sharing, especially within peer to peer agreements and industry organizations like the financial services, information sharing and analysis center or FSI SAC.
However, what I found is the automation within the context of intelligence sharing is almost exclusively focused on ingestion and enrichment. A few companies are yet using automation to really harvest and send original intelligence out to their peers or industry organizations to help help protect the, the, the environment as a whole.
Now, as I talk about those volumes of IOCs received by these institutions far exceeds the capacity of any humans to analyze them. And also those IOCs often have a very limited period of usefulness. So they have to be active upon immediately to thwart a possible attack. So these organizations use automation to filter the incoming IOCs from the various intelligence feeds as soon as they are received. And then the automation checks internal systems for prevalence and relevance. It speeds farer passing human Analyst Analyst.
Now, despite the act of participation we see in intelligence sharing, there are still several impediments to more effective sharing. And these impediments typically fall into two categories. Didn't mean to go on. There we go typically fall into two categories, right? It's either concern with the intelligence feeds or of reluctance to share intelligence. Now the main concerns with intelligence feeds typically relate to the quality relevance and recency of that data.
Fortunately, this is where security automation can actually help with each of these issues because automation can quickly filter out. IOCs are not relevant, which addresses the relevancy issues. The source providing the IOCs can use automation to disseminate the indicators quickly ensuring recency. And from a quality perspective, automation can help score the intelligence feeds and apply confidence ratings based on the source and type of indicator. The reluctance to share remains an impediment and probably more difficult to address, especially in highly regulated sectors.
See companies may be reluctant to share data with the government or governments responsible for regulating them though. The findings, you know, for my research suggested that there's a lot of peer to peer intelligent sharing is really common within the financial sector. We look at other sectors companies may be more reluctant to participate in widespread sharing with their potential competitors.
So this, this is a quick case study.
I wanna look at actually was, was able to participate in this one. It was conduct a pilot of the, what was called the integrated adaptive cyber defense framework. It was conducted by Johns Hopkins university applied physics lab and was sponsored by the department of Homeland security in the us. So the Fs IAC generates and scores all these IOCs that they're gonna send out to the financial institutions. And then those financial institutions have to respond to those IOCs take action within their environment.
Now in this pilot, there were three, three institutions that participated along with the Fs IAC. And we, we each implemented our own security orchestration platform to meet whatever our specific needs were. And then the results after we did this pilot, we saw that the overall process to went from that was to generate the IOCs at the Fs IAC and respond to them at the, at the respective financial institutions went from approximately 10 hours down to four minutes where we saw a real gain was in that generation of IOCs.
So hitting that, that, that the recency aspect where it went from six hours to about one minute. So we saw a lot of gains from doing this automating, that threat Intel process.
So what are our keys to success, or if you're trying to, if you're thinking about implementing security, automation, orchestration and response, how do you help ensure success?
Well, I would say before you begin, you really have to understand the resources necessary. Security automation is certainly not a side gig or a part-time responsibility for people currently working in the so or security operations center.
I, I have witnessed organizations, struggle struggles, severely to get automation off the ground due to a failure, dedicating the appropriate resources, right? Having a team focused on security automation is going to significantly enhance the chances of success.
Now, the main roles that are going to be necessary on this team, you're gonna have of course have to have leadership. That's going to set the directions and the priorities and align those with security. And with external teams, you're going to have to have automation engineers, right?
The, the automation, engineer's gonna have to understand whatever security orchestration platform you're using. So they're going to develop, maintain, and test those playbooks, right? They're going to analyze the processes and also define any requirements for custom development. Of course your SOC Analyst have be involved because they are going to be the subject matter experts as required. And they're also gonna be the consumers and users of, of this platform and then development.
So you have to have some development, resources were needed because most likely you're going require some custom development as you develop your, your security orchestration. Now it's important to note that all the major automation platforms I look at are all based on Python. So that's where a lot of your development resources will come in.
Now, once you have that team successful implementation is going to require very careful planning. And perhaps the most important factor in success is building that sport and trust throughout the organizations.
So focus, use cases that are entirely under the purview of security team, and that approach is gonna allow you to develop trust and confidence and automation before attempting automate use cases that take actions outside of security. Now you can expect to face some significant barriers when implementing automation that reaches into other parts of the organization.
Therefore take the time to develop trust with those organizations such as networking it legal human resources, and look for those mutually beneficial use cases. Also when implementing automation outside of security, proceed with great care, you know, one automation mistake that impacts another team such as the networking team is gonna quickly derail your security automation implementation. And that's really well. I guess the last thing would be selection of the processes to automate, make sure those are clearly understood and ready for automation.
If you don't already have well defined processes, spend the time to analyze and define them, make sure you're not just doing the wrong thing faster, actually improve your processes as you do it. And look for those low risk processes to start with that. I believe that is all I happen today.
