James Todd, director of SecOps at KPMG, describes his role as converging SecOps, security architecture and cloud security. This is a particularly interesting intersection in terms of automation.
“It’s at the intersection of cloud environments and it’s great for deploying everything as code,” Todd said. “A lot of automation is a big part of that. It’s much easier and more proficient to be able to take dynamic actions in a cloud environment than in a traditional data center or on-premises environment. The controls available to us are much more dynamic.
“It doesn’t prevent us from being able to do things within the security controls of the endpoint or the local data center, but it’s a different approach.”
October research by the Enterprise Strategy Group found that almost half (46%) of SOC teams report “extensive” automation of security operations processes. Beyond that, more than half (52%) of respondents agree with the statement that operating securely is more difficult now than it was two years ago.
So it’s no surprise that automation efforts within the Security Operations Center (SOC) are a major focus for KPMG. One statement from the professional services firm last year maintained that automation can “have a significant and positive impact on the effectiveness of CISOs and their teams.” A month later, another cited automation as one of three key approaches, alongside improving skills and diversity, to bridging the cybersecurity skills gap.
Todd’s division provides SecOps consulting and operations services to financial services organizations. There are two main types of clients. The first is an organization with little or no security operations capability of its own: either it has grown in size and needs a more formalized process or, as Todd puts it, it is more mature and wants to draw a line between “dynamic changes in the environment and constant changes in the threat landscape.” The second is organizations that need to take it to the next level – and this is where automation can come into play.
“Once a given playbook or workbook has been created for how to handle a particular threat or a particular incident, we look at introducing automation, initially reducing repetitive task elements in security operations, and then moving to higher levels to end automation and introduce autonomy,” Todd said. “So the SOC can react to threats in as real time as possible.”
Striking the balance between automation tools and human resources has always been a headache for executives. Writing on SecurityWeek in November, Marc Solomon concisely summarized the problem: “Use automation to make your workforce more productive, and use your workforce to make automation more effective.”
The easiest part of automation, Todd explained, is the robotic process automation (RPA) element, which frees up SOC analysts to focus on incidents, threat hunting, and other important tasks. The next step is to turn to technologies such as machine learning to enable smarter decision-making — or machine-led decision-making. “The platform builds trust in these actions and understands the impact of specific actions,” Todd said.
“If I see a specific threat intelligence-related indicator file in my environment, and I know the asset that has been targeted, the security posture of that asset, and its susceptibility to attacks against it, I can use machine learning to inform some of the decisions I can make,” he added. “The whole process from isolating a specific asset, restricting its movement, conducting a specific activity to allow us to gain more intelligence.”
Todd cites the influential MITRE ATT&CK matrix, first published in 2015, which catalogs hundreds of tactics adversaries use against enterprise operating systems. Although ATT&CK is in no particular linear order, the first category, “Initial Access,” is the point at which an attacker gains a foothold in an organization’s environment. This is where Todd wants his team to be.
“Our best goal is to act or intervene when an attack is first observed in the cyber kill chain,” Todd said. “Being able to look around and take action around the first point an attacker is trying to get into the environment is really sleek.”
Todd, who is speaking about cloud security at the Global Cyber Security & Cloud Expo in London on December 1-2, added that the most commonly used form of machine learning in cyber defense is anomaly detection. For now, this is where automation might stay.
“I think [where] the human element is that machine learning is good at spotting outliers and anomalies,” Todd said. “Currently, decision making is definitely in the hands of analysts within the SOC.
“Those analysts [will] codify and transfer their well-validated, well-executed playbooks, or turn those playbooks into automated methods,” Todd added.
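As an added illustration (not KPMG’s or Todd’s code) of codifying a validated playbook into a gated decision, the Python below scores an indicator sighting against the asset context Todd lists (targeted asset, its posture, its susceptibility) and lets only analyst-approved steps run unattended; the thresholds, weights and field names are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ANALYST_REVIEW = "queue for SOC analyst"
    COLLECT_TELEMETRY = "collect extra telemetry from asset"
    RESTRICT_MOVEMENT = "block lateral movement from asset"
    ISOLATE = "isolate asset from network"


# Playbook steps analysts have validated and trust to run unattended (assumed set).
TRUSTED_ACTIONS = {Action.COLLECT_TELEMETRY, Action.RESTRICT_MOVEMENT}


@dataclass
class IndicatorMatch:
    indicator: str      # e.g. a file hash from a threat-intel feed (constructed value)
    confidence: int     # feed confidence, 0-100
    asset: str          # hostname where the indicator was observed


@dataclass
class AssetPosture:
    criticality: int    # 1 (lab box) .. 5 (crown-jewel system)
    susceptible: bool   # asset exposed to the technique tied to the intel
    edr_present: bool   # endpoint agent available to observe and act


@dataclass
class Decision:
    action: Action
    automated: bool     # True only when the step is in TRUSTED_ACTIONS
    score: int
    rationale: list = field(default_factory=list)


def decide(match: IndicatorMatch, posture: AssetPosture) -> Decision:
    """Combine intel confidence with asset context, map the score to a
    playbook step, and gate execution so untrusted steps stay with the analyst."""
    score, why = match.confidence, [f"intel confidence {match.confidence}"]
    if posture.susceptible:
        score += 30
        why.append("asset susceptible to linked technique")
    score += posture.criticality * 5
    why.append(f"asset criticality {posture.criticality}")
    if not posture.edr_present:
        score += 10
        why.append("no EDR agent: less visibility, act earlier")
    if score >= 120:
        action = Action.ISOLATE            # high impact: recommended, not automated
    elif score >= 90:
        action = Action.RESTRICT_MOVEMENT
    elif score >= 50:
        action = Action.COLLECT_TELEMETRY
    else:
        action = Action.ANALYST_REVIEW
    return Decision(action, action in TRUSTED_ACTIONS, score, why)
```

A high score still only recommends isolation; because `ISOLATE` is outside `TRUSTED_ACTIONS`, the decision is handed to an analyst, matching the human-in-the-loop split Todd describes.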
(Photo by Tim Mossholder on Unsplash)