The accelerating pace of change in enterprise security and the speed with which new attacks move and mutate means that some degree of automation of enterprise security is now essential.
To put it even more bluntly – attackers are using automated tools to attack your organisation, so there is no choice but to use similar tools to strengthen your defences.
Some staff may fear this will lead to deskilling of their jobs but really the opposite is true.
Automation of repetitive tasks means freeing up time for more interesting and important work.
It should allow staff to keep skills and knowledge up-to-date and to take a more proactive, less reactive, role in the organisation.
It also means reducing demands on staff already being pulled in several directions at once. New applications, new cloud contracts and shadow IT all put fresh demands on the security team. The skills shortage means that, even with unlimited budgets, finding and retaining staff is getting harder every day.
Defending an enterprise successfully requires more than just keeping patches up to date. It means keeping up to speed with evolving threats and in some cases carrying out specific and proactive surveillance of likely attackers.
You cannot just wait for threats to arrive at the perimeter any more.
Hewlett Packard Enterprise’s Cyber Security Report found almost a third of enterprises scanning applications for security problems, and 43 per cent actively monitoring external-facing applications.
Once you have monitoring systems in place, the next step is to decide what those systems should do in the event of an attack, or a suspected attack.
Traditionally this would have meant alerting staff who would then review the data and take necessary action like reconfiguring a firewall. But all this takes time and rather undermines the advantages of an automated system.
There is no point having active, always-on application surveillance if nothing is done when a problem is found. If systems spot an attack at 2am but no action is taken until staff return to the office the following morning, there was no point having the system switched on at all.
Instead, enterprises are increasingly relying on some form of artificial intelligence.
Allowing a system to automatically switch off or restrict some applications makes more sense.
Intelligent systems do more than check against a list of already-known threats.
They look for behaviour which is out of the ordinary and they learn from their mistakes.
Of course there is still a need for human oversight, but sometimes making a decision quickly is more important than getting it right every time. False positives are annoying, but not as annoying as a successful ransomware attack. Parameters need to be carefully set, and systems are still improving, but it is sometimes worth annoying some users in order to stop attacks before they get started.
The other benefit of automated systems is that, even if the worst does happen, they will provide a rich source of data to help you resolve or at least minimise the impact of the attack. A detailed log showing how long malware has been present will give a clearer idea of the potential damage.
This data will give you a better chance of making the most of the ‘golden hour’ – the first few minutes after an attack is spotted.
If you have the data at your fingertips, and a detailed plan in place, there is a good chance you might even be aware of your breach before your attacker is. Certainly you have a chance of hugely reducing the impact of that breach on your organisation.