Yoni Leitersdorf

Cybersecurity is a top priority for organizations due to its increasingly important financial and public-facing ramifications. Experts predict cybercrime will cost the global economy upwards of $6 trillion annually by 2021, with the frequency and severity of threats expected to increase. In response, companies will spend more than $1 trillion before 2021 to safeguard their mission-critical digital assets. Managing this growing liability requires cybersecurity to be effective and affordable in equal measure.

To strike the right balance, many companies are rethinking the strategy of their security operations centers, or SOCs. These centers, staffed by security analysts, work collectively to identify risks, analyze and mitigate their consequences, and prevent problems from recurring. Until recently, SOC teams did not perform the care and feeding of security infrastructure; they instead worked on the front lines, engaging with threats that directly imperil the IT infrastructure.

SOCs have three primary responsibilities: They develop enterprise-wide security management policies, identify and respond to in-progress attacks, and ensure that all security-related technologies are configured and compliant with best practices. Each of these tasks is a significant responsibility, which means that focusing on one could detract from the others. In addition, a lack of information sharing between these processes could lead to greater risks for businesses.

Security infrastructure automation, or SIA, is bridging the gap between security engineering and operations, automating the detection and triage of infrastructure issues in security devices. SOC administrators can put operational assurance on autopilot and instead focus on refining policies and removing threats.

SIA is still a burgeoning technology, but it has matured enough to provide comprehensive cybersecurity risk mitigation strategies. The core components of SIA include:

  • Collecting performance and configuration data from physical and virtual security devices.
  • Automatically performing tasks on behalf of administrators.
  • Providing automation elements such as rules and scripts out of the box.
  • Connecting with existing ticketing, monitoring, and email systems.
  • Using a system of open APIs or development platforms for integration purposes.

The simplest way to understand how SIA relates to other security technologies is to imagine a nightclub bouncer. Firewalls and other traditional security technologies act like bouncers to control access; SIA makes sure the bouncer is healthy enough to combat any threats and work against any looming dangers. To reverse the analogy, an IT infrastructure without SIA is like a bouncer who continually falls asleep on the job.

As security operations become more of a priority, the work needed to maintain security has increased significantly. Companies must simultaneously control traffic based on policy, deter hackers, prevent outages and slowdowns, and manage configuration and compliance issues.

Technology helps with those imperatives, and it creates a scenario where the SOC is entirely dependent on the efficacy of the underlying technologies. SIA helps those technologies stay up and running with minimal input from internal security professionals.

Some confuse SIA with configuration management, but they are entirely different in practice. Configuration management focuses on policy, helping companies become systematic about how they engage with IT. SIA, by contrast, is all about the security devices themselves. Configuration management would not (and could not) identify a firewall that was likely to fail, but SIA would bring this issue to the immediate attention of SOC team members.

SIA ensures that companies are as secure as they think they are. In a business world where success or failure is closely aligned with cybersecurity, a resource like SIA will be critical to facing the challenges of IT infrastructure management.

Making the Case for Security Infrastructure Automation

With security spending on the rise, it might be hard to justify new investments in yet another security technology. Unlike other emerging security technologies, however, SIA optimizes a company’s existing cybersecurity strategy rather than replacing it.

The gulf between the network team and the SOC illustrates how. A Vanson Bourne survey found that 78% of respondents said data is siloed between these two groups because hybrid cloud environments lack clearly defined administrative ownership. Worse, 67% of respondents felt that poorly coordinated cybersecurity is a “major obstacle” to data protection.

These numbers show that decision makers with sophisticated cybersecurity operations know their organizations become less secure as time goes on. Why? Because of a lack of infrastructure visibility and coordination between teams. That should alarm everyone, but it should be particularly troubling for companies with fewer resources to invest in technology and staff.

In the interest of streamlining security management, Vanson Bourne respondents want the SOC to take the lead in identifying vulnerabilities in network security. They believe the SOC is better equipped to control network traffic and data or to detect and respond to threats — even if the exposure was caused by a device setting. Respondents also recognize that relying on one department with limited resources could compromise the speed and certainty required during a cyberattack.

SIA is the missing piece. Network automation does the heavy lifting of security administration, systematically verifying that security technologies function correctly and sending notifications only when something requires attention. This automated approach means administrators are instantly aware of operational security issues without the need to spend time manually verifying system states or triaging issues when they arise.

SIA enhances people, processes, and decision-making. On the people front, SIA empowers SOCs to crowdsource their operational understanding of various security technologies and techniques.

Similar to threat intelligence, security is such a vast subject that no company can employ experts on everything. Automation condenses the wisdom of the crowd into a package that replicates the expertise of myriad security engineering and operations professionals.

Processes improve because SIA does much of the work those processes are meant to systematize. For example, it can continuously pull data from the infrastructure to diagnose system health and alert administrators to a wide variety of issues. SIA can even diagnose and triage problems — and eventually will be able to automate changes to the solution. In short, SIA replaces reams of detailed security operations.

Finally, SIA can help eliminate difficult decisions. Since this technology verifies that security technologies are performing optimally and according to best practices, companies know that they’re maximizing the effectiveness of existing defenses. As a result, there are fewer incidents for decision makers to debate and less wasted CapEx and OpEx, which makes conversations around cybersecurity network and security operations spending more manageable.


Most companies already know they need SIA. The question many now ask is, “Are we secure without it?”

The Nuts and Bolts of SIA

SIA is a blanket term that covers several different features, functions, and protocols — all related to cybersecurity risk mitigation strategies. Understanding what SIA is and how it helps is much easier once you explore its constituent parts:

  • Data Collection: SIA interacts with network and security devices, issuing commands that allow it to collect data artifacts called “metrics.” Some metrics are significant — containing whole sets of performance and configuration data — while others are more limited. Collectively, metrics give the SOC a complete cybersecurity performance overview.
  • Data Processing: A processing engine inside SIA instructs it how to interact with devices, which credentials to offer, and what data to collect based on the model and operating system of the device. Data processing lets administrators control how and why SIA interacts with the broader cybersecurity infrastructure.
  • Automation Logic: Automation is the “intelligence” underneath data processing. Administrators create or leverage a repository of rules that govern how data is processed. Changing these rules allows the SOC to adjust how SIA operates based on changes in the security infrastructure, innovations by security vendors, or the evolving threat landscape.
  • User Interface: Like most technologies designed for accessibility, SIA runs through an intuitive user interface. This interface allows users to change settings, add devices and users, view any identified issues, and run customized reports. Having one place to manage access control and administrative privileges prevents SIA from becoming a security liability of its own.
  • APIs: SIA needs to collect data from diverse systems and possibly feed it into just as many disparate locations. Leveraging third-party APIs allows SIA to work seamlessly within the entire cybersecurity ecosystem.

SIA’s components are essential, but so are the protocols it runs on. Technology that cannot support all the security protocols on the market will fail to deliver insights throughout an enterprise and only lead to friction. For SIA to realize its full potential, it must be fluent in the following protocols:

  • SNMP: The Simple Network Management Protocol, or SNMP, has been around for more than 20 years and remains an industry standard. It’s a simple protocol for confirming the “health” of a specific device that can also be used to reconfigure its settings. Without SNMP, SIA would not be able to diagnose machines based on what they expose through their MIBs.
  • APIs: SOAP and RESTful APIs both allow SIA to communicate with devices and web services. SOAP, in particular, ensures that systems can “speak” to one another even when they are written in different programming languages and running on different operating systems.
  • Syslog: System logging protocol, or syslog, was developed in the 1980s but remains in use because of its integration with major operating systems such as Linux, macOS, Unix, and Windows. In conjunction with network devices, syslog sends a variety of event messages to a centralized server to manage and audit security. As more computing infrastructure moves to the cloud, syslog works with APIs to provide essential insights into IT assets that could be too difficult to understand otherwise.
  • CLI: At times, it’s impossible for SIA to connect with applications or datasets through other means. Command-line interface, or CLI, is another way SIA extends its reach across the entire security infrastructure so that critical data, insights, and issues never get overlooked.
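As an added example (not Indeni’s code or any product’s API), the following Python sketches the component chain described above: constructed metric values stand in for what a collector would return over SNMP or the CLI, a rule repository keyed by device model supplies the automation logic, and each polling cycle returns findings only for devices that need attention, while flagging metrics the collector failed to retrieve rather than treating silence as health. Device names, metric names, rule names and thresholds are hypothetical.

```python
# Added example (not Indeni's code): a minimal SIA-style health-check cycle.
# Metric values are constructed to stand in for what an SNMP/CLI collector
# would return; rule names, thresholds and device names are hypothetical.
from collections import namedtuple
from typing import Dict, List, Tuple

# unhealthy: callable returning True when the metric value needs attention;
# message: template, "{value}" is filled from the collected metric.
Rule = namedtuple("Rule", "name metric severity unhealthy message")
SEVERITY_ORDER = {"critical": 0, "warning": 1}

# Rule repository keyed by device model: "generic" rules run on every device,
# model-specific rules are added from what the device reports about itself.
RULES: Dict[str, List[Rule]] = {
    "generic": [
        Rule("cpu-high", "cpu_util", "warning", lambda v: v >= 85,
             "CPU at {value}% (threshold 85%)"),
        Rule("mem-high", "mem_util", "critical", lambda v: v >= 90,
             "Memory at {value}% (threshold 90%)"),
    ],
    "firewall": [
        Rule("conn-table-full", "conn_table_util", "critical", lambda v: v >= 95,
             "Connection table {value}% full; new sessions may be dropped"),
        Rule("ha-sync-lost", "ha_sync_ok", "critical", lambda v: v == 0,
             "HA state synchronization lost"),
        Rule("cert-expiring", "cert_days_left", "warning", lambda v: v <= 30,
             "Management certificate expires in {value} days"),
    ],
}

def evaluate(model: str, metrics: Dict[str, float]) -> List[Tuple[str, str, str]]:
    """Apply generic plus model-specific rules; returns (severity, rule, message)
    tuples, most severe first. A metric the collector failed to return is
    flagged rather than skipped: silence would otherwise look like 'healthy'."""
    alerts = []
    for rule in RULES["generic"] + RULES.get(model, []):
        if rule.metric not in metrics:
            alerts.append(("warning", rule.name,
                           f"metric '{rule.metric}' was not collected"))
        elif rule.unhealthy(metrics[rule.metric]):
            alerts.append((rule.severity, rule.name,
                           rule.message.format(value=metrics[rule.metric])))
    return sorted(alerts, key=lambda a: SEVERITY_ORDER[a[0]])

def run_cycle(inventory: Dict[str, dict]) -> Dict[str, list]:
    """One polling cycle. Devices with no findings are left out, so nothing is
    sent when nothing requires attention."""
    findings = {}
    for device, info in inventory.items():
        alerts = evaluate(info["model"], info["metrics"])
        if alerts:
            findings[device] = alerts
    return findings

# Constructed inventory: one healthy firewall, one with several problems and
# one metric (cert_days_left) the collector failed to retrieve.
INVENTORY = {
    "fw-edge-1": {"model": "firewall", "metrics": {
        "cpu_util": 40, "mem_util": 55, "conn_table_util": 62,
        "ha_sync_ok": 1, "cert_days_left": 200}},
    "fw-edge-2": {"model": "firewall", "metrics": {
        "cpu_util": 91, "mem_util": 70, "conn_table_util": 97, "ha_sync_ok": 0}},
}
```

Calling `run_cycle(INVENTORY)` returns findings for fw-edge-2 only, led by the two critical conditions; fw-edge-1 produces no output because nothing on it needs attention.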

Getting Started With SIA

Any new IT initiative requires careful vetting. When it comes to something like cybersecurity with potentially existential implications, the evaluation requires extra rigor.

A thorough network security infrastructure audit should be the first step. Inspections reveal when and where network security devices such as firewalls, web proxies, and load balancers no longer adhere to industry and vendor-specific best practices. Once complete, it’s clear which portions of the infrastructure SIA could alter to improve an organization’s overall security posture.

After the audit is complete, the next step is evaluating various SIA vendors. Indeni is a global market leader in the space as we provide unprecedented visibility through our automated, globally accepted best practices. We turn insights from the world’s leading cybersecurity experts into reusable code to ensure companies can avoid disruptions proactively. Once security operations are automated, companies gain the agility and confidence necessary to pursue bold initiatives and embrace the benefits of automation.

Along with transparency, Indeni also improves accessibility. Solutions can be up and running in a matter of minutes, instantly generating actionable information. Users also don’t have to worry about creating automation elements such as rules and scripts to link SIA to everything within the network architecture. Every supported security device looks the same on our integrated platform, allowing users to focus on security rather than the mechanics of security technology.

The benefits of system automation are undeniable, but whether the technology is essential may still be in question. Instead of making assumptions, look for objective evidence in the form of key performance indicators. If security concerns prevent companies from supporting revenue-driving initiatives, for example, those businesses will either ignore security policies or lower their ambitions. Neither option promotes long-term growth, though.

Similarly, companies that struggle to find talent, eliminate errors, or streamline communications tend to have troubling weaknesses within their security operations. When security technicians feel overwhelmed with work and continuously scapegoated, the situation is unlikely to improve without a comprehensive new approach to security threats.

In all cases, SIA is the solution. Realistically, the only situation where it’s NOT the solution is in an environment with fewer than 20 devices where everything can be managed manually. When the number of devices passes that threshold, however, SIA proves to be more cost-effective than even the most exceptional in-house teams in forecasting cybersecurity business risks.

What Decision Makers Must Know About SIA

As with all technologies, decision makers must look beyond what a product can do and focus instead on the impact it will have. While plenty of offerings can improve cybersecurity, can they make a company demonstrably safer while significantly reducing security costs?


Those are the questions that matter to security professionals with significant concerns and limited budgets. With that in mind, consider five essential facts about SIA:

1. Devices are the foundation of cybersecurity.

Cybersecurity refers to a complex matrix of professionals, policies, and technology strategies. Beneath those items is a foundation of security devices that stop threats, block unauthorized access, keep data encrypted, and perform other functions.

Whether data and applications are safe ultimately depends on the availability of those devices — everything else is secondary. Understanding that these devices are the first and last lines of cybersecurity underscores the importance of SIA.

Automation can ensure that every device is online and optimized or send out an immediate notification when something goes awry. This technology reduces cybersecurity workloads significantly, and it actively analyzes and automatically triages the health of critical security assets.

2. Cybersecurity professionals are underused.

By 2022, it’s expected that there will be about 1.8 million unfilled cybersecurity jobs. Many companies lack the quantity — and quality — of team members required to meet their needs. With a small talent supply and high demand, adequately staffing cybersecurity teams is almost impossible.

Companies can get the most from their teams by drawing on their true talents rather than only the abilities routine upkeep demands. With SIA automating time- and labor-intensive workflows, security professionals can apply their expertise where it matters most. Not only does this maximize the value of their efforts during talent shortages, but it also keeps skilled professionals engaged with their work instead of looking for other job offers.

3. Automation excels in certain areas.

In many cases, automation improves the work done by human security professionals. Consider first- and second-level data analysis, which typically involves a substantial volume of data. Working through this information requires a massive amount of human input, which naturally increases the risk of errors and omissions.

With SIA in place, security teams can complete higher volumes of work in less time. They can also trust that the data they use to make complex decisions is complete and accurate at every moment.

4. Visibility doesn’t stop at the MIB.

Keeping an eye on the MIB for possible security issues is just part of a comprehensive monitoring effort. Security agility requires a much broader perspective, which SIA provides by automatically expanding the amount of data being collected beyond the boundaries of the MIB.

5. Look beyond policy changes.

In complex security environments, administrators are often overwhelmed with policy changes. It has only become worse now that administrators are trying to actively manage firewalls with points of contact spread across on-premises and cloud-based environments.

Automation is ideal for streamlining policy changes, but that shouldn’t be its only purpose. It’s just as useful for making changes to settings or handling hard-line failures because it makes any complex process more efficient and systematic. Focus on how automation can affect the entire security infrastructure rather than how it can expedite familiar responsibilities.

When companies implement SIA, the impact is broader, deeper, and faster than they might expect of a new technology implementation. That’s because SIA addresses the critical points of friction that make cybersecurity devices unreliable and unmanageable.

The Real-World Benefits of Infrastructure Automation

Indeni is a market leader in SIA because of the tangible results we deliver. To give you a sense of what SIA does in the real world, consider some of the benefits of infrastructure automation our clients have engineered into their security infrastructures.

• Increased Visibility for Sustained Confidence: Trinity Health manages a network of 94 hospitals equipped with thousands of medical devices. Cybersecurity is a huge priority and an ongoing challenge for the company, particularly considering how much sensitive data travels through its network.

Trinity’s security team has smartly chosen to focus on identifying and removing problematic firewalls, and it has implemented SIA to help. The team is now able to discover broken firewalls quickly and predict problems long before they happen. It can also track traffic requirements and promptly locate bottleneck issues.

Most importantly, SIA helps the Trinity Health team locate problematic issues on single devices and address those problems. Now that the team has broader and deeper visibility into the entire infrastructure, decision makers throughout Trinity Health can proceed without fear that cybersecurity issues (and the compliance breaches they often trigger) might put their ambitious plans at risk.

• Improved Productivity From Existing Devices: We work with major clients in financial services, healthcare, retail, and government. Our services are not limited to those areas, but many of our clients come from those industries because of their heavy cybersecurity burdens — including massive amounts of sensitive data and strict regulatory requirements.

Companies in these industries invest heavily in cybersecurity and work diligently to reinforce those investments. SIA has been a tremendous asset because it optimizes the performance of security devices. Simply stated, it helps devices function better for longer. Once productivity and performance are improved, companies realize the full value of their investment in security automation and are able to delay additional investments.

• More Agility for Ongoing Adaptation: O’Reilly Auto Parts is a retail giant with more than 5,300 locations and 200 new stores opening each year. The company also employs 17,000 people and has a rapidly expanding digital footprint. Despite this growth, the company’s cybersecurity team included only five people. O’Reilly wanted to make the most out of this small group, so it chose to implement SIA to improve its firewall administration.

Before SIA, firewall issues often went undiscovered until someone accidentally noticed them. It wasn’t feasible for the company to dedicate a person to monitoring and investigating those issues, so the security team has turned to automation to detect problems. In addition to enjoying the saved time and energy, the team appreciates that SIA can be customized in countless ways. For a high-growth company like O’Reilly Auto Parts that is blending digital with brick-and-mortar locations, cybersecurity requires that flexibility.

Indeni’s security infrastructure automation platform is engineered for adaptability. This means users can tailor the platform to their needs today — and tomorrow.