Automation tools are changing the cybersecurity game, but still can’t detect all adversaries alone. By sequencing and coordinating those automated tasks, the Homeland Security Department hopes to enhance its threat detection processes.
Where automation uses IT to replace manual processes for cyber incident response and security event management, orchestration integrates security and IT tools to streamline Security Operations Center processes and build on that automation. Doing this frees up analysts' time to look for adversaries or breaches the technology misses, while reducing the manual, repetitive tasks IT staff have to handle.
For DHS, automation and orchestration bolster the department’s cybersecurity, according to Paul Beckman, DHS deputy chief information security officer.
“Automation is nothing new,” he said at the ICIT Winter Summit on Jan. 29. “Now, I have all of these things providing these automated tasks, but they’re still not perfect.”
Even with machine learning advancements, level 1 SOC analysts at DHS still need to identify and detect what the AI misses about 30 percent of the time.
“So, I still need that human interaction to go in and do that piece that only a human can do, and that’s where the orchestration is,” he said. Right now, the human orchestrates all of those components together.
The understanding and need for automation and orchestration will become more apparent as more automated tools make their way into SOC environments.
“We have all this technology out there, but we haven't figured out this orchestration piece,” Beckman said. “It’s surprising it’s taken this long.”
DHS is exploring and deploying automation and orchestration tools. It has already implemented one system, and after pilot, licensing and development costs, DHS spent about $1.5 million on it. The system has been up for six months, and DHS has identified more than $300,000 in savings from it.
And calculating ROI was the easy part. After identifying repeatable tasks, Beckman said he used activity-based costing to identify the steps, people and processes necessary to complete each task, along with the average hourly rate of those employees, to find the savings realized each time that process is automated.
Once the cost-benefit analysis and the number of man hours saved are calculated, it’s easier to get leadership buy-in. Activity-based costing is how Beckman recommends other agencies and departments introduce automation and orchestration into their organizations. Not to mention, speaking in terms of dollars is the best way to talk to a non-IT person.
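The activity-based costing approach described above, worked through as an added example (not DHS's own model): each manual step of a repeatable response process is costed by role time and hourly rate, then scaled by yearly volume and the share of runs that can be automated to get annual savings and payback against the tool's cost. The process, step times, rates, volumes and investment are constructed sample values, not figures from the article.

```python
from dataclasses import dataclass


@dataclass
class Step:
    """One manual step of a repeatable SOC response process."""
    role: str
    minutes: float
    hourly_rate: float  # fully loaded hourly cost of the role (assumed)


def manual_cost_per_run(steps):
    """Labor cost of doing the process by hand once (activity-based costing)."""
    return sum(s.minutes / 60.0 * s.hourly_rate for s in steps)


def annual_savings(steps, runs_per_year, automated_fraction=1.0):
    """Savings per year when `automated_fraction` of the runs no longer need a human."""
    return manual_cost_per_run(steps) * runs_per_year * automated_fraction


def payback_months(investment, yearly_savings):
    """Months until cumulative savings cover the tool's total cost."""
    if yearly_savings <= 0:
        return float("inf")
    return investment / (yearly_savings / 12.0)


def business_case(steps, runs_per_year, automated_fraction, investment):
    """Summary a CISO can take to leadership: dollars, not alert counts."""
    yearly = annual_savings(steps, runs_per_year, automated_fraction)
    return {
        "cost_per_manual_run": round(manual_cost_per_run(steps), 2),
        "annual_savings": round(yearly, 2),
        "payback_months": round(payback_months(investment, yearly), 1),
    }


# Constructed sample: a phishing-report triage process handled by three roles.
PHISHING_TRIAGE = [
    Step("L1 analyst", minutes=20, hourly_rate=60.0),
    Step("L2 analyst", minutes=10, hourly_rate=90.0),
    Step("Email admin", minutes=5, hourly_rate=75.0),
]

if __name__ == "__main__":
    # 8,000 reports a year, 90% automatable, $1.5M tool cost (all assumed)
    print(business_case(PHISHING_TRIAGE, 8000, 0.9, 1_500_000))
```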
DHS is still at the “tip of the iceberg” with how much it’s been automating, but based on the ROI from just six months of that deployment, the system is going to pay for itself, Beckman said — but there is more to it.
Automation and orchestration tools running on open architectures are already scalable, but to ensure today’s security investments won’t be outdated in a few years, Beckman said the acquisition process needs to become agile too. Just as with the technology itself, Beckman said, “I don’t know what my security requirements are going to be in four to five years, so I need to be able to build contracts in some degree that have flexibility to be agile, so I can buy what I need, when I need and where I need.”
One thing that would help acquisition is embedding cybersecurity subject matter experts in federal acquisition offices. That’s something Beckman is just now proposing to DHS, so acquisition teams can understand which requirements and capabilities are needed.
DHS is also leveraging Security DevOps, or SecDevOps, to manage automation securely. The concept includes integrating secure development practices and methods into the development and deployment processes from DevOps.
This is making being agile easier, too, because all security requirements are addressed from the very beginning — meaning, what the system needs to do from a security perspective and how that needs to be integrated within the software is already known. It took time to consider how to move something from development to testing and production securely in DHS gateways, but “we’re starting to leverage it very effectively,” Beckman said.
Aside from capital resources, people can also hinder new technological processes. In terms of threat detection, Beckman noticed level 1 analysts tend to gravitate toward certain types of incidents they enjoy working on, deprioritizing other alerts that might not be as sexy.
For example, after looking at a report on one of his top analysts, Beckman said the analyst was “infatuated with misuse and unauthorized software.” The analyst would try to find new unauthorized software and bad websites on the network, so he was zeroing in on misuse alerts rather than prioritizing alerts as they came in.
“That’s the kind of human obstacle that I’m facing,” Beckman said. Any one of those alerts could be the next breach, so it’s important for analysts to respond and focus on all incoming alerts, not just the interesting ones.
“That’s the beauty of automation and orchestration,” he said. “It kind of takes a lot of these nonsexy incidences out of the equation, have it done automatically.”
In fact, 90 percent of these incidents follow repeatable response processes that can be identified and automated. Once a process is automated and orchestrated, analysts can divert their attention to larger possible threats or larger, more complex alerts, improving DHS’ overall security posture.