Wednesday, January 4, 2023

Effective and Efficient Automation for Security Teams



Picture it: the corporate boardroom, two weeks ago. Due to "an uncertain economic outlook," the expanded security budget and new hires for 2023 you asked for have been denied. As the company "tightens the belt," you may even lose existing budget and some headcount.

You had plans to use those resources to help you shore up security weaknesses and react more adroitly to the changes and new environments that seem to appear like clockwork with every two-week development sprint.

So, what's a CISO to do? Telling your engineers to work harder won't really cut it. You need a way to complete work more efficiently and do more with less. You need automation. Everyone's first reaction is that automation doesn't work everywhere, and that's correct, but there are plenty of cases where it does.

Identifying What to Automate

Reach for automation when you have tasks that are repetitive: tasks that happen often enough that the time saved by automation justifies the upfront cost of developing and maintaining the solution. Things to consider:

  • Frequency: How often does the task occur? Even a short, 30-second task can be a valuable target for automation if you are doing it 100 times per week.
  • Standardization: Is the task standardized? Repetitive tasks that have well-documented playbooks, or that your staff feel they could do in their sleep, are great candidates for automation, while tasks that require substantial human judgment are not.
  • Sub-tasks: Can a portion of a task be broken off and automated? End-to-end automation isn't always possible, but partial automation can be valuable. However, partial automations are limited by
  • Opportunity cost: Does this task have external costs that should be considered? A 5-minute task that interrupts an engineer's workflow and delays their work by 20 minutes is actually a 25-minute task. If this engineer's time is better spent building than completing interrupt-driven tasks, the task is a prime candidate for automation. Be sure to include these factors when you weigh the opportunity cost of automating a task.

If a task isn't a candidate for automation but still takes up a lot of time, can you identify a different but related process to automate that reduces the number of times the task must be performed? For example, you might not be able to update vulnerable dependencies automatically in production, but flagging them during development could mean far fewer of them make it that far.

Example: Automating PCI Scans & Reporting

Let's consider automation in the context of vulnerability scanning, the bane of many security teams' existence. At one employer, I needed to run weekly PCI scans of all of our infrastructure. Each week, before I could run that scan, I needed to update the asset inventory by manually compiling lists of IPs and hostnames from our cloud infrastructure providers, and then updating the target list in the scanner's Web interface. We only did this once per week, but it took about 30 minutes each time.

Both the cloud infrastructure providers and the scanner had an API, so it was relatively simple to build automation that could authenticate to both systems and compile the relevant information. This was an automation win.

Once the vulnerability scanner reports were produced, we needed to review and act on the findings: another weekly task that took several hours. Because the reports were delivered as XML, it was simple enough to have them machine-parsed, deduplicated, and summarized via email, with new issues logged as tickets. This was an even bigger automation win.
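The parse, deduplicate, summarize step described above, as an added example rather than the author's original script. The XML layout and the two weekly reports are constructed stand-ins, not a real scanner's export format or real hosts, and the tag and attribute names in parse_report() are assumptions to adapt to your scanner. It also goes one step beyond the paragraph by diffing this week's findings against last week's, which is what turns "summarize" into "only ticket what is new":

```python
"""Parse a weekly scan export, deduplicate findings, and diff them against last week.

Added example, not code from the original article. The XML layout and the two
reports are constructed stand-ins, not a real scanner's schema or real hosts;
adapt the tag and attribute names in parse_report() to your scanner's export.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_ORDER = ("critical", "high", "medium", "low")


def parse_report(xml_text):
    """Return {(ip, port, check_id): {"host": display_name, "severity": ..., "title": ...}}.

    Keying on (ip, port, check id) collapses duplicates: when the target list
    contained both an IP and the hostname that resolves to it, the scanner emits
    the same finding twice and it becomes one entry here. Scanner output is
    treated as trusted input; use defusedxml for XML from untrusted sources.
    """
    root = ET.fromstring(xml_text)
    # First pass: remember a hostname for each IP so the digest reads well.
    names = {h.get("ip"): h.get("hostname") for h in root.iter("host") if h.get("hostname")}
    findings = {}
    for host in root.iter("host"):
        ip = host.get("ip")
        for f in host.iter("finding"):
            key = (ip, int(f.get("port", "0")), f.get("id"))
            findings[key] = {
                "host": names.get(ip, ip),
                "severity": f.get("severity", "low").lower(),
                "title": (f.findtext("title") or "").strip(),
            }
    return findings


def summarize(findings):
    """Count findings per severity, always listing every severity level."""
    counts = Counter(v["severity"] for v in findings.values())
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def new_findings(current, previous):
    """Findings present this week but absent last week: the ones that become tickets."""
    return {k: v for k, v in current.items() if k not in previous}


def build_digest(current, previous):
    """Plain-text body for the weekly e-mail, most severe new findings first."""
    lines = ["Weekly scan summary"]
    for sev, n in summarize(current).items():
        lines.append(f"  {sev:<8} {n}")
    fresh = new_findings(current, previous)
    lines.append(f"New since last week: {len(fresh)} (ticket each of these)")
    order = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
    for key in sorted(fresh, key=lambda k: (order.get(fresh[k]["severity"], 99), fresh[k]["host"], k[1])):
        v = fresh[key]
        lines.append(f"  [{v['severity']}] {v['host']}:{key[1]} {key[2]} - {v['title']}")
    return "\n".join(lines)


# Constructed sample exports (not real hosts or real scanner output).
THIS_WEEK = """<report generated="2023-01-02">
  <host ip="10.0.0.5" hostname="web-01.example.internal">
    <finding id="tls-1.0-enabled" port="443" severity="medium"><title>TLS 1.0 enabled</title></finding>
    <finding id="ssh-weak-mac" port="22" severity="low"><title>SSH weak MAC algorithms offered</title></finding>
  </host>
  <host ip="10.0.0.5">
    <finding id="tls-1.0-enabled" port="443" severity="medium"><title>TLS 1.0 enabled</title></finding>
  </host>
  <host ip="10.0.0.9" hostname="db-01.example.internal">
    <finding id="db-default-creds" port="5432" severity="critical"><title>Database accepts default credentials</title></finding>
  </host>
</report>"""

LAST_WEEK = """<report generated="2022-12-26">
  <host ip="10.0.0.5" hostname="web-01.example.internal">
    <finding id="tls-1.0-enabled" port="443" severity="medium"><title>TLS 1.0 enabled</title></finding>
  </host>
</report>"""

if __name__ == "__main__":
    print(build_digest(parse_report(THIS_WEEK), parse_report(LAST_WEEK)))
```

On the sample input the duplicate TLS finding for 10.0.0.5 (reported once under its hostname and once under its bare IP) collapses to one entry, and only the two findings absent from last week's report are listed for ticketing. The dedup key deliberately ignores the title, because scanners reword titles between plugin versions while the check id stays stable.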

Where to Start

As with everything in information security, getting started with security automation boils down to prioritization. You can't possibly tackle everything at once, so enumerate the possibilities; rank them by how much they matter, both in terms of risk and in terms of potential effort savings; and start working your way down the list.

If you're entirely new to automation, start with smaller, easier wins and advance from there.

Take, for example, a security operations scenario you encounter more often than you would like: open S3 buckets. Open S3 buckets seem to happen all the time, despite AWS' best efforts to warn against them. This is a good candidate for automation because the check is a standard procedure that needs to run frequently. Here is one way to accomplish it with the AWS command-line interface.

The AWS CLI command aws s3api list-buckets lists all the buckets in the account. From that list, take each bucket name and run aws s3api get-bucket-policy --bucket YOUR_BUCKET_HERE to get the bucket policy (the command exits non-zero with NoSuchBucketPolicy when no policy is attached, which simply means nothing is granted that way) and aws s3api get-bucket-acl --bucket YOUR_BUCKET_HERE to get the bucket ACL.

get-bucket-policy returns the policy document as a JSON string in its Policy field. Parse it and look for Allow statements whose Principal is the wildcard * (or {"AWS": "*"}); those grant to anyone on the Internet unless a Condition narrows the callers. In the ACL output, look for grants to the AllUsers group (everyone on the Internet) or the AuthenticatedUsers group (everyone with an AWS account, even people not in your organization); S3 expresses these as grantee URIs ending in /global/AllUsers and /global/AuthenticatedUsers. Together these checks produce a list of all open buckets. For a quick first pass, aws s3api get-bucket-policy-status reports AWS's own IsPublic verdict on the policy alone.

To close a gap, write a corrected policy that lacks the wildcard grant and upload it with aws s3api put-bucket-policy --bucket YOUR_BUCKET_HERE --policy file://policy.json (or remove the policy entirely with delete-bucket-policy), reset the ACL with put-bucket-acl --acl private, and enable put-public-access-block on the bucket so the exposure cannot be reintroduced. Once you are comfortable performing these steps on the command line, you can script them into a Python or shell script. Eventually you can kick off and run the entire process automatically while you sleep or do other work.
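The detection half of that procedure, scripted in Python as the paragraph suggests. This is an added example, not the author's own tooling. The policy and ACL documents at the bottom are constructed samples in the shape returned by aws s3api get-bucket-policy (the JSON string in its Policy field) and aws s3api get-bucket-acl; fetch_live() assumes an installed and credentialed AWS CLI and is only used when bucket names are passed on the command line, so the script runs offline on the samples by default:

```python
"""Flag S3 buckets exposed through their bucket policy or their ACL.

Added example, not code from the original article. The policy and ACL
documents at the bottom are constructed samples in the shape returned by
`aws s3api get-bucket-policy` (the JSON string in its "Policy" field) and
`aws s3api get-bucket-acl`; fetch_live() assumes an installed, credentialed
AWS CLI and is only used when bucket names are passed on the command line.
"""
import json
import subprocess
import sys

# S3 ACLs express "everyone" and "any AWS account" as these two group URIs;
# bucket policies express the same idea as the wildcard principal instead.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def principals_of(principal):
    """Normalise a statement's Principal ("*", {"AWS": "*"}, {"AWS": [...]}) to a list."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return []


def policy_findings(policy_json):
    """Allow statements granted to the wildcard principal, as a list of dicts.

    A wildcard-principal Allow is reported even when it carries a Condition:
    some conditions genuinely restrict callers (aws:SourceVpc, aws:PrincipalOrgID),
    others (aws:SecureTransport) do not, so the flag is left for a human to judge.
    """
    doc = json.loads(policy_json) if policy_json else {}
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be bare, not a list
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or "*" not in principals_of(st.get("Principal")):
            continue
        findings.append({"sid": st.get("Sid", "<no Sid>"),
                         "action": st.get("Action"),
                         "conditioned": "Condition" in st})
    return findings


def acl_findings(acl):
    """(group, permission) pairs for grants to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in (ALL_USERS, AUTH_USERS):
            out.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return out


def classify(policy_json, acl):
    """'open' if either mechanism exposes the bucket, else 'closed'."""
    return "open" if policy_findings(policy_json) or acl_findings(acl) else "closed"


def fetch_live(bucket):
    """Pull the policy string and ACL document for a real bucket via the AWS CLI."""
    def cli(command):
        res = subprocess.run(["aws", "s3api", command, "--bucket", bucket, "--output", "json"],
                             capture_output=True, text=True)
        return json.loads(res.stdout) if res.returncode == 0 else None
    policy = cli("get-bucket-policy")     # non-zero exit (NoSuchBucketPolicy) when none is attached
    acl = cli("get-bucket-acl") or {"Grants": []}
    return (policy["Policy"] if policy else ""), acl


# Constructed samples (not real buckets).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})
SAMPLE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
]}

if __name__ == "__main__":
    # Live use: python3 s3_open_check.py $(aws s3api list-buckets --query 'Buckets[].Name' --output text)
    buckets = sys.argv[1:]
    if not buckets:
        print("example-bucket (sample):", classify(SAMPLE_POLICY, SAMPLE_ACL),
              policy_findings(SAMPLE_POLICY), acl_findings(SAMPLE_ACL))
    for name in buckets:
        policy_json, acl = fetch_live(name)
        print(name, classify(policy_json, acl))
```

Two details matter in practice. The Deny statement with Principal * in the sample is the common "require TLS" pattern and must not be flagged, so only Allow statements count; and the AuthenticatedUsers ACL grant is just as exposed as AllUsers for anyone who can create a free AWS account, which is why the ACL check is a separate pass rather than an afterthought to the policy parse.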

Automation Can Present Challenges

If you're worried that your automation isn't ready for the primetime demands of your production environment, start by automating away tasks in development and staging environments, or even in sales engineering and data science environments.

Finally, if you want to automate in production but have concerns about business impact, focus on automating in response to recent changes, pulled from a CI/CD system or something like AWS' EventBridge. Discovering that you need an exception for a newly deployed system in the first minute of its lifecycle (when it is being closely monitored by the team that just deployed it) is much more palatable than finding out because it broke a week ago after running for nine months and now customers are complaining.

There are costs associated with building and maintaining this automation. These costs vary depending on the tooling available to you and your team's skillsets. Some teams prefer to custom-script everything in Python/Ruby/Perl/Bash and orchestrate it through cron jobs and stages in the CI/CD pipeline. Other teams may prefer to shift some of the maintenance cost onto a remediation vendor, limiting their direct involvement to configuring tools that feed a SIEM/SOAR and using that to kick off low-code/no-code remediation workflows built into another product.

Using an external vendor can be a good way to lower the ongoing maintenance cost of your solution. This is especially true for integrations with APIs and services whose changes might otherwise break your tooling.

The Cumulative Effect of Automation

Each individual task might not seem to amount to much. However, across a whole team's worth of tasks for an entire organization, the savings add up and the cost scales much more favorably.

Automation will never replace a security team; some tasks require human interaction and human decision making. However, as businesses continue to grow and security budgets grow tighter, it can empower those humans to do more and be more effective and more productive.
