This blog is an excerpt from GovLoop’s recent industry perspective, "Using Automation to Advance Federal Network Efficiencies." You can download the full perspective here.
Two areas where federal agencies can gain the most immediate benefits from network automation are security and compliance. The federal government faces increasingly sophisticated cyberattacks that can cost millions – the average consolidated total cost of a data breach is $4 million, according to the 2016 Ponemon Institute Cost of a Data Breach Study. And the government must routinely defend its information assets from diverse threat types, from relatively innocuous, nuisance viruses that users might incidentally encounter, to malicious and targeted campaigns created by criminals or nation-state-funded hackers armed with the latest advanced persistent threats (APT).
The government, like most organizations, needs capabilities to quickly identify and mitigate actions of threat actors. The longer attackers are able to remain undetected inside any network, the more harm they potentially can do. They are aided in this effort by the sheer number of threats assaulting most networks. Security teams working in Network Operations Centers (NOCs) generally spend their days staring at computer screens, looking at hundreds or thousands of events and logs, or responding to every alert sent up by their security information and event management (SIEM) system. The volume of potential concerns is too much for most teams to handle effectively. This reality provides attackers with a distinct advantage as defenders grow weary of having to respond to constant, repetitive and unending threats.
This alert and manual-response fatigue has led to a disturbing trend where networks are not only infected, but infections remain undetected for significant time periods. According to the Mandiant M-Trends 2016 Report, the median number of days an organization was compromised before it discovered a breach, or was notified about a breach, was 146.
Automation has the ability to reduce the detection-to-remediation time significantly, in many cases down to a few seconds. In an ideally designed automated system for cybersecurity, human analysts can train their systems to react exactly how they would respond if a low-level threat is detected. Thereafter, those threats can be handled automatically based on that training without further human intervention.
For example, in an automated cybersecurity system, if an endpoint on a federal network becomes infected with a virus, that event will trigger a set of automatic processes, such as the elimination of the threat, a reinstallation of the core operating system, or a number of other pre-programmed responses that a human analyst would normally take. Handled using automation, there is no need for the problem to queue up waiting for a NOC security specialist to respond. Significantly, the potential threat does not go overlooked for days or weeks while the security team addresses more pressing matters. The threat is remediated at machine speed without requiring the attention of busy cybersecurity personnel. Automating the drudgery or sifting through lower-risk threats ensures they are responded to while freeing up analysts to focus on higher-risk potential intrusion or system compromise.
Automated security actions are not carried out without the input of security analysts who direct and set in advance the responses they would take when faced with certain events. Control of the NOC is never lost to automation. Instead, the customary human responses to many of the low-level events that tend to jam up operations can be automated for timely and predictable response.
An offshoot of security for many agencies, compliance, is another area that can directly benefit from automation. Instead of asking NOC teams to examine every system to ensure compliance with security and other regulatory requirements automation can be used to confirm that best practices are being enforced across the network. When a device is found to be non-compliant with agency guidelines or federal regulations, such as the November 2016 NIST guide to Dramatically Reducing Software Vulnerabilities, the National Industrial Security Program Operating Manual (NISPOM), and a number of other government guidelines, it can be automatically flagged or reconfigured to bring it into compliance. Automation also can be used to continually monitor new devices as they are connected to the network, ensuring sustained compliance with current and evolving requirements.
Other extremely tedious and often thankless security tasks, like patch management, cry out for automation. Although not an appealing task scanning devices and servers, applying patches as needed, is an undeniable cornerstone of good cyber hygiene. According to Verizon’s 2016 Data Breach Investigations Report, most attacks still exploit known vulnerabilities that have never been fixed despite patches being available for months or years. In fact, the top ten known vulnerabilities accounted for 85 percent of all successful exploits over the past year. Instead of subjecting humans to this tedious but vitally important process, leveraging automation technology to handle these routine updates will improve any organization’s cybersecurity posture, while saving time.
To learn more about how you can improve security and compliance through network automation, download the full perspective here.