This is what a day at the office of a Chief Information Security Officer looks like. The diary of a CISO:
07:30 The first to arrive at the office. Drinks coffee, reads the emails that accumulated overnight, goes over the folder of alerts from the SIEM system. 138 emails have piled up and he goes through them one by one, already on autopilot: acknowledge, routine, acknowledge, routine, another false positive.
08:11 Finishes going through the emails, browses a few blogs to see what is new in the world, a second cup of coffee. People are beginning to arrive at the office: the SOC supervisor, the cyber analyst, the new recruit who signed on last week, another talented kid who will learn the trade and move on.
09:00 Weekly staff meeting, going over the week's assignments: two significant planned upgrades, Patch Tuesday, rolling out the installation policy tonight, and on Thursday we finish the POC and decide on the EDR system we have been evaluating.
10:20 A few reports of network slowdowns. Conference call with the network team and the systems team; they trade accusations, so I take up the gauntlet and assume responsibility for leading the investigation.
10:37 Report from the Help Desk: users at the Lod branch are unable to access the application. Nothing in the SIEM. Go over the systems one by one and find no unusual alert.
10:42 Another report of users who are unable to access the network and file sharing. Send a technician to the site to see what is happening. The analyst starts searching the Internet for reports of new attacks; I pick up the phone to Bynet to check whether they have heard anything.
11:05 Information flows back to the SOC and the picture becomes clearer: zero-day ransomware. Report to the Information Systems Manager, initiate preventive action, activate the Code Red protocol. At least the money we spent on disaster-response consulting is beginning to pay off. Responsibilities are distributed within the team: one person contacts the IPS vendor to obtain an updated signature, another deals with the AV vendor, we comb the firewall for the outbound traffic, and someone else starts isolating the infected branches through the NAC. The systems team restricts user privileges to a minimum to try to block the spread, while at the same time checking for critical OS updates that could help.
15:07 Four nerve-wracking hours and seven cups of coffee later, it seems we have succeeded in blocking the spread. Situation report: 120 workstations shut down, backups are in order, signatures have been obtained for the AV and we see it actively blocking. Waiting for the remaining vendors to publish updates.
21:20 Finished reconfiguring; back to business as usual. All the weekly activities have been postponed for the time being. Kudos to the team members for their professional work, and we go home.
02:13 Urgent phone call from operations: servers are locked and they cannot access them. The update we distributed within the organization reached only the user workstations. If only the signature we received had also been suitable for the IPS …
Automation and Security
That was another routine day: a day of unanticipated surprises and of dealing with challenges. But can the situation change?
The word "automation" derives from the Greek and means "acting of itself". It refers to the use of mechanical or electronic devices to perform a series of actions, in a planned sequence, without human intervention. Among other things, automation frees the human being from repetitive routine tasks by substituting self-operating technological means. An automatic device is usually faster and more precise than human labor. It can measure, monitor and give feedback on the process being carried out and on the product that the process produces. Unlike a human being, who needs to rest, an automatic device can raise productivity by working 24 hours a day, seven days a week, 365 days a year, except for maintenance breaks.
Until recently the following scenarios would have sounded like a dream. In the first, all the high-quality cyber capabilities we have integrated into the organization, together with the work processes and inter-system interfaces we have specified, block an attack on their own, combining diverse tools. In the second, system updates are performed automatically, and if an error is detected the system knows how to roll back, learn from the mistake and run the process again, successfully. In the third, new servers and new users in the organization automatically receive the policy appropriate to them, across the whole organization: computer permissions, firewall rules, access to applications. The purpose of automation is not to replace the quality people we have recruited and trained over the years, but to let us invest more time in learning, development, planning and thinking about how to protect the organization in real time and how to support the business, not only its operations.
The significant advantage of automation in the cyber world lies not only in improving work processes but in reducing the security gaps that open up between the various systems. Often, to close a gap between systems we buy yet another system, but headcount does not grow linearly with the number of security products accumulated over the years, and we are left managing a considerable diversity of solutions with a limited staff (see illustration 1).
Automation is nothing less than a revolution, and for a change, this time the revolution is ours. The automation revolution will let us narrow the gap between the way we wish to manage the cyber array in our organization and the way we are currently compelled to control it. In each of the recent revolutions in the IT world, such as virtualization, cloud or digital, we adapted ourselves to the new situation: we introduced more solutions, customized work methods and built new models, all while maintaining what already existed.
The important questions are how to do more security in less time; how to respond to more threats with fewer systems; and how to free up more time to train the team without expanding the headcount. The answer lies in security automation: a solution that delivers more with fewer resources.
In recent years numerous security automation tools have emerged: tools that formulate rules automatically, tools that tie business logic to network logic, and tools for updating, distribution and remediation.
During the past two years we have seen a real breakthrough from the leading vendors, and as APIs open up, more solutions are emerging that make real automation between different systems possible. The two leading solutions today are Cisco pxGrid and McAfee DXL. Both are a fabric that enables the exchange of information between products from different companies that in the past were incapable of communicating with one another. The most significant progress, however, is the collaboration with third-party suppliers, who can share their information over the same fabric. A central broker receives the information and, according to a set of rules, knows how to distribute it among the various solutions of the different vendors. For information security personnel this is a real revolution that will change how the cyber array is managed.
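The broker-and-rules architecture described above, as an added illustration written for this page (it is not Cisco pxGrid or McAfee DXL code, and the product names, indicator kinds, rule and sample events are all constructed). Products publish an indicator to a central broker; the broker applies its rules and fans the indicator out to every subscribed control that can enforce it, and reports which controls it could not reach. That last report is the point: in the 02:13 diary entry the AV signature reached the workstations but nothing protected the servers, and a fabric that surfaces the gap at publish time is what turns that into a 07:30 email instead of a night-time phone call.

```python
"""
Toy 'security fabric' broker (added example, not pxGrid/DXL code).
Products publish indicators; the broker applies rules, fans each indicator
out to every control able to enforce it, and records coverage gaps.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed severity scale used by the sample rule below.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Indicator:
    kind: str       # constructed vocabulary: "file_hash", "ip", "domain", "host"
    value: str
    source: str     # product that observed it
    severity: str   # key of SEVERITY_RANK


@dataclass
class Control:
    """A subscribed enforcement point (AV, IPS, firewall, NAC, ...)."""
    name: str
    accepts: Set[str]                         # indicator kinds it can enforce
    applied: List[Indicator] = field(default_factory=list)

    def push(self, ind: Indicator) -> None:
        self.applied.append(ind)              # stand-in for the vendor's API call


Rule = Callable[[Indicator], bool]


class FabricBroker:
    """Central broker: subscriptions plus a set of distribution rules."""

    def __init__(self) -> None:
        self.controls: List[Control] = []
        self.rules: Dict[str, Rule] = {}

    def subscribe(self, control: Control) -> None:
        self.controls.append(control)

    def add_rule(self, name: str, rule: Rule) -> None:
        """Every rule must return True for an indicator to be distributed."""
        self.rules[name] = rule

    def publish(self, ind: Indicator) -> Dict[str, str]:
        """Distribute one indicator; return the per-control outcome for the SOC."""
        failed = [name for name, rule in self.rules.items() if not rule(ind)]
        outcome: Dict[str, str] = {}
        for c in self.controls:
            if c.name == ind.source:
                outcome[c.name] = "skipped: source of the indicator"
            elif failed:
                outcome[c.name] = "skipped: rule " + ", ".join(failed)
            elif ind.kind not in c.accepts:
                # The control exists but has no signature format for this kind:
                # exactly the AV-only coverage that left the servers exposed.
                outcome[c.name] = f"GAP: cannot enforce '{ind.kind}'"
            else:
                c.push(ind)
                outcome[c.name] = "applied"
        return outcome


def coverage_gaps(outcome: Dict[str, str]) -> List[str]:
    """Controls that the indicator could not be applied to."""
    return sorted(name for name, status in outcome.items() if status.startswith("GAP"))


def build_demo_fabric() -> FabricBroker:
    """Constructed fabric: five controls and one severity rule (hypothetical)."""
    broker = FabricBroker()
    for name, kinds in [("AV", {"file_hash"}), ("EDR", {"file_hash", "domain"}),
                        ("Firewall", {"ip", "domain"}), ("IPS", {"ip", "domain"}),
                        ("NAC", {"host"})]:
        broker.subscribe(Control(name, kinds))
    broker.add_rule("min_severity_high",
                    lambda i: SEVERITY_RANK[i.severity] >= SEVERITY_RANK["high"])
    return broker


def run_demo() -> Dict[str, Dict[str, str]]:
    """Publish three constructed sample events and return each outcome."""
    broker = build_demo_fabric()
    ransomware_hash = Indicator("file_hash", "0" * 64, "AV", "critical")      # placeholder hash
    c2_domain = Indicator("domain", "update-check.example", "EDR", "high")   # reserved TLD
    noise = Indicator("ip", "203.0.113.7", "IPS", "low")                     # documentation range
    return {
        "hash": broker.publish(ransomware_hash),
        "domain": broker.publish(c2_domain),
        "noise": broker.publish(noise),
    }


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome, "gaps:", coverage_gaps(outcome))
```

Running it shows the file hash reaching only the EDR, with the firewall, IPS and NAC reported as gaps; the command-and-control domain the EDR publishes next is what the network controls can actually enforce, so the broker's value is in chaining the two, not in pushing one signature everywhere. The low-severity event is held back by the rule, which is the automated version of the "accept, routine" triage from the first diary.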
This, therefore, is what the alternative version of our CISO's diary looks like:
07:30 The first to arrive at the office. Drinks coffee, reads the emails that accumulated overnight, goes over the folder of alerts from the SIEM system. A single email in the system: "One critical event was automatically blocked by the security fabric solution; for details click here".
07:35 Leans back in his chair, takes another sip of the excellent coffee, gazes out at the blue skies, stretches and begins to hum: “Is this the real life? Is this just fantasy? Caught in a landslide, no escape from reality. Open your eyes, look up to the skies and see …