The perils and promise of automated security

Automating security can lead to streamlined, yet powerful, security operations. But it also can create a false sense of security for the New Data Center. In this roundtable, three enterprise security leaders discuss how organizations can ensure the best results. They are: Bernie Donnelly, vice president of quality assurance at the Philadelphia Stock Exchange; Kim Jones, vice president of global security services at eFunds in Scottsdale, Ariz.; and Doug Torre, IT director of Catholic Health System in Buffalo, N.Y.

Automation is a basic tenet of the New Data Center. So far, how have you applied automation to security functions?

Donnelly: We have an extremely high percentage of automation. I’m not sure how you can run security without a high amount of automation today. With all the firewalls and the different tools you need in place, it’s got to be automated. It’s impossible to manage any of that on a manual basis. But one of the downfalls is that you can get so automated that you start taking your protections for granted. The key is updating your filters to make sure you don’t get too comfortable with your automation.

Jones: Given the extent of the electronic funds transactions we handle, [personal] data that I secure and the depth and breadth of my network, there is no way we could do our jobs without automation. But you have to set the rules, set the filters correctly. You can’t lose sight of the fact that that manual interface is still critical.

Torre: It’s not like somebody could individually check each packet traversing the network. So you become reliant upon certain controls – network controls, network-access controls – that are fully automated. And there have to be really good policies and assessments to correctly tune and implement those controls. There needs to be a roll-up of or dashboard to this telemetry across the network so that it can be put into a useful format. A lot of folks who tried to implement intrusion detection found out early the noise-to-signal [ratio was too high], and they couldn’t interpret the data.

How do you handle event management?

Donnelly: For a number of years, the Securities and Exchange Commission has been hounding us to perform security reviews on our logs within the various systems. We run a three-platform system: the IBM mainframe, the Stratus [Technologies’] trading engine and a Sun peripheral base going out to the trading floors. We worked with Consul on a package that would allow us to bring the logs from those three platforms into a single server and aggregate them into a single language. That certainly helped with manpower. But these paper logs each ran around 8 feet long. It’s impossible not to have that automated.

Does too much automation provide a crutch?

Jones: Automating a bad or ineffective process just gives you a very fast and very efficient bad and ineffective process. There is a tendency, particularly as security decisions move back into the boardroom, to jump toward a tool or a black box or an appliance that can make this all go away. If you haven’t taken those fundamental steps toward defining your processes and controls and what you’re trying to get your hands around, then maybe even a little bit of automation may be too much.

Torre: [Automation] doesn’t replace a security program. So building up and designing and architecting the appropriate security levels for what you’re trying to do, that’s not something you automate. That takes critical thinking and adjusting to the institutional policies and leading people and relationships and businesses to get to the desired level of security. Once that part is done, which frankly is a difficult part for a lot of organizations, you have to reach for and use every tool available to implement those controls. Then, on a periodic basis, assess how you’re doing. None of that gets replaced through automation. The automation can only support what’s been architected.

Jones: When I came here three years ago, there was a whole lot of pressure from the board to use technology to make security- and compliance-related problems go away quickly. I said, “If we jump and throw technology and automation at a problem, we’re going to be fixing this problem again a year from now, and you will probably be fixing it with a new CSO, because you will be annoyed at me because it broke again.”

Torre: If you automate before doing due diligence, you could end up giving a false sense of security or a false acceptance of risk. So there’s a danger there, too.

Jones: You build an effective security program, then no regulation [will force] you to change course.

How do you know when a security function is ready for automation?

Jones: There is no universal automation-fits-all. Automation is a force multiplier, allowing you to do things more effectively. But you still have to know what it is you’re trying to do before you get down and automate it.

Do you find regulatory bodies trying to govern security automation?

Donnelly: Automation isn’t on their radar. They are concerned about yes or no – do you have this covered? And how a company covers that aspect of security is pretty much up to [its discretion]. The challenge is figuring out which appliances fit best without introducing an additional layer of challenges. Nobody has that one box that does it all. So when you start building security devices upon each other, you’ve got to be careful that you don’t get too cute in your architecture. You don’t want to create a situation where you have boxes working in conflict with each other and possibly giving you false positives. Auditors will pick that up. To them, that’s a problem.

Torre: Regulators first frowned at our automated policy compliance, but finally understood the benefit. We bought Elemental Security’s Elemental Compliance System, which correlates our policies to various regulatory controls like ISO 1799. Initially, they said, ‘What’s the benefit to that?’ I said, ‘Well, let me ask you, how do you know that we’re complying with the guidelines that you’re setting? We give you a stack of papers to look at, but how do you actually know that that is meeting your requirements?’ So now reviews go a lot faster.

What metrics do you use to gauge the effectiveness of security automation?

Jones: I had one senior leader tell me it’d be really nice to talk about how many virus attempts were thwarted in the environment on a monthly basis. That sounds like a neat statistic, but what does that statistic mean? How do we translate that into revenue generation within my overall framework? There are a lot of things we can pull out of the environment, but in the end, my difficulty is generating metrics that are truly meaningful to the people that are asking for them.

Has security automation changed your role?

Donnelly: Automation brings visibility to the need for security at a higher-than-ever level. When you’re trying to automate these processes, you need to get capital funding, you need to add to your budgets to put on additional personnel – you’re not getting clerks anymore; you’re getting people pushing six figures. So that draws a lot of attention. The positive thing is that this has been driven by executives being sensitive to the auditors and driven by Sarbanes-Oxley and the regulators’ influence over the boards and the finance committees. Security has become more than just an issue of passwords and is now a whole different level. That’s a challenge for everybody in security to rise to.

Gittlen is a freelance technology editor in Northboro, Mass. She can be reached at sgittlen@charter.net.

Previous story: Mercantile exchange uses automated change management | Next story: Grid computing comes of age >