Automating security event processes

There's no denying that a constantly-shifting technology landscape continues to force IT departments to align themselves more closely with an organisation's business goals. Meanwhile, mergers, acquisitions and layoffs have become more common in today's economic climate, which not only intensifies the complexity of IT systems but greatly increases the threat of security breaches.

Rapid changes in the type and origin of security threats have compelled organisations to deploy a multitude of point solutions to classify, correlate, detect and remediate events. This has done little more than place over-stretched CSOs and their staff under greater pressure to meet stringent compliance and data protection requirements. Meanwhile, budgets for security teams are unlikely to grow much, if at all, over the next twelve months.

Australia and New Zealand have witnessed a growing interest from CSOs looking for ways to reduce the cost of security processes via existing operational expertise, solutions and capabilities. With no room to invest in additional resources and point solutions, CSOs want more from the capabilities they already have.

Despite the doom and gloom there is a light at the end of the tunnel. Using automation - tightly integrated across multi-vendor systems and management areas - CSOs have found they can facilitate a large number of initial security event processes, freeing up experienced resources and cutting costs.

Integrating security automation across the enterprise

What we're talking about here goes beyond simple patch management and anti-virus deployments, although that's certainly part of the solution. Today it is possible to automate critical security event management tasks, and integrate those processes across multiple systems and operational silos. This allows security and compliance teams to focus their efforts on more urgent issues while driving down security risks and costs.

Automated security event management ensures that correct procedures are followed, and that no event is mishandled or overlooked. Controls, such as audit records or segregation of duties between departments, can be automated to ensure compliance with industry or regulatory standards. Highly repetitive tasks can also be automated in order to cut labour and reduce training costs.

Security programs of this maturity require an open-process, 'vendor-agnostic' integration and automation platform. With the number of competing point solutions an enterprise is likely to have deployed, they must be able to integrate these technologies and processes regardless of the third parties and management teams involved. Typically, automated security event management focuses on the following areas:

Controlling and auditing system configuration

In multi-vendor environments, it's a significant challenge to ensure systems are appropriately configured to protect critical data, especially around exceptions to policy and server configuration changes. In many organizations, the bulk of manual effort is spent on configurations, and this is where the greatest labour reductions can be made.

It's possible to automate the assessment process, integrating reports into security and IT processes for policy exception management, remediation and change management. This could allow a misconfigured system to be identified as non-compliant, which automatically creates a service desk ticket, and manages the handling of business exceptions, approvals, and/or remediation. All without staff involvement.

Monitoring and managing user activity

To meet compliance mandates, large enterprises are required to detect and correlate suspicious activity across multiple platforms, and obtain supporting analysis in real-time. Indeed, it is this level of effort that often makes monitoring user activity impractical.

Security process automation can drastically overcome this by, for example, automatically compiling an analysis of updated user information, emailing the suspicious user for a confirmation of activities, and then escalating the incident for review or removing permissions. As security processes become more integrated among systems, the ability to reduce event noise, track user activity and respond in real-time increases significantly.

Managing and enforcing change controls

Even the most well-configured systems change over time as the business evolves. "Configuration drift" must be managed carefully to maintain strong security controls. Organisations must be able to quickly identify when and what changes have occurred, and correlate this with internal change control procedures.

Security process automation for change management can go beyond detection and reporting to, for example, correlate changes on critical systems or applications with authorised change requests. This would automatically revalidate the security of the system by triggering a configuration assessment, and/or escalating changes for review by business owners.

Automated ROI

In a budgetary environment where short-term gains must be demonstrated to justify additional expenditure, security process automation across disparate systems offers an immediate way to realise ROI. Manual workloads decrease, which improves efficiency and reduces costs, while the security of enterprise networks is strengthened.

Outlined above are the more immediate applications for security process automation. Taking a strategic approach to the integration of security processes opens doors to long-term benefits. Automation presents an opportunity to fully deploy event management capabilities, bridge operational silos, and enable the entire IT organisation to adapt more readily to changes in the security and business landscape.

Ultimately, to meet constantly evolving threats, security experts must have the freedom to focus on critical tasks, not manual labour.

David Bell is a systems engineer at NetIQ.