
Very quietly, in 2011, the US Department of Homeland Security published a paper entitled “Enabling Distributed Security in Cyberspace,” a paper that was then well ahead of its time. The paper “explores the idea of a healthy, resilient – and fundamentally more secure – cyber ecosystem of the future, in which cyber participants, including cyber devices, are able to work together in near-real time to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state.”

In exploring this concept, the paper draws “inspiration” from the human immune system, a built-in defense system that wards off illness and disease automatically, generally without any conscious intervention (maybe just a little chicken noodle soup from your mother to “help things along”).

Think further about how the body reacts to a deep paper cut on your finger. At the first sign of blood, your body springs into action. Platelets rush to the scene to stop the bleeding. Chemical signals tell the cells in the finger to start repairing themselves and summon nearby cells to the scene to help reduce the inflammation associated with the cut. Macrophages then alert immune cells waiting in your lymph nodes to respond and “eat” any infected cells that might be forming.

Our “paper cut” example illustrates the point of the 2011 DHS paper and its analogy to the body’s immune system:

“A healthy cyber ecosystem might employ an automation strategy of fixed local defenses supported by mobile and global defenses at multiple levels. Such a strategy could enable the cyber ecosystem to sustain itself and supported missions while fighting through attacks. Further it could enable the ecosystem to continuously strengthen itself against the cyber equivalent of autoimmune disorders.”

Can a cybersecurity defense network replicate the precision of the human body’s reaction to a paper cut? Our answer is “sort of” and “maybe,” depending upon the network involved and the people charged with protecting it. Ultimately, there is a huge difference between a self-inflicted paper cut and a purposeful attack that tricks the finger into “clicking on the link” and sets off a cascade of calamities like ransomware.

What is the main difference? Generally it is the intention of an unknown third party (meaning not you!) to do harm in ways that would not otherwise be anticipated as “normal.” Multiply the paper cut on your finger by thousands of endpoints generating nearly 100,000 security alerts a day at some major organizations, and you have a picture of both the similarities and the differences between the human body and a large organization’s computer network.

The Rise of the Machines – Network Automation and Orchestration

Fast forward to today, only five years after the seminal 2011 DHS paper. Several cyber consultants have by now bridged the gap from the coordinated response of the body’s immune system to the automated and orchestrated response of a computer network. In fact, a March 2016 survey by the Enterprise Strategy Group entitled “The Shift to Incident Response Automation and Orchestration” observed that “more than half (57%) of enterprise organizations are already taking actions to automate and orchestrate incident response processes while 42% are currently automating/orchestrating incident response processes….”

Here is how such automated systems generally work:

  1. Replacing cells and body chemicals are thousands of sensors that sit on a large network and monitor all sorts of traffic flowing to and from the network and the organization’s endpoints (desktop computers, laptops, iPads, etc.). These sensors learn what the “normal” state of the network is on any given day, at any time of day, and for any given endpoint (e.g. a POS system or a desktop computer). [Note that these sensors can also be placed in complex manufacturing facilities run by industrial control systems (ICS) or SCADA systems, giving enhanced visibility into those environments.]
  2. Rather than looking only for known signatures, automated solutions look for anomalous behavior, whether on the network or on an end user’s mobile device. For instance, based upon its observations, an automated system might detect internet connections attempting data transfers at unusual times. Or it might detect a company device trying to establish connections with servers in countries where the company does no business. Finally, such a system might flag a user attempting to log in to his computer between 2 and 4 AM every morning when he had previously only been observed logging in during normal working hours between 8 AM and 5 PM.
  3. Continuous monitoring is done 24/7 through tools already on the network (the automation platform is generally interoperable with other security tooling) or through tools added later as network professionals up their game.
  4. For added context, cyber threat intelligence feeds from whatever sources an organization subscribes to are also fed into the automation and orchestration platform through an open API (as not every cyberattack is just a “paper cut”).
  5. The key to these systems remains the human incident responder who, when presented with a batch of correlated alerts, can determine that a real attack is occurring much faster than he or she could have before.
  6. Finally, some security automation and orchestration platforms can learn from past examples of both false positives and real attacks. They can thus fine-tune how they interpret the various feeds running into the platform and help the human incident responder react faster than before.
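To make steps 2 and 4 concrete, here is an added Python sketch (not code from the article or from any product it describes) of the kind of behavioural baselining those steps describe. It learns each user’s normal hours and destination countries from a constructed training log, then scores later constructed events against that profile and against a constructed threat-intelligence list that stands in for a subscribed feed. The log format, user names, IP addresses, countries and the threat-intel entry are all assumptions made for illustration.

```python
"""Behavioural baseline detector (added illustration, not from the article).

The log format, users, IPs, countries and the threat-intel entry below are
all constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed training window of "normal" activity.
# Fields: ISO timestamp | user | event kind | destination IP | destination country
TRAINING_LOG = """\
2016-03-01T08:15:00|alice|login|10.0.0.5|US
2016-03-01T11:30:00|alice|transfer|52.1.2.3|US
2016-03-01T16:45:00|alice|transfer|52.1.2.4|US
2016-03-02T09:02:00|alice|login|10.0.0.5|US
2016-03-02T14:10:00|alice|transfer|52.1.2.3|US
2016-03-01T08:50:00|bob|login|10.0.0.7|US
2016-03-01T10:05:00|bob|transfer|198.51.100.9|GB
2016-03-02T08:40:00|bob|login|10.0.0.7|US
"""

# Constructed live window containing the kinds of anomalies the article describes:
# a 2 AM login, an off-hours transfer to a never-seen country, a destination on the
# threat-intel list, and a user with no baseline at all.
LIVE_LOG = """\
2016-03-08T09:10:00|alice|login|10.0.0.5|US
2016-03-08T02:37:00|alice|login|10.0.0.5|US
2016-03-08T03:05:00|alice|transfer|203.0.113.77|BR
2016-03-08T10:20:00|bob|transfer|198.51.100.9|GB
2016-03-08T10:25:00|bob|transfer|192.0.2.15|US
2016-03-08T10:30:00|carol|login|10.0.0.9|US
"""

# Constructed threat-intelligence entries standing in for a subscribed feed.
THREAT_INTEL = {"192.0.2.15": "constructed C2 indicator"}


def parse_events(text):
    """Parse the pipe-delimited constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, kind, dst, country = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "kind": kind, "dst": dst, "country": country})
    return events


def build_baseline(events):
    """Per-user profile: hours observed per event kind, and countries seen."""
    profile = defaultdict(lambda: {"hours": defaultdict(set), "countries": set()})
    for ev in events:
        p = profile[ev["user"]]
        p["hours"][ev["kind"]].add(ev["time"].hour)
        p["countries"].add(ev["country"])
    return profile


def score_event(ev, baseline, threat_intel, slack=1):
    """Return the reasons an event deviates from baseline (empty list = normal).

    The hour check is deliberately simple: anything within `slack` hours of the
    observed min/max for that user and event kind counts as normal.
    """
    reasons = []
    # Threat-intel enrichment applies regardless of behavioural history.
    if ev["dst"] in threat_intel:
        reasons.append(f"destination on threat-intel list: {threat_intel[ev['dst']]}")
    profile = baseline.get(ev["user"])  # .get() does not create a default entry
    if profile is None:
        reasons.append("no baseline for user")
        return reasons
    hours = profile["hours"].get(ev["kind"])
    if not hours:
        reasons.append(f"no baseline for event kind '{ev['kind']}'")
    else:
        lo, hi = max(0, min(hours) - slack), min(23, max(hours) + slack)
        if not lo <= ev["time"].hour <= hi:
            reasons.append(f"{ev['kind']} at {ev['time'].hour:02d}:00 "
                           f"outside baseline {lo:02d}-{hi:02d}")
    if ev["country"] not in profile["countries"]:
        reasons.append(f"destination country {ev['country']} never seen for user")
    return reasons


def detect(training_text, live_text, threat_intel):
    """Build the baseline from training data and return (time, user, reasons) alerts."""
    baseline = build_baseline(parse_events(training_text))
    alerts = []
    for ev in parse_events(live_text):
        reasons = score_event(ev, baseline, threat_intel)
        if reasons:
            alerts.append((ev["time"].isoformat(), ev["user"], reasons))
    return alerts


if __name__ == "__main__":
    for when, who, why in detect(TRAINING_LOG, LIVE_LOG, THREAT_INTEL):
        print(when, who, "; ".join(why))
```

Two design choices worth noting: a user with no training history is surfaced as an alert rather than silently passing, since an account that has never been seen is exactly what a responder should look at; and the threat-intel check runs before the behavioural checks, so a hit on the feed is reported even when the activity otherwise looks routine. Real platforms replace the min/max hour window with statistical models learned over weeks of data, but the flow of baseline, deviation score and feed enrichment is the same.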

Automation and Orchestration Will Not Replace the Humans!

I know what you are thinking. With all this automation and orchestration (as set forth above), why do they still need me, the human incident responder? For a very good reason.

Most advanced automation and orchestration systems available today (many of which have some form of artificial intelligence or machine learning built in) filter only a portion of the security alerts that register on a company’s network. Indeed, a recent article, describing a pre-production platform from MIT’s CSAIL, noted that “[AI2] can detect 85 percent of attacks. It also reduces the number of ‘false positives’ – nonthreats mistakenly identified as threats – by a factor of five….”

Thus, for large organizations, incident responders are still required to sort through many alerts and to make the tough calls as to whether an attack is truly occurring. Though machine learning will help reduce alert volume (and thus alert fatigue), the parallel question remains whether automated incident response systems will be able to handle “blended attacks,” e.g. a diversionary distributed denial-of-service (DDoS) attack launched at the same time as an attempt to distribute malware. Responding appropriately to such a complex attack may still take human judgment.

Note finally that automated systems will certainly help companies for other reasons. For example, many struggle to monitor tens of thousands of endpoints in their network, any of which could be an attack vector. Automated systems can provide greater visibility into a network than tools such as SIEMs alone. And finally, many organizations struggle to hire enough qualified people to protect their network.

Automation and Orchestration Are the Future of Cyber Defense

As many companies struggle to keep up with endpoint detection and the large volume of cyber threats and alerts they face daily, there is another group watching what is going on in the cyber ecosystem – the regulators. Because of the potential for systemic risk to the markets and the financial system, regulators like the SEC, the FDIC and the Treasury Department are closely watching market participants for signs and trends of escalating cyberwarfare.

Indeed, Regulation SCI, which the SEC adopted in November 2014 and which became effective for covered entities in November 2015, provides distinct rules for securities exchanges and other core market-infrastructure participants. Part and parcel of those rules is a general mandate for continuous monitoring of the systems that run the trading platforms.

For these specific regulated entities, and perhaps a broader category of them down the road, cybersecurity automation and orchestration is likely not only “nice to have” but a “must have,” especially for large institutions dealing with a massive number of endpoints, including mobile customers. Thus, for both large and small institutions, automation and orchestration platforms can help them get ahead of the attack curve and protect their network systems.


About the Author: Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.