Ansible Blog: Security Automation
In 2019, CISOs struggle more than ever to contain and counter cyberattacks despite an apparently flourishing IT security market and hundreds of millions of dollars in venture capital fueling yearly waves of new startups. Why?

If you review the IT security landscape today, you’ll find it crowded with startups and mainstream vendors offering solutions against cybersecurity threats that have fundamentally remained unchanged for the last two decades. Yes, a small minority of those solutions focus on protecting new infrastructures and platforms (like container-based ones) and new application architecture (like serverless computing), but for the most part, the threats and attack methods against these targets have remained largely the same as in the past.

This crowded market, propelled by increasing venture capital investments, is challenging to assess, and can make it difficult for a CISO to identify and select the best possible solution to protect an enterprise IT environment. On top of this, none of the solutions on the market solve all security problems, so the average security portfolio of a large end-user organization often comprises dozens of products, sometimes from up to 50 different vendors, with overlapping coverage in multiple areas.

Despite the choices, and more than three decades of experience to refine how security solutions should address cyberattacks, various research studies and surveys describe a highly inefficient security landscape. VentureBeat, for example, reported that, “the average security team typically examines less than 5% of the alerts flowing into them every day.” In another example, Cisco reported that of all legitimate alerts generated by security solutions, only 51% of them are remediated. As a final example, The Ponemon Institute reported that 57% of interviewed organizations said the time to resolve an incident has increased, while 65% of them reported that the severity of attacks has increased.
So why do we struggle to counter cyberattacks?

A full analysis of the state of the security industry goes beyond the purpose of this blog post, and we certainly believe that there is a concurrence of causes, but we also believe that one of the main factors limiting CISOs' capability to defend their IT infrastructures is the lack of integration between the plethora of security solutions available in the market.

The products that CISOs buy and implement as part of their security arsenals almost never work in an orchestrated way because, by design, they don’t talk to each other. Occasionally, 2-3 products can share data if they are delivered by the same security vendor or if, temporarily, there’s a technology collaboration between the manufacturers. For the most part, however, the IT security solutions out there are completely disjointed from each other. To use an analogy, it is like investing in multiple security solutions to protect a commercial building, such as a CCTV system, security guards, and patrol dogs, while the security guards don’t look at the CCTV cameras and the patrol dogs are kept locked in the basement.
How can we fix this industry-wide lack of integration?

In an ideal world, the whole security industry would embrace an open standard (there have been many proposals on the table for years) and each security solution out there would adopt that standard, allowing any software or hardware solution to orchestrate the CISO's arsenal in a harmonious assessment or remediation plan. Unfortunately, it seems we are still far from that day.

Until then, the idea is to leverage IT automation as the connecting tissue between security solutions across various industry categories, from enterprise firewalls to intrusion detection systems (IDS) to security information and event management (SIEM) solutions, and many others. If security products across these categories can be individually automated through a common automation language, then that language can be used as the “lingua franca” to express an orchestrated remediation plan.

To succeed, we believe that this plan requires an automation language that has three fundamental characteristics:

  • It is already widespread and highly adopted across the IT industry, to minimize the implementation friction
  • It is not in control of any security player, to maintain an unbiased approach to solving the problem
  • It can be easily extended by any industry constituency, to integrate and support a long tail of security solutions out there

The industry can already count on such an automation language: Ansible. As an open source automation platform and language, Ansible already integrates with a wide range of security solutions (and network solutions, and infrastructure solutions, and much more) and is driven forward by a global community of thousands. Ansible, in fact, is the 7th most-contributed-to open source project worldwide on GitHub according to the 2018 Octoverse report.

At Red Hat, we believe that Ansible could become a de facto standard in integrating and automating the security ecosystem and we stand by this belief by committing commercial support for a number of enterprise security solutions widely used by CISOs around the world. 
What can we do when multiple security solutions are integrated through automation?

Security analysts around the world understand how difficult it is to conduct an investigation about an application’s suspicious behaviour. Security operators know how difficult it is to stop an ongoing attack before it’s too late or how to remediate the mayhem caused by a successful one. 

When every solution in a security portfolio is automated through the same language, both analysts and operators can perform a series of actions across various products in a fraction of the time, maximizing the overall efficiency of the security team.

For example, a security analyst who must evaluate suspicious behaviour from a production server might need to increase the verbosity of the logs across all deployed firewalls and/or enable a rule on the deployed IDS to better understand who’s doing what and why. This seemingly trivial activity often involves the collaboration of multiple security professionals across the organization and can be slowed down by a series of support tickets, emails and phone calls to explain and justify what to do and how.

A pre-existing, pre-verified, pre-approved automation workflow (an Ansible Playbook in our case), that security analysts could launch anytime they are conducting an investigation, could significantly reduce that inefficiency.
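As an added illustration of such a pre-approved investigation workflow (this is example code written for this post, not a playbook shipped by Red Hat or the Ansible security automation project), the playbook below enables an IDS rule for a suspect host on every Snort sensor and records the action in the SIEM. The inventory group "ids", the Snort rules path and service name, the SIEM endpoint and token variable, and the IP address and ticket reference are all assumptions or constructed sample values.

```yaml
---
# Added example, not code from the original post. Assumptions: an inventory
# group "ids" of Snort sensors, the local rules path, the service name, and a
# SIEM HTTP endpoint/token; the IP and ticket ID are constructed sample values.
- name: Investigation workflow - watch a suspect host on every IDS sensor
  hosts: ids
  become: true
  vars:
    suspect_ip: "10.0.20.15"                        # constructed sample value
    ticket: "INC-0001"                              # constructed case reference
    sid: 9000001                                    # local SIDs start at 1000000
    snort_rules_file: /etc/snort/rules/local.rules  # assumed path
    siem_url: "https://siem.example.internal"       # assumed endpoint
    siem_token: "{{ lookup('env', 'SIEM_TOKEN') }}" # never hard-code secrets
  tasks:
    - name: Add (idempotently) an alert rule for all traffic involving the host
      ansible.builtin.lineinfile:
        path: "{{ snort_rules_file }}"
        regexp: 'sid:{{ sid }};'   # match on SID so reruns update, not duplicate
        line: >-
          alert ip {{ suspect_ip }} any <> any any
          (msg:"{{ ticket }} traffic with suspect host"; sid:{{ sid }}; rev:1;)
        create: true
        mode: "0644"
      notify: Reload snort rules

    - name: Record the change in the SIEM so the investigation stays auditable
      ansible.builtin.uri:
        url: "{{ siem_url }}/api/events"
        method: POST
        headers:
          Authorization: "Bearer {{ siem_token }}"
        body_format: json
        body:
          source: ansible
          message: "IDS rule {{ sid }} enabled for {{ suspect_ip }} ({{ ticket }})"
        status_code: [200, 201]
      no_log: true            # keep the bearer token out of playbook output
      delegate_to: localhost
      run_once: true

  handlers:
    - name: Reload snort rules
      ansible.builtin.service:
        name: snort           # assumed service name
        state: restarted
```

The analyst overrides the case-specific values at launch time, e.g. `ansible-playbook investigate.yml -e suspect_ip=10.0.20.15 -e ticket=INC-0001`, while the reviewed playbook itself stays unchanged between investigations.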

This is just one of the use cases that we’ll support. At the launch of Ansible security automation, with the upcoming release of Ansible Automation, we’ll deliver the integration with enterprise security solutions across multiple product categories:

Enterprise Firewalls
  • Check Point Next Generation Firewall
  • Fortinet Next Generation Firewall
  • Cisco Firepower Threat Defense
Intrusion Detection & Prevention Systems
  • Check Point Intrusion Prevention System
  • Fortinet Intrusion Prevention System
  • Snort
Privileged Access Management
  • CyberArk Privileged Access Security
Security Information & Events Management
  • IBM QRadar SIEM
  • Splunk Enterprise Security

Over time, we plan to extend support to more security categories and more products across those categories. In fact, security vendors are welcome to reach out to us and explore how we can cooperate to increase the efficiency of security solutions out there. 

If you are interested in the details of how Ansible security automation works, we have an entire security track at AnsibleFest Atlanta 2019 from Sept 24-26, 2019. Let’s meet there: https://www.ansible.com/ansiblefest