The Journey to Security Automation

October 7, 2019 by Massimo Ferrari


Whether you’re a security professional looking at automation for the first time, or an ITops veteran tasked to support corporate secops teams, the following blog provides an overview of how Red Hat Ansible Automation can support your security automation program throughout all the different stages of its evolution.

 

Security Automation: A maturity model

Automation is becoming more and more pervasive across the entire IT stack. 

Initially introduced to support ITOps, automation has been a well-established practice for years.

Today, thanks to modern automation platforms like Red Hat Ansible Automation, IT organizations are more capable of coping with the unprecedented scale and complexity of modern infrastructures, and finally have access to a level of flexibility that allows for extending automation practices to entirely new areas.

As an example, Ansible Network Automation enabled network operators to be the next group approaching automation in a structured fashion, to help simplify both maintenance and operations of their ever-growing, multi-vendor, brownfield infrastructures.

The security space started looking at automation in relatively recent times to support the already overwhelmed security teams against modern cyberattacks that are reaching an unparalleled level of speed and intricacy.

In fact, if we factor in the aforementioned scale and complexity of the IT infrastructures to be protected, it’s becoming virtually impossible for human operators to investigate and respond to the multitude of threats hitting large corporations every single day.

According to Gartner, “In addition, organizations continue to struggle with staffing and skills for vulnerability management, security monitoring and incident response.”

Automation brings a well-established set of benefits, such as mitigating human error, reducing time to task and increasing the ability to manage a large-scale, multi-vendor infrastructure. Even so, an exercise in self-analysis is necessary when introducing this family of technologies in security operations. Every organization must assess its level of maturity to avoid implementing advanced tools at an early stage. A mismatch between the complexity of the tools and the minimum organizational requirements for using them, such as predefined processes to automate or existing technologies to integrate, risks wasting time and resources and, in extreme cases, making the organization less efficient.

If we look at large enterprises, the recommended journey of automation for security response can be mapped to three main stages. On one hand, these closely resemble the experience both ITOps and NetOps previously had; on the other, they introduce an entirely new set of goals for each stage, which we will explore in this blog post.


Stage 1: Opportunistic

At this stage, most organizations focus only on security operations. Investigation and remediation processes tend to be spread across different, siloed teams, sometimes located in different physical sites.

It’s not uncommon to see different teams respond to similar events in an ad-hoc fashion. Additionally, cross-team communication and cooperation, if present at all, are formal and managed through emails or tickets.

When approaching an automation project at this stage, the most common goals are:

  • standardising security tasks: streamlining the actions taken on a similar group of devices or technologies;
  • reducing time to task: automating those last mile processes that often are performed manually across many different products from different vendors.

In this scenario, Ansible Automation offers its human-readable YAML language as a tool to easily describe these processes, compare them and identify the best workflow to be used as a base for standardization. The outcome of this standardization process is a series of roles and playbooks that can be consumed immediately through Red Hat Ansible Engine and become the base for a library of response workflows which we expect to grow over time as more actions and processes are added.

When security automation projects are successful, the resulting automated workflows can be split and assigned to different teams in the security organization, which maintain control and responsibility on their part of the process.

 

Stage 2: Systematic

More mature organizations tend to move to a holistic approach to security operations. A security governance entity is generally in place at this point, in the form of a dedicated team or a decision table with representatives from all the different security practices.

Many of these security teams see the benefit of implementing and operating a cohesive portfolio of security operations tools and services which, potentially, also interoperates with their larger IT practice.

When automation is introduced at this stage, or a security organization transitions from the previous step, we generally see a new set of challenges:

  • standardising security operations, aggregating last mile processes in higher-level workflows, with participation by all the relevant teams involved;
  • centralizing response processes, assigning roles and responsibilities to different groups as part of an integrated process.

Introduced at this stage, Red Hat Ansible Tower can integrate multiple security teams, helping them work more collaboratively through enterprise features like centralised access to the entire library of response workflows and RBAC.

More importantly, Ansible Tower offers the ability to connect multiple playbooks, from different teams, in structured and conditional workflows that reflect the higher-level security processes.

Among enterprises, a popular first step towards these goals is introducing a Security Information and Event Management (SIEM) solution to centralise investigation activities, and to make decisions easy to share across all the teams involved in a specific attack response. Thanks to its REST APIs, Ansible Tower can more easily integrate with a SIEM, making automated actions available straight from the same tool where these actions are decided.
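The SIEM-to-Tower hand-off described above, sketched as an added example that is not part of the original post or Red Hat's own code: a SIEM alert is validated and turned into a launch request for a Tower job template. The Tower host, template ID, protected ranges, alert field names and the `blocked_ip` variable are assumptions made for illustration.

```python
import ipaddress
import json
import urllib.request

# Hypothetical values, not from the original post.
TOWER_URL = "https://tower.example.com"
BLOCK_TEMPLATE_ID = 42  # job template wrapping a "block source IP" playbook
# Ranges the automation must never block, whatever the SIEM alert says.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/28")]


def build_launch_request(alert, token):
    """Turn a SIEM alert (dict) into a Tower job-template launch request.

    Raises ValueError if the source address is malformed or protected, so a
    crafted or mistaken alert cannot steer the automated response.
    """
    # Alert fields are attacker-influenced data: parse strictly, never pass raw.
    ip = ipaddress.ip_address(alert.get("src_ip"))
    if any(ip in net for net in PROTECTED_NETS):
        raise ValueError(f"{ip} is in a protected range; refusing to automate a block")
    # extra_vars are only honoured if the template prompts for variables on launch.
    body = {"extra_vars": {"blocked_ip": str(ip), "siem_alert_id": str(alert["id"])}}
    return urllib.request.Request(
        f"{TOWER_URL}/api/v2/job_templates/{BLOCK_TEMPLATE_ID}/launch/",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def launch(request, timeout=10):
    """Send the request to Tower and return the decoded JSON job record."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)
```

The token should belong to a Tower user whose RBAC role allows executing only this job template, so the SIEM integration cannot launch anything else.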

 

Stage 3: Institutionalized

Security organizations which have created a security operations program, such as the incident response program and its playbooks, can aim for the last set of goals:

  • automating security processes, creating workflows which help support an end-to-end security process and programmatically operate across the security tools with minimal manual intervention;
  • integrating the security and IT portfolios, providing a more consistent and stable way to perform remediation tasks through the command and control of a wide variety of security technologies in place in an enterprise infrastructure.

This is the stage where security teams approach Security Orchestration, Automation and Remediation (SOAR) tools to design and orchestrate the higher-level security workflows identified in previous steps.

Like for SIEMs, Ansible Automation can be integrated with SOAR tools to extend their native capabilities. In combination with Ansible Automation, a SOAR can leverage thousands of modules to create automated investigation and remediation plans. These modules are contributed by the Ansible community, Red Hat partners, and Red Hat itself, and allow customers to automate the actions and configurations of enterprise security solutions as well as operating systems, applications, and network appliances. Ansible’s automation workflows, written in a human-readable language, make the customization and maintenance of automated investigation and remediation plans simple even for professionals without a developer background.

Only some organizations today reach the Institutionalized stage of this maturity model, but building a fully mature security automation practice remains a paramount objective for addressing increasingly sophisticated cyberthreats.

To support the journey described in this maturity model, we’ve developed Ansible security automation, a solution to automate multiple enterprise security solutions, enabling their orchestration through a third party specialized cybersecurity product or custom approaches developed in-house by our customers. Ansible security automation aims at reducing the investigation and response time in large enterprises by unifying the security ecosystem under a common automation language.

If you are interested in seeing how Ansible security automation can support your organization, check the Ansible security automation page or contact us.

 


Massimo Ferrari

Consulting Product Manager, Ansible Security

