The complexity and breadth of the threat landscape is evolving at a tremendous rate, such that the security industry cannot keep up with the skills demands this is creating, leaving organisations vulnerable to a widening skills shortage. It’s time to start thinking about the solution. Automation and intent-based security are becoming more timely discussions when considering the future and how to get there. The term ‘Intent-based security’ refers to the process of applying analytics to the information generated by security devices on a network. Individual security solutions are already able to deliver vast amounts of independent, unrelated data. We can begin to bring this generated information together as we build out homogenous, interconnected security frameworks. This integration is the trick to achieving intent-based security as security teams are able to reduce these informatics into manageable amounts. This in turn allows us to automatically refine security in real-time as our network and threat landscapes change. But why is automation so important for cybersecurity and the wider business? And how can we get to where we need to be in order to reap the benefits?
From the perspective of the business owner or the person responsible for security policy, it’s important to be able to simply define or update business intent. The security policy and related infrastructure needs to understand that information and implement a reasonable and appropriate response. Security policies should automatically limit systems to just the information and services that they should have access to. This will require more exact network designs in order to reduce the challenge this poses.
Another perspective when it comes to intent-based security involves rethinking how we solve the security problem. A key factor in creating a joined up and responsive security framework is to implement security tools that can automatically evaluate and determine if a system is performing activities that are normal or intended. This is why there’s an emerging set of security practices referred to as intent-based. Again, a simplified description of an approach like this is that it is able to report and automatically respond to whether or not the system is doing things that are intended by that user on that system or not.
An intent-based system in the context of automation
The main motivation for organisations to embrace automation and intent-based security is to reduce costs, complexity, and errors. For businesses, the Lean movement is all about maximising customer value while minimising waste. For IT, the motivation is to reduce operational expenses and allow them to faster respond to threats and actual breaches.
Automation empowers IT teams to implement proactive actions which enable the network to adapt to demands instantaneously. This enables a form of self-service for both the end user and IT teams. Automation can then become the foundation for the next step, which is an intent-based system which can learn from reflexive actions and can minimise the need for human intervention.
Goals for automation
Automation is a building block. Much like training a guard dog, the system needs to understand what is normal, interpret when something unexpected happens, and then decide on the best course of action.
The next step is to use data to inform this process. By feeding in data based on what we know about the outside world, how our networks should operate, and what has taken place before that is vital. This set of constantly updated data will drive which decisions are made, which brings ‘intelligence’ into automation.
Without the standardisation of the interactions between technologies the system won’t function. By implementing an integrated security framework, which is an architectural framework built around open APIs, organisations can cover off many of the touchpoints which need to be standardised.
What will it take to get where we need to be?
- Logging– Data collection needs to be fixed to a standard that allows everyone to collect and analyse data efficiently. This should include features that allow the application of extensions in a simple, self-documenting and self-supporting manner.
- Threat-Intelligence– This doesn’t relate to just the data that we are producing ourselves, but also the data about the wider world around us. For a system to become self-aware, it’s vital to be able to differentiate between itself and other. This is where threat intelligence comes in. This intelligence must be provided in a standardised format, allowing it to be correlated, processed and acted on.
- Open Development– Standardised APIs need to be adopted and expanded into everything, not just the many types of interactions between data and devices, but also the interactions between architectures. If a security system is capable of firewalling, how can it be interacted with in order to empower, restrict, or enhance its behaviour based on real time events and data? Abstraction can always be used to bring about this kind of standardisation, much like with DevOps.
- Authentication– Open architectures must have the ability to identify themselves and others, identify and share critical information, and catalogue things properly in order to safeguard them. This is essential for both nomenclature and taxonomy. For different technologies to work together, it’s imperative that they speak the same language.
By Shane Grennan, Director, UK&I, Fortinet
from The Journey to Security Automation