Automating Your Way into More Problems than Solutions
Posted by: Tristan Morris
Guest Author: Neal Humphrey | VP Market Strategist | Deepwatch
A Voyage Beyond the Horizon is a speculative exploration of possible scenarios that could be brought about if current technologies and security issues aren’t addressed. While the following short story may be far-fetched and unlikely, it’s inspired by our conversation with Neal Humphrey and the issues he believes are important to address in the next one to five years.
At 6:37am on Wednesday morning, Stanley Korning stepped off the bus and walked to the entrance of Dunder & Mufflin Synergies Corporation Incorporated to open the office for the day. He swiped his hand across the palm reader to unlock the door, but nothing happened. He tried a few more times before sighing and taking off his backpack to dig his physical keys out of the bottom of the bag. He wasn’t too surprised by the broken reader, his team had been at the office till nearly 3 in the morning implementing the new interconnected security automation system he had spent over a year designing. It tied into almost every aspect of the company’s architecture, from the smallest electronic devices to the physical locks on the breakers. It wasn’t unexpected that there would be a few glitches.
As he stepped inside and the door closed behind him, he waited for the familiar voice of the building’s digital assistant to chime out its usual cheery greeting. When no chipper “Good morning, Stanley! Congratulations on your 1,393rd day as the first employee to clock in!” was forthcoming, he swore softly under his breath. That was two systems in a row he would have to troubleshoot. He could have sworn he’d left nothing unaccounted for, but now he wasn’t so sure. He just hoped the employee performance leaderboard was still up and his record-smashing attendance streak was intact. As Stanley walked back to his desk, he reviewed the mental checklist of automations he had designed, trying to find the flaw. Halfway there, he stopped.
It was quiet. But not just quiet, it was entirely silent. The whole office was completely dark, without a sound to be heard. Slowly at first, but then all at once, the realization hit him: every single system was down. Not a single automated light was on, no computer fans whirred, even the constant hum of the central air filtering system was completely silent.
He looked around the office, searching for any sign of activity from any system. Nothing. Then, on the other end of the building, where his desk was, he saw a dim light. He ran the rest of the way. When he got there, a single line of text blinked across the monitor he had dedicated to monitoring his new, automated system:
You are now secure :)
Stanley sat in his chair and watched the blinking text flash its optimistic harbinger of his now doomed career for an hour, until the battery backup unit under his desk eventually died and the screen went dark.
“I don’t think I’m going to get my streak back.”
Don’t think the scenario is possible? Facebook says hello. A network configuration error in 2021 disconnected Facebook from all of its data centers and left its DNS servers unreachable, meaning that Facebook, to the wider internet, was down. What gets forgotten from the story is that Facebook employees had to basically break into their offices and data centers, and use an angle grinder to get into the locked server cages, to reach the systems and bring everything back up.
Now, let’s take that history lesson and consider what is the definition of being secure.
Being secure is the removal of risk and the possibility of intrusion or damage from an outside or inside party.
Let’s set aside for a moment the question of whether or not this definition is reasonable. Instead, let’s answer a different question: is it even attainable?
In short: Yes, it is. You won’t like it, but it can be done.
The problem is, you won’t get anything else done. You won’t order anything new, sell anything new, or even browse anything new. But facts being facts… you are now secure.
How could such a thing happen? How could this “you are now secure” scenario come about?
Well, we are getting closer and closer to it being a real possibility through extensible automation, interconnected systems, generative AI and logic trees.
Do not take the above line as a generic “bah, automation bad” statement. Automation is a fantastic tool, and generative AI is going to be a much more powerful addition that guides appropriate responses and identifies what can be automated vs. what should be automated.
This is the real question that we need to keep top of mind for automation: It’s not what can be automated. It’s what can’t be.
Unfortunately, bad days are going to happen. We certainly don’t expect a bad day like the scenario above any time soon, but it is a possibility. The solution is to focus on cyber resilience.
The foundation of cyber resilience is built on understanding or anticipating the risk to the business, withstanding attacks through actionable responses, and the overall ability to learn and improve day after day. Yesterday’s bad day doesn’t have to be today’s all over again.
To reach this lofty goal, it is going to require not just best-of-breed technology but also security experts to get the most out of your installed technologies and to provide guidance and insight that consistently improves security posture.
The industry uses the term “response” a lot, and that makes sense: it means different things to different capabilities and carries different expectations. The best “response”, whether it is one or more automated responses, a human response, or both, is the one that reaches out and informs, or guides the automated responses.
Remember the point of what you can automate vs what you should automate? Well, here we are again.
Understanding the business, system, and operational risks, together with how those risks are detected and mitigated, allows the crafting of response plans that look not only at the detection of a bad thing (what most security technologies currently do) but at the type of response that can be taken to common situations. Phishing, ransomware, malware, insider threat: all are common, detectable issues in cyber security, and all can result in a combination of actions or responses. It is the process of the response, the context of the actions, that allows the creation of a repeatable containment and remediation plan, as opposed to a data-center-locking series of actions that creates a 2001: A Space Odyssey version of HAL.
The best security experts not only guide responses and provide context; they also review the information available to determine gaps in detection, logging, and detection policies. Because cyber resilience is about improving, you also need to be able to correct and improve your detection and protection tools, so that detection and response move away from a mean time to recovery that depends on a secondary system, and the tools are instead enabled to do what they were designed to do and respond at machine speed.
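To make the “what can be automated vs. what should be automated” split concrete, here is an added Python example (not code from the original post, nor from Deepwatch or GuidePoint) of a policy gate in front of automated responses. The action names, the three tiers, and the 5% fleet-isolation circuit breaker are constructed assumptions; the point is that physical-access and power actions are never reachable from a playbook, and that even approved containment actions have a blast-radius cap.

```python
# Response tiers: "auto" runs at machine speed, "approve" waits for a human,
# "never" is refused even if a rule asks for it (physical access, power, etc.).
POLICY = {
    "quarantine_email": "auto",
    "block_sender_domain": "auto",
    "isolate_host": "approve",
    "disable_user": "approve",
    "lock_building_doors": "never",
    "cut_breaker_power": "never",
}
MAX_ISOLATED_FRACTION = 0.05  # circuit breaker: never isolate more than 5% of the fleet


class ResponseGate:
    """Decides whether a proposed response action may execute unattended (constructed example)."""
    def __init__(self, fleet_size: int):
        self.fleet_size = fleet_size
        self.isolated = 0  # hosts isolated so far in this incident

    def decide(self, action: str, target: str, approved: bool = False) -> tuple:
        tier = POLICY.get(action, "never")  # unknown actions are refused, not guessed
        if tier == "never":
            return ("refused", f"{action} on {target}: not an automatable action")
        if action == "isolate_host":
            if (self.isolated + 1) / self.fleet_size > MAX_ISOLATED_FRACTION:
                return ("refused", f"{action} on {target}: fleet isolation cap reached")
        if tier == "approve" and not approved:
            return ("queued_for_approval", f"{action} on {target}: human decision required")
        if action == "isolate_host":
            self.isolated += 1
        return ("executed", f"{action} on {target}: within policy")


def run_playbook(gate: ResponseGate, proposed: list) -> dict:
    """Apply the gate to (action, target, approved) tuples and tally the outcomes."""
    tally = {"executed": 0, "queued_for_approval": 0, "refused": 0}
    for action, target, approved in proposed:
        outcome, _reason = gate.decide(action, target, approved)
        tally[outcome] += 1
    return tally


# Constructed scenario: a ransomware alert flags 60 of 1000 hosts, a phishing rule wants to
# quarantine a message, disabling a user is not yet approved, and a rule wants to lock the doors.
SCENARIO = (
    [("isolate_host", f"host-{i}", True) for i in range(60)]
    + [("quarantine_email", "msg-42", False),
       ("disable_user", "skorning", False),
       ("lock_building_doors", "hq", True)]
)
```

Running `run_playbook(ResponseGate(1000), SCENARIO)` executes the first 50 isolations and the quarantine, queues the account disable for a human, and refuses the remaining 10 isolations and the door lock.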
A large percentage of edge firewalls, in both the cloud and the data center, have bloated rules and out-of-date detection policies, and are capable of more than they currently provide (looking at you, SSL decryption policies and layer-seven web application detection and blocking). In complex organizations, endpoint detection and response tools are installed but limited in their functionality, not because of what the tool can do, but because of what the business is comfortable allowing it to do on its own.
Both of these problems come down to understood, and practiced, processes and the communication of both risk and what appropriate responses look like. These aren’t technical issues, they are people issues, and organizations need to start viewing cyber resilience, automation, and expertise as a whole instead of as individual issues to be addressed. If any plan or program doesn’t account for all three, it is destined to fail. Maybe not as spectacularly as “the system shut itself down to protect itself”. After all, that’s almost as unlikely as getting locked out of every office you own and having to break in with power tools just to reset the system, right?
If you’re interested in the future of cyber resilience, building reliable and secure automation, and adding cybersecurity expertise to your organization, start a conversation with GuidePoint Security about how to get more value from your current security tooling and communicate the value of security to the business more effectively.
Tristan Morris
Cybersecurity Solutions Marketer,
GuidePoint Security
Tristan Morris started his cybersecurity career in 2010 as a cryptologic linguist in the US Marine Corps, where he learned the fundamentals of security and threat hunting. At the end of his enlistment in 2015 he began using his skills, knowledge, and perspective to build training and education labs and CTF events by re-creating advanced attack lifecycles to construct realistic datasets for lab attendees to hone their skills. He has spoken at large security conferences and events from Black Hat to Singapore International Cyber Week.