Automation is often touted as the panacea for countless ills facing the modern enterprise – from labour-sapping paper processes to business-crippling human errors. However, Dr Venkat Balakrishnan, TAL’s chief information security officer (CISO), has cautioned FSIs against forcing wholesale automation upon critical cybersecurity functions, believing that, while automation is a crucial part of the infrastructure mix, an end-to-end automated process could prove both costly and fraught with unresolved integration challenges – at least for now.
Speaking at the 2020 Future of Financial Services, Sydney virtual conference, Balakrishnan examined the expanding threat detection and response capabilities of the Security Information and Event Management (SIEM) system – a centrepiece of cybersecurity infrastructure for most large-scale organisations.
The SIEM platform, at its heart an event logging system, has a well-earned place within FSIs’ backend technology mix, adopted by banks and insurers to meet strict regulatory reporting obligations.
Yet, its key function is rooted within the wider cybersecurity framework. It is, in effect, the ‘nerve centre’ of cyber defence infrastructure, providing crucial intelligence to identify and act on security threats.
While there has been considerable push at senior-levels to embrace end-to-end automation across all core infrastructure – no doubt with the sometimes blinkered notion of slashing costs and reducing inefficiencies – Balakrishnan believes this goal is impractical, and potentially counterproductive, within the multi-layered and highly interconnected SIEM system.
This is particularly so, he said, “with the preponderance of unsupported systems and limited engineering expertise within a typical organisation”.
“Some organisations are really looking towards the higher end of automating the entire [threat] response end-to-end.”
However, with many “organisations yet to establish the foundational elements”, end-to-end automation remains, for many, an “unrealistic” goal, Balakrishnan said.
While stressing that targeted and intelligent automation is incredibly valuable within elements of the SIEM framework, particularly in incident triage, he feels the ROI on end-to-end automation is simply not there – at least, not yet.
What’s under the SIEM?
The foundation of SIEM has been in existence for over a decade. Evolving from basic log management platforms, the SIEM system has expanded its remit considerably, effectively functioning as an all-in-one threat detection, analysis, reporting, and alert system.
The system works by aggregating data from multiple input sources (for instance, core systems, customer interaction platforms, applications, as well as security devices including antivirus filters and firewalls), creating event logs, establishing benchmark norms, and then using a rules-based or a statistical correlation engine to identify deviations from these norms (and thus potential malicious activity), upon which it can prompt cyber defence systems to act.
SIEM systems have evolved at breakneck pace over the last decade, often stacking user and entity behaviour analytics (UEBA) and security orchestration, automation and response (SOAR) capabilities on top of their incident logging and analysis core.
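To make the two correlation styles concrete, the following is an added example (not code from the article, TAL, or any SIEM product) that runs a rules-based detector and a statistical baseline detector over a handful of constructed sshd-style log lines. The log format, the baseline figures, the thresholds and the documentation-range IP addresses are all hypothetical.

```python
"""A minimal SIEM-style correlation pass over constructed auth log lines.
Added example, not from the article: the log format, the baseline figures
and the thresholds are hypothetical."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One sshd-like line format; anything else is counted as dropped, not guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(line):
    """Normalise one raw line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def rule_bruteforce_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Rules-based correlation: N failures then a success from the same (user, ip)."""
    alerts = []
    recent_failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["ip"])
        if e["result"] == "Failed":
            recent_failures[key].append(e["ts"])
            continue
        in_window = [t for t in recent_failures[key] if e["ts"] - t <= window]
        if len(in_window) >= min_failures:
            alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                           "ip": e["ip"], "failures": len(in_window), "ts": e["ts"]})
        recent_failures[key].clear()  # a success closes the sequence either way
    return alerts


def stat_failure_outliers(events, baseline, sigma=3.0, min_failures=5):
    """Statistical correlation: today's failure count against the user's norm.
    baseline maps user -> list of daily failure counts from past days."""
    today = Counter(e["user"] for e in events if e["result"] == "Failed")
    alerts = []
    for user, count in today.items():
        history = baseline.get(user, [])
        if len(history) >= 2:
            threshold = statistics.mean(history) + sigma * statistics.stdev(history)
        else:
            threshold = min_failures  # no norm yet: fall back to a static floor
        # The floor stops near-zero-variance users from alerting on two typos.
        threshold = max(threshold, min_failures)
        if count > threshold:
            alerts.append({"rule": "failure_count_outlier", "user": user,
                           "count": count, "threshold": round(threshold, 2)})
    return alerts


def run(lines, baseline):
    """Parse, then run both detectors; dropped lines are reported, not hidden."""
    parsed = [parse(line) for line in lines]
    events = [e for e in parsed if e is not None]
    alerts = rule_bruteforce_then_success(events) + stat_failure_outliers(events, baseline)
    return {"events": events, "dropped": len(parsed) - len(events), "alerts": alerts}


# Constructed sample input (RFC 5737 documentation addresses, invented users).
SAMPLE_LOG = [
    "2024-05-01T09:00:01 web1 sshd: Failed password for alice from 203.0.113.5",
    "2024-05-01T09:00:04 web1 sshd: Failed password for alice from 203.0.113.5",
    "2024-05-01T09:00:09 web1 sshd: Failed password for alice from 203.0.113.5",
    "2024-05-01T09:00:15 web1 sshd: Failed password for alice from 203.0.113.5",
    "2024-05-01T09:00:20 web1 sshd: Failed password for alice from 203.0.113.5",
    "2024-05-01T09:00:27 web1 sshd: Failed password for alice from 203.0.113.5",
    "2024-05-01T09:00:33 web1 sshd: Accepted password for alice from 203.0.113.5",
    "2024-05-01T09:05:00 web1 sshd: Failed password for bob from 198.51.100.7",
    "2024-05-01T09:05:30 web1 sshd: Accepted password for bob from 198.51.100.7",
    "2024-05-01T09:06:00 web1 sshd: Failed password for bob from 10.0.0.9",
    "2024-05-01T09:06:05 web1 kernel: unrelated message the parser does not know",
]
# Constructed "historical norm": failed logins per user on each of the last five days.
BASELINE_FAILURES = {"alice": [1, 0, 2, 1, 1], "bob": [0, 1, 0, 0, 1]}

if __name__ == "__main__":
    result = run(SAMPLE_LOG, BASELINE_FAILURES)
    print(f"{len(result['events'])} events, {result['dropped']} dropped")
    for alert in result["alerts"]:
        print(alert)
```

On this input only alice trips both detectors: six failures followed by a success from one address within the window, and a daily failure count above her baseline threshold (the mean-plus-three-sigma figure is below the static floor of five, so the floor applies). bob's two failures and the unparseable kernel line produce no alert; the dropped-line count is surfaced because silent parse failures are exactly the "quality data" problem the article goes on to describe.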
Developers (often in-house) are continuing to lay on “rich enhancements” to SIEM, Balakrishnan said, including internal and external threat intelligence, analytics, AI, and visualisation and dashboarding overlays, as well as “extended automated response functions”.
Indeed, beyond its original function as a post-incident tracking and investigation tool, SIEMs are often equipped to deliver real-time threat detection, monitoring and, increasingly, even remediation.
However, as a centralised system, SIEM architectures can be fiendishly complex.
For Balakrishnan, this complexity stands as a considerable roadblock to wholesale automation efforts.
To function effectively, SIEMs must ingest data – or, more accurately, quality data – from a vast array of systems across the business, from the most up-to-date customer service platforms to multi-decade-old legacy core systems.
“We’re not talking about two individual platforms talking with one another. SIEMs are essentially based on ‘a hub and spoke’ model.”
For Balakrishnan, attempting to automate each end of this patchwork of systems, while “doable” he says, remains fraught with difficulty.
“End-to-end automation of the playbook is really, really hard, quite simply because not all your systems are ready to support it.”
Moreover, many “straight out of the box” solutions are not necessarily ready or are ill-suited for automation, he said.
“There are some technologies where they don’t have APIs that can support this system-to-system talk; and, even if they have APIs, they may not have all the APIs relevant for such an activity.”
Without adequate data filtering and controls, an automated ingestion process not only becomes unproductive, but also incredibly cost-inefficient.
There is, indeed, little value in forcing SIEMs to ingest a “laundry list of data sources”, much of which is redundant and unrelated to security controls.
“You’re not going to use all those data sources and those datasets are not tied back to your threat models or use cases,” he said.
“At the end of the day, it’s simply not cost-effective. There’s a lot of effort wasted in managing that data source and maintaining it.”
Where automation counts
Balakrishnan advocates an “incremental”, targeted approach to SIEM automation – one that can offer a much higher yield in efficiency and cost over the short-to-medium term.
“People can put a lot of time, effort, and dollars into end-to-end automation. It’s not an impossible task,” he said.
“But if you look at the value and benefit, the best ‘bang for your buck’, it’s those high-volume tasks… that benefit from automation.”
Incident triage, initiated immediately after a threat is detected, is for Balakrishnan a natural home for automation. This, for instance, could include “data enrichment activities” and high-volume, repetitive tasks such as IP mapping and risk profiling, or reverse DNS resolution.
At the other end, simple, proactive threat responses, such as “pulling [suspicious] emails from mailboxes or inputting firewall blocks” are also well suited to an automated response.
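The triage and response steps just described can be sketched as a small playbook. The following is an added example, not code from the article, TAL, or any SOAR product: the alert schema, the enrichment tables, the scoring weights and the action names are hypothetical. Reverse DNS, asset inventory and threat intelligence are replaced by constructed in-memory tables so it runs offline; a real playbook would call socket.gethostbyaddr() and the organisation's CMDB and threat-intel platform at those points. It also shows the guard a practitioner wants around the "firewall block" step: an automated block is only issued for external addresses that are not on a never-block list.

```python
"""Triage automation for a SIEM alert: enrichment, risk scoring and a guarded
response. Added example; the alert schema, lookup tables, weights and action
names are hypothetical and not from the article or any product."""
import ipaddress

# Constructed stand-ins for reverse DNS, asset inventory and threat intel.
# Offline so the example runs anywhere; a real playbook would call
# socket.gethostbyaddr() and the CMDB / threat-intel platform here.
REVERSE_DNS = {
    "203.0.113.5": "scanner-5.example-hosting.net",
    "198.51.100.7": "vpn-egress.partner.example",
}
THREAT_INTEL_BAD_IPS = {"203.0.113.5"}
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]  # asset inventory
NEVER_AUTO_BLOCK = {"198.51.100.7"}  # partner VPN egress: a block here is an outage


def enrich(alert):
    """High-volume, repeatable enrichment: rDNS, asset lookup, TI match."""
    ip = ipaddress.ip_address(alert["src_ip"])
    enriched = dict(alert)
    enriched["rdns"] = REVERSE_DNS.get(alert["src_ip"])
    # Inventory membership decides 'internal'; ipaddress.is_private is avoided
    # because it also marks the RFC 5737 documentation ranges used here as private.
    enriched["internal"] = any(ip in net for net in CORPORATE_RANGES)
    enriched["ti_hit"] = alert["src_ip"] in THREAT_INTEL_BAD_IPS
    return enriched


def risk_score(enriched):
    """Additive weights (hypothetical) so every decision is explainable."""
    score = 0
    if enriched["ti_hit"]:
        score += 50
    if not enriched["internal"]:
        score += 30
    if enriched.get("failures", 0) >= 5:
        score += 40
    if enriched.get("success"):
        score += 20
    if enriched.get("user_reports", 0) > 0:  # staff reported the mail as phishing
        score += 40
    return score


def decide(enriched):
    """Turn a score into actions. Only cheap, reversible actions run unattended,
    and blocking is fenced by the inventory and the never-block list."""
    score = risk_score(enriched)
    actions = []
    if enriched.get("kind") == "phishing" and enriched.get("message_id"):
        actions.append(("quarantine_email", enriched["message_id"]))
    blockable = not enriched["internal"] and enriched["src_ip"] not in NEVER_AUTO_BLOCK
    if score >= 70 and blockable:
        actions.append(("firewall_block", enriched["src_ip"]))
    elif score >= 40:
        actions.append(("escalate_to_analyst", enriched["src_ip"]))
    else:
        actions.append(("close_as_noise", enriched["src_ip"]))
    return score, actions


def triage(alerts):
    """Run the playbook over a batch; returns {alert_id: (score, actions)}."""
    return {a["id"]: decide(enrich(a)) for a in alerts}


# Constructed alerts, shaped as a correlation engine might emit them.
SAMPLE_ALERTS = [
    {"id": "A1", "kind": "brute_force", "src_ip": "203.0.113.5", "failures": 6, "success": True},
    {"id": "A2", "kind": "brute_force", "src_ip": "198.51.100.7", "failures": 6, "success": True},
    {"id": "A3", "kind": "brute_force", "src_ip": "10.0.0.9", "failures": 6, "success": False},
    {"id": "A4", "kind": "brute_force", "src_ip": "203.0.113.9", "failures": 1, "success": False},
    {"id": "A5", "kind": "phishing", "src_ip": "10.0.0.25",
     "message_id": "<m1@example.net>", "user_reports": 3},
]

if __name__ == "__main__":
    for alert_id, (score, actions) in triage(SAMPLE_ALERTS).items():
        print(alert_id, score, actions)
```

A1 (threat-intel hit, external, brute force with a success) is blocked automatically. A2 has the same pattern but comes from the partner VPN on the never-block list, so it scores just as high yet only goes to an analyst. A3 is an internal source and is never auto-blocked. A4 is closed as noise, and the reported phishing mail A5 gets its message pulled from mailboxes and a human look. The point of the guard lists is the one the article makes: an automated response is only as safe as the inventory and allowlists it consults.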
Ultimately, while automation appears an inevitable and unstoppable force in cybersecurity, cyber leaders must take a tactical approach, with due deference to systems complexity and ROI.
“Automation is not straightforward and it’s not easy to do it. Rather, you pick your problems and then prioritise what you want to do to get the most value out of it.”