Q&A: It’s Time To Automate Security. Part 1

By John Welton | April 07, 2017

As the threat landscape continues to evolve and the cyberskills gap remains a challenge, automation and intent-based security are becoming timely discussions when thinking about the future of cybersecurity. Fortinet’s James Cabe shares some perspective from the trenches. What follows is Part 1 of a two-part overview of the path to automation, beginning with where we need to be and what it will take to get there. Part 2 will discuss a realistic timeline to get from an intelligent network to truly automated, intent-based security, as well as what that intent-based security will look like.

Why is automation so important for cybersecurity?

At a high level, while many parts of the business are becoming data driven (Enterprise Resource Planning [ERP], Customer Relationship Management [CRM]), for many organizations IT is just getting started. Which means we can't get to intent-based security (bringing wisdom to IT decision-making) without starting with automation, which will free IT personnel to shift from babysitting technology to becoming data scientists.

For many, button pushing became a thing of the past once scripting and the DevOps movement started years ago. But while some sectors (like cloud and malware) have embraced this new paradigm, typical IT infrastructure folks have not. That doesn't mean they aren't good at what they do (many coders have no idea how routing actually works, either), but simply that they never grew into any programming roles, largely because of the high-touch nature of the technology they need to manage. To reap the benefits of the data-driven digital economy, however, there needs to be a road to get from point A to point B.

Typically, I would say training, training, training, but that doesn't really help here. For many IT professionals, we aren’t just talking about a skills gap. We are talking about two different mindsets about how to manage an IT infrastructure. So, how do you motivate a group of people not comfortable with DevOps or coding to embrace and enable automation? You need to start by building an ecosystem around some new standards, and within an integrated technology framework that makes sense for a large variety of companies. And that is simply step one of many.

What is an intent-based system in the context of automation?

Organizations in general automate to reduce costs, complexity, and errors. For businesses, the Lean movement is all about maximizing customer value while minimizing waste. If we are discussing IT people, it was to reduce operational expenses and enjoy some down time. Why keep pushing buttons and reading log files after hours when you could be at home throwing a baseball to your kid? So, many IT workers began to automate what they did.

This next round of automation, however, is different. Networks now adapt to demands in the blink of an eye. Automation allows IT teams to implement a "reflexive" or proactive action that occurs when something happens, whether bad or good. It enables a form of self-service for both the end-user and the IT person.

Once you have fulfilled that immediate need, automation can then become a building block for what’s next, which is an intent-based system that can not only tell what something is doing, but also for what reason. Then, based on some wisdom from past known "good" things, it can automatically take that reflexive action you created without the need for human intervention.

Where is security as an industry now, with regards to automation?

I think this warrants a discussion not only about where the average organization is, but also where we, Fortinet, are currently in terms of the variety of options we offer for security automation. These are two very different things.

Identifying the delta between where you are and what is possible is important because most organizations simply don’t have the freedom to scrap everything they’ve already invested in and replace it with “everything Fortinet.” But within that gap, it is clear that the industry is lacking a single good way for different technologies to interact with each other in order to put automated actions in place. Anyone paying attention understands that an integrated and collaborative security system is a critical goal for defense. But trying to make that happen in a highly competitive space has unfortunately tended to lead to more fights than solutions.

What can organizations do now that will have the biggest impact?

Once you have adopted the corporate mindset that you simply can’t afford to keep doing things the way you have been doing them, then training is always important. Start sending your people to coding classes at night or give them an hour a day to work on their skills. Then track it through a Kanban board. The organization as a whole will start reaping immediate rewards as engineers find interesting ways to get things done that weren't possible before. IT management would be surprised what could happen in a very short amount of time with a little sacrifice and some reallocation of existing resources.

Where are we going/what is the goal for automation in this space?

Automation, as mentioned before, is a building block. The set of actions to be taken is similar to what happens when training a guard dog. It needs to understand what is normal, interpret what is happening when something unexpected happens, and then decide on the appropriate course of action.

Then, we need to build data. Lots of it, based on what we know about the outside world, how our networks need to operate, and what has taken place before that is both good and bad. That set of constantly updated data will drive what decisions are made, bringing "wisdom" to automation. That is the way we get to an automated, intent-based defense for our world.

What will it take to get where we need to be?

Without the standardization of the interactions between technologies – and there are many that are needed to make this happen – it won't ever work right. Fortinet’s approach has been to create an integrated Security Fabric, which is an architectural framework comprised of both Fortinet and third-party solutions, built around open APIs, that includes the many touch points that need to be standardized.

1. Logging - The collection of data needs to be fixed into a standard that allows everyone to collect and analyze data efficiently, and if it needs an extension, we include the features that allow the implementation of extensions in an easy, self-documenting, and self-supporting fashion.

2. Threat-Intelligence – This includes data about the world around us, and not just the data that we ourselves are producing. For something to become self-aware, it has to realize there is a difference between itself and other. This is what threat intelligence brings to the table. This intelligence needs to be provided in a standardized format that allows it to be effectively correlated, processed, and acted on.

3. Open Development - We need to adopt and expand standardized APIs into everything, not only for many types of interactions between data and devices, but also between architectures. If something is capable of firewalling, what does that mean, and how can it be interacted with in order to enable, disable, or refine its behavior based on real time events and data? This sort of standardization can always be brought about through abstraction, like what DevOps accomplishes.

4. Authentication - Open architectures need to be able to identify themselves and others, recognize and share critical information, and categorize things properly in order to protect them. This is required for both nomenclature and taxonomy. For different technologies to work together, they have to speak each other’s languages.


Next: Part 2 will present a step-by-step timeline to get to intent-based security, and what that security will look like, with explanations of signature-based, adaptive, and behavioral security measures.