enterprisesecuritymag

Automate, Orchestrate, and Delegate

By Ian Hill, Global Director of Cyber Security, Royal BAM Group

Ian Hill, Global Director of Cyber Security, Royal BAM Group

You know it is going to be one of those days, when your Special Operations Manager calls you at half-past midnight on a Monday morning. “We’ve got ransomware”, and so we had. By chance one of our infrastructure engineers had been working late on the Sunday, provisioning some new virtual servers, the cyber team being inherently nocturnal were awake anyway, and new security tools we had commissioned over previous months were already doing their job. By 1 am, a full major incident response was in progress, at which point you quickly learn that von Moltke the Elder’s military maxim, “no battle plan survives contact with the enemy”, similarly applies to the cyber world.

In these strange times, one of our UK subsidiaries was hit along with another major UK construction company because we were building a number of the UK’s temporary Nightingale hospitals for the NHS to treat critically ill COVID-19 patients. As the UK Government had previously warned, the agenda of these attacks was less about the money, and more about causing as much chaos as possible in order to undermine confidence in the UK’s response to the Coronavirus pandemic.

This is symptomatic of the perpetually moving & evolving threat landscape, where the bad guys are always one step ahead, ready to exploit any new angle. The COVID-19 pandemic has exasperated the situation, with tactical necessity forcing many businesses into risking rushed and unplanned transitions to home-working and cloud environments. For many businesses, both small and large, this unplanned-for state has taken them beyond their existing security postures ability to monitor for and respond to attacks. While the most mature companies with the strongest postures are not immune to a compromise situation, what von Moltke was actually arguing is that what really matters is how quickly we are able to respond and adapt in any given situation.

For many businesses, their IT function is not 24/7 because the business itself is not 24/7, or at least not in the true sense, yet many of them rely on information systems that are available all the time. Something breaks over the weekend, then it will have to wait till Monday to get fixed, which could mean anything between inconvenient and catastrophic. In the same circumstances a cyber-attack resulting in a successful compromise, will almost certainly be catastrophic, particularly if ransomware is involved, and will invariably happen at stupid-o-clock in the morning, when no one is about to respond.

“Regardless of what line of business you are in, the world we live in is 24/7 and so are the threats, requiring solutions that never sleep.”

We are a construction and civil engineering group, not an IT services company, therefore like most organisations, IT is a support function for the business, not the business. So, here’s the dilemma, we don’t have the business need, or the budget to justify in-house 24/7 NOC’s & SOC’s, but at the same time the shifting threat landscape is demanding an ever-increasing level of monitoring and response capability.

To satisfy this requirement, many businesses are turning to the relatively simple and cost-effective strategy ofAutomate, Orchestrate, and Delegate.

Over the last few years, the shift to automation has been dramatic, particularly with the advent of more AI-driven solutions able to detect and assess a security threat, and take an instant action to not only mitigate the immediate threat, but then implement measures to the prevent a reoccurrence. With Zero Trust being the new norm, we have seen a shift of emphasis on end-point security, from traditional AV/IPS type products to more comprehensive EDR (Endpoint Detection & Response) type solutions, Microsoft’s Defender ATP being one such example. We also see in the data space, products such as Varonis DatAlert (which happens to be one of the products that helped us out), which has the ability to automatically detect and block ransomware attempting to encrypt files. With any incident, time is of the essence, effective automation can at best stop an attack in its tracks, or at least reduce the impact.

Orchestration can be the trickier issue. If you’ve chosen to go down the route of the complete Microsoft E5 Security stack, then it’s straight forward because solutions like Azure Identity Protection & Information Protection, Exchange Online Protection, and Defender ATP etc., are all somewhat symbiotic by design, and can be centrally orchestrated via their Sentinel product. Orchestrating solutions from different vendors, in order to effect a wider detect and automated response capability, invariably requires yet another solution, though this has improved significantly with the advent of SOAR (Security Orchestration, Automation, and Response) solution stack compatible solutions. The importance of orchestration cannot be overstated, because it facilitates the ability of one vendor solution to detect a threat, and where appropriate, initiate a response from another vendors solution.

We still need the human element, which brings us to Delegate. When we think of outsourcing security, we typically think of a SIEM/SOC scenario. Outsourced SIEM solutions, the staple of most SOC’s, traditionally tell you something doesn’t look right, but won’t necessarily do anything about it apart from alert a human, who then analyses and instigates a response, which invariably will involve calling a businesses on-call IT function. In a large and technically diverse organisation, effective SIEM is notoriously difficult to get right and can be very noisy and frustrating. Indeed, there is growing consensus that SIEM is dead (or at least dying) and that MDR (Managed Detection & Response) is the way forward and is the route we have chosen. MDR builds on the automate and orchestrate, and wraps it up with the 24/7 human expertise, and the ability to take control of a situation. This is more than just outsourcing which is why I prefer to use the term “Delegate” instead.

When we had our incident, we had already started along the journey towards Automate, Orchestrate, and Delegate, and our ability to respond, along with lessons learnt, reinforced that decision. Regardless of what line of business you are in, the world we live in is 24/7 and so are the threats, requiring solutions that never sleep.

Weekly Brief

Read Also

Digital identity - improving security and customer experience

Digital identity - improving security and customer experience

Margo Stephen, Head of Digital ID at Australia Post
Securing Telco Cloud for the 5G era

Securing Telco Cloud for the 5G era

Srinivas Bhattiprolu, Head of Advanced Consulting Service, Nokia Software
Risk Management in Times of Chaos. How To Survive It All?

Risk Management in Times of Chaos. How To Survive It All?

Magdalena Skorupa, Cyber Risk, Data Privacy & IT Compliance Director, Reckitt Benckiser Group
2021 - Are You Ready for the Future?

2021 - Are You Ready for the Future?

Sebastian Fuchs, Managing Director Manheim and RMS Continental Europe, Cox Automotive
How to Build A Successful Identity and Access Management (IAM) Program?

How to Build A Successful Identity and Access Management (IAM)...

Carlos Rodriguez, Director, IT Security & Risk, Citizens Property Insurance
Making Vulnerability Management Relevant to Your Organization's Needs

Making Vulnerability Management Relevant to Your Organization's Needs

Mike Holcomb, Director-Information Security, Fluor Corporation