How can security automation tools keep organizations protected?
Sometimes security teams fall into 'set and forget' habits with security automation. Expert Mike O. Villegas explains how to take advantage of automation while staying secure.
It sometimes seems like security teams rely too heavily on "set and forget" security and don't have enough security professionals to provide human analysis and judgment. What are the risks with security automation in this regard? How can organizations take advantage of security automation, but remain protected?
The purpose of security automation is to facilitate protection, monitoring and identification of assets that would otherwise be impossible to perform manually. The operative word is facilitate -- not set and forget. All software needs to be tailored for the enterprise's unique environment and updated to maintain the level of protection and monitoring required. The key is to find the right balance where maintenance is routine, necessary and sufficient.
Once in place, security automation tools should generate alerts and reporting on anomalies or vulnerabilities for the security team to vet and determine if further follow-up procedures are needed to mitigate or eliminate the threats reported.
No one is immune to attacks, and with the proliferation of new attack vectors introduced daily, it is foolish to believe that a security automation tool does not need further attention. Patches alone warrant some interaction from the security team; otherwise the tool would only be configured for attack signatures known at the time of its implementation. Lack of attention would undoubtedly leave the enterprise exposed to unknown vulnerabilities and possible attacks it would otherwise be alerted to.
Some security automation tools require less maintenance than others, but all should be reviewed on a periodic basis. Tools are used to ensure that patches to servers and software versions are current, that agents are installed and active on target devices, that alerts correlate to realistic rules, that follow-up procedures receive proper monitoring, and that remediations are timely for high-risk vulnerabilities. All of these require time, research and action on the part of security team members to maintain proper protection and monitoring levels. To believe these security tools run on autopilot is not prudent.
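One way to turn that periodic review into a repeatable check is a small drift report that flags stale signatures, silent agents, alerts nobody has vetted and overdue high-risk remediations. This is an added example, not code from the column or any vendor tool; the inventory, hosts, alert IDs and thresholds are constructed sample values.

```python
from datetime import date
# Constructed sample inventory: hypothetical hosts, alerts and findings, not from any real environment.
INVENTORY = {
    "signature_updated": date(2024, 1, 3),  # last ruleset/signature update applied to the tool
    "agents": [
        {"host": "web-01", "last_checkin": date(2024, 3, 1)},
        {"host": "db-01", "last_checkin": date(2024, 1, 20)},  # has gone quiet
    ],
    "alerts": [
        {"id": "A-1", "rule": "ssh-bruteforce", "triaged": True},
        {"id": "A-2", "rule": "ssh-bruteforce", "triaged": False},
        {"id": "A-3", "rule": "port-scan", "triaged": False},
    ],
    "findings": [
        {"id": "F-1", "severity": "high", "opened": date(2024, 2, 1), "closed": None},
        {"id": "F-2", "severity": "low", "opened": date(2024, 1, 1), "closed": None},
        {"id": "F-3", "severity": "high", "opened": date(2024, 2, 20), "closed": date(2024, 2, 25)},
    ],
}
REVIEW_DATE = date(2024, 3, 5)  # the day the review runs
# Hypothetical thresholds; tune them to the enterprise's own change and patch cadence.
THRESHOLDS = {"max_signature_age_days": 30, "max_agent_silence_days": 7, "high_risk_sla_days": 14}

def review_automation(inventory, today, thresholds=THRESHOLDS):
    """Return (category, detail) items that need a human decision; an empty list means nothing drifted."""
    items = []
    sig_age = (today - inventory["signature_updated"]).days
    if sig_age > thresholds["max_signature_age_days"]:
        items.append(("stale-signatures", f"ruleset last updated {sig_age} days ago"))
    for agent in inventory["agents"]:
        silent = (today - agent["last_checkin"]).days
        if silent > thresholds["max_agent_silence_days"]:
            items.append(("inactive-agent", f"{agent['host']} has not checked in for {silent} days"))
    # Alerts nobody has vetted, grouped by rule: a rule that only piles up is a candidate for tuning.
    untriaged = {}
    for alert in inventory["alerts"]:
        if not alert["triaged"]:
            untriaged[alert["rule"]] = untriaged.get(alert["rule"], 0) + 1
    for rule, count in sorted(untriaged.items()):
        items.append(("untriaged-alerts", f"{rule}: {count} alert(s) never vetted"))
    for finding in inventory["findings"]:
        if finding["severity"] == "high" and finding["closed"] is None:
            open_days = (today - finding["opened"]).days
            if open_days > thresholds["high_risk_sla_days"]:
                items.append(("overdue-remediation", f"{finding['id']} open for {open_days} days"))
    return items

if __name__ == "__main__":
    for category, detail in review_automation(INVENTORY, REVIEW_DATE):
        print(f"[{category}] {detail}")
```

Feeding it the tool's real export on a schedule turns "set and forget" into a short list the team must explicitly close out each review.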