There’s no denying that there’s a massive talent gap in tech, and this is especially true in security. Blackstone’s Jay Leek, at the Structure Security conference in San Francisco, explained how his company is using automation to offset that skills gap.
According to Leek, Blackstone started with their operations teams. He said that he wanted one security operations analyst to be able to operate with the same amount of productivity of three analysts.
The firm started with alerts for security investigations. Initially, they were spending 30-45 minutes for each investigation. Because of the monotony of these investigations, Leek found that many security professionals weren’t following the checklist and began cutting corners. So, they began automating that alert response because the standard steps were repeatable.
They got it down to 40 seconds per investigation.
SEE: Cybersecurity Research 2016: Weak Links, Digital Forensics, and International Concerns (Tech Pro Research)
Once Blackstone was able to automate these alerts, their security employees were able to go straight to remediation, instead of spending all that time on investigation.
Next, the company began to automate more procedures that were boring, or also easily repeatable. One example of this is account lockout. While most of the time, it’s a messed up password, it could be evidence of an attempted brute force attack. So, Blackstone automated the process so that, if it fits a certain list of points indicative of a flubbed password, it automatically sends it to help desk and opens a ticket so the password can get reset. This frees up security professionals to investigate the potential attacks.
Leek said that the company wrote it all in Python, and brought it into a standardized orchestration platform so they aren’t dependent on specific employees and their individual contributions. So, even if an employee leaves, the company can keep their automation happening.
While Leek said the company began with the 3x improvement on analyst productivity, the biggest value was actually the consistency brought to standard operations. With consistency of investigations, for example, low-level employees get to do more interesting work, and senior employees can be freed up to do more in-depth work.
Orchestration also plays a key role in the automation of security jobs. Leek said it’s the “connective tissue” that allows his organization to leverage platforms in different ways, maybe even ways that the vendor didn’t originally intend. They bought into a third-party platform and they are building on top of that.
However, there are new problems that exist because of automation. By automating with an orchestration platform, Leek said, they’ve created a more critical single point of attack, as it is connected to everything in his organization. So, keeping that secure has become one of his main concerns.
He’s also increasingly concerned about insider attacks, as the next generation of employees can more easily find ways around the system, Leek said. These incidents might not even be malicious, as it could just be these employees looking for ways to automate his or her own work.
So far, Blackstone is “laser -focused on any kind of alerting mechanism” as well as “routine tasks,” Leek said. They’re automating tier 1 operations now, but want to get more tier 2 operations automated in the future as well.
The 3 big takeaways for TechRepublic readers
- According to Blackstone’s Jay Leek, automation can help CXOs weather the cybersecurity skills gap that is growing in enterprise IT.
- Blackstone started with automating alerting, which freed up senior level employees to focus on bigger issues, and allowed junior employees to do more interesting work.
- Orchestration is key to automating security, but it creates its own problems in that it builds a more critical attack vector.