June 3, 2020
automation

How is automation evolving to detect and mitigate cyber threats?

Archit Lohokare, Chief Product Officer

Automation is evolving to address cyber threats. Here's our take on how automation has impacted the stages of development, deployment, and operation/consumption of applications and technologies.


The modern enterprise is a complex hybrid environment, with applications, servers, and workloads in general running in on-premises data centers as well as in the cloud. In addition, the applications and technologies used to manage, secure and operate those workloads are not only commercial off-the-shelf (COTS) products; in many cases they are homegrown and developed in-house. As a result, one way to look at how automation is evolving to address cyber threats is to look not just at how it has impacted the management, operations, and security of these applications, but also at how it has impacted in-house application development and deployment within many of these large enterprises.

In specific terms, here’s my view on how automation has impacted the stages of a) development, b) deployment and c) operation/consumption of applications and technologies.

a) Development: With the advent of DevSecOps and the wide adoption of the shift-left paradigm, application developers are looking at a fully automated and secured CI/CD pipeline. This helps them write secure code without having to re-invent key pieces such as Identity and Access Management (IAM) for each application; instead, they can easily hook into an existing IAM system that their organization may already have. This ensures that developers incorporate secure best practices in the development stage, resulting in applications that are ready to be plugged into the IAM system, with the right authentication and authorization policies set up for the application from day 1.

b) Deployment: This comes with many choices (on-prem private cloud, hosted private cloud, hybrid cloud, pure cloud), many architectural options (microservices-based, for example) and tools like Terraform and Ansible, which can completely automate the deployment of infrastructure through code (Infrastructure as Code, IaC). This equips IT and security ops teams with the right tools for deploying the various components with the right security policies. For example, when deploying a new web-based application, the deployment automation configures and sets up:

  1. Trust between systems and services, to drive secure machine-to-machine communication.
  2. Perimeter-based security for access from within and outside the perimeter. This might involve spinning up firewalls and reverse proxies on the fly with a per-app policy.
  3. IAM systems (for access and governance security) for perimeter-less secure access, so that the application is protected with the right access policies for the various identities accessing it. For example, the system may automate federation of the app with the IAM system, creation of roles, or assignment of pre-configured roles/groups/identities to the application based on the deployment policy for the app.
  4. Log and event collection into risk analytics and SIEM systems for continuous monitoring, and User and Entity Behavior Analysis (UEBA) for just-in-time access policy creation or deletion, or for inspection and investigation. This often comes integrated with the IAM system.
  5. If some of the applications run in a public IaaS (such as AWS or Azure), configuration of cloud access security brokers (CASBs) and of their connection to the IAM system, so that appropriate access-policy changes can be made based on the fine-grained visibility coming from the CASB.

The above is far from a comprehensive list of all the automation tasks that happen, but I did try to focus on some of the key steps that are critical in ensuring timely detection and mitigation of breaches.

c) Operation: This is by far the most vulnerable part of the lifecycle, and the one that puts to the test all the good work that has already gone into the development and deployment stages, one example being the integration with log/event analytics engines for continuous monitoring and risk assessment. This area has evolved by leaps and bounds in the past few years and is critical in the detection and prevention of attacks and breaches. Some of the highlights are:

  1. AI with ML has been applied very effectively to sift through gargantuan amounts of data and establish identity profiles, which are then used to detect not just anomalous but also malicious behavior.
  2. Evolving from being prescriptive (providing broad recommendations on how to mitigate cyber threats) to being directive (providing definite steps and automating them).
  3. Evolving from siloed, in many cases unsupervised, learning to a hybrid approach that combines human intelligence and inputs (supervised) with unsupervised learning.
  4. Automated orchestration of the configuration of adjacent and impacted systems to reduce the propagation of cyber threats.
  5. Automated notifications and mitigation steps (for example, blocking access or reducing to least privilege). Robotic Process Automation (RPA) also brings efficiencies in this area.
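As an added illustration of highlights 1, 2 and 5 above (example code written for this post, not Idaptive's product logic), the Python below builds a per-identity baseline from constructed sign-in records, scores a new sign-in against that baseline, and turns the score into directive steps rather than a broad recommendation: step-up MFA for moderate risk, or session revocation plus reduction to least privilege for high risk. The pipe-separated record format, the risk weights, the 10-minute failure window and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sign-in records (not real data) in a hypothetical pipe-separated
# export format: user|timestamp(UTC)|country|device_id|resource|outcome
HISTORY = [
    "alice|2020-05-04T09:02:11Z|US|laptop-a1|payroll-app|success",
    "alice|2020-05-04T10:15:40Z|US|laptop-a1|wiki|success",
    "alice|2020-05-05T14:30:05Z|US|laptop-a1|payroll-app|success",
    "alice|2020-05-06T09:48:22Z|US|laptop-a1|wiki|success",
    "bob|2020-05-04T08:05:00Z|SG|phone-b7|wiki|success",
    "bob|2020-05-05T08:11:30Z|SG|phone-b7|wiki|success",
    "bob|2020-05-07T08:01:00Z|SG|phone-b7|wiki|failure",
    "bob|2020-05-07T08:02:00Z|SG|phone-b7|wiki|failure",
    "bob|2020-05-07T08:03:00Z|SG|phone-b7|wiki|failure",
]


@dataclass
class Event:
    user: str
    ts: datetime
    country: str
    device: str
    resource: str
    outcome: str  # "success" or "failure"


@dataclass
class Profile:
    """Per-identity baseline learned from successful sign-ins only, so that
    failed (possibly attacker-driven) attempts never widen the baseline."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    resources: set = field(default_factory=set)


def parse_event(line: str) -> Event:
    user, ts, country, device, resource, outcome = line.strip().split("|")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(user, when, country, device, resource, outcome)


def build_profiles(events):
    profiles = defaultdict(Profile)
    for e in events:
        if e.outcome != "success":
            continue
        p = profiles[e.user]
        p.countries.add(e.country)
        p.devices.add(e.device)
        p.hours.add(e.ts.hour)
        p.resources.add(e.resource)
    return profiles


def score_event(profile, event, history):
    """Additive risk score; weights are assumptions for this example.
    Every signal records a reason so the decision can be explained."""
    score, reasons = 0, []
    if event.country not in profile.countries:
        score += 40
        reasons.append(f"country {event.country} never seen for {event.user}")
    if event.device not in profile.devices:
        score += 25
        reasons.append(f"unknown device {event.device}")
    if event.ts.hour not in profile.hours:
        score += 15
        reasons.append(f"sign-in at hour {event.ts.hour:02d} UTC is outside the usual hours")
    if event.resource not in profile.resources:
        score += 20
        reasons.append(f"first access to resource {event.resource}")
    # Velocity signal: failed attempts by this identity in the 10 minutes before this event.
    window_start = event.ts - timedelta(minutes=10)
    failures = sum(1 for e in history
                   if e.user == event.user and e.outcome == "failure"
                   and window_start <= e.ts < event.ts)
    if failures >= 3:
        score += 30
        reasons.append(f"{failures} failed sign-ins in the 10 minutes before this one")
    return score, reasons


def decide(score, reasons):
    """Directive response: concrete steps an orchestrator can execute."""
    why = "; ".join(reasons)
    if score >= 60:
        return "block", ["revoke the user's active sessions",
                         "remove the user from privileged groups until reviewed (least privilege)",
                         "open an investigation with reasons: " + why]
    if score >= 30:
        return "step_up_mfa", ["require multi-factor authentication before granting access",
                               "notify the SOC with reasons: " + why]
    return "allow", []


def evaluate(history_lines, new_line):
    history = [parse_event(l) for l in history_lines]
    event = parse_event(new_line)
    # defaultdict yields an empty profile for a never-seen identity, so every signal fires.
    profile = build_profiles(history)[event.user]
    score, reasons = score_event(profile, event, history)
    action, steps = decide(score, reasons)
    return {"user": event.user, "score": score, "reasons": reasons,
            "action": action, "steps": steps}


if __name__ == "__main__":
    for line in ["alice|2020-05-08T10:20:00Z|US|laptop-a1|wiki|success",
                 "alice|2020-05-08T03:20:00Z|RO|usb-x9|admin-console|success",
                 "bob|2020-05-07T08:04:00Z|SG|phone-b7|wiki|success"]:
        print(evaluate(HISTORY, line))
```

The baseline deliberately ignores failed attempts, and the velocity signal looks only at events before the one being scored, so a burst of failures followed by a success (as in bob's case) raises the score instead of being learned as normal.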

This post originally appeared in a Quora Q&A session hosted in January 2020. Our CPO Archit Lohokare was asked to discuss the state of cybersecurity, Zero Trust, artificial intelligence and machine learning, and working in the security field, among other things. Stay tuned as we share more of his answers on our blog!

Archit Lohokare, Chief Product Officer

Archit Lohokare is Chief Product Officer at Idaptive, where he is responsible for product strategy, driving innovation, and bringing new products and services to market. He transitioned over to Idaptive as it was spun out from Centrify, where—as Vice President of Product Management—he led the Identity-as-a-Service (IDaaS) and Unified Endpoint Management product portfolio. Prior to Centrify, Archit was Vice President of Products at Optymyze, where he led the product management team responsible for the company’s Sales Performance Management and Sales Platform-as-a-Service SaaS and PaaS solutions, securing a Leadership position in the first Gartner Magic Quadrant report on Sales Performance Management along the way.

Earlier in his career, Archit led Symantec's Cloud Information Protection Security-as-a-Service offering and IBM's Access Management product line, comprising Web Access Management, Identity Federation, Enterprise Single Sign-On, and Risk-based Access and Entitlements Management products. Archit joined IBM through the acquisition of Encentuate, a leading Bay Area start-up in the security software space; as an early employee, he had the opportunity to contribute to its successful exit.

Archit has an MBA from UC Berkeley-Haas School of Business, and a bachelor’s degree in Computer Engineering from NTU, Singapore, where he was awarded the SIA-NOL undergraduate scholarship by the Ministry of Education, Singapore.

Archit is an avid history buff, enjoys reading in his spare time and running breathlessly after his one-year-old, hyperactive son.

CHAMELEON-LIKE SUPERPOWER

If Archit could have any Chameleon-like superpower, it would be the ability to change colors quickly and adapt. “Actually, it would be like the ability of our IAM solutions to adapt instantaneously to a customer’s environment and user behavior. Anomalous user access? A snap! Presto, change-o – like a chameleon from green to red in an instant, adapt to the change in user behavior and request user to assure their identities using multi-factor authentication...”