Automation in Network Security: Friend or Foe?

If you are like most security professionals, you probably feel overwhelmed just thinking about your to-do list: update policies, run reports, extend protections, analyze results, find hidden threats, manage multiple deployments… That list is endless.

Automation seems to be the perfect answer, but most security professionals are torn between the idea of automating and streamlining processes while maintaining manual control to enable human decision-making. There is a fear of simply letting software make security or network management decisions in their organizations. This choice can feel like the conflict in the Matrixmovies: man against machine. Many security professionals hesitate to trust automation because they often prefer to maintain manual control at the expense of a more controlled, predictable, and manageable work environment.

But let’s take a closer look at the pros and cons of automation in security environments. For sure, there are certain concerns about automating processes, especially when it comes to managing security deployments; but, in general, we will see that most concerns are more fear-based than fact-based:

• Perceived loss of control: Let’s face it, we all feel like we can do a better job at keeping our companies secure than technology alone. But the fact remains that there are limitations as to how much analysis can be done manually in any organization.
• Distrust in technology: The feeling that automated technology will overlook threats or overblock the employees in our organizations is another very powerful, yet emotional argument against automation.
• Fear of change: What will automation of security do in my organization? How will it impact my job? Most security professionals feel overwhelmed but have accepted this situation as just a part of their job. A reduction of this stress could feel like they are not protecting their companies efficiently.

Counteracting the cons is a series of very powerful fact-based pros:

• Streamlined processes and less duplication: Many processes in security deployments are complex and often result in the duplication of effort. How many policies do you manage that are duplicated across your network? Do you have to maintain and update all of these policies manually? Automation can go a long way in reducing duplication.
• Reduced complexity: Most security deployments are incredibly complex and span a variety of different technologies, all of them with their own UIs, reporting functionalities, and rule bases. Automation can bring cohesiveness and consistency, and with it, reduced complexity to the table.
• Fewer human errors: Complexity and duplication are dangerous when it comes to human work. Stress, long work hours, and confusion frequently result in human errors that can spell disaster for security organizations. Automation can significantly reduce human error.
• Improved knowledge sharing and fast decision-making: Automation can correlate information across different data sources, resulting in faster threat detection than possible with manual analysis.

Deciding when, how, and to what extent to automate is a decision that is left to each individual network administrator and security professional. When it comes to automation, it can be introduced or expanded to any organization in four main categories across your network security deployments. Breaking out the automation process into these categories will help prioritize any plans for automation.

1. Network Setup – Automation in this area allows for configuration of firewalls and policies by eliminating duplication and streamlining processes with automation tools such as templates, templates stacks, and device groups.
2. Network Management – Automation in this quadrant ensures always up-to-date network and policy with capabilities such as SIEM integration or security policy orchestration.
3. Threat Intelligence Setup – This area focuses on automatic protection against known and unknown threats with thorough analysis and prevention of successful attacks. It also can ensure that differing security technologies can learn from each other. Automated threat correlation, a common security rule base, and similar functionalities go a long way toward making things more streamlined.
4. Threat Intelligence Management – This component focuses on continuous protection with the latest information with automatic and frequent updates to software, signatures and other security components.

To learn more about the pros and cons of security management automation, please see our archived “Automation in Network Security Management – Friend or Foe?” webinar, availablehere.

Joerg Sieber

[Palo Alto Networks Blog]