Trending / April 28, 2017

Gigamon’s 2nd Annual Cybersecurity Summit: It’s Time to Orchestrate and Automate

In the world of cybersecurity, the bad guys have consistently done one thing better: They collaborate and openly share information. While we as cybersecurity practitioners face many constraints that we cannot affect, there are certainly things we can overcome together. 

This week, I spent a few days doing exactly that in Washington, D.C., with our Federal Government team attending the 2nd annual Gigamon Cybersecurity Summit. Not only was there a great lineup of speakers, panelists and a timely and informative keynote by General James Clapper, but there were also several hundred highly skilled and knowledgeable security professionals in attendance, and the conversations at the coffee stations and in the hallways were often just as informative and valuable to me.

Keeping with the theme of sharing . . . here are some of my notes and thoughts from the summit, taken from a great cross section of both the formal presentations and the many peer-to-peer conversations where I had a chance to explore ideas in more detail and gain many new perspectives on topics I thought I understood, but clearly hadn’t fully explored.

The “inefficiencies” in our security infrastructure are a vulnerability that attackers are actively exploiting.

Whether you have best-of-breed security technologies deployed or not, hackers will find vulnerabilities “in the seams in-between” them and exploit any inefficiencies they find to their advantage. Having the best NAC, the best firewall, the best DLP solution won’t make much difference to your overall security posture unless they are optimally working together and you have visibility into not only what’s happening on the devices, but also the actual flow of data in-between.

We’re asking everyone to be an expert in everything.

You can’t just learn to “do security.” The process of becoming a competent cybersecurity professional doesn’t equate to learning to be a Java programmer or a DBA. To be a proficient cybersecurity professional, you not only need to be a highly focused subject matter expert and master of your craft, but you also need to know a little (and sometimes a lot) about many other technologies to do even the most basic job requirements.

As the necessary amount of experience and comprehension on both sides of the equation expands exponentially, we are burning out the best and the brightest of our most valuable employees with unsustainable expectations. This is largely because we are still relying too heavily on manual processes and human intervention in a non-optimized way while introducing technology solutions faster than most of us can learn, adapt to and operate efficiently. This scenario puts us, as defenders, at a disadvantage as we become overloaded with too much of everything while the attackers automate, refine and simplify their methods.

Ironically, the sheer volume of new tools and technologies that are being introduced to help cyber defenders can sometimes just add to the overload rather than offload the work. Finding technologies that can help orchestrate the interoperability of these devices and automate as much of the mundane as possible is certainly top of mind with most security practitioners, and vendors should take note. Panelist Lisa Schlosser, former Deputy Federal CIO, further reminded us that we need to “fight complacency” and just accept that this will not always be popular with procurement folks; however, we need to be leaders and disrupt.

Orchestration and automation

If there were two words I heard more than anything else throughout the summit, they were “orchestration” and “automation.” Knitting together disparate best-of-breed technologies isn’t going to be enough to stop hackers unless we begin to apply intelligent orchestration so that these devices can work together to defend our networks and organizations with as little human intervention as possible. This is really the only way to scale an active defense, as it allows our incredibly busy security teams to focus on the problems that require human eyes on them and human intervention to ensure success.

How do we make it a machine-to-machine fight?

Shehzad Merchant, Gigamon’s CTO, asked this question and noted that the attackers currently have the advantage as they are using every opportunity to automate attacks while much of the work we do as defenders requires manual processes and intervention. The key to tipping the scales in our favor and taking back the advantage for the defenders is to figure out how best to make it “a machine-to-machine fight.”

Several conversations that I took part in over the lunch hour centered around what exactly this means. While machine learning and artificial intelligence (AI) vendors are certainly hot right now, most attendees I spoke with favored much simpler solutions centered around . . . you guessed it: orchestration and automation. Rather than an omnipotent and expensive futuristic AI solution, most defenders seemed to want an “if this then that” type app that, for network security, would leverage ubiquitous visibility and allow them to create and share “recipes” to automate and overcome common security processes and problems.

Security automation will force a pivot of our workforce models, providing both an opportunity and a challenge.

Anyone in security who thinks they are going to be automated out of a job is nuts. If anything, the more work we can offload to automation, the more focused we as security professionals can become on what matters most. The more we focus, the more work we’ll likely find we need to do. And that work shouldn’t be catching bad guys doing bad things, which is our focus today, but on ensuring the confidentiality, integrity and availability of technology and data resources so that the organization can fulfill its mission.

If we do ever get to a point where we are consistently getting security right, the nature of the work will most certainly change and that will be a difficult transition for many of us who are attracted to the profession largely because we see chaos as a creative opportunity, not simply as chaos. I expect though that by the time cybersecurity becomes a routine job, I’ll have been long retired! 

“It’s not a given that everything really needs to be connected to the Internet.”

I’ll conclude with this interesting and introspective comment made by Edward Amoroso, CEO of TAG Cyber. Of all the things I heard at the summit this year, this was likely the one observation that I found most profound and instructive.

Right now, especially in the consumer market, there is a rush to connect everything imaginable to the network and Internet whether it makes any sense or not. Take for example all the recent reports of kids’ toys that have been connected to the Internet with little or no thought put into how to secure these devices. Completely insecure endpoints that look like toys and will be literally placed in the hands of our children. Maybe there are some things that just won’t benefit from or need to be “connected” and many more that downright never should be.

We as security professionals need to perhaps push back harder on some of these wild ideas rather than expending time and energy trying to find a way to secure something that has no good reason to be online.
