Why are security professionals so darn afraid of automation? We continue to hold on to the idea that people have to be integral in the real-time decision process to protect ourselves from the technology we deploy to protect us.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, and Steve Zalewski, CISO, Levi Strauss, with our guest Edward Frye (@edwardfrye), CISO, Aryaka Networks and president of Silicon Valley chapter of ISSA.

Thanks to our sponsor, AppOmni

AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they’re fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who – and what – has access to your SaaS data.

Full transcript

David Spark

Why are security professionals so darned afraid of automation? We continue to hold onto the idea that people have to be integral in the real time decision making process to protect ourselves from the technology we deploy to protect us.

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO series, and, joining me for this very episode of Defense in Depth, is Steve Zalewski, who is a CISO over at Levi Strauss. Steve, thank you so much for joining us.

Steve Zalewski

As always, it’s a pleasure, David.

David Spark

It’s awesome having you on the show. Love having you on the show. Our sponsor today, Steve, is AppOmni, and I will say, if you have SaaS security issues, which, let me tell you, whether you know it or not you’ve got them, because all of us are using some type of SaaS app, and if you’re using any SaaS Apps, which probably everyone here who’s listening is, you’ll want to hear what AppOmni has to say about SaaS security. Steve, now, quoting you in the opening I did right here, you believe that cyber security people are afraid of automation, now, one way that I believe that this is actually happening is all the heavy lifting they feel they need to do to get automation rolling. The promise of automation, which we’ve heard again and again, is to reduce the workforce. I don’t buy it by the way. But, in previous reports I’ve seen, most people believe they need to actually staff up in order to deploy automation. What say you to that?

Steve Zalewski

So, when I had a moment of frustration and made this post, and used the nine box from Malcolm Harkins, who I want to thank for letting me borrow that, I had a completely different perspective of the question that I was asking compared to where many of the responses came. So, the first thing I want to say is, when I was posting the question, I was thinking, if you look at that nine box of detect, prevent, contain, and no automation, semi automation, full automation, why is everybody up in the upper right hand quadrant, where there’s very little automation, a lot of manual processing, and that there was not a lot of appreciation for detect, respond or contain. That was what I was thinking. And in my mind, I looked at myself as pushing my organization towards heavy automated containment, but I wanted to get that right, and therefore I could minimize detection and prevention to a certain extent in thinking about where to put my automation resources. Clearly I got that wrong. What I heard from people, and think what we’re talking about is every one of those nine boxes is important to different people for a different reason as to why they can, will or can’t automate.

David Spark

Good point, and it’s not a simple answer as we will see very shortly. But I want to address one issue regarding automation, and that is the fear of automation around, oh, I’m not doing it to protect my job, and I kind of want to put that to rest here at the beginning by reading this one quote from Kyle Monteagudo, of Rackspace, who said, quote, “If you’re well versed in automation I don’t think you’d be worried about losing your job,” and I think he hit the nail on the head with that one, because, if you avoid it, yes, you should be worried about your job, because, as we have seen, technologies evolve, we have to keep our knowledge base up, and if you want to stay stuck in the past you’re essentially not one who’s going to succeed much in technology. Steve?

Steve Zalewski

So, to me, it’s almost an oxymoron to worry about it, right, that’s just it, which was we’re going to have to automate, and that was my whole point was we have to automate. So what are we scared about? And what am I missing in the conversation? And again, one facet here is, alright, I’m going to lose my job, yes, you might lose your job because the company’s going to be breached and your company goes out of business, it’s not going to be because we don’t need security practitioners.

David Spark

Well, the person who’s going to help us with this very conversation has got a lot of insight on it, is Edward Frye, who’s the CISO over at Aryaka Networks, and also the President of the Silicon Valley chapter of the ISSA. Edward, thank you so much for joining us.

Edward Frye

Thank you David, I’m glad to be here.

What’s going on?

00:04:41:11

David Spark

Yaron Levi, the CISO of Dolby, said, quote, “I don’t think they’re afraid to automate, in many cases they don’t know what to automate or how. Moreover, many are just buried in operational tasks day in and day out, and it is difficult for them to raise their head above the water to do something different. It is hard to create and chase a vision when you are so busy doing.” And I will say, just for my own work, that totally rings true. Alex G of H&R Block says, quote, “It takes a dedicated approach to the automation problem to solve it effectively,” and Jeffrey Wheat, CISO of Team Alpha, said, quote, “Takes a lot of talented effort to tune the automation tools properly.” So, what they’re kind of all saying is, yes, if you want to do automation you’ve got to do it right, and you need the time to do it right, and you can’t be busy with all your darned manual processes in the meantime. Steve?

Steve Zalewski

Yes, right, I mean, part of it is, you know, when I look at Yaron Levi you could see me pause for a minute, I’m like, yes, you need more potentially to get the automation going, because you’ve got a thousand things to do, my counter to that is, okay, wait a minute, what are you going to stop doing so that you can automate? Because I’m going to argue a lot of what you’re doing today is not effective use of your limited resources, so, stop doing that and let’s get to the automation so that your overall posture is better.

David Spark

Edward, where do you take this, the idea of what can you stop doing to be able to focus on automation?

Edward Frye

Well, first I’d like to say that I absolutely agree that you need to be able to focus on that for at least a few moments, you need to stop doing what you’re doing, but, you also have to have a process in place to automate, you can’t just automate something that doesn’t already exist. So, being able to focus on one of those things, picking something that you’re already doing and saying, okay, this process is taking a lot of time, and we need to be able to reduce the amount of time that that’s taking. So, from a detection and or post-detection perspective, those types of things are easy to automate, you follow the same process of creating tickets or following up with different teams, and kicking off processes and stuff. If you’re already doing those things manually they’re error prone, you should focus on automating those because it’ll save you a lot of time and energy. But, to Steve’s point, there’s other things that should be automated that maybe they’re not yet, and a lot of people are afraid of doing that.

Why are they behaving this way?

00:07:28:18

David Spark

Michael Chelen, of the U.S. Department of Veteran Affairs, says, quote, “Does the diagram,” this is the Malcolm Harkins diagram we were referring to, “say that automation is less expensive?” That is true long term, however, creating good automation takes a bigger up front cost than manual process, and Yaron Levi alluded to this kind of issue in the beginning, and, Michael goes on to say, “So, even though manual is error prone, and risky, it gets used by default due to cost constraints,” and just hold onto that thought because I’m eager to know if you agree that that’s what happens, not that you agree that that’s a good idea, but that’s what happens. And then, Richard Moormann said, quote, “Those with a seeking slash entrepreneurial bent are quicker to try slash fail emerging technologies, if you’re an agile leader and have encouraged your staff to bring forward new opportunities for efficiency, you are leading the shift.” And Norman Hunt of GEICO said, “Most folks I talk to do automate, most reservations that I hear about are related to AI based, and off of machine learning specifically, given the amount of bias that can exist there.” So, I’m going to throw it to you here, first Edward, do you think that a lot of manual is continuing to happen just because of, hey, it’s easier to deal with OPEX than CAPEX?

Edward Frye

So, I think that a lot of it is the time that it would take and the amount of time that you would have to pause what you’re actually doing, the events are still coming in, the work still needs to get done. If you were going to automate those processes you’re not taking those processes and actually following through, addressing the tickets, addressing the vulnerabilities or anything like that. So, you have to stop, and that’s going to build up. But, the pay off is, is if you do that automation correctly, then you can work through that backlog and get ahead of it, and then address more things later. So, there’s a trade off there. But, I also wanted to focus on the decision making aspect of that, you know, a lot of people are automating their SAR processes or the manual tasks that are being done, but, then they’re still having that human in the decision, and they’re afraid of the AI or ML.

David Spark

Steve, where do you stand on this? And I also love Richard’s comment of the entrepreneurial seeking leader.

Steve Zalewski

Agreed. This gets back to why we had 24,000 people read this LinkedIn, right, with almost 150 responses. What I realized, again, it came back to where are you starting from, okay? My head set was at one place, many others are coming from different, and here’s what I learned, if you have a big organization because you’ve been around a while, you have a lot of legal regulatory compliance, so you’ve built out decent sized teams of analysts and you rely on bodies, because that’s the only way we used to do it. You’re comfortable with what your capabilities are and you want to live within that. If you’re coming from environments, so I’ll say retail, I’ll use myself as an example, where we don’t have big teams, and yet we have a big environment to protect, okay? Then acknowledging what I can do with my limited set of analysts, and simply say I’m going to live within that domain, it doesn’t work, okay? Four analysts trying to address the three to five incidents I get on phishing, or on equivalent types of social engineering, they’re drowning, I can’t keep up, and so, therefore, it became life or death for me to force them to automate, because the path I was on was not sustainable. And so, again, it kind of comes back to where is your organization maturity? How have you traditionally done it? And where is that entrepreneurship either being forced upon you or given to you to embrace?

Sponsor – AppOmni

Steve Prentice

The Verizon Data Breach Report came out very recently and looked at more than 1600 incidents and breaches over the past year. Brendan O’Connor, CEO and co-founder of AppOmni, a leader in the security posture management space, has some concerns based on what he sees.

Brendan O’Connor

80% of breaches are being discovered by external parties, so, 80% of the time, when, as defenders, our assets are compromised, someone outside of our organization is letting us down. That’s a big problem. They were not aware of where our gaps are and we’re not aware of where we’re getting compromised.

Steve Prentice

But that’s not the only problem.

Brendan O’Connor

With applications or applications that are available on the internet are by far the number one attack factor used by external hackers. There were 839 breaches that had human error as a cause of breach, or a contributing cause to breach in the Verizon Breach Report.

Steve Prentice

It’s time, he says, for companies to become more proactively aware.

Brendan O’Connor

So now, more than ever, we need to be looking at the applications that we have that are running in the cloud, we need to have visibility and we need to be looking at the configuration of those applications and ensure that the controls we expect to be in place, and that we rely on being in place, we trust that they’re going to be in place, that things actually are configured and set up correctly. The truth is, right now, people aren’t looking, and that’s why they’re being notified after the fact by external parties that there’s been an incident.

Steve Prentice

For more information visit AppOmni.com.

If you looked at this problem this way.

00:13:03:07

David Spark

I have just one quote here, and I liked it so darned much I’m letting it just live by itself, and that’s from Phil Huggins, CISO at the Department of Health and Social Care, and he says, quote, “I am a huge proponent of the idea that the skills gap isn’t actually an automation gap. We keep trying to automate human judgment when really we should be automating supporting human judgment.” So, this kind of, in some areas, goes contrary to what you were posting, but, you had this line of the levels of automation, if you will. I know there’s this intense desire to have a human somewhere in the decision making process. Do you think it could be fully boiled down to what Phil says here?

Steve Zalewski

Eventually yes, it will. Now, five years or 50 years, let’s not go there, right, but it will get better. Here’s where I like what Phil had to say, and it’s something I’ve thought about, which was, it’s one thing to be able to say automate the human process, it’s another thing to say I need to automate human behavior. It’s automating human behavior I think is where we have to be careful, right, and where, like, social engineering, to understand why it’s successful we have a lot more research to do, as opposed to the other point which was, we can automate human execution, and we should focus there for the most part.

David Spark

But he focuses on the staffing shortage issue that comes up again and again and again, like, and you were saying, you know, look out way into the future. What if the security person’s job was purely a decision making job, which I know they’re making a lot of decisions, but, not a process mechanical job that all the processes were being handled, and all the security professionals were doing, was making decisions, making critical decisions based on the information given to them? I mean, I would assume that’s sort of the Nirvana we’re looking for, yes Steve?

Steve Zalewski

Yes, and now I’m going to say it again, which was prevent, detect, contain, right, one side of that nine box. In my mind, what I want my professionals to do is, I need containment to occur through the automation, I need to know, if somebody clicked on a link and got phished that we disable that link, we purge it out of all of our existing systems, we verify if anybody else clicked on that link, we deactivate access for all those individuals, all that within the first two seconds of notification. I then have my smart guys going in to figure out secondary containment, which is, okay, how soon can I release those controls once I’ve got a breather to figure out just how extensive that attack permeated my environment. That, in my mind, is optimal. But, many look at it as, I want my protect and my detect environments to be automated, and then have my humans try to do that analysis, and that’s another legitimate way, and many are there in maturity, that was why I found that nine box so interesting.

David Spark

Edward, jump in here.

Edward Frye

So, I’d definitely like to agree with the automation portion of that, a lot of folks have automated the detection but then, having the human do the what do I do with this? And I see where Steve is coming from on this, where you need to be able to prevent the actual breach. Let’s take data loss protection for example, if you’re just detecting that something went out, and you’re like, hey, that happened, and then somebody has to go and investigate what happened and why it happened, versus, preventing that from happening and then getting in there and stopping it from going out. If you’re just detecting it, it’s already gone.

David Spark

And also, we’ve talked about this before, detection is one of the easiest darned things to do, isn’t it?

Steve Zalewski

It’s the easiest to sell, but, the so what now what conversation hasn’t gotten any better.

Nothing will happen until we take action.

00:17:23:11

David Spark

Jeremy Hurst of Accenture Security said, quote, “I think there should be a list of no regrets on automation use cases, for example, automated provisioning of services in the cloud to minimize misconfiguration, standardized assessments for third parties, with some tailoring to service being provided,” and Simon Goldsmith of Altius said, quote, “Automation is kind of like security in that if we don’t design for it we’ll pay for the added complexity and disappointment later.” So, I like this sort of no regrets automation that Jeremy throws out, Edward, do you have any no regrets automation? Like, oh, this we can simply automate and nobody should argue about it.

Edward Frye

Oh absolutely. In a past position I had a data loss protection tool, and we had a manual process of investigate the events, create compliance tickets and kick off a whole bunch of processes and such. There was still a human element in the detection process and deciding how to handle the disposition, but, the automation of building out, and the response once it’s happened, needed to be automated. And we cut it down from 16 man hours a day worth of work on just critical events, to being able to get all of the previous 24 hours events in about two hours.

David Spark

Steve?

Steve Zalewski

Okay, I’m going to tip my hand with Simon, which was, I think Simon is spot on. If you don’t design for it you’re going to be disappointed. But, the key is the design. We’ve got to design to contain. We designed for detect and that was relatively well understood, and we keep designing for detect. We’ve got to move onto design for prevent and design for contain, and understand where that automation fits and where it fits within the maturity of your organization. If we can’t get to that conversation, Simon is exactly right for what we’re going to see, I guess my point in frustration is, why aren’t we going there now?

Close

00:19:36:09

David Spark

And let’s conclude right there. Excellent points, Steve, thank you very much, Edward. And now it comes to the point of the show where I ask you, what is your favorite quote? And why? Steve, your favorite quote and why, was it Simon’s quote?

Steve Zalewski

It absolutely was Simon’s quote, and I think that’s why, that really, for me, even as we have this conversation, helped gel in my mind, and hopefully for our listeners, what that nine box can mean to different people. But, at the end of the day, you’ve got to design for automation, but let’s get there along the path of the risk management and the detect, respond, containment.

David Spark

Alright, Edward, your favorite quote of the night?

Edward Frye

My favorite quote in this is Kyle’s quote, if you’re well versed in automation I don’t think you should be worried about losing your job. There’s still the human decision, there’s still the you need to automate more and more of the things. There’s a whole lot of things going on, and if you’re worried about the automation then you should be worried about your job.

David Spark

It’s a good point. I love it. Alright, let me thank our sponsor, AppOmni, remember, if you have issues with SaaS Security or, my guess, by the way, you don’t know if you have issues or not, they do, by the way, an amazing assessment to reveal what configuration issues and other sort of loopholes you may have in your SaaS environment, I highly recommend you check that out, just contact them, they can set it up, literally they can do a scan in as little as an hour or as much as 24 hours. It works very, very well, and I just have to say they always find something. Edward, I’m going to let you have the very last word, one question we always ask our guests is, are you hiring? So make sure you have an answer for that question, I hope you are. Steve, any last words?

Steve Zalewski

I really want to put a thank you out to the audience, I had no idea on such a simple topic that we would get such an engaged set of responses, and I want to thank people for helping me see some of my own blind spots.

David Spark

So you have a pretty low opinion of our audience, okay. I know they’re smart because I’ve been doing this show a while. I quote them constantly. Edward, any last thoughts on this topic? And please, if you’re hiring at Aryaka, or also a plug for the ISSA as well too.

Edward Frye

Yes, so, I’m always looking for good talent, I don’t have any open recs at this time. We are working on developing some recs, but, the Silicon Valley Chapter of ISSA has monthly chapter events on the third Thursday at 6:00 p.m. Pacific Time. And you can find all of that information on our website, sv-issa.org.

David Spark

We did a live recording at one of your events actually. It was a lot of fun, I had a blast. I’m hoping that we can get back to doing ones like that again. In fact, that was our fourth to last recording that we did, it was in January of 2020, and then we went to Tel Aviv and did one, then we did one in New York and then we did one in Boston, and then I flew home in early March of 2020 and then didn’t step on a plane again.

Steve Zalewski

Well I got my shot, so I’m ready.

David Spark

Alright, good, excellent. I’m getting my second next week. We’ll see. I want to thank our audience, our incredibly smart audience, for which Steve originally had a very low opinion of you, he has come around, he does not feel that way anymore, so, Steve thinks very highly of you. Prior to this show he did not. But now he does.

Steve Zalewski

That’s right. And don’t disappoint me, so now you all have to listen and give me more feedback.

David Spark

Awesome. Thank you very much Edward, thank you to our sponsor, AppOmni, and thank you, as always, I cannot stress this enough, thank you, as always, for your contribution and for listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.