Automating security event processes

There's no denying that a constantly-shifting technology landscape continues to force IT departments to align themselves more closely with an organisation's business goals. Meanwhile, mergers, acquisitions and layoffs have become more common in today's economic climate, which not only intensifies the complexity of IT systems but greatly increases the threat of security breaches.

Rapid changes in the type and origin of security threats have compelled organisations to deploy a multitude of point solutions to classify, correlate, detect and remediate events. This has done little more than place over-stretched CSOs and their staff under greater pressure to meet stringent compliance and data protection requirements. Meanwhile, budgets for security teams are unlikely to grow much, if at all, over the next twelve months.

Australia and New Zealand have witnessed a growing interest from CSOs looking for ways to reduce the cost of security processes via existing operational expertise, solutions and capabilities. With no room to invest in additional resources and point solutions, CSOs want more from the capabilities they already have.

Despite the doom and gloom there is a light at the end of the tunnel. Using automation - tightly integrated across multi-vendor systems and management areas - CSOs have found they can facilitate a large number of initial security event processes, freeing up experienced resources and cutting costs.

Integrating security automation across the enterprise

What we're talking about here goes beyond simple patch management and anti-virus deployments, although that's certainly part of the solution. Today it is possible to automate critical security event management tasks, and integrate those processes across multiple systems and operational silos. This allows security and compliance teams to focus their efforts on more urgent issues while driving down security risks and costs.

Automated security event management ensures that correct procedures are followed, and that no event is mishandled or overlooked. Controls, such as audit records or segregation of duties between departments, can be automated to ensure compliance with industry or regulatory standards. Highly repetitive tasks can also be automated in order to cut labour and reduce training costs.

Security programs of this maturity require an open-process, 'vendor-agnostic' integration and automation platform. With the number of competing point solutions an enterprise is likely to have deployed, they must be able to integrate these technologies and processes regardless of the third parties and management teams involved. Typically, automated security event management focuses on the following areas:

Controlling and auditing system configuration

In multi-vendor environments, it's a significant challenge to ensure systems are appropriately configured to protect critical data, especially around exceptions to policy and server configuration changes. In many organizations, the bulk of manual effort is spent on configurations, and this is where the greatest labour reductions can be made.

It's possible to automate the assessment process, integrating reports into security and IT processes for policy exception management, remediation and change management. This could allow a misconfigured system to be identified as non-compliant, which automatically creates a service desk ticket, and manages the handling of business exceptions, approvals, and/or remediation. All without staff involvement.

Monitoring and managing user activity

To meet compliance mandates, large enterprises are required to detect and correlate suspicious activity across multiple platforms, and obtain supporting analysis in real-time. Indeed, it is this level of effort that often makes monitoring user activity impractical.