In today's enterprise, the environment has outgrown the security model that was designed to protect it. A typical large organization now runs on three or more cloud service providers, dozens of SaaS services, hybrid on-premises resources and hundreds of third-party integrations, each with its own access control model, configuration requirements and compliance rules. The problem is not a lack of talent or commitment in security teams. It is that the attack surface is growing faster than any human-driven process can follow. The risks are concrete: new workloads that were never reviewed and have no security baseline, IAM policies that were copied once and forgotten, storage buckets left badly configured in a non-production account. These are live, running exposures that threat actors are actively mapping, probing and exploiting. The question is no longer whether manual security processes can keep up; the evidence has already answered that. The question is how quickly organisations can move to architectures that protect at machine speed.
How Manual Security Is Falling Apart in a Multi-Cloud World
Legacy security operations assumed a fairly static perimeter. The environment changed slowly, so engineers could audit firewall rules, review access logs and patch systems on a predictable cadence. That model does not survive a world in which a single DevOps sprint can deploy fifty new cloud resources, three new service accounts and a fresh set of network policies that never crossed a security architect's desk.

Velocity without governance produces configuration drift. This is not engineer carelessness. Cloud environments are extremely dynamic, and manual security reviews are synchronous checkpoints in an asynchronous world. An AWS environment can be audited on Tuesday and certified compliant. By Thursday, two auto-scaling events, a developer's experiment in a sandbox account and an IaC template deployed without security review have already introduced new exposure. The Tuesday certification describes an environment that no longer exists.
The deeper problem is not just that manual review is slow; at scale it is probabilistically guaranteed to miss things. An engineer juggling a stream of alerts, dozens of configuration changes and a queue of incident tickets will overlook some of them. That is not a staffing problem that more hires can fix. It is a structural mismatch between the volume of security signals a modern cloud environment generates and the cognitive bandwidth available to process them. The manual model does not scale as an organization grows from 2 cloud accounts to 200. The attack surface grows. The risk grows. The tooling and the people do not.
Reliance on periodic audits also turns manual security into a risky compliance game. A passed quarterly review means the environment satisfied a checklist at one moment in time, under one set of conditions, as assessed by one team working from a checklist that may itself be months out of date. Threat actors are not bound by the audit calendar. Any misconfiguration that appears between review cycles is an open window, and sophisticated adversaries have shown time after time that they are patient enough to wait for one.
The Pillars of Autonomous Enterprise Protection
Automated security platforms built for today's enterprise scale rest on architectural principles designed specifically to overcome the shortcomings of manual operations. They are not incremental enhancements to existing processes; they change how security guarantees are created and maintained.
- Continuous, real-time compliance monitoring closes the gaps between audits by evaluating compliance status as each configuration change lands. Instead of certifying a snapshot, automated compliance engines maintain a live view across all cloud accounts, regions and services and surface deviations within seconds of their introduction.
- Misconfigurations are remediated automatically, before an attacker can use them. If a storage bucket is made public or a security group is opened too widely, the system rolls the change back within the guardrails set by security policy, typically within seconds rather than at the next review, and logs the rollback to preserve audit-trail integrity.
- Policy-as-code enforcement brings security governance into the development pipeline and stops misconfigurations before they reach production. Security rules are written as machine-readable code that is version-controlled, tested and deployed alongside the application infrastructure, so every environment is built to the same security baseline regardless of which team built it or how fast it shipped.
- Intent-based policy management lets security architects describe a secure state at a logical level (who, what, when, where and how) and leaves translation of that intent into platform-specific controls to the automation layer. This decouples security policy from the operational details of each cloud provider's APIs, which change constantly and differ widely between providers.
- Unified security posture data across multi-cloud and hybrid deployments gives a single operational view, removing the blind spots created when different teams use different tools and disparate policies for AWS, Azure, GCP, on-premises applications and SaaS.
- Risk-based prioritisation of findings ensures automation does not simply hand analysts an ever-longer list to triage. Mature platforms enrich each finding with asset criticality, likelihood of exploitation and blast radius, so people see a small number of high-fidelity findings rather than a wall of low-fidelity noise.
- Immutable audit trails and automatic evidence collection remove the manual effort of gathering evidence for regulators. Every policy evaluation, remediation action and configuration change is recorded automatically, producing a tamper-evident, continuous record that satisfies regulatory requirements while saving analyst time.
- Drift detection and baseline enforcement define the known-good configuration for each asset class, continuously compare the live environment against it, and flag and remediate deviations before they become systemic exposure.
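As an added example (not code from the original article or from any vendor's product), here is a compact Python sketch of several of the pillars above working together: policies expressed as code, a known-good baseline with drift detection, risk-scored findings, guardrail-gated auto-remediation and a hash-chained audit log. The resource inventory, its field names, the threshold and the scoring weights are constructed assumptions for illustration, not a real cloud provider's schema.

```python
"""Policy-as-code evaluator with risk scoring, gated auto-remediation and a
tamper-evident audit log. Illustrative example; all data below is constructed."""
import copy
import hashlib
import ipaddress
import json

# Constructed inventory snapshot. Field names are assumptions, not a vendor schema.
INVENTORY = [
    {"id": "bucket-finance-exports", "type": "storage_bucket", "public": True,
     "criticality": "high", "data": "pii"},
    {"id": "bucket-dev-scratch", "type": "storage_bucket", "public": True,
     "criticality": "low", "data": "none"},
    {"id": "sg-bastion", "type": "security_group", "criticality": "high", "data": "none",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db", "type": "security_group", "criticality": "medium", "data": "pii",
     "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
]

# Known-good baseline per asset class; any deviation from these values is drift.
BASELINE = {"storage_bucket": {"public": False}}
ADMIN_PORTS = {22, 3389}


def fresh_inventory():
    """Deep copy so remediation never mutates the shared constant."""
    return copy.deepcopy(INVENTORY)


def is_world_open_admin(rule):
    # /0 prefix means the whole Internet can reach an administrative port.
    return rule["port"] in ADMIN_PORTS and ipaddress.ip_network(rule["cidr"]).prefixlen == 0


# Policy-as-code: each policy is a predicate plus a remediation that edits the resource.
def check_sg(r):
    return any(is_world_open_admin(x) for x in r["ingress"])


def fix_sg(r):
    r["ingress"] = [x for x in r["ingress"] if not is_world_open_admin(x)]


def check_drift(r):
    return any(r.get(k) != v for k, v in BASELINE.get(r["type"], {}).items())


def fix_drift(r):
    r.update(BASELINE[r["type"]])


POLICIES = [
    {"name": "sg-admin-port-world-open", "type": "security_group", "check": check_sg, "fix": fix_sg},
    {"name": "baseline-drift", "type": "storage_bucket", "check": check_drift, "fix": fix_drift},
]

CRIT = {"low": 1, "medium": 2, "high": 3}   # assumed weights
DATA = {"none": 1, "internal": 2, "pii": 3}


def risk_score(r):
    """Context for prioritisation: asset criticality x data sensitivity x exposure."""
    exposed = r.get("public") or any(is_world_open_admin(x) for x in r.get("ingress", []))
    return CRIT[r["criticality"]] * DATA[r["data"]] * (3 if exposed else 1)


def evaluate(inventory):
    """Run every applicable policy; return findings sorted highest risk first."""
    findings = [{"resource": r["id"], "policy": p["name"], "score": risk_score(r)}
                for r in inventory for p in POLICIES
                if r["type"] == p["type"] and p["check"](r)]
    return sorted(findings, key=lambda f: -f["score"])


def append_audit(log, event):
    """Chain each entry to its predecessor's hash so edits or deletions are detectable."""
    prev = log[-1]["hash"] if log else "0" * 64
    body = json.dumps(event, sort_keys=True)
    log.append({"prev": prev, "event": event,
                "hash": hashlib.sha256((prev + body).encode()).hexdigest()})


def verify_audit(log):
    prev = "0" * 64
    for e in log:
        body = json.dumps(e["event"], sort_keys=True)
        if e["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True


def remediate(inventory, log, min_score=9):
    """Guardrail: auto-fix findings at or above min_score, queue the rest for a human."""
    by_id = {r["id"]: r for r in inventory}
    fixed = []
    for f in evaluate(inventory):
        policy = next(p for p in POLICIES if p["name"] == f["policy"])
        if f["score"] >= min_score:
            policy["fix"](by_id[f["resource"]])
            fixed.append(f["resource"])
            append_audit(log, {**f, "action": "auto-remediated"})
        else:
            append_audit(log, {**f, "action": "queued-for-review"})
    return fixed


if __name__ == "__main__":
    inv, log = fresh_inventory(), []
    print("fixed:", remediate(inv, log))
    print("remaining:", evaluate(inv))
    print("audit intact:", verify_audit(log))
```

Two design points worth noting. The `min_score` guardrail is what keeps auto-remediation from becoming an outage generator: a low-criticality sandbox bucket is logged and queued rather than silently changed, while a public bucket of PII or a world-open SSH port is closed immediately. And the audit log is only tamper-evident, not tamper-proof: `verify_audit` catches an edited or dropped entry, but a real deployment would anchor the latest hash somewhere the remediation service cannot write to.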
How Automation Reduces Business Risk and Fills the Talent Gap
The cybersecurity talent shortage is not a passing market condition. The world has lacked enough skilled security professionals for years, and nothing structural suggests that will change. Organizations whose security program can only grow with headcount are building on a shaky foundation. Automation does not replace security talent; it changes the job, in a way that directly affects retention and effectiveness.

One of the biggest problems in modern Security Operations Centers (SOCs) is alert fatigue. Analysts who sift through hundreds of low-value alerts per shift see the same patterns over and over, and at that volume they triage on heuristics rather than real investigation because there is no other option. True positives buried among the false ones are delayed or missed entirely. Automated platforms can absorb the routine, deterministic work: configuration compliance, remediation of known vulnerabilities, policy enforcement. That leaves a much smaller queue for human analysts, and what remains is the genuinely hard work: threat hunting, adversarial pattern analysis, incident response coordination and strategic architecture decisions. These are the problems an experienced security engineer finds valuable to work on, and they are the ones that directly reduce organizational risk.
The business case for automation is not limited to the SOC. Every hour an expert cloud security architect spends manually auditing IAM policies or working misconfiguration tickets is an hour not spent threat modeling, designing zero-trust architectures or assessing third-party risk. That opportunity cost is large and usually invisible to leadership, because it shows up as work that was never done rather than work that failed. Automation reclaims that capacity and redirects it to strategic initiatives that strengthen the organization's risk posture instead of merely maintaining the status quo.
From a financial-risk perspective the decision is straightforward. Data breaches keep getting more expensive on average, driven by regulatory fines, incident response costs, reputational damage and business disruption. The loss from a single misconfiguration-based attack, the kind of exposure automated remediation can close in seconds, can exceed years of investment in a full automation platform. Once risk is priced in, continuing with manually driven security procedures is not the conservative option. It is the expensive one.
