You can’t automate every business process. While I love automation and promote the concept, I know its limitations. This viewpoint needs to be recognized and observed as more security officials implement automation within their organizations.
I’d estimate that for most enterprises, the first 80 percent of migrating and integrating processes to automation is easy to do. The last 20 percent is hard to accomplish.
This breakdown helps you set realistic expectations about automation. I enjoy how automation saves time by generating useful data through repetition. But right now, data compiled from some activities still require a human being to examine the results and make a decision. You will still need a critical eye from your security operations team or managed security services provider when looking at the useful data or anomalies.
We still need to address the 20 percent and realize that the situation may not be as much of a challenge as we think initially. Here are some examples of what I mean.
Where Automation Needs a Human Touch
Your automation detects and notes that one of your executives is connecting to your network from Russia. How do you know whether that executive is actually in Russia or if someone there is impersonating that executive? For optimal security, there needs to be human interaction to review the information and determine whether to let that person should be allowed to connect.
Or consider when IT officials at a hospital used the McAfee Enterprise ePolicy Orchestrator (ePO) console to automate a deeper level scan of physicians’ laptops. This scan occurred before the physicians began their daily scans by sending over someone from the hospital’s operations department to clean the laptop and comply with HIPAA regulations. To collect the events compiled from the laptops, the IT officials used IBM® QRadar® Device Support Module (DSM) for McAfee Enterprise ePO. This platform integrated from IBM Security™ uses analytics for insights into potential threats to data.
With this setup, whenever an anomaly appeared in QRadar, such as some unusual behavior at the network level, an IT official at the hospital would right-click and add the IP address to a different scan group in ePO through the application programming interfaces (APIs). Automating that initial first pass of scanning the laptop finds these discrepancies quickly. But ultimately humans like IT officials must review the notification and send a message to McAfee Enterprise expert to clean the anomaly from the laptop themselves and confirm the anomaly was removed.
So, it’s hard to automate the 20 percent done by humans in your organization as shown here. But what the 80 percent of easy automation does for the rest of your business processes can outweigh that perceived drawback.
How and Why the 80 Percent Easy Automation Matters More
You can easily find yourself at work engulfed in an ocean of data. Indicators from your automation help you find out what’s important. Activity from the endpoints of your network gives you or an MSSP a view of what’s happening with your data.
Most systems today have everything connected to the internet. The endpoints interact with your network. Having broad visibility and detection across your network — whether it’s looking at DNS logs, proxy logs, traffic and so on — allows you to correlate information and identify what’s taking place right now.
The real-time aspect of automation for data on your network is vital important. Threats to your network depends both on how much time they require to activate and how long before they are detected and remediated. Automation that’s easy to implement helps find attacks quickly with a real-time detection engine that can minimize the damage that takes place.
Experts at McAfee Enterprise and our partners at IBM Security can help with troubleshooting by providing support for the 20 percent automation you can’t fulfill. You can investigate a full lifecycle of endpoint events using McAfee Enterprise MVISION and IBM QRadar integrated together. And you can automate remediation with the IBM Security SOAR (security orchestration, automation and response) platform.
With these tools, you can integrate the data available from threat feeds in one platform for better visibility and context. IBM’s managed security services experts can help you answer questions around how to best configure, administrate and manage endpoint security incidents based on that data collected by automation.
We can also help you learn about other technologies and trends that are happening that our experts deal with every day. Consultants can help you identify how to lower or minimize costs of attacks and breaches as well as work proactively to address these issues. Automation can’t provide you with these resources, but we can.
What to Expect for the Future
We have researchers at work looking how to merge that last hard 20 percent of automation implementation into the 80 percent of easy migration and conversion. For now, accept the notion that automation can handle most tasks for your organization and save you time and costs in the process. And what automation can’t do in those areas, we at McAfee Enterprise and IBM Security can help fill in the gaps.
Learn more about what automation with expert support can do for you by reviewing the features of MVISION Endpoint Security and IBM Managed Security Services. Or schedule a free 30-minute consultation with IBM Security by clicking the “Let’s talk” button on the IBM Managed Security Services homepage.