Recently there’s been some chatter about the role of automation in security and whether it is appropriate as a business strategy, much less a security strategy. Jeffrey Carr states that EMC is wrong that automation is an efficiency and security necessity, and that you shouldn’t automate because “An automated solution will never stop a customized attack because the attack was designed to circumvent it!” (his emphasis). First, if there’s one thing I’ve learned over the last twenty years, it’s that you should avoid absolutes when talking about security. Second, not automating something because someone may develop a way to defeat it is like not brushing your teeth because it may not prevent every cavity; that is cutting off your nose to spite your face. Jeffrey seems to conflate EMC recommending automation in security as a necessity for efficiency’s sake with abandoning all other security policies and methods. It certainly makes for good headlines, but I don’t think anyone who reads the three articles/whitepapers quoted would really conclude that EMC is taking an “automation is everything” approach.
I do agree that an automated solution won’t protect against a customized attack designed to defeat it; that’s pretty much what I’d call self-evident. To claim that this is what EMC is calling for, though, is the very definition of a straw man argument. Automation is a necessity for efficiency’s sake as well as security’s sake. Back in 2003 I was involved in the design and provisioning of a new data center for a financial services customer. The security and system administration teams turned on just about every last bit of logging, intrusion detection, firewalling and every other policy they could think of to create a secure environment. They redirected all logging to one system for correlation and analysis and turned everything on. Before a single test/dev workload, much less a production one, was running in the data center, they had generated 1TB of alerts and logs in the first three days. Now imagine there was no automation in place: would you really want an administrator or engineer to eyeball 1TB of raw data to figure out whether there was a REAL event?
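To make the “eyeball 1TB of raw data” point concrete, here is an added example of the two things a log-analysis system automates that a human cannot do at volume: collapsing repeated events into counted templates, and correlating related events across lines into a single alert. This is example code written for this post, not EMC’s product or anything the customer above ran. It assumes a syslog-style line layout and OpenSSH’s “Failed password” / “Accepted password” message wording; the twelve log lines, hostnames and IP addresses are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in a syslog-like layout (not from the original post).
# In the real scenario this would be millions of lines, not twelve.
SAMPLE_LOGS = """\
Mar 10 02:00:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP DPT=445
Mar 10 02:00:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP DPT=445
Mar 10 02:00:02 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP DPT=445
Mar 10 02:00:03 app01 sshd[1201]: Failed password for invalid user admin from 10.0.0.7 port 51000 ssh2
Mar 10 02:00:04 app01 sshd[1202]: Failed password for invalid user admin from 10.0.0.7 port 51001 ssh2
Mar 10 02:00:05 app01 sshd[1203]: Failed password for invalid user root from 10.0.0.7 port 51002 ssh2
Mar 10 02:00:06 app01 sshd[1204]: Failed password for invalid user test from 10.0.0.7 port 51003 ssh2
Mar 10 02:00:07 app01 sshd[1205]: Failed password for invalid user guest from 10.0.0.7 port 51004 ssh2
Mar 10 02:00:08 app01 sshd[1206]: Accepted password for deploy from 10.0.0.7 port 51005 ssh2
Mar 10 02:00:09 db01 sshd[2201]: Failed password for dba from 10.0.2.3 port 40000 ssh2
Mar 10 02:00:10 app01 cron[3001]: (root) CMD (/usr/bin/logrotate)
Mar 10 02:00:11 db01 sshd[2202]: Accepted publickey for dba from 10.0.2.3 port 40001 ssh2
"""

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> <process[pid]>: <message>"
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<proc>[^\s:]+):\s+(?P<msg>.*)$"
)
# OpenSSH wording for a rejected and an accepted authentication
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")


def parse_line(line):
    """Split one syslog-style line into timestamp, host, process and message."""
    m = SYSLOG.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proc"] = re.sub(r"\[\d+\]$", "", rec["proc"])  # sshd[1201] -> sshd
    return rec


def normalize(msg):
    """Turn a message into a template so the same event with different
    variable parts (user, IP, port, counters) lands in one bucket."""
    msg = re.sub(r"\bfor (?:invalid user )?\S+", "for USER", msg)
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "IP", msg)
    msg = re.sub(r"\b\d+\b", "N", msg)
    return msg


def collapse(lines):
    """Volume reduction: count events per (host, process, message template)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["host"], rec["proc"], normalize(rec["msg"]))] += 1
    return dict(counts)


def find_suspicious_logins(lines, threshold=4):
    """Correlation: flag a source with `threshold` or more failed SSH logins,
    and raise severity if the same source then authenticates successfully."""
    failed = defaultdict(list)   # source ip -> [(host, user), ...]
    success_after = {}           # source ip -> True once an accept follows the burst
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] != "sshd":
            continue
        m = FAILED.search(rec["msg"])
        if m:
            failed[m.group(2)].append((rec["host"], m.group(1)))
            continue
        m = ACCEPTED.search(rec["msg"])
        if m and len(failed.get(m.group(2), [])) >= threshold:
            success_after[m.group(2)] = True
    alerts = []
    for src, attempts in failed.items():
        if len(attempts) < threshold:
            continue
        alerts.append({
            "src": src,
            "failed": len(attempts),
            "users_tried": sorted({u for _, u in attempts}),
            "hosts": sorted({h for h, _ in attempts}),
            "success_after_failures": success_after.get(src, False),
            "severity": "high" if success_after.get(src) else "medium",
        })
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    buckets = collapse(lines)
    print(f"{len(lines)} raw lines -> {len(buckets)} event templates")
    for (host, proc, template), n in buckets.items():
        print(f"  {n:>3}x {host} {proc}: {template}")
    for alert in find_suspicious_logins(lines):
        print("ALERT", alert)
```

Twelve lines become six templates, and the five failures followed by a success from one address become a single high-severity alert, while the lone failed login from the database admin is left in the noise. The threshold and the escalation rule are where a human still adds value: the automation finds the candidate, the engineer decides whether it is a REAL event.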
As the amount of data we create grows, the amount of automation required to manage the environment successfully must grow with it. Nearly every industry that has come before us has adopted automation to ensure that its most talented people focus on the activities that add the most value to the business rather than on mundane, trivial tasks. The auto industry went from hand-building every car to using robots for the majority of assembly. Physicists back in the day used to sit under trees and write page after longhand page of tedious mathematical equations to explain the world; now we have colliders to help us understand the universe around and within us. When I was a physics research assistant and student back in 1992, I visited Fermilab, and one of their researchers shared with me that every run of the accelerator produces enough data to require 50 man-years of analysis. Those guys were the original data scientists if you ask me.
One of my key philosophies about IT, which you can extend to pretty much any business process, is that you want to focus the bulk of your resources on as little of the environment as possible. That is to say, if you treat everything as the most important thing you have, then nothing is really important. Your most stringent policies, your most expensive hardware and software, and your most valuable engineers and architects are more effective and provide more value when they are focused on what is truly most valuable to your business. Clearly I can’t claim credit for this philosophy; it is commonly known as the 80-20 rule or the Pareto principle, although I like the term “the law of the vital few” best. What I do is try to extend it a lot further into IT and the enterprise than many of my peers.
Automation is a necessary component of IT management when there are TB, PB and ZB of data in our data centers, thousands of mobile workloads thanks to virtualization, fat pipes, multiple hot data centers, follow-the-sun (or moon) policies, 24/7 employees all over the globe, and customer expectations of near-instantaneous response to every request. Oh yeah, and hundreds of thousands of hackers and script kiddies out there, ranging from merely annoying to outright malevolent, testing the perimeters and policies of just about every enterprise and citizen these days. We can’t handle all of this manually; the trick is applying automation where it makes sense from a cost, functionality and security perspective. It may not be a silver bullet, but it is an important tool in the toolbox, and one that you, and more importantly your high-value engineers and administrators, don’t want to be without.