It is well understood that finding the right cybersecurity approach for organisations is becoming increasingly difficult given the fundamental challenges facing the market today.
Cloud migration, IoT and interconnectedness have increased the attack surface, while the number and scale of attacks continue to increase in velocity and scope.
Oracle has recognised these changes for a number of years and believes the best tool to address these challenges is automation.
At OpenWorld, Oracle’s CEO Larry Ellison talked about the cybersecurity war and that - with skill shortages plaguing the industry - it will only be won if we pit computers against computers.
To talk about how Oracle is using automation to fight back, we talked to Rohit Gupta, Oracle VP of cybersecurity.
Gupta talked about how he has seen a change in the market over recent years and how automation is the key asset in the cybersecurity war.
If you look at the types of security threats that were typically impacting enterprises 10 years ago, it would mostly be around defacing a website or other things that were generally considered to be annoyances more than anything else.
In 2017 the reality of the world is completely different. It’s about highly organised and funded organisations - in some cases nation-sponsored attacks - that are targeting the ‘crown jewels’, being things like sensitive or private data, PII information, healthcare data or financial data.
In many situations, these attacks start in a sort of benign way and remain latent in your network for days or weeks before rearing their ugly heads. These are the challenges that organisations are facing every day and the landscape has never been more intense than it is right now.
With the talent war, and the shortage of folks that generally have the deep triaging and forensic acumen, the reality is that the enterprise can’t rely on the human workforce at every single step of the way to be able to conduct security activities and essentially remediate the environment back to a steady state.
To work on that, Oracle’s focus is really around two specific anchors: one is focusing on analytics powered by machine learning. The other is providing a whole set of automation capabilities that allow an organisation to conduct orchestration with supervised approval - or completely automated remediation - which facilitates the restoration of the environment back to a steady state.
I think the velocity, depth and volume of the attacks have made it almost impossible for traditional approaches of forensics and remediation to be tenable. The reality is that security teams are overloaded with alerts, and they see hundreds of thousands of alerts every day - every hour in some cases - and so automation plays an incredibly critical role.
It’s important that automation is delivered in a couple of different flavours. Those are automation for forensics and then automation for remediation; you need both. Once analytics can be delivered against a data set that consists of telemetry coming from security and operational data events, automation can play a role.
You can orchestrate changes with approvals, for example, if you detect suspicious activity for a specific user, you can take remedial action and suspend the user's account. However, if the user is an executive maybe you’ll want to essentially ensure there are another set of eyeballs looking at it before taking that action.
The other aspect of automated remediation is where you can deliver the change without human intervention. In some cases, this might be appropriate, such as when there is a particular vulnerability that was detected and a patch needs to be implemented and through policy that can be done whilst the system is alive.
It generally just accelerates the ability of the enterprise to respond to potential threats, so that's how I see it playing a fundamental role.
I do think it's a combination of two things. The first one is, the reality is that a lot of these algorithms that essentially work in an automated fashion have to be trained, and in many cases human intervention in the form of supervised, algorithmic work is really what will assist in making sure that both the analytics and the automation are conducted in the right manner.
I do believe that there are certain types of automated remedial changes that could be conducted with minimal supervision, and examples of that would be solutions that are much more deterministic in nature. So if we think about encryption, and if an automated solution detects that it isn’t turned on, we don’t really need another set of eyes to tell us that we need to turn it on.
In some scenarios, automation absolutely will be the appropriate path to take in order to accelerate productivity and dramatically reduce the required manual effort that is time-consuming. However, there are going to be certain activities where human intervention and approval is absolutely required.
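As an added illustration of the split Gupta describes between supervised and fully automated remediation (a deterministic control such as encryption being switched off is fixed directly, a high-risk anomaly on an ordinary account is acted on automatically, and the same anomaly on a privileged account waits for a second set of eyes), here is a small routing policy in Python. It is example code written for this article, not Oracle's orchestration and remediation service; the finding kinds, the risk-score threshold and all field names are constructed assumptions.

```python
"""Remediation router: supervised vs. fully automated actions (added example)."""
from dataclasses import dataclass, field
from enum import Enum

# Assumed, constructed finding kinds whose fix is deterministic and safe to apply
# without approval (the article's "encryption isn't turned on" case).
DETERMINISTIC_KINDS = {"encryption_disabled", "patch_missing"}
ANOMALY_THRESHOLD = 80  # assumed risk-score cutoff for acting on a user anomaly


class Mode(Enum):
    AUTO = "automated"          # apply without human intervention
    SUPERVISED = "supervised"   # apply only after a named approver signs off
    MONITOR = "monitor"         # below threshold: record it, take no action


@dataclass
class Finding:
    kind: str
    target: str                     # system or user the finding concerns
    risk_score: int = 0
    privileged_target: bool = False  # e.g. an executive account


@dataclass
class Decision:
    finding: Finding
    mode: Mode
    action: str
    reason: str


def route(f: Finding) -> Decision:
    """Map a finding to a remediation mode and action (policy is an assumption)."""
    if f.kind in DETERMINISTIC_KINDS:
        return Decision(f, Mode.AUTO, f"fix:{f.kind}",
                        "deterministic control; no second set of eyes needed")
    if f.kind == "user_anomaly":
        if f.risk_score < ANOMALY_THRESHOLD:
            return Decision(f, Mode.MONITOR, "none",
                            f"risk {f.risk_score} below threshold {ANOMALY_THRESHOLD}")
        if f.privileged_target:
            return Decision(f, Mode.SUPERVISED, "suspend_account",
                            "privileged account; human approval required")
        return Decision(f, Mode.AUTO, "suspend_account",
                        f"risk {f.risk_score} at or above threshold")
    # Anything the policy does not recognise goes to an analyst rather than auto-acting.
    return Decision(f, Mode.SUPERVISED, "investigate", "unknown finding kind")


@dataclass
class Orchestrator:
    """Applies AUTO decisions immediately; holds SUPERVISED ones until approved."""
    applied: list = field(default_factory=list)   # (target, action, actor)
    pending: dict = field(default_factory=dict)   # target -> Decision awaiting approval

    def submit(self, d: Decision) -> str:
        if d.mode is Mode.AUTO:
            self.applied.append((d.finding.target, d.action, "system"))
            return "applied"
        if d.mode is Mode.SUPERVISED:
            self.pending[d.finding.target] = d
            return "pending"
        return "monitored"

    def approve(self, target: str, approver: str) -> bool:
        """A supervised action is applied only once, and only with a named approver."""
        if not approver or target not in self.pending:
            return False
        d = self.pending.pop(target)
        self.applied.append((target, d.action, approver))
        return True


def demo() -> dict:
    """Run a constructed batch of findings through the router and orchestrator."""
    findings = [  # constructed sample input, not real telemetry
        Finding("encryption_disabled", "db-prod-1"),
        Finding("user_anomaly", "cfo", risk_score=95, privileged_target=True),
        Finding("user_anomaly", "intern", risk_score=91),
        Finding("user_anomaly", "bob", risk_score=20),
    ]
    orch = Orchestrator()
    outcomes = {f.target: orch.submit(route(f)) for f in findings}
    orch.approve("cfo", "analyst-1")  # the second set of eyeballs signs off
    return {"outcomes": outcomes, "applied": orch.applied, "pending": list(orch.pending)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The important design point is in `approve`: a supervised action can never be applied by the system itself, and an empty approver string is rejected, so the audit trail in `applied` always records who authorised each non-deterministic change.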
There are a range of capabilities that make up the management and security cloud offerings. Some of them include security monitoring and analytics capabilities, our configuration and compliance cloud service as well as Oracle’s Cloud Access Security Broker (CASB) offering.
In several of these, there are automated capabilities built-in around analytics, machine learning and the ability to conduct forensic triaging to essentially determine why there are specific outcomes that are being suggested. For example, if there is a user behaviour anomaly that is detected, the service has a native ability to go in and conduct an investigation and come up with a risk score for a user which tells you what happened and why the user's risk score is high.
Additionally, the security and management cloud also includes - very specifically - what is known as an orchestration and remediation service, which is purpose-built for automated changes. So if you have a situation where you need supervised automated change where user privilege needs to be updated or their role needs to be augmented for a certain thing, that can be done.
This additional service gives enterprises the ability to deliver automation across forensics, behavioural analytics and also both supervised and truly automated remedial changes.
We’re certainly going to push the envelope in automation. We truly see that this particular cyber war results in such massive exposure to enterprises, and our customers are dealing with a serious lack of manpower. So we will absolutely continue to push the innovation agenda on automation.
My personal belief is that there will always be room for supervised automation with supervision, for instance, if we get to a point where 70% of the workflow could be automated, we will still require 30% to consist of human approval. Although with organisations increasingly taking workloads to the cloud, automation is going to become a key factor in the next phase of the cybersecurity war.