Automation and integration have been changing the face of the cyber security industry, and of the IT sector as a whole, for a long time. The saying "work smart, not hard" was coined by Allan H. Mogensen almost a century ago, and yet many people were surprised by the results of the experiment that Microsoft carried out in 2019 at its branch in Japan. The company shortened the working week to four days and reported that productivity, measured as sales per employee, rose by about 40%. Since then, many other companies and governments in different countries have set out to conduct similar experiments and observe their results.
Are there employees who would not like to spend less time working while receiving the same salary? Does it make sense, in the 21st century, to measure work efficiency and commitment by the number of hours spent at work and the level of fatigue? Do such measures make sense in the cyber security industry? In this article, we outline how automation and integration help to bridge the skills gap in cyber security, and how to make use of them.
Automation and Integration — the Mantra of the IT Industry
The IT industry relies heavily on automation and integration to increase efficiency. In the 1990s, a large number of companies used Novell solutions to manage large numbers of machines, services and users efficiently. Two decades later, Microsoft could claim dominance in this segment: according to its own figures, 95% of Fortune 1000 companies used Active Directory, a directory service that enables convenient management of corporate infrastructure at any scale.
The trend towards automation and integration has also affected software development, where the flagship acronym is CI/CD, which stands for Continuous Integration and Continuous Delivery. Continuous Integration means that newly created and modified code is merged and verified continuously. The integration consists of running a series of automated processes whose purpose is to determine whether a given change meets the assumed quality criteria: tools are launched that assess code quality and calculate various metrics, and automated tests are run to check whether the change has broken another part of the application. Security checks such as static analysis and dependency scanning fit naturally into this stage, because a finding blocks the change before it goes any further.
Continuous Delivery, in turn, refers to the automated process of delivering a fresh version of an application to pre-production test environments or even directly to end users. Typically it takes place after Continuous Integration has completed, and its purpose is precisely to deliver the current version of the application to its destination (when the final step into production is also automatic, the practice is usually called Continuous Deployment). How often delivery happens depends on the release cycle of a given product: web applications are updated every day or even several times a day, while applications that require users to download updates are released much less frequently. Releasing new versions frequently and in small increments is often described as a rapid release cadence; it should not be confused with Rapid Application Development (RAD), which is an older, prototyping-based development methodology rather than a release practice.
This type of approach would not be possible without the transition to a more flexible, iterative model of project development, in which even relatively short periods of work bring significant changes in the form of new functionality, improvements or fixed bugs. You get the right impression that everything revolves around increasing efficiency while maintaining quality, with automation and integration at the heart of these activities.
From Scripts to SOAR — Automation and Integration in Cyber Defense
Automation and integration are important elements that increase the effectiveness of the people responsible for security in companies. However, it is easy to overlook many elements of this area, because they have long since become normal and commonplace.
Antimalware software installed on workstations automatically analyzes launched applications and opened files for threats. Endpoint Detection and Response (EDR) agents go a step further by sending data on suspicious events to a central console and taking more complex remedial actions, such as isolating a host or terminating a process, in an automated manner. Mail security gateways automatically update lists of suspicious sender addresses and evaluate every processed email against a long list of attributes; if the email contains an attachment, it is automatically analyzed, often in a sandbox, for potential harm. Security teams implement Security Information and Event Management (SIEM) tools to aggregate log data and correlate security events.
Companies that are particularly attractive targets for attackers enrich their sources of information about threats by purchasing access to Threat Intelligence feeds from specialized providers. These feeds (indicators such as malicious IP addresses, domains and file hashes) are updated on an ongoing basis and can be consumed by all the security solutions used in the organization. As a result, the time between detecting a threat and blocking its source can be significantly reduced, with relatively little human involvement in the process.
In recent years, a set of many automated and integrated solutions and processes has come to be known collectively as Security Orchestration, Automation and Response (SOAR). The easiest way to picture it is as a largely autonomous factory, in which routine processes run without direct human participation and people are called in only for the decisions that a playbook cannot safely make on its own. A properly implemented SOAR lets security specialists focus on proactive activities and stay one step ahead of potential attackers, narrowing the margin of error that even advanced attackers can exploit. The popularity of this approach is illustrated by the fact that nearly 40% of respondents to last year's SANS survey described their company's level of cybersecurity automation as high or medium.
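To make the SIEM, Threat Intelligence and SOAR steps above concrete, here is an added example in Python (not code from the original article, and not tied to any product). It runs a small playbook over a batch of constructed sshd log lines: it parses them, correlates failed logins per source address (a SIEM-style brute-force rule), enriches each address against a constructed threat-intelligence list, and then decides what an automated response should be. The log lines, the TI entries, the thresholds and the action names are all assumptions made for the example; the year passed to the parser is assumed too, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH/syslog style (not real traffic). Addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 10 09:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Mar 10 09:00:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51113 ssh2
Mar 10 09:00:04 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51114 ssh2
Mar 10 09:00:05 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51115 ssh2
Mar 10 09:00:06 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51116 ssh2
Mar 10 09:00:09 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 51117 ssh2
Mar 10 09:01:30 web1 sshd[2130]: Failed password for alice from 198.51.100.23 port 40001 ssh2
Mar 10 09:15:00 web1 sshd[2200]: Failed password for bob from 192.0.2.44 port 40222 ssh2
Mar 10 09:20:00 web1 sshd[2201]: Accepted publickey for bob from 192.0.2.44 port 40223 ssh2
"""

# Constructed threat-intelligence feed (hypothetical): IP -> tag assigned by the provider.
TI_FEED = {"198.51.100.23": "scanner"}

FAILURE_THRESHOLD = 5          # this many failures ...
WINDOW = timedelta(minutes=1)  # ... inside this window is treated as brute force

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_events(log_text, year=2023):
    """Turn sshd lines into (timestamp, outcome, user, ip) tuples; non-matching lines are skipped.
    Syslog lines carry no year, so one is assumed here."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["outcome"], m["user"], m["ip"]))
    return events

def detect_brute_force(events):
    """SIEM-style correlation: FAILURE_THRESHOLD or more failures from one IP within WINDOW.
    Returns {ip: {"failures": n, "succeeded_after": bool}} for each offending IP."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, outcome, _user, ip in events:
        (failures if outcome == "Failed" else successes)[ip].append(ts)
    findings = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= WINDOW:
                j += 1
            if j - i + 1 >= FAILURE_THRESHOLD:
                # A successful login after the burst turns "attempt" into "likely compromise".
                succeeded = any(t > times[j] for t in successes.get(ip, []))
                findings[ip] = {"failures": j - i + 1, "succeeded_after": succeeded}
                break
    return findings

def enrich(ip, ti_feed=TI_FEED):
    """TI enrichment: the feed's tag for the IP, or None if the feed has never seen it."""
    return ti_feed.get(ip)

def decide_response(finding, ti_tag):
    """Playbook decision. Only unambiguous cases get a fully automatic action; a probable
    compromise also pulls in an analyst (the human-in-the-loop step)."""
    if finding and finding["succeeded_after"]:
        return "isolate_host_and_escalate"
    if finding or ti_tag:
        return "block_ip_at_firewall"
    return "no_action"

def run_playbook(log_text, ti_feed=TI_FEED):
    """Whole pipeline: parse -> correlate -> enrich -> decide. Returns {source_ip: action}."""
    events = parse_events(log_text)
    findings = detect_brute_force(events)
    return {ip: decide_response(findings.get(ip), enrich(ip, ti_feed))
            for ip in sorted({e[3] for e in events})}

if __name__ == "__main__":
    for ip, action in run_playbook(SAMPLE_LOG).items():
        print(f"{ip:16} -> {action}")
```

With the sample above, 203.0.113.7 (five failures in a few seconds, then a successful root login) is isolated and escalated, 198.51.100.23 (one failure, but flagged by the feed) is blocked automatically, and 192.0.2.44 (one failure followed by a normal key-based login) gets no action. The point of the structure is that each stage is a small, testable function, which is what allows the whole thing to run without a person watching it.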
Purple Revolution — Automation and Integration in Security Testing
The security testing industry also benefits from automation and integration, although most of the key decisions remain in the hands of security testing specialists. In their work, they use a wide range of solutions that save time by delegating monotonous tasks to specialized tools that present their results in a clear form.
You can get a list of open ports on a large number of machines with the nmap utility. The Nessus vulnerability scanner will report the weaknesses it finds. Burp Suite supports web application tests with its own vulnerability scanner and with tools such as Intruder (which generates large numbers of HTTP requests with carefully selected parameters) or Sequencer (which automatically examines the quality of randomness of session tokens). Examples of such applications, and of smaller scripts, could be multiplied. The effect of using them is to reduce the cost of security tests and increase their quality, because experts can spend more of their time finding the less obvious errors that are beyond the reach of machines.
Integration brings benefits in this area as well. Many companies still operate a model with strong separation between the defensive security team and the security testing team. An approach called Purple Teaming, which has been gaining popularity for several years, reverses this trend: the two teams work in close cooperation. Offensive specialists look for further potential attack paths, and based on this information the defenders implement controls that prevent the given attacks, or detection rules that identify and counter them. The positive effect of such cooperation is a much faster increase in the organization's security level.
Increased efficiency also applies to cybercriminals. Although their actions lack ethics, it cannot be denied that in most cases they are also exceptionally bright and efficient. It is difficult to imagine managing botnets, often consisting of millions of hijacked computers, without a sufficiently high level of automation and integration of the components responsible for the various stages of the criminal operation.
Cooperation, or integration, in this profession is no surprise either. Researchers of underground markets noticed some years ago a trend towards specialization in particular areas of cybercriminal activity and the sale of these capabilities as services. Some criminals specialize in compromising computers and selling access to them, others in extracting valuable data from compromised machines, and others in monetizing that data (for example, credit card data) and laundering the proceeds.
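As an added example (not code from the original article, and not part of nmap or any other tool named above), the following Python script shows the kind of small helper a tester writes around such tools so that results arrive "in a clear form": it parses the XML that `nmap -oX` produces, keeps only open ports on hosts that are up, and diffs the result against the asset owner's allowlist so that unexpected services surface immediately instead of being read off a long listing by hand. The XML below follows nmap's real output structure but is a constructed sample; the addresses, hostnames and the allowlist are invented for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sS -oX -` output (fictional hosts and ports).
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sS -oX - 192.0.2.0/29" start="0" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" method="table" conf="3"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" method="table" conf="3"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" method="table" conf="3"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" method="table" conf="3"/></port>
      <port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/><service name="smtp" method="table" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" method="table" conf="3"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server" method="table" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed allowlist (hypothetical): what the asset owner says should be reachable.
ALLOWED = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "192.0.2.11": {("tcp", 22)},
}

def parse_open_ports(xml_text):
    """Return {ip: {(protocol, port): service_name}} for open ports on hosts that are up.
    Filtered/closed ports and hosts that are down are dropped, since they are noise here."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # this example only handles IPv4 entries
        open_ports = {}
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            open_ports[key] = svc.get("name") if svc is not None else "unknown"
        result[addr.get("addr")] = open_ports
    return result

def find_unexpected(scan, allowed=ALLOWED):
    """Diff the scan against the allowlist: {ip: [(protocol, port, service), ...]} for every
    open port the owner did not declare. A host missing from the allowlist has all of its
    open ports reported, which is the safe default for an unknown asset."""
    unexpected = {}
    for ip, ports in scan.items():
        permitted = allowed.get(ip, set())
        extra = sorted((p, n, s) for (p, n), s in ports.items() if (p, n) not in permitted)
        if extra:
            unexpected[ip] = extra
    return unexpected

if __name__ == "__main__":
    for ip, extras in find_unexpected(parse_open_ports(SAMPLE_NMAP_XML)).items():
        for proto, port, service in extras:
            print(f"{ip}: unexpected {proto}/{port} ({service})")
```

On the sample, the script reports MySQL exposed on the web server and RDP on the second host, while the filtered SMTP port and the host that is down are ignored. Against a real scan you would feed it the file written by `nmap -oX scan.xml ...` and keep the allowlist in version control next to the asset inventory, so the diff also catches services that quietly appear between two scans.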
Learn Smart, Not Hard
Since automation and integration bring benefits in so many areas, it is not surprising that the trend is slowly reaching cyber security education as well. A large part of this market is still occupied by providers of classic training based on theoretical presentations from a projector, supported by very simple practical tasks in the Bring Your Own Laptop (BYOL) model, where each participant arrives with their own laptop and installs one or two virtual machines on it to act as an amateur "laboratory".
Fortunately, cyber security courses delivered on dedicated online platforms have been gaining popularity for some time. More and more people see the benefits of such solutions: a greater number of regularly updated audio-visual materials and much more extensive practical labs, at a price comparable to or lower than classic training.
Online platforms for raising competences in cyber security are not yet the peak of the technology, however. For several years, solutions known as cyber ranges have been developed. The term is used in two senses.
First, a cyber range can be an advanced training center consisting of physical locations and instructors, but above all of a set of cooperating applications used in the teaching process. Training centers of this kind are at the disposal of NATO, of the large NATO countries and of every major country with sufficiently high ambitions in cyber security.
Second, the term is used for multifunctional platforms designed to conduct advanced and realistic training of varying complexity and scale. Typically, such platforms are the heart of the aforementioned training centers, and it is in this sense that the term cyber range is used in the rest of the article.
A frequent oversimplification is to regard cyber range platforms as intended solely for training. In fact, the range of uses is much wider. First, apart from cyber security, platforms of this type can be used for training on basically any topic from the IT world, and often also ICS (industrial control systems). Second, such platforms are a convenient place to build a digital twin of a fragment of the organization's infrastructure for use as a test environment. Another application worth mentioning is the evaluation of security products before purchasing and deploying them organization-wide. A cyber range with the appropriate level of automation and extensive integration options brings benefits on many levels.
Automation and Integration to Eliminate Cyber Security Skills Gap
For several years we have been developing our proprietary cyber range, CDeX. The platform builds on experience with earlier generations of cyber ranges, and every aspect of its operation has been designed to work markedly better than previous solutions. An extremely important distinguishing feature is the strong emphasis on automation and integration, visible from the mechanisms responsible for installing the platform through to fully automated training.
The platform can be deployed in whichever way suits the organization. The on-premise variant can be installed on the organization's own private cloud or on a public cloud of any type; alternatively, thanks to full automation, the cloud variant can be set up in less than 30 minutes.
Training can be fully automated. Software overseeing the course of the training triggers the individual attacks that are the subject of a given exercise at the appropriate moments. These attacks are carried out with real tools used by cybercriminals, which allows a high degree of realism to be maintained.
Each attack is preceded by a reconnaissance phase and followed by post-exploitation activities. The trainee can observe the entire process carried out by the attacker and try to detect the attempts, counteract them or limit their effects. Automation also covers neutral events taking place in the infrastructure launched for the training. This strengthens the realism, because the trainee finds in the output of various tools not only the attacker's activity but also the activity of legitimate users, and must tell the two apart.
By tracking the participants' actions, the platform can generate a post-training report containing information on the actions taken. This allows conclusions to be drawn from the exercise, strengths and weaknesses to be identified and the next stages of development to be planned. Full automation of the training process also makes it possible to run advanced training for a very large number of participants. There is also nothing to stop trainees from revisiting a given issue repeatedly, learning things that may previously have escaped their attention.
In accordance with the principles of automation and integration, the cyber range can be integrated with the systems used in the company through its extensive API. Users can log in with their Active Directory accounts, and the mechanisms that run training can be connected to the company's e-learning system, which can in turn use the API to retrieve training results. The API has many other uses; for example, it can be used to upload your own machine images for use in training and to modify training scenarios.
What else is worth mentioning about automation and integration in the fight against the cyber security skills gap? Certainly the possibility of modifying the existing training networks, or creating your own from virtual machines provided by the platform, self-built virtual machines or images of real systems used in the organization. Networks of this type can be used to create original training tailored to the company, and also to create test or evaluation environments.
Connecting virtual networks to physical elements that cannot be virtualized, or whose virtualization is not worthwhile, is also not a problem. Physical routers, switches, firewalls, Wi-Fi access points, USB devices and even ICS controllers can be connected to the platform. This wide range of technical possibilities means that a cyber range can be used in many areas. First of all, it allows the competences of cyber security experts to be raised, as well as those of specialists in other fields, such as IT or ICS.
Potential changes can be checked more effectively before they are implemented in production environments, and products can be assessed more reliably before they are purchased and deployed in the organization. A high-quality cyber range is another step beyond SOAR that allows organizations to achieve even greater cyber resilience.
Automation and integration save experts valuable time by reducing repetitive and tiring activities, leaving more attention for tasks that require real skill and creativity. This both increases the quality of work and raises employee satisfaction.
Automation and integration have proven effective both in the IT industry and in cyber security, where they have helped to reduce the negative effects of the so-called cyber security skills gap. It is becoming clear that the skillful use of automation and integration is a trend that will continue to narrow that gap.