{"id":98608,"date":"2022-11-29T14:57:22","date_gmt":"2022-11-29T14:57:22","guid":{"rendered":"https:\/\/www.cloudcomputing-news.net\/?p=98608"},"modified":"2022-11-29T14:57:25","modified_gmt":"2022-11-29T14:57:25","slug":"james-todd-kpmg-on-automation-and-machine-learning-as-the-future-of-security","status":"publish","type":"post","link":"https:\/\/www.cloudcomputing-news.net\/news\/2022\/nov\/29\/james-todd-kpmg-on-automation-and-machine-learning-as-the-future-of-security\/","title":{"rendered":"James Todd, KPMG: On automation and machine learning as the future of security\u00a0"},"content":{"rendered":"\n
James Todd, SecOps director at KPMG, describes his role as a merging of SecOps, security architecture, and cloud security. It is a particularly interesting crossing point with regard to automation.\u00a0<\/p>\n\n\n\n
\u201cIt\u2019s at that intersection of the cloud environment, being very much aligned to deploying everything as code,\u201d says Todd. \u201cA lot of automation is a big part of that. Being able to take dynamic action within a cloud environment is much easier and well-versed than within a traditional data centre or on-premises environment. The controls available to us are much more dynamic. <\/p>\n\n\n\n
\u201cThat doesn\u2019t preclude us from being able to do things within security controls on the endpoint or within on-premises data centres, but it\u2019s a different approach.\u201d <\/p>\n\n\n\n
Research from the Enterprise Strategy Group in October found that almost half (46%) of SOC teams are automating security operations processes \u2018extensively.\u2019 Alongside this, more than half (52%) of respondents agreed with the statement that security operations were more difficult now than two years ago. <\/p>\n\n\n\n
It is not surprising, therefore, that getting automation to work within the security operations centre (SOC) is a major point of emphasis for KPMG. One note from the professional services firm last year insists that automation can have a \u2018significant and positive impact on the effectiveness of CISOs and their teams.\u2019 Another, a month later, put automation, alongside upskilling and diversity, as one of the three key approaches to bridging the cybersecurity skills gap.<\/p>\n\n\n\n
Todd\u2019s unit provides SecOps consultancy and operations for financial services organisations. There are two primary types of client. The first has little in the way of security operations: either an organisation that has grown in size and needs a more formal process, or a more established one that wants to tread the line between \u2018dynamic change within their environment plus continuous change in the threat landscape,\u2019 as Todd puts it. The second type needs to go to the next level, and this is where automation can come in.<\/p>\n\n\n\n
\u201cOnce that established playbook or workbook has been created in relation to a particular threat, or a particular way that incidents are handled, we look then to introduce automated processes that reduce the repetitive task element within security operations initially, and then move to the higher end of automation and introduce some level of autonomy,\u201d says Todd. \u201cSo the SOC can react to threats in as near real-time as possible.\u201d <\/p>\n\n\n\n
Getting the balance right between automated tooling and human resources is a longstanding head-scratcher for executives. Writing in Security Week in November, Marc Solomon sums the problem up succinctly: \u2018using automation to make your people more efficient, and using your people to make automation more effective.\u2019 <\/p>\n\n\n\n
The simplest part of automation, Todd explains, is the robotic process automation (RPA) element, which frees time for the SOC analyst to work on incident handling, threat hunting, and other vital tasks. The next step is to move towards technologies such as machine learning to lead to more intelligent decision-making \u2013 or machine-led decision-making. \u201cThe platform builds trust in those actions and understands the impact of a particular action playing out,\u201d says Todd.<\/p>\n\n\n\n
\u201cIf I see a particular indicator file within my environment that is correlated with threat intelligence, and I know the asset that has been targeted, that asset\u2019s security posture and also its susceptibility to the attack that\u2019s being aimed at it, I can then use machine learning to inform a number of decisions that I can take,\u201d he adds. \u201cAll the way through from quarantining that particular asset, limiting its movement, playing out particular activities that allow us to gain some further intelligence.\u201d <\/p>\n\n\n\n
Todd references the influential MITRE ATT&CK matrix, first released in 2015, which catalogues hundreds of adversary techniques, grouped by tactic, across enterprise platforms. While ATT&CK is not laid out in a particular linear order, its \u2018initial access\u2019 tactic covers the point where an attacker gets a foothold in an organisation\u2019s environment. This is where Todd wants his team to be.<\/p>\n\n\n\n
\u201cThe optimal goal for us is to get to a point where we\u2019re taking action or intervening at the point that the attack is first observed within the cyber kill chain,\u201d says Todd. \u201cReally being slick around being able to observe and take action around the first point that an attacker tries to enter an environment.\u201d <\/p>\n\n\n\n
Todd, who is speaking at the Cyber Security & Cloud Expo Global in London on December 1-2 about cloud security, adds that the most commonly used form of machine learning within cyber defences is anomaly detection. For now, that is where machine learning\u2019s role in security automation is likely to stay. <\/p>\n\n\n\n
\u201cI think [where] the human element comes into it is that machine learning is good at spotting outliers and anomalies,\u201d says Todd. \u201cThe decision making, certainly for the moment, will reside within the analyst, within the SOC. <\/p>\n\n\n\n
\u201cThose analysts [will] be codifying and transferring their well-proven, well-exercised playbooks, or converting those playbooks into an automated approach,\u201d adds Todd. \u201cBut I don\u2019t think that we\u2019re quite yet at the time where we\u2019ve got full autonomy on decision-making.\u201d<\/p>\n\n\n\n
(Photo by Tim Mossholder on Unsplash)<\/p>\n\n\n\n
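The tiered flow Todd sketches above (an outlier detector raises the alert, the observed indicator is correlated with threat intelligence, the asset's posture and susceptibility decide how far automation may go, and destructive decisions stay with the analyst) written out as a Python playbook. This is an added illustration for this article, not KPMG's tooling or any vendor's API. The threat-intel confidence scores, asset inventory, per-host connection counts, the 0.9 confidence cut-off and the 3.5 outlier threshold are all constructed or assumed values; the 0.6745 factor is the standard constant that scales a median absolute deviation to a z-score.

```python
"""Tiered SOC response playbook (added illustration, not KPMG's tooling).

Flow: a robust outlier check over per-host telemetry raises the alert; the
observed indicator is correlated with threat intelligence; the asset's
posture decides how far automation may go on its own. Only a high-confidence
indicator on an unpatched, low-impact host is actioned without an analyst.
All indicators, assets, counts and thresholds below are constructed/assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import median

# Constructed threat-intel feed: indicator -> confidence it is malicious.
THREAT_INTEL = {
    "sha256:e3b0c44298fc1c149afbf4c8996fb924": 0.95,  # known loader
    "sha256:7d865e959b2466918c9863afca942d0f": 0.55,  # weak OSINT hit
}


@dataclass(frozen=True)
class Asset:
    name: str
    patched: bool       # patched against the technique the indicator is tied to
    crown_jewel: bool   # outage has business impact: no unattended isolation


# Constructed asset inventory (posture is what makes the decision tiered).
ASSETS = {
    "ws-017": Asset("ws-017", patched=False, crown_jewel=False),
    "db-prod-01": Asset("db-prod-01", patched=False, crown_jewel=True),
    "ws-042": Asset("ws-042", patched=True, crown_jewel=False),
}

# Constructed telemetry: outbound connections per host in one interval.
OUTBOUND_COUNTS = {
    "ws-017": 1480, "ws-042": 31, "ws-003": 27, "ws-008": 35,
    "ws-011": 29, "ws-015": 33, "db-prod-01": 40, "ws-021": 30,
}


def robust_z_scores(counts: dict[str, int]) -> dict[str, float]:
    """Modified z-score (median/MAD). Unlike mean/stddev, a single extreme
    host cannot drag the baseline towards itself and hide."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # guard: constant input
    return {host: 0.6745 * (v - med) / mad for host, v in counts.items()}


def anomalous_hosts(counts: dict[str, int], threshold: float = 3.5) -> set[str]:
    """Hosts whose activity is an outlier against the fleet baseline."""
    return {h for h, z in robust_z_scores(counts).items() if z > threshold}


def decide(host: str, indicator: str, anomalous: set[str]) -> dict[str, object]:
    """Pick an action tier. 'auto' is True only where the playbook is trusted
    to act without an analyst approving it first."""
    confidence = THREAT_INTEL.get(indicator, 0.0)
    asset = ASSETS.get(host)
    if asset is None:
        # Unknown posture: never automate against an asset we cannot assess.
        return {"action": "queue_for_analyst", "auto": False,
                "reason": "asset not in inventory"}
    if confidence >= 0.9 and not asset.patched and not asset.crown_jewel:
        # Known-bad indicator, host is susceptible, isolation is cheap: act now.
        return {"action": "isolate_host", "auto": True,
                "reason": "high-confidence IOC on susceptible host"}
    if confidence >= 0.9 and asset.crown_jewel:
        # Propose limiting lateral movement; a human approves before it runs.
        return {"action": "restrict_egress", "auto": False,
                "reason": "high-confidence IOC on crown jewel"}
    if confidence > 0.0 or host in anomalous:
        # Weak or uncorrelated signal: collect evidence, do nothing destructive.
        return {"action": "collect_triage", "auto": True,
                "reason": "signal needs further intelligence"}
    return {"action": "queue_for_analyst", "auto": False,
            "reason": "no correlation"}


def run_playbook(alerts: list[tuple[str, str]]) -> list[dict[str, object]]:
    """alerts: (host, observed indicator) pairs. Returns one decision each."""
    anomalous = anomalous_hosts(OUTBOUND_COUNTS)
    return [{"host": h, **decide(h, ioc, anomalous)} for h, ioc in alerts]


if __name__ == "__main__":
    for d in run_playbook([
        ("ws-017", "sha256:e3b0c44298fc1c149afbf4c8996fb924"),
        ("db-prod-01", "sha256:e3b0c44298fc1c149afbf4c8996fb924"),
        ("ws-042", "sha256:7d865e959b2466918c9863afca942d0f"),
        ("ws-003", "sha256:0000000000000000000000000000000000"),
    ]):
        print(d)
```

The point of the structure is the `auto` flag: the same correlation that lets the playbook isolate an unpatched workstation on its own only produces a proposal for a production database, and anything the inventory cannot vouch for goes straight to the analyst queue. Adding a new autonomous tier means adding a branch here, which keeps the scope of machine-led action reviewable.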