Analytics generate actionable intelligence. That’s lovely, but can we take it further – automate the action based on that intelligence? The more action that is automated, or at least partially automated, the more efficient, accurate, and repeatable an action becomes. This is a normal evolution we’ve seen (and nurtured) elsewhere in security. Just as we have moved from detection to prevention with IDS to IPS and monitoring to blocking with DLP, we are moving operational systems from an “alert only” model to an “active response” model.
Automation is enabled by integration and is critical for efficiency. This integration across security and compliance solutions also delivers an unprecedented level of real-time visibility into an organization’s security posture. This visibility helps CISOs understand trending of patterns and risk in the organization, and report out on changes and priorities to other stakeholders in IT, line of business, and the executive team.
There are many shades of automation. Long-time McAfee users will recall tags and scripts becoming a feature of McAfee ePolicy Orchestrator several years ago. With these tools, an approved series of policy changes can be applied to users and systems individually or in groups, replacing manual, repetitive tasks and freeing administrators to do other things. When these capabilities came online, users reported being 35% more efficient, needing fewer hours in the week to handle the same number of nodes.
Today, we need these efficiencies even more, as more alerts, attacks, and log events overwhelm decision processes. Many operations teams have more data than they can sift already, yet they would like to take advantage of new sources such as industry threat intelligence and context.
Again, our approach is built to help. We already make similar efficiencies possible beyond the scope of the endpoint through McAfee Enterprise Security Manager, our SIEM solution. Today, operations teams can define workflows that will take assorted actions on controls and policies outside the scope of McAfee Enterprise Security Manager itself, yet automated from the McAfee Enterprise Security Manager dashboard. These outbound effects are the key – and something made possible because of our focus on integration and our footprint in protection, as well as the unique and proven centralized management within McAfee ePolicy Orchestrator and McAfee Enterprise Security Manager.
Some potential actions are obvious, and we provide out of the box integrations to make them easy. McAfee Enterprise Security Manager can tell McAfee products to quarantine, block, scan, and update software on systems to contain and remediate a problem. There are three dozen SIA partners integrated directly with McAfee Enterprise Security Manager, in addition to the 100 or so SIA partners enabled through McAfee Enterprise Security Manager integration with McAfee ePO. The new McAfee Data Exchange Layer integrations enable real-time communications that can spawn actions with these partner applications instantly.
These and other actions can always be manually launched by a person. “Human assisted automation” may be the best choice when the decision involves prioritization, escalation, case management, and live intervention. For both automated and human-assisted actions, many users tailor the provided options, or build their own actions using scripting and APIs.
Looking ahead, the Intel Security strategy is to create even more tight integrations and open workflows that match key customer use cases in advanced threat defense, data protection, and cloud services. Many will attach to the centralized and automated policies and processes built with McAfee ePO and McAfee Enterprise Security Manager. This action-oriented strategy is part of our effort to help customers continuously adapt and embed optimization into operational programs.