Ep. 9: Automation May Be the Best Kept Secret of Security Teams

Summary

If anyone can benefit from automation, it’s cybersecurity teams, which have been understaffed and overburdened for the past decade. Finally, relief is in sight. A growing number of automation tools are taking pressure off security pros, by handling repetitive, tedious, and low-level tasks. So why have so many organizations not yet used them?

HOST: Doug Thompson, director of technical solutions engineering and chief education architect, Tanium
GUEST: Steven Blankenship, IT director, Salisbury University

Show notes

Check out these articles from Focal Point, Tanium’s new online cyber news magazine, and an info-packed video from our To The Point webcast with Forrester’s Renee Murphy.

• A Security Automation Playbook for 2023
• Healthcare CIOs Must Pair Automation With Security
• The Future of Risk Management is All About Automation (webcast)

Transcript

The following interview has been edited for clarity.

Steven Blankenship: Social Security numbers, credit cards, driver’s licenses, passports. We have an obligation to protect that data. And I’ll tell you, those are our crown jewels. Those are the things that if we lose those, if they’re stolen, they’re breached—that’s what’s ruining people’s lives.

Doug Thompson Automation is everywhere today. You know, you can’t deposit a check in your bank account without taking a picture of it. You can’t grab your favorite hamburger at a fast-food place in the airport without bumping up against some form of kiosk. This automated technology is so prevalent that even IT leaders are starting to worry whether algorithms may soon put them out of a job. But there’s one group within IT that’s actually embracing this new trend. And if you’re not, you probably should.

Hi, I’m Doug Thompson. And today on Let’s Converge, we’re talking automation and cybersecurity.

If anyone could benefit from automation, it’s the security teams that have been understaffed and overburdened for the past decade. The cybersecurity ranks have grown a bit in recent years, but nearly 3 million cybersecurity jobs still remain unfilled. Last year’s workforce report from (ISC)² revealed that the number of cybersecurity workers needs to grow by 65% to adequately defend enterprises.

Thompson: Meanwhile, cybersecurity hacks are through the roof. But there’s relief in sight: A growing number of security automation tools are taking some pressure off these security pros by handling repetitive, tedious, and low-level tasks. But a surprising number of organizations have yet to use them. What gives? I have my theory: I think it’s just human nature, people not wanting to change.

Joining us today is Stephen Blankenship, IT director of Salisbury University in Maryland, who is here to share a case study in tools and digital transformation. Stephen worked his way up at Salisbury, starting off as an undergrad, earning a bachelor’s degree in computer science, then a master’s degree, and then moving up the ranks through desktop support, networking, and system administration. Steven, how are you doing?

Blankenship: Good, good. Glad to be here.

Thompson: It seems you arrived at Salisbury as a freshman and just enjoyed college life so much that you just couldn’t tear yourself away .

Blankenship: I’ve been here for about 23 years. We’re a regional, traditional liberal arts college on the eastern shore of Maryland, a few hours east of D.C. Been in higher ed my whole career. Love supporting educational learning environments and setting up opportunities where students can succeed.

Thompson: So, you got your degree and went right into that?

Blankenship: Yeah, they trapped me, right from internships. Worked my way all the way up through the department from the late ‘90s up to today. So they ran out of places to put me,

Thompson: We were talking before we started recording: I had been at Microsoft before this and we were talking about the history of what’s been used [for network management]. You were at the very early days of being able to manage PCs. I mean, before that, it was just sort of a nightmare managing your environment.

Blankenship: Oh, yeah. You know, all the way back to Novell days and NetWare Application [Manager].

Thompson: Ah, yes. Novell. For those who don’t geek out on the history or didn’t live through it like we did, Novell was a pioneer in corporate networking back in the 1990s. Their core product, NetWare, was a leader in networking software. Then Microsoft, my former employer, swooped in, realizing they could build networking into their operating system. And there went Novell. SMS 2003 must have been a real game-changer for you, too. The SMS, or System Management Server, had traditionally been a go-to desktop management tool, but this version focused on cybersecurity in a whole new way: spotting security vulnerabilities and delivering critical updates.

Blankenship: You know, initially, SMS 2003 was our first real deep dive into trying to wrangle our desktop environment. We’ve used many tools, many point solutions over the years here to try to solve problems on our desktop environment.

Thompson: And that’s what you sort of had to do. It was, OK, here’s the problem du jour, I’ll call it, and they didn’t really have a nice platform, which gave you this sort of end-to-end way of being able to do thing in a holistic manner.

Blankenship: Yeah. It’s solutions; it’s not platforms. And that’s our whole experience, my entire career here. And it can be incredibly frustrating.

Thompson: Yeah, I know! I’ve talked to people who said, you know, this solved this one problem, but it brought up four other problems. So it’s a whack-a-mole, is probably the best description for it.

Blankenship: Oh, yeah .

Thompson: You recently became one of our customers here. So tell us how that evolved. I talk about it from the story perspective of you have to get people who are thinking outside of silos. It’s a broader picture of what needs to happen and sort of this holistic view of what life could be. And again, it’s more like: you’ve been there long enough to know life’s gotta be better. Right? . You’ve been having this Groundhog Day, reliving it, for too long.

Blankenship: Yep. And I’ll tell you that operational needs, like administering desktops and solving some of these challenges, it’s not a sexy thing and it’s not something that administration wants to invest in. It’s a very tough thing to budget. And at Salisbury, the way that we were able to get Tanium in here is that we had a very specific security need that we had to address to meet our legislative audit requirements.

So a little bit about how that came about: We were told by our legislative auditors that we had to identify all the sources of PII on all of our servers’ endpoints—you know, file shares, cloud storage, you name it. And when I say PII, that’s “personally identifiable information,” such as Social Security numbers, credit cards, driver’s licenses, passports. We have an obligation to protect that data. And I’ll tell you, those are our crown jewels. Those are the things that if we lose those, if they’re stolen, they’re breached—that’s what’s ruining people’s lives.

And you know, even outside of our legislative requirements, these are what we care about most and want to protect the most. So we have to remove PII from anything that’s not an approved encrypted repository. And we had tried several point solutions over the years, really unmanageable for the amount of man-hours and effectiveness of those tools.

Thompson: This is a serious problem and a common one, and one that most enterprise leaders don’t even realize exists.

Blankenship: It’s more than we ever imagined . Everybody and their brother wants to keep all the contracts all the way back to the ‘80s on their computers. So we actually bought the security tool that is capable of looking inside all of the files inside of archives and doing pattern-matching within them for us to identify and confirm legitimate PII hits. And then it’ll automatically pull that PII off the endpoints, leave a little stub there that says, Hey, we took your file, call the help desk if you need it, and then move it to an encrypted central NAS [network attached storage] repository that then we have entirely separate ACLs [access control lists] and separate permissions and processes for people to regain access. And that met our audit requirements and really cleaned up millions of records off of people’s endpoints, far more than we ever would’ve imagined.

Thompson: Yeah. Higher education, I’ve found, is a place for data hoarders , like, we had a researcher back at a previous role that had kept every submission for a grant that he’d had. And his mailbox size was like in the terabytes. I mean, I discovered that nobody ever throws anything away in education.

Blankenship: No, no one wants to throw anything away. And it’s not always the people that we suspected, it’s not always the HR people or the registrars or the people that you have a legitimate reason to work with. PII. Yeah. Every one of them has downloaded a report and left it on their desktop. Yeah. Then they’ve copied their documents folder over from their last four or five machines. We have PII going back to the ‘80s. But it’s also everybody in the departments that ran their TurboTax and saved their tax file on their desktop. It’s the contracts, it’s the procurement orders, the credit cards, the scanned PDFs that we’re finding. It is far more than we ever imagined and more than any of the previous tools we’d attempted to utilize was able to find.

Thompson: No one from the C-suite on down recognizes the magnitude of this problem. Heck, this shocks even those of us in security. Until you go searching for it, you have no idea how much vulnerable personal data is sitting on your endpoints and servers. And even if you think you have a sense of how much original data your outfit collects, you really have no idea how often it’s been duplicated and where those copies live within your system and who has access to them.

Blankenship: And the thing for us was, we don’t have the manpower to review these. We don’t have the manpower to go and manually take the PII away.

Thompson: A day doesn’t go by that I’m not talking to an enterprise about how they solved this problem or that problem, and I say, Hey, I’ve got a tool for that. And it sort of reminds me of when I was in college, working as a nighttime mechanic, and I talked to these master mechanics. I saw one who had a stethoscope in his toolbox and I was like, what are you doing with that? He says, ‘I use it to determine if there’s a tick or something’s out of timing on the car.’ He would actually put it up to the engine. You know, today they have these ports on the car that you actually plug into a computer and it gives you all the diagnostics about everything that’s happening in that engine. What you’re describing is much the same process. We need a single tool that will give us complete visibility into all the endpoints on a regular basis.

Blankenship: One of our main requirements was it needed to be self-sustaining. So it’s not enough for us to find PII; we needed to take it away, once we confirm the situation or scenario. So we’re able to go in and look at those hits and say, yes, this pattern is legitimately PII—everything else that looks like it, go ahead and take it. So we just have some care and feeding we have in training it, because our requisition forms all look the same, our contracts all look the same. It’s actually pretty straightforward, once you know the types of PII that live in your environment, for you to care and feed and train the tool to automatically take it. And politically we were able to get it through, and our users have come to understand how all that works.

Thompson: How did you manage that? Getting the buy-in from the users?

Blankenship: At the point at which your state funding is gonna be pulled if you do not meet legal requirements, the last bits of hesitation [disappear] as our president doesn’t want to be in the newspaper. Fortunately, other people around us have had bad experiences to the point that we’re now believed. I don’t think that some of the political and cultural explanations are even needed anymore nowadays. It’s not that we haven’t known we needed to do this for the last decade, but we finally have the tools, the ability to do it, and the willpower, the acknowledgement in today’s cybersecurity environment that we have to do it. So that’s how it came together.

Thompson: That’s sort of a delicate balance, because in the past you could have done it, but it wouldn’t have been a great customer experience. Technology done well fades into the background. You don’t even know what’s there. It just works. It’s like the power switch when you turn on the light. And it sounds like you were able to come up with that solution to make it seamless to the user—if you remove that friction, then they’re a lot more likely to buy in.

Blankenship: Right. And the big thing is, anything we could have done in the past would’ve had such a manual overhead on IT and on the users that it would’ve been untenable for us to support and maintain it. So that was really how we got it in here. Once we got it in the door and we have this powerful tool on all of our endpoints and all of our servers, then it’s kid-in-the-candy-store time.

Thompson: Well, being able to automate that stuff is very powerful in that it helps you scale. I’ve run into people on occasion [who] think you’re trying to do away with their job. And in reality you’re trying to free them up to do something of higher value that in essence makes their job more important and more reliable. … Nobody’s making iceboxes anymore. When the refrigerator came out, you know, nobody…. [trails off.] VCR tapes, you don’t have a lot of those anymore. You know, everything’s digital. It goes on.

Blankenship: I used to have those conversations with people all the time. Any aspect of your job that I can automate with PowerShell or with a script or with a tool, you ought to be happy, because that’s got to be miserable doing that repetitively. Let’s get you on something way more interesting, way more valuable, way more marketable. You know, it’s not like I’m trying to automate you out of a job and fire you.

Thompson: Right.

Blankenship: Especially in this state, we’re very stable. The average tenure of the people in my department spans between 10 to 30 years. We don’t have a lot of job-hopping. We’re pretty isolated out here on the eastern shore of Maryland. We’ve got beaches, though. That’s the main selling point . But it is the people that are the true value in our department, and the more that I can direct them at way more valuable projects than menial repetitive tasks, let’s get all that automated, all that out of the way.

Thompson: And it reduces errors and stuff too. Because sometimes you do this over and over and over again. It’s ripe for overlooking something, or you have an outlier that comes out that, well this always worked before. There was one thing that’s different. By automating all that stuff, you can put checks in place to make it more reliable again, then free up the human to do the more white-glove and the higher-value things.

Blankenship: Automation also has a natural tendency to self-document processes. So if you can automate a process, you have thoroughly documented that business process. So it’s easy for anybody else to come along afterwards and maintain it, update it, understand what’s occurring. Whereas when things are manual processes, that’s in one person’s head and they may have just retired.

Thompson: That’s a big factor that I talk to a lot of people [about]. They have the one person [who they rely on], but it gets a lot more difficult when they leave. Or god forbid something tragic happens that you couldn’t plan for at all. I know I’m horrible at documenting things cuz I just, I go through it and go on—much to my wife’s chagrin. She yells at me on occasion. “But why didn’t you write that down?” “I just, uh, it is.” But that onlyimpacts me and my family. It doesn’t impact an entire organization.

Blankenship: So, once we got the visibility and started seeing the power of the tool, when we got it in here, people started realizing we could ask real-time questions and get answers about our situation. So for example, we were asked about a piece of software, whether we should continue paying for this piece of software—we’re paying $60,000 for a site license. Why are we doing this? And I’m able to just ask a question about our environment and say where is, [or] what computers even have this? And then I can know where those computers are and who’s using them. I can know the versions. I get those responses back, and it’s so much faster and in a single pane of glass.

I can then take that same answer that I got and feed it straight to a deployment. So turning it into a security example: We’ve got a vulnerability that’s been released for an Adobe product or you name it, [and] I don’t even know how many computers have that version. Before, to get that answer would be incredibly painful.

Now it’s a sentence that helps me auto-fill in the rest of the sentence to tell me exactly how many are in that situation and then take that exact list of computers, feed it straight into a deployment, to go ahead and update them.

Thompson: So that clearly saves you just a ton of time.

Blankenship: Absolutely. And one of the big things we also get pushed on is patching and patch compliance. We have a lot of compliance metrics that we have to meet: basically baseline configurations that have to be held to, as well as patch mean time of mitigation for vulnerabilities, as well as patch[ing] from within a certain period of release time from the manufacturer. We have to have them apply. And I’ll tell you that is an infuriating thing to piece together .

Thompson: To do all that manually, patch by patch, I imagine that would drive anybody bonkers. So having the right automated tool not only saves you time but saves your sanity, too. It’s like having your own special agent riding on each endpoint, giving you real data about the endpoint in real time. There’s no more having to rely on third-party tools or remote scans or a ratchet for this and a socket for that.

Blankenship: And I know that the agent on there, when I tell it the update, is gonna get those updates and provide feedback to me about how that went.

Thompson: And it’s got to make you sleep better knowing that you can answer those questions. There’s nothing worse than having your boss come in and know he’s gonna ask you one of those questions. I can get you that answer, but it may be a week.

Blankenship: Right. And you’re only as secure as your weakest links in this. And yes, we have a lot of other layers in security and we’ve got firewalls and we’ve got other pieces to this puzzle. But for the longest time, our endpoints have been our greatest concern and points of compromise.

Because our servers are locked down. They’re highly, highly tuned. Our network, you know, we’ve got a lot of constraints and controls within it. But those endpoints and those pesky users are the main problem in an environment. So by assuring that that can do as little damage as possible—reputational damage, data loss—having those endpoints with no PII I on them? Right there, I’ve already won half the game. So even if that endpoint is stolen, that endpoint is compromised, you’re not getting something locally from us. Then I have those other layers in place between that endpoint and the additional spots where you’re gonna do more damage to me.

But yes, I’m sleeping better at night knowing that I’ve got AV running properly, knowing that I’ve got the firewall enabled locally. Knowing that you don’t have admin rights locally on that machine, knowing that all of our little settings and group policies, and all the tweaks and layers that we put on those endpoints are still enabled, are still working. And you’re patched. The other thing is, operationally, if your environment looks like what I just said, you get way less calls.

Thompson: Yep.

Blankenship.: You have way less issues. Your users are actually happier in that environment because their desktop works.

Thompson: It gets back to that point where technology’s fading into the background and you’re gonna be able to do what you need to do.

Blankenship: It all just works.

Thompson: So it sounds like you’ve got some improvements, you’re sleeping better at night, you’ve got some happy customers. I really appreciate you spending some time with us and telling your story about how it sort of transformed the way you do business.

Blankenship: Absolutely. Yep. Appreciate you having me.

Thompson: I’ve been talking with Steven Blankenship, IT director at Salisbury University.

If you’d like to read more about security and automation, check out Tanium’s new online cyber news magazine at Tanium.com. To hear more conversations with today’s top business leaders and security experts, make sure to subscribe to Let’s Converge on your favorite podcast app such as Apple Podcast and Spotify. And if you like this episode, which I know you did, please give us a five-star rating.

Thanks for listening. We look forward to sharing more cyber insights on the next episode of Let’s Converge.