As federal technology systems continue to grow in size and complexity, agencies are turning to automation to plug some of the cybersecurity gaps that the IT workforce has been unable to monitor.
While automation and orchestration tools have proven useful in shoring up the federal government’s cyber defenses, security officials have also found them to be cost-effective on already-tight cybersecurity budgets.
Paul Beckman, the Homeland Security Department’s deputy chief information security officer, said about 90 percent of cyber incidences at DHS could be automated to give human operations more time to tackle the agency’s toughest security challenges.
“Once we get to that utopia — once 90 percent of that generally is being handled in an automated fashion, then I can really use the vast majority of my workforce to focus on what I really need them to do, which is the 10 percent of really bad guys,” Beckman said Jan. 29 at the Institute for Critical Infrastructure Technology’s Winter Summit in Arlington, Virginia.
Automation and orchestration have become such successes at DHS that Beckman said one agency component has already implemented some tools. The agency component, he said, spent $1.5 million to roll out the project, but six months into using automation, the agency has already identified more than $300,000 in cost savings.
“This thing is going to pay for itself, virtually, in a very short amount of time,” Beckman said.
Before getting the automation project off the ground, Beckman said the CISO’s office did a cost-benefit analysis, and was able to get buy-in from DHS leadership based on the potential return on investment.
“One of the beautiful things about this tool, is that it is unique in the respect that it is so easy to figure out your return on investment, the savings that you’re getting. If you start doing activity-based costing and breaking out these repeatable processes step-by-step, every time I get a [personally identifiable information] spill, here’s all the steps a person would have to take to be able to remediate that PII spill,” Beckman said. “Once you have all the tasks, you figure out how long it takes to do that task, you average in the average hourly rate that it would take somebody to do that, and you can clearly identify every time I automate that process, here’s exactly how much I’m going to be saving in human interaction or human hours. And they’ve only reached the tip of the iceberg, in my opinion, with respect to what they’ve been able to automate.”
While automation has removed some of the tedious processes around monitoring for cyber threats, Beckman said the acquisition workforce needs to adopt a more agile framework in order to be more responsive to DHS’ needs in the future.
“One of the foundations of agile is not all requirements can be known up front, so you need to build in a process to be able to accommodate these rolling requirements as they come in. Acquisition is going to be the same way. I don’t know what my security requirements are going to be in four-to-five years, so I need to be able to build contracts to some degree that the flexibility to be that agile, so that I can buy what I need, when I need it, where I need it,” Beckman said.
Over the last few years, the Defense Department and the military services have also improved their cybersecurity posture through automation tools. The Marine Corps, for example, has worked with the DoD’s chief information officer and his staff to create an automated “comply-to-connect” framework that ensures new devices meet security requirements before they’re allowed access to the network.
“Before we would allow it to connect to the rest of our enterprise network … it was analyzed, it was scanned, it was patched, it was remediated, whatever needed to be done, and then was pushed onto the network,” Ray Letteer, the chief of the Marine Corps’ cybersecurity division, said.
On some performance scorecards, Letteer said DoD has been able to bring compliance and patching up to 98 percent. Looking ahead, he said automation will prove useful in giving defense agencies a better sense of their threat landscape.
“Many of you out there only maybe see 70 percent of your network. I want to get better at that because that’s my battle space and I need to know where every box is, at every building, with every single application. Automation will help us to get to that — to map it and define it and track it,” Letteer said.