Lori MacVittie, Distinguished Engineer at F5, looks at how AI will shape the future of IT automation security.
Poisoning wells is a well-used tactic in the history of conflict. The town well has for centuries been a target of attacks, whether by using it to spread disease across a population or by simply cutting access to it.
Nowadays, the modern well is an API endpoint or script that kick-starts automation that drives change into digital services, applications and infrastructure. F5’s State of Application Strategy report found that 78% of organisations employ a large range of automations across IT functions with this purpose. This number is unsurprising given how commonly automation is used to spearhead changes into complex, hyperscale systems operated by the likes of Amazon, Meta and X.
Much like in the days when a poisoned well could seal the fate of whole villages, a single script can impact thousands of systems within minutes. Years ago, making manual changes to the same number of systems would have taken days or weeks. With automation, however, operations of all kinds can reach a level of scale that humans simply cannot.
Automation is the foundation of scaling practices and processes. It is hard to argue that a business could call itself a digital business if it does not deploy automation. Quite simply, automation has quickly become one of the six essential capabilities businesses must have if they want to truly make the most of their data, as well as adopt the likes of Site Reliability Engineering (SRE) operations, and instil adaptation capabilities in their digital services through modern app delivery.
The issue with automation is the fact it is automatic. Once the process has started, it is a challenge to identify and rectify any changes that are cascading across these systems. Speed is often one of the characteristics of automation, and once changes have started, it is almost impossible to stop them.
You’d have to be living under a rock to not have heard about automation propagating unintended changes that, ultimately, had an impact on large swaths of the Internet. A bad parameter pushed into a script is almost impossible to recall once the enter button is pushed, or API endpoint invoked. Once it’s done, the well has been poisoned.
I have raised the alarm with respect to the security of IT automation before. It is a neglected and underexplored attack vector that will, eventually, be taken advantage of. It doesn’t matter if ‘eventually’ is many years away, the more immediate threat of human error is still very much present. Research from Uptime Institute claims “nearly 40% of organisations have suffered a major outage caused by human error over the past three years.”
Here is where artificial intelligence and especially machine learning can have a huge impact.
Protecting IT automation by applying machine learning
Machine learning is particularly gifted at uncovering patterns and relationships between data points. Today, a large part of the market is focusing on the application of machine learning to solving security and operational challenges. This includes determining whether a user is indeed human or a bot, recognising attacks, and even foreseeing impending outages.
One of the areas that is often unexplored is app infrastructure protection (AIP). For instance, F5 Distributed Cloud AIP uses machine learning to understand how operators and admins interact with critical systems and immediately notice when an interaction deviates from the norm. This is useful for detecting attackers attempting to access directories they shouldn’t or invoke commands with parameters outside normal usage.
Reread the last sentence. Invoke commands with parameters outside normal usage.
Ah, there it is. There is nothing peculiar to security in the ability of AIP — and machine learning in general — to detect anomalous parameters or an attempt to execute an unusual command. Which means, this technology could just as easily be applied to IT automation to catch either human error or intentionally malicious commands.
Assuming the right level of access to target systems, such a machine learning solution could certainly offer a path to protecting systems against occasional bad parameters, lateral communication attempts, or any other attack. Ransomware, anyone?
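The idea of holding an automation call whose parameters fall outside normal usage can be sketched as follows. This is an added example, not code from the article or from F5 Distributed Cloud AIP: it substitutes a simple statistical baseline (median and median absolute deviation) for a trained model, and the command names, parameters and history are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed history of past automation invocations: (command, parameters).
HISTORY = [
    ("scale_pool", {"pool": "web", "replicas": 12}),
    ("scale_pool", {"pool": "web", "replicas": 16}),
    ("scale_pool", {"pool": "api", "replicas": 10}),
    ("scale_pool", {"pool": "api", "replicas": 14}),
    ("scale_pool", {"pool": "web", "replicas": 18}),
    ("rotate_cert", {"env": "prod", "days": 90}),
    ("rotate_cert", {"env": "staging", "days": 90}),
]

def build_baseline(history):
    """Collect every value seen for each (command, parameter) pair."""
    seen = defaultdict(list)
    for command, params in history:
        for name, value in params.items():
            seen[(command, name)].append(value)
    return dict(seen)

def check_invocation(baseline, command, params, threshold=5.0):
    """Return reasons to hold the call before it runs; empty list means normal."""
    if not any(cmd == command for cmd, _ in baseline):
        return [f"command {command!r} never seen in baseline"]
    findings = []
    for name, value in params.items():
        values = baseline.get((command, name))
        if values is None:
            findings.append(f"{name}: parameter never used with {command}")
            continue
        nums = [v for v in values if isinstance(v, (int, float))]
        if isinstance(value, (int, float)) and nums:
            med = median(nums)
            # Median absolute deviation; floor of 1.0 avoids division by zero
            # when every historical value is identical.
            mad = max(median(abs(v - med) for v in nums), 1.0)
            score = abs(value - med) / mad
            if score > threshold:
                findings.append(f"{name}={value}: {score:.1f} MADs from median {med}")
        elif value not in values:
            findings.append(f"{name}={value!r}: value never seen")
    return findings

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # A fat-fingered extra zero on the replica count is held for review.
    print(check_invocation(baseline, "scale_pool", {"pool": "web", "replicas": 140}))
```

Placed in front of the script or API endpoint, a check like this pauses the change before it starts cascading, which is the only point at which a bad parameter is still cheap to recall.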
The infrastructure underlying automation, apps and app delivery is an appealing point of attack. While organisations are taking measures to introduce more automation, they need to take into account the potential ramifications – both accidental and intentional – that the adoption of automation can bring.
Infrastructure — for apps, app delivery, and automation — is still an attractive attack vector. As organisations move to adopt more automation — and they are — they need to simultaneously consider the ramifications, accidental or intentional, of the use of that automation. In order to protect it from fat fingers and malicious keystrokes, it must be protected against the inevitable.
There is no doubt that automation is a force multiplier that can be used to produce greater good, as well as with malicious intent – which means we need to protect it. A digital business’s infrastructure, which remains a crucial component, can be protected with the help of machine learning.