How Domino’s UK is using automation in the cloud to improve security

Profile picture for user ddpreez By Derek du Preez June 28, 2021 Audio mode
Summary:
Shifting to the cloud has its benefits, but also brings with it some security challenges. Domino’s explains how it's using automation to improve its time to response for certain security incidents.

pizza-dominos_759

Domino's is one of the leading pizza brands in the UK, delivering over 100 million freshly baked pizzas each year from over 1,200 stores nationwide. However, innovation for the company isn't just about pushing the boundaries of pizza making (please see the Double Decadence as a prime example), but is also about using modern digital technologies to improve customer experience. 

We at diginomica have written frequently about the company's digital investments, which have delivered strong returns for the organization in recent years. And last week we got the chance to hear from Marius Poskus, IT Security Operations Analyst at Domino's, about how the company is using automation in the cloud to shift towards a proactive approach to threat management. 

Poskus was speaking at the Avantra Summit, where he said that whilst moving to the cloud can deliver significant benefits, buyers also need to recognize the associated risks - particularly as it relates to operations management and security. Poskus said: 

What I find with companies that have decided to lift and shift into the cloud, is there's a misunderstanding of responsibility. Companies use IaaS, PaaS or SaaS, but you need to remember that when you lift and shift to the cloud, if you use virtual machines for example, the cloud provider is only responsible for the bare metal. 

You still need to patch your operating systems, you need to be configuring your virtual networks, applications and all the data. I think sometimes companies misunderstand where their responsibilities lie and have problems. There is a real challenge there but that challenge can be solved in a way, with automation. 

Poskus said that cloud allows companies to improve the speed and ease of their deployments, and means easier scalability and virtually unlimited capacity. However, organizations need to be mindful of shifting to operational costs and a change in control structures. He added: 

Depending on which responsibility model you choose, there's a certain loss of control. Depending how and what you use, there's cost variation, so it can be hard to predict how much you're going to spend over the next year. There's also potentially a lack of support - you're not always going to get your questions answered very quickly. There's also a reliance on the internet and potential security threats. 

Automating for a more sophisticated response

The overarching theme from Poskus's presentation is that Domino's is using automation to target low hanging fruit, in terms of its security incident and response approach. Poskus provided numerous examples of how Domino's is automating as much as possible so that the company's Cyber Security Operations can invest time in tackling more complex issues. 

For instance, Domino's is using automation to identify malware across its virtual machines - but is also changing its response depending on the time of day a threat is identified. Poskus explained: 

We run a hybrid automation model at Domino's. We automate a very simple response to incidence, but we scale our automated response depending on the times as well. So, for example, some of the events we can automate 24/7, but some we only want to automate overnight. 

We want to automatically collect packages from the machines where malware has been found, for example. But if it happens at midnight when we are not working, we might want to automatically isolate that machine, collect the logging package, and then when I come online at 9am, I know that the machine has been isolated and can't infect anyone else. And then I can investigate and see what has happened. 

Poskus said that there is a lot of scope when it comes to automating to improve security in the cloud, and plenty of quick wins to be had. But added that it's important to remember that what works for one company, may not work for another - and so a lot of time needs to be invested in figuring out how your business operates and where the use of automation will be most impactful. He said: 

Build up stories of how departments work together, where you can get quick wins from automation, where you don't need human interaction. 

Cloud policy

Domino's is using Microsoft Azure as its cloud platform of choice and Poskus pointed to its cloud policy feature as a way of further improving security automation. Cloud policy allows organizations to govern every existing or future resource deployed, managing policies in a centralized location, where compliance can be tracked and changes can be quickly identified. GCP and Azure have similar features too. 

Poskus said: 

When launching virtual machines, you can launch a policy that means scanning all virtual machines, say, every 24 hours, which then reports to me the machines that don't have a vulnerability management agent installed on them. It can report the machines that don't have the latest security patch on them. And we can remediate all of that. 

It's an easy example of how we can monitor all of our infrastructure. If you've got hundreds or thousands of virtual machines it's impossible, or at least very painful, to find out what is missing. Also with some of the policies you can build in a quick fix, so you can fix it with one click of a button. 

Domino's is also using automation playbooks to identify anomalies for threat detection. Playbooks allow for rules to be written for certain scenarios that enable automation technologies to identify potential threats. Poskus explained: 

For example, we have alerts coming in for impossible travel. Sometimes people might be travelling or they might be using a VPN. Most of our people are based in the UK, but sometimes you can get a login from the UK and then from Thailand within 60 minutes. That creates an impossible travel alert. 

So we created a playbook, which says that when an incident is created in Azure Sentinel that matches impossible travel, if the user has passed MFA successfully, please close the incident because we know that that's the person that logged in. If false, then please send us a report so we can investigate. 

Why this matters

Poskus said that the key for Domino's in thinking through its approach to automation, is that it wants its security analysts to be working on threats that need human attention - rather than wasting time on tasks that could be carried out by machines. This will mean a more thoughtful, proactive approach to security response. He added: 

Automating means better decision making, because you can automate some of the decisions. We can reduce the time of analysts actually working and investigating some low severity incidents, because we can automate them. It's damage limitation, as well. If your Security Operations Center does not have a team that can operate 24/7, you can use automation out of hours and prevent specific incidents from spreading. Once that human interaction is needed, you can pick it up on the next day. 

I think what's happening with Cyber Security Operations, scaling up means moving from reactive defence to being proactive and chasing the bad guys. Instead of reacting to what happened yesterday, we try to predict and detect what might happen in the future.