Across almost every industry, recent reporting shows data breaches on a steady rise. As attackers grow in number and refine their methods, those on the defensive side face shortages of many kinds, skilled staff above all. With the huge volume of security alerts flooding Security Operations Centers (SOCs), analysts can seem to be fighting a losing battle.
Since many indicators of compromise lurk in low-priority alerts, manual triage only lengthens the time between detection and response. That latency gives an attacker ample time to probe the network, infect hosts and pivot toward high-value data. In many cases, by the time an attack is detected, the damage is already done.
There are, though, two techniques that can help SOCs in their battle against their adversaries. You may wonder what the Industrial Revolution has to do with this, but tried and tested manufacturing techniques from that era may be of more help in the 21st century than you would first imagine. Let's explore them in more detail below.
The first is automation: handling tasks automatically, without manual intervention. Automation itself is not new; the way it is applied to security operations is. Driven by the premise of doing more with less, it was the main force behind the Industrial Revolution, and it has kept evolving into this century. In the digital realm it has been reinvented altogether. Automation has become an industry buzzword in recent years, but it is also where cybersecurity is heading. Organizations that fail to adopt it properly will remain stuck in a reactive posture, while adversaries keep lurking among missed indicators, always one step ahead of the experts.
Most breach indicators surface inside what looks like normal network activity, so they can go unattended for long periods, as in the Marriott breach, where unauthorized access to the Starwood guest reservation database went undetected from 2014 until 2018. So how can automation help? Manual triage has proven time-consuming and tedious for the analysts involved, which extends dwell time and gives the attacker more time to do serious damage. Automatically enriching events with context from threat intelligence, asset inventories and other sources cuts the time spent gathering data, which in turn helps investigators prioritize and respond faster to a potential threat.
Once an alert is prioritized, the analyst faces further manual tasks, for example creating and updating tickets so that all findings are logged and stakeholders are kept in the loop. This is a core part of post-alert activity and of knowledge transfer within the SOC and the wider security team. During an active attack, however, important investigative data may be left out because of the time pressure of the engagement. Automating trouble ticketing lets security teams update tickets more consistently and more frequently, which yields more complete metrics, both for the analysts handling the initial threat and for management. It also provides a solid basis for knowledge transfer and historical trending going forward.
Automating enrichment is only the first step. If analysts cannot gather enrichment data from every source and correlate it, they are left with only half the pieces of the puzzle. The next step, therefore, is integrating the disparate security tools used within the SOC.
Integrating siloed security and network technologies yields many valuable efficiencies, and at the same time makes it harder for attackers to penetrate the organization's defenses. Another important benefit is greater visibility into the network and the attack surface. With that visibility, defenders can anticipate potential threats and act faster to secure the environment.
Bringing together security tools, devices and their outputs lets organizations combine internal and external threat intelligence with historical trending, providing the context needed to uncover slow-moving attacks. By combining device-specific intelligence, such as sandbox verdicts and proprietary feeds, with subscription-based intelligence, analysts are equipped with real-time indicators and details that let them quickly assess the scope of an incident.
Because many recent attacks exploit well-known vulnerabilities, feeding vulnerability data into automated and orchestrated processes lets organizations prioritize patching cycles and focus security rulesets on the vulnerable systems until they can be properly patched.
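To make the enrichment, correlation, ticketing and patch-prioritization steps above concrete, here is an added Python example written for this page; it is not IncMan SOAR code or any DFLabs integration. The alert, the subscription feed, the sandbox verdicts, the internal sightings and the asset inventory are all constructed stand-ins (in a real playbook each would be an API call), and the scoring weights and priority thresholds are arbitrary choices for illustration. The point it shows is that a "low" severity alert, once correlated against several sources, can outrank a "medium" one, and that the ticket carries every finding so nothing is lost under time pressure.

```python
"""Constructed SOAR-style enrichment and triage playbook (added example)."""
import json
from dataclasses import dataclass, field

# --- Constructed sample data; none of it is real intelligence ---------------
SAMPLE_ALERT = {
    "id": "alert-0001",
    "severity": "low",                  # the SIEM thinks this is noise
    "rule": "Outbound connection to rarely seen external host",
    "src_ip": "10.20.30.40",
    "dst_ip": "203.0.113.55",           # documentation address, constructed
    "sha256": "0123456789abcdef" * 4,   # placeholder hash, constructed
}
BENIGN_ALERT = {
    "id": "alert-0002",
    "severity": "medium",
    "rule": "Multiple failed logins",
    "src_ip": "10.20.30.99",
    "dst_ip": "10.20.30.1",
}

# Hypothetical stand-ins for the sources a SOAR would query via API.
SUBSCRIPTION_FEED = {"203.0.113.55": {"tags": ["c2"], "confidence": 80}}
SANDBOX_VERDICTS = {"0123456789abcdef" * 4: {"verdict": "malicious", "family": "generic-downloader"}}
INTERNAL_SIGHTINGS = {"203.0.113.55": {"first_seen": "2018-06-01", "hosts": 3}}
ASSET_INVENTORY = {"10.20.30.40": {"owner": "finance", "criticality": "high", "missing_critical_patches": 2}}

SEVERITY_BASE = {"low": 10, "medium": 30, "high": 50, "critical": 70}
CRITICALITY_BONUS = {"low": 0, "medium": 10, "high": 20}


@dataclass
class Enriched:
    alert: dict
    findings: list = field(default_factory=list)   # (source, detail) pairs
    score: int = 0

    @property
    def priority(self) -> str:
        # Arbitrary thresholds chosen for this example.
        for threshold, label in ((100, "P1"), (60, "P2"), (30, "P3")):
            if self.score >= threshold:
                return label
        return "P4"


def enrich(alert: dict) -> Enriched:
    """Look every indicator in the alert up in each source and accumulate a score."""
    e = Enriched(alert=alert, score=SEVERITY_BASE.get(alert.get("severity"), 0))
    dst, src, sha = alert.get("dst_ip"), alert.get("src_ip"), alert.get("sha256")

    if dst in SUBSCRIPTION_FEED:                      # external intelligence
        hit = SUBSCRIPTION_FEED[dst]
        e.findings.append(("subscription_feed",
                           f"{dst} tagged {','.join(hit['tags'])}, confidence {hit['confidence']}"))
        e.score += hit["confidence"] // 2
    if dst in INTERNAL_SIGHTINGS:                     # historical trending
        s = INTERNAL_SIGHTINGS[dst]
        e.findings.append(("internal_history",
                           f"{dst} seen from {s['hosts']} internal hosts since {s['first_seen']}"))
        e.score += 10 * s["hosts"]
    if sha in SANDBOX_VERDICTS and SANDBOX_VERDICTS[sha]["verdict"] == "malicious":
        e.findings.append(("sandbox", f"sample classified as {SANDBOX_VERDICTS[sha]['family']}"))
        e.score += 40
    if src in ASSET_INVENTORY:                        # what is exposed, and how badly
        a = ASSET_INVENTORY[src]
        e.findings.append(("asset_inventory",
                           f"{src} owned by {a['owner']}, criticality {a['criticality']}, "
                           f"{a['missing_critical_patches']} critical patches missing"))
        e.score += CRITICALITY_BONUS.get(a["criticality"], 0) + 5 * a["missing_critical_patches"]
    return e


def triage(alerts: list) -> list:
    """Enrich a batch and return it ordered by enriched score, highest first."""
    return sorted((enrich(a) for a in alerts), key=lambda e: e.score, reverse=True)


def build_ticket(e: Enriched) -> dict:
    """Structured ticket body so nothing found during enrichment is lost."""
    a = e.alert
    asset = ASSET_INVENTORY.get(a.get("src_ip"), {})
    return {
        "title": f"[{e.priority}] {a['rule']} ({a['id']})",
        "priority": e.priority,
        "score": e.score,
        "indicators": {k: a[k] for k in ("src_ip", "dst_ip", "sha256") if k in a},
        "enrichment": [f"{source}: {detail}" for source, detail in e.findings],
        "patch_followup": asset.get("missing_critical_patches", 0) > 0,
    }


if __name__ == "__main__":
    for item in triage([BENIGN_ALERT, SAMPLE_ALERT]):
        print(json.dumps(build_ticket(item), indent=2))
```

Running it prints the "low" outbound-connection alert first as a P1 with four enrichment findings and a patch follow-up flag, and the "medium" failed-login alert second as a P3 with none. In production the weights would be tuned against historical outcomes, and the `patch_followup` flag is where the vulnerability data from the paragraph above would drive a patching or ruleset task.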
In summary, combining automation with the integration and orchestration of security tools can help security teams address operational problems such as the staff shortages that trouble almost every industry today, while increasing their overall effectiveness. From assembly lines to lines of code, automation has been and continues to be invaluable in driving efficiency. As attackers become more sophisticated, automation combined with the fusion of information and intelligence from seamlessly integrated tools can help overcome some of the biggest security operations challenges organizations face today.