Security Automation as a Force Multiplier in Cyber Incident Response


Post-breach discussions regularly revolve around the shortage of skilled security experts, particularly within the incident response process, and the capacity to handle the increasing volume of alerts that security teams face on a daily basis. This shortage means that existing analysts are already overworked and experience what is known as “alert fatigue”, resulting from the estimated 52% false positive rate of all alerts received.

Today, to be most effective and to respond in the fastest possible time frame to every security alert (before it turns into a security incident such as a data breach), a Security Operations Center (SOC) and/or Computer Security Incident Response Team (CSIRT) toolbox has to be equipped with an automated alert response capability, with integrated, trackable workflows designed to meet industry standards, regulations and best practices.

This chronic shortage of skilled labor, along with the necessary processes of automation and orchestration, cannot easily be solved with traditional Security Incident Response Platforms (SIRP) or Security Automation and Orchestration (SAO) tools alone. The right answer is a mix of these technologies that builds a comprehensive Security Orchestration, Automation and Response (SOAR) solution addressing many aspects, including automation, knowledge transfer and intelligently orchestrated workflows, in a way that also meets a number of current security program challenges.

What is Alert Fatigue?

Alert fatigue occurs when an analyst or alert monitor is presented with so many security alerts that they become desensitized to the data received, simply because of the sheer volume.

Although the phrase originated in the medical field (as alarm fatigue), alarm or alert fatigue quickly became a common term in cybersecurity, particularly to describe a situation where a SOC specialist handles thousands of alerts daily while finding it difficult to prioritize them. As the number of security alerts leading to cyber incidents continues to rise, the volume of incoming alerts is quickly outpacing the ability of experts to respond effectively with their current manual processes. The result is that many alerts are disregarded simply because of the volume. Now, let’s look at how this can be fixed.

Reducing the Noise

In order to maintain the highest level of efficiency within your SOC/CSIRT team, there are certain proactive steps that need to be taken. Let’s take a look at the four steps that will set the stage for a longer term solution.

1. Rotate Responsibilities Regularly

Mixing things up from time to time can prove invaluable for your security teams. A few simple changes to routine can have a tremendous effect. Typical examples are rotating monitoring stations or, in an MSSP environment, rotating the clients being serviced. After staring at the same type of alerts for months, a shift to a new set of alerts can be the key to finding the nugget, by putting a fresh set of eyes on the screen.

2. Give Analysts Access to Resources They Need, When They Need Them

Provide access to all the written resources your analysts need. This might sound simple, but if you ask analysts whether they have written resources readily available to educate themselves on how to respond to verified incidents, the answer is typically no. An available knowledge base with standard operating procedures or best-practice articles for the type of incident will not only help them with uncertainties, but can also feed into any reporting process.

3. Examine Those Alerts That Make Up Your Highest Levels of False Alarms

Examine those alerts that make up your highest instance of false positives and configure your parsing engines to account for them. In IncMan SOAR from DFLabs, we can utilize wizard-like information parsing rules to target exactly the alert information we want to receive, without knowing how to write a line of code. Being able to narrow an alert rule that is too broad will greatly reduce the number of alerts that have to be reviewed daily, whether they come from your SIEM, syslog or another feed. More precise targeting of relevant alerts reduces not only alert fatigue for your analysts, but also the dwell time of malicious activity in your network, as it is identified and remediated more quickly.

4. Provide Analysts With Orchestration and Automation Capabilities

Your analysts should be equipped for incident workflow orchestration and response automation. It’s common knowledge that one of the core elements of a winning strategy starts with a Playbook. As your team works through the stages of the incident response lifecycle, it’s critical for them to have access to guidance and workflow processes based on international standards, corporate policy and investigative best practices. Consistent actions based upon policies and best practices give analysts the edge and provide management with confidence.
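Step 3 above asks which rules generate the most false positives before anyone touches a parsing rule. The following script is an added example (not code from the original post or from IncMan SOAR) that ranks rules by false-positive burden from closed-alert triage records and estimates the overall false-positive rate once the noisiest rules are narrowed. The alert records, rule names and feed names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed triage records (not from the post): (rule, feed, analyst verdict)
SAMPLE_ALERTS = (
    [("Brute force login", "siem", "false_positive")] * 3
    + [("Brute force login", "siem", "true_positive")]
    + [("Port scan", "syslog", "false_positive")] * 5
    + [("Port scan", "syslog", "true_positive")]
    + [("Malware beacon", "edr", "true_positive")] * 2
    + [("Data exfil volume", "firewall", "true_positive"),
       ("Data exfil volume", "firewall", "false_positive")]
)

@dataclass
class RuleStats:
    rule: str
    total: int
    false_positives: int

    @property
    def fp_rate(self) -> float:
        return self.false_positives / self.total

def rule_stats(alerts):
    """Per-rule alert volume and false-positive count from closed alerts."""
    counts = defaultdict(lambda: [0, 0])  # rule -> [total, false positives]
    for rule, _feed, verdict in alerts:
        counts[rule][0] += 1
        counts[rule][1] += int(verdict == "false_positive")
    return [RuleStats(r, t, fp) for r, (t, fp) in counts.items()]

def tuning_candidates(alerts, min_rate=0.5, min_total=3):
    """Rules whose FP rate exceeds min_rate, with enough volume to trust the
    figure, noisiest first: these are the parsing rules worth narrowing."""
    noisy = [s for s in rule_stats(alerts)
             if s.total >= min_total and s.fp_rate > min_rate]
    return sorted(noisy, key=lambda s: s.false_positives, reverse=True)

def fp_rate_after_tuning(alerts, tuned_rules):
    """Overall FP rate if the named rules stopped firing on false positives (idealised)."""
    kept = [(r, f, v) for r, f, v in alerts
            if not (r in tuned_rules and v == "false_positive")]
    return sum(v == "false_positive" for _, _, v in kept) / len(kept)

if __name__ == "__main__":
    noisy = tuning_candidates(SAMPLE_ALERTS)
    for s in noisy:
        print(f"tune {s.rule}: {s.false_positives}/{s.total} false positives")
    print(f"FP rate after tuning: {fp_rate_after_tuning(SAMPLE_ALERTS, {s.rule for s in noisy}):.0%}")
```

The min_total guard keeps a rule that fired twice and was wrong once from outranking a rule that fired a hundred times; the after-tuning figure is an upper bound, since real tuning also risks dropping true positives.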

What’s Next?

Reducing alert fatigue among your staff and giving your analysts the tools they need to weed through the plethora of incoming alerts is a real challenge. But it no longer applies once you implement a Security Orchestration, Automation and Response (SOAR) solution like IncMan SOAR from DFLabs, which is designed to work “out of the box” with your existing network security infrastructure.

What Does IncMan SOAR Do?

IncMan SOAR provides modern security operations centers with the most powerful aspects of both SIRP and SAO solutions by facilitating the necessary mixture of automated, semi-automated and manual task workflows to consistently and successfully resolve actual incidents through the use of the provided Playbooks. These Playbooks can be used immediately or easily modified by the end user, ensuring that your team always has the most accurate, up-to-date information possible when working an incident. To learn more about the difference between SAO and SOAR, read our previous blog post on the topic.

DFLabs’ IncMan SOAR provides the necessary efficiency of a full function SIRP, while at the same time leveraging the automation and workflow capabilities of a SOAR solution. It easily integrates with an existing security infrastructure and provides the team the capability to address alerts faster, thus reducing fatigue and malicious activity dwell time on the network. Some of the many diverse capabilities include:

• Execute Playbook instructions for automated or semi-automated tasks to contain the incident immediately. An effective Playbook must allow the responder to quickly triage incoming alerts based on a combination of data enrichment and threat intelligence resources, and must permit your analysts to automate, or semi-automate, appropriate responses quickly during each phase of the incident response lifecycle.

• Identify the network port where a suspicious device is located and disable the port.

• If an account compromise is suspected, halt a user’s account access, regardless of the access device.

• In the case of malware, the platform can gather forensic data from the infected endpoint through a variety of SIEM resources including Carbon Black, IBM QRadar, Splunk and dozens more.

• If data exfiltration is occurring, the incident response team can kill the connection by updating the access control list used by your existing firewall.

• If the team detects unknown or blacklisted processes on critical devices, the process can be prevented from communicating with other devices on the network.

In Conclusion

If you’re ready to make things easier for your analysts and give your stakeholders the confidence that comes with the strategic decision to use a leader in the Security Orchestration, Automation and Response industry, request a demo and see how IncMan SOAR can address your pain points and truly become a force multiplier for your Security Operations and Incident Response activities. Also, download our latest whitepaper with the same title, "Automation as a Force Multiplier in Cyber Incident Response", for an in-depth analysis.
