When is Security Automation and Orchestration a Must-Have Technology? – Addressing Gartner’s SOAR Question

Last week, Anton Chuvakin from Gartner announced that he and Augusto Barros are planning to conduct research in Q4 2017 on the topic of Security Orchestration, Automation and Response (SOAR), or Security Automation and Orchestration, depending on which analyst firm’s market designation you follow. At DFLabs we are very excited that Gartner is finally showing our market space some love and will be helping end users to better assess and differentiate SAO offerings.

Anton provided many questions that he wanted SAO vendors to prepare for. The questions immediately piqued our interest, with one question, in particular, standing out to us.

1. When is SOAR a MUST have technology? What has to be true about the organization to truly require SOAR? Why did your best customer acquire the tools?

Anton also said that he had one main problem with Security Automation and Orchestration. In his own words, “For now, my main problem with SOAR (however you call those security orchestration and automation tools…if you say SOAPA or SAO we won’t hate you much) is that I have never (NEVER!) met anybody who thought “my SOAR is a MUST HAVE.””

The question is not entirely unwarranted. During my own time at Gartner covering the SOAR space, I spoke to many clients who were seeking an SAO solution without knowing that they were. Typical comments were, “I have too many alerts and false positives to be able to deal with them all”, or “We are struggling to hire enough skilled people to be able to respond to all of the incidents that we have to manage”. Another common comment was, “I am struggling to report operational performance to my executives”. Often, these comments were followed by the question, “Do you know of any technology that can help?”.

Typically, these organizations had a mature security monitoring program, usually built around a SIEM. They often had critical drivers, such as regulatory requirements, or held sensitive customer data. We hear the same buying drivers from our own customer base.

To sum up the most common drivers for someone asking about Security Automation and Orchestration:

  1.  A high volume of alerts and incidents and the challenge in managing them
  2.  A large portfolio of diverse third-party security detection products resulting in a large volume of alerts
  3.  Regulatory mandates for incident response and breach notification
  4.  An overstretched security operations team
  5.  Reporting risk and the operational performance of the CSIRT and SOC to an executive audience

One interesting thing is that when there is no external driver like regulatory compliance, deploying a Security Automation and Orchestration solution is often determined by maturity. Most organizations don’t realize that they will be unable to cope with the volume of alerts and the resulting alert fatigue until they have deployed a SIEM and a full advanced threat detection architecture.

The common misconception is that the SIEM can help to reduce the number of incoming alerts by applying correlation rules. This is not entirely untrue, but correlation rules will only reduce a small percentage. They are essentially signature-based: you need to know in advance what you want to correlate, and adding a correlation rule to cover each and every incoming alert is not a trivial task. Even with correlation rules, additional work will be required to qualify an incident. Gathering additional IoCs, incident observables and context is still a very manual process. Lastly, detection is only one part of the entire incident response process – notifying stakeholders, gathering forensic evidence and threat containment will also have to be done manually. These are the areas where SAO solutions provide the greatest ROI – as a force multiplier.

Slaying the Hydra – Incident Response and Advanced Targeted Attacks

In incident response, protecting against a targeted attack is like slaying the hydra. For those not familiar with what a hydra is, it is a multi-headed serpent from Greek mythology that grows two new heads for every head you chop off. A determined attacker will try again and again until they succeed, targeting different attack vectors and using a variety of tactics, techniques, and procedures.

The Snowden and Shadowbroker leaks really drove this home, giving partial insight into the toolkit of nation state actors. What really stuck out to me was the sheer variety of utilities, frameworks, and techniques to infiltrate and gain persistence in a target. Without the leak, would it be possible to reliably determine that all of those hacking tools belonged to a single entity? Would a large organization with thousands of alerts and hundreds of incidents every day be able to identify that these different attacks belonged to a single, concerted effort to breach their defenses, or would they come to the conclusion that these were all separate, unrelated attempts?

Our colleagues in the Threat Intelligence and Forensic analysis industries have a much better chance to correlate these tools and their footprint in the wild – they may discover that some of these tools share a command and control infrastructure for example. A few did have at least an outline of the threat actor, but judging by the spate of advisories and reports that were released after the leaks, not very many actually appear to have achieved this to a great degree. The majority were only able to piece the puzzle together once equipped with a concise list of Indicators of Compromise (IoC) and TTP’s to begin hunting with.


Some readers may now be thinking, “How does this affect me? We are not important enough to attract the attention of a nation state actor”. I would urge caution in placing too much faith in that belief.

On the one hand, for businesses in some countries the risk of economic espionage by nation state hacking has decreased. As I wrote on Securityweek in July, China has signed agreements with the USA, Canada, Australia, Germany and the UK limiting hacking for the purpose of stealing trade secrets and economic espionage. However, this does not affect hacking for national security purposes, and it will have little impact on privately conducted hacking. These are also bilateral agreements, and none exist with other nations, for example, Russia or North Korea. For militarily and economically weaker nation states, offensive cyber security is a cheap, asymmetric method of gaining a competitive or strategic advantage. As we have seen, offensive cyber activity can target civilian entities for political rather than economic reasons, and hackers are increasingly targeting the weakest link in the supply chain. This means that the probability of being targeted is today based more on your customer, partner, and supply chain network, and not just on what your organization does in detail. Security through obscurity has never been a true replacement for actual security, but it has lost its effectiveness as targeted attacks have moved beyond only focusing on the most prominent and obvious victims. It has become much easier to suffer from collateral damage.


On the other hand, cyber criminals are becoming more organized and professional, with individual threat actors selling their services to a wide customer base. A single small group of hackers like LulzSec may have a limited toolbox and selection of TTPs, but professional cybercrime groups have access to numerous hackers, supporting services and purpose-built solutions. If they are targeting an organization directly and are persistent rather than opportunistic, it will be just as difficult to discern that a single concerted attack by one determined threat actor is taking place.

What this means in practical reality for any organization that may become the target of a sophisticated threat actor, is that you have to be on constant alert. Identifying, responding to and containing a threat is not a process to be stepped through with a final resolution step – instead, cyber security incident response is an ongoing, continuous and cyclical process. Advanced and persistent attacks unfold in stages and waves, and like a war consist of a series of skirmishes and battles that continue until one side loses the will to carry on the conflict or succeeds in their objectives. Like trying to slay the hydra, each incident that you resolve means that the attacker will change their approach and that the next attempt may be more difficult to spot. Two new heads have grown instead of one.


To tackle this requires that we cultivate a perpetual state of alertness in our SOC and CSIRT – but we must do this without creating a perpetual state of alarm. The former means that your team of analysts is always aware and alert, looking at individual incidents as potentially just one hostile act of many that together could constitute a concerted effort to exfiltrate your most valuable data, disrupt your operational capacity, or abuse your organization to do this to your partners or customers. In the latter case, your analysts will suffer from alert fatigue, a lack of true visibility of threats, and a lack of energy and time to be able to see the bigger picture. The hydra will have too many heads to defeat.

In the Greek legend of Heracles, the titular hero eventually defeats the Hydra by cauterizing each decapitated stump with fire to prevent any new heads from forming. Treating an incident in isolation is the Security Incident Response equivalent of chopping off the head of the hydra without burning the stump. Applied to our problem, burning the stump means that we have to conduct the response to each incident thoroughly and effectively, and continue the process well beyond containment.

We must invest more time in hunting and investigating, and we have to correlate and analyze the relationship between disparate incidents. We must use threat intelligence more strategically to derive situational awareness, and not just tactically as a machine-readable list of IoCs. This also requires gathering sufficient forensic evidence and context data about an incident and related assets and entities during the incident response process, so that we can conduct post-event analysis and continuous threat assessment after containment and mitigation have been carried out. This way we can better anticipate the level of threat that we are exposed to, and make more informed decisions about where to focus our resources, add mitigating controls and improve our defenses. In Incident Response “burning the stump” means making it more difficult for threat actors to succeed in the future by presenting them with a hardened attack surface, reducing their dwell time in our infrastructure, and reducing the time we need to discover and contain them. To do this we need to learn from every incident we manage.
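The two points above (a correlation rule only matches what you already know to look for, and disparate incidents have to be linked after the fact by the observables they share) can be shown with a small worked example. This is added illustration, not DFLabs code: the alerts, hosts, detection products and indicator values are constructed, and the severity rule is a constructed stand-in for an organization's own SOP.

```python
"""Linking disparate alerts into one campaign through shared observables.

Added example, not DFLabs code. The alerts, hosts, products and
indicator values below are constructed; the severity rule is a
constructed stand-in for an organisation's own SOP.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Alert:
    alert_id: str
    source: str            # detection product that raised it
    host: str              # internal asset involved
    observables: Set[str]  # IoCs as "type:value" strings


# Constructed alerts from five different detection products. Taken one
# at a time, each looks like a separate, low-priority event.
SAMPLE_ALERTS = [
    Alert("A1", "email-gw", "wks-017", {"sha256:aaa111", "user:jdoe"}),
    Alert("A2", "edr",      "wks-017", {"sha256:aaa111", "ip:203.0.113.7"}),
    Alert("A3", "proxy",    "srv-db1", {"ip:203.0.113.7"}),
    Alert("A4", "ids",      "wks-042", {"ip:198.51.100.9"}),  # unrelated
    Alert("A5", "vpn",      "vpn-gw",  {"user:jdoe"}),
]


def _find(parent: Dict[str, str], x: str) -> str:
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent: Dict[str, str], a: str, b: str) -> None:
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def link_alerts(alerts: List[Alert]) -> List[List[str]]:
    """Group alert ids that transitively share at least one observable.

    A1 and A2 share a hash, A2 and A3 share an IP, A1 and A5 share an
    account, so A1, A2, A3 and A5 end up in one group even though no
    single correlation rule would have matched all of them.
    """
    parent = {a.alert_id: a.alert_id for a in alerts}
    first_seen: Dict[str, str] = {}  # observable -> first alert carrying it
    for alert in alerts:
        for obs in sorted(alert.observables):
            if obs in first_seen:
                _union(parent, first_seen[obs], alert.alert_id)
            else:
                first_seen[obs] = alert.alert_id
    groups: Dict[str, List[str]] = defaultdict(list)
    for alert in alerts:
        groups[_find(parent, alert.alert_id)].append(alert.alert_id)
    # Largest (most concerted) groups first.
    return sorted(groups.values(), key=lambda g: (-len(g), g))


def severity_for(members: List[Alert]) -> str:
    """Constructed SOP-style rule: breadth across assets and products."""
    hosts = {a.host for a in members}
    sources = {a.source for a in members}
    if len(hosts) >= 3 or any(h.startswith("srv-") for h in hosts):
        return "critical"
    if len(hosts) == 2 or len(sources) >= 2:
        return "high"
    return "medium"


def summarize_campaign(alerts: List[Alert], group_ids: List[str]) -> Dict:
    """Build the post-containment picture for one linked group.

    The 'pivots' are observables seen in two or more alerts: these are
    what to hunt with afterwards, i.e. the stump to burn.
    """
    by_id = {a.alert_id: a for a in alerts}
    members = [by_id[i] for i in group_ids]
    counts = Counter(o for a in members for o in a.observables)
    return {
        "alerts": list(group_ids),
        "hosts": sorted({a.host for a in members}),
        "sources": sorted({a.source for a in members}),
        "pivots": sorted(o for o, n in counts.items() if n >= 2),
        "severity": severity_for(members),
    }


def campaigns(alerts: List[Alert]) -> List[Dict]:
    return [summarize_campaign(alerts, g) for g in link_alerts(alerts)]


if __name__ == "__main__":
    for c in campaigns(SAMPLE_ALERTS):
        print(c)
```

Run on the constructed alerts, four of the five "separate" events collapse into one campaign touching three assets, and the linking observables are the list to hunt with after containment.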


A Weekend in Incident Response #34: Proper Cyber Incident Response Plan in Critical Infrastructure Sectors Can Help Preserve Public Safety and International Peace

Cyber criminals do not discriminate against anyone when it comes to their targets of choice. They go after whatever organization they consider to have a potential to yield substantial financial benefits, without taking into account that some of their exploits might even lead to international conflict or an environmental catastrophe of unimaginable scale.

Cyber attacks on critical infrastructure have become commonplace lately, threatening public health and safety, and deteriorating relations between countries. Bearing in mind how sophisticated and advanced these cyber threats are, it is no wonder that it is extremely difficult to detect and prevent all of them, so a proper cyber incident response plan that would help contain the damage and recover from an attack becomes a necessity.

Incident Response Solutions for Critical Infrastructure Sectors

Critical infrastructure is comprised of organizations from various sectors, including health care, energy, telecommunications, financial services, government, and transportation, among others. All businesses and institutions that are part of one of these sectors are potential targets for cyber criminals.

To improve their ability to mitigate cyber security threats more effectively, these organizations are advised to create a workflow-based incident response plan relying on an automation and orchestration platform.

Benefits of a Workflow-Based Security Incident Response Plan

By utilizing an incident response platform that allows an orchestrated approach while automating certain routine and time-consuming tasks, organizations can greatly reduce reaction times of their cyber security teams, and start the recovery process as soon as possible.

A workflow-based platform that incorporates a set of actions tailored to specific types of cyber attacks allows security teams to go through all stages of an incident response quickly and effectively, by providing them with concrete steps that need to be taken based on the type and scope of an attack. Furthermore, based on the attack type, knowledge sharing articles can be associated with the incident for faster and more efficient resolution.

In addition to workflows, automation-and-orchestration incident response platforms can easily integrate with intelligence sharing platforms, allowing organizations to send and receive essential cyber security event information, improving their ability to prevent future attacks.

Cyber attacks on critical infrastructure are probably going to become even more common, so investing in an incident response platform with automation and orchestration capabilities would be of great help to organizations looking to enhance their cyber defenses moving forward. By doing that, they would also be contributing to efforts for preserving international peace and public safety.

Security Event Automation and Orchestration in the Age of Ransomware

We have recently experienced a devastating wave of ransomware attacks such as WannaCry, or ‘WannaCrypt’, which spread to more than 200 countries across the globe. While Russia was hit hard, Spain and the United Kingdom saw significant damage to their National Health Services. Hospitals were forced to unplug their computers to stop the malware from spreading even further. This is just one of the security threats posed by special malware that encrypts computer files, network file shares, and even databases, thereby preventing user access (Green 18-19). It happens in spite of heavy investments in a wide array of security automation and orchestration solutions and the staff required to triage, investigate and resolve threats.

The primary problem is that organizations seem to be losing the battle against cyber attackers (Radichel, 2). Security administrators are overburdened and compelled to manually perform time-consuming and repetitive tasks to identify, track, and resolve security concerns across various security platforms. Notwithstanding the time and effort, it is difficult to analyze and adequately prioritize the security events and alerts necessary to protect their networks. Moreover, inadequate visibility into the present activities of the security teams, their metrics and their performance leaves security managers struggling to justify additional resources. It has long been accepted that organizational efficiency depends heavily on the ability of the security system to reduce false positives so that analysts can focus on the critical events along with indicators of compromise.

Security event automation and orchestration ensures that an organization detects a compromise in real time. A rapid incident response ensures quick containment of the threat. Through the automation of common investigation, enrichment and response actions, as well as the use of a centralized workflow for performing incident response, it is possible to minimize response times and thus make the organization more secure. Security event automation and orchestration expedites workflows across the various phases of the threat life-cycle. However, for the security team to deploy security automation and orchestration of event-driven security, there must be access to data concerning events occurring in the environment that warrant a response. To effectively employ event-driven security, automation should be embedded into processes that could introduce new threats to the environment (Goutam, Kamal and Ingle, 431). The approach requires that there be a way to audit the environment securely and trigger events based on data patterns that indicate a security threat or intrusion. Of particular importance, continuous fine tuning of processes is required to make certain that the event automation and orchestration being deployed is not merely automating the process, but providing long-term value in the form of machine learning and automated application of incident response workflows that have previously resolved incidents successfully.

At a time of increased cybersecurity threats, a structured approach can expedite the entire response management process from event notification to remediation and closure through automated orchestration and workflow. An automatic gathering of key information, the building of decision cases and the execution of critical actions to prevent and/or remediate cyber threats based on logical incident response processes are enabled. With security orchestration and event automation, various benefits are realized such as cost effectiveness, mitigation of security incidents and improved speed and effectiveness of the response. Hence, security event automation and orchestration is the real deal in containing security threats before real damage takes place.

A Weekend in Incident Response #32: SOP – Standard Operating Procedures as Big Piece of the Cyber Incident Response Puzzle

Preparing for cybersecurity incidents and responding to them can be a significant burden for any organization. On a daily basis, most security teams will commonly deal with numerous cybersecurity events, many of which will trigger some number of resource-taxing and time-consuming tasks such as gathering and vetting information, analyzing data, and generating incident reports.

It is for this reason that every tool, every solution, and every procedure that can help ease that burden is often more than welcome. Implementing Standard Operating Procedures (SOP) is one of the essential steps towards ensuring a more streamlined and effective incident response process, one that allows security professionals to focus on the more substantial and high-value activities, such as in-depth investigations and implementing improvements in the overall incident response program.

Coordinating Incident Response

Standard operating procedures are aimed at helping CSIRTs to follow the most effective possible workflow when dealing with cyber security events. A typical SOP should contain a list of specific actions that security professionals need to take whenever their organization faces a particular cyber incident. It ensures that all employees within an organization know their responsibility and what actions they need to take in the event of a cyber attack. For instance, an SOP might note at what point in the incident the CSIRT member is responsible for reporting data breaches to the Information Security Officer and where to submit incident reports in the aftermath of a breach. Further, the SOP might also state how to assign an incident severity level and where to distribute a list of recommendations or specific instructions on how to address a particular threat.

Another important aspect of a SOP is that it should ensure that all workflows and actions taken during incident response are in compliance with regulations that the organization is required by law to adhere to.

Orchestrate and Automate the Process

For SOPs to be worthwhile and effective, an organization’s cyber security teams and resources must adhere to them and realize benefits from doing so. Some of the actions recommended or required by a SOP in a given situation may take up a large portion of the time and effort of a security team, so adopting a solution that can orchestrate and automate some of those tasks can go a long way towards realizing those benefits by saving time and cutting costs.

Security automation and orchestration platforms can programmatically handle some of those time-consuming manual tasks, such as generating and sending reports, thereby helping to drastically reduce reaction times. They can also help quickly determine the severity of an incident and the impact it has on an organization, freeing security resources to focus on the containment, eradication and recovery activities the SOP requires.

In summation, security automation and orchestration platforms are a crucial tool for ensuring a proper implementation of standard operating procedures as a key piece of the cyber incident response puzzle.

A Weekend in Incident Response #31: How Can You Help Your Cybersecurity Team Handle Increasing Volume of Cyber Attacks?

In the context of cyber security, two of the most pressing concerns facing many organizations are the ever-rising number of cyber attacks and figuring out how to keep them at bay without having to increase manpower. Cyber attacks are now more sophisticated and noticeably more common than they were even just a few years ago. Faced with this increased volume, private entities and government agencies are struggling to figure out how to help their security teams respond to cyber events in an effective and timely manner, while finding that most potential solutions require either substantial financial expense, or rely on the addition of specialized human resources.

Hiring skilled staff is a real challenge for most organizations amid an acute and global cyber security skills shortage. Unmet demand has led professionals in this field to command disproportionately high salaries and made it that much more difficult for businesses and governments to attract cyber security talent. Consequently, organizations are now also forced to seek out technical solutions that might actually help decrease their reliance on specialized and expensive human resources. This is where cyber security incident response platforms come in as arguably the most convenient, practical and cost-effective solution to the growing cyber security threat issue and specialized resource shortage.

Ease the Strain on Security Teams by Automating Time Consuming Incident Response Tasks

A security automation and orchestration platform is the economical solution to enable an organization to respond to cyber threats and eradicate them in the most effective and fastest way possible. It is also the best way to ease the strain on security teams which, in many organizations, are already overwhelmed with an uninterrupted incident response workload.

Analyzing and assessing the legitimacy, impact and scope of a cyber incident are some of the most time-consuming tasks undertaken by cyber security professionals today. It is exactly within those tasks that an orchestration and automation platform can be of most service. From an incident identification and analysis perspective, these platforms are force multipliers which greatly accelerate the incident triage process. They provide an organization with the ability to analyze the cause and effect of each incident and to assess the scope and impact to an organization from any number of incidents at any given time. From a response perspective, and beyond their ability to automate response activity on existing security infrastructure, they can generate automated incident reports for distribution to in-house security teams, providing response and recovery resources with key insights into the scope and severity of an incident, thereby often dramatically reducing reaction times.

In short, the dual challenge of addressing a growing number of cyber attacks while maintaining an ability to mount an effective response within an existing cyber security team, is best tackled by employing an automation and orchestration platform. Deploying this tool as a force multiplier for both existing security infrastructure and human resources, allows security teams to offload the most intensive tasks and frees these professionals to focus on the more high-value areas of a cyber security threat response.

A Weekend in Incident Response #30: New Cybersecurity Center Promises to Help U.S. Healthcare Sector Improve Their Cyber Resilience

In light of the increased frequency of cyber attacks against health care institutions in the United States and around the globe, the recent announcement from the U.S. Department of Health and Human Services (HHS) regarding the launch of a dedicated cybersecurity center gives hope to security practitioners in this sector that they will soon be able to improve their cyber resilience against the escalating cyber threats.

The Health Cybersecurity and Communications Integration Center (HCCIC), scheduled to reach initial operating capability before the end of June, is modeled on the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center. Christopher Wlaschin, the CISO at the U.S. HHS, identified the key goals of the HCCIC as trying to “reduce the noise about cyber threats in the health care industry” and to “improve the ability of health care institutions to protect against cyber attacks.”

Mobile Health Applications and Growing Ransomware Attacks Raise Concerns

The impetus for this center is twofold: first, the exploding rate of ransomware attacks on health care organizations in recent years, and second, the increased exposure to cyber attacks brought about by the growing adoption of mobile health applications. Together these developments have pushed the government to take more decisive action to help the health care sector build more effective cyber resilience systems.

Information Sharing and Best Practices

Information collaboration and analysis of cyber threat intelligence will be at the forefront of the activities undertaken by the new center. Sharing cyber threat intelligence within an industry sector and between private companies and authorities is a significant part of overall efforts for improving the preparedness of an organization to promptly and effectively respond to cyber incidents. However, this sharing of intelligence can often also create a torrent of noise, rendering it difficult for security practitioners to discern credible information on what actually constitutes a potential threat to the cyber security of their organization. Paradoxically, unfiltered intelligence sharing can actually prevent a faster and more effective response.

For this reason, organizations require a programmatic solution to help them share only the essential information related to cyber threats, past and current, and the cyber security events they have already faced. The prescribed solution is an automation and orchestration platform that has the built-in capability to integrate with threat intelligence sharing platforms such as STIX/TAXII or Splunk, to name a few. This customizable platform can enable organizations within the health care sector to: share operational intelligence related to cyber security events in a secure and efficient manner; eliminate the risk of sharing any confidential company or patient data; and cut out the noise from irrelevant information that so plagues intelligence sharing today.
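The three requirements just listed (share only what is useful, never leak internal or patient data, and drop the noise on the way in as well as on the way out) amount to a filtering policy that can be written down. The example below is added here and is not DFLabs code or the STIX/TAXII format itself; the incident record, indicator values, domain lists and confidence threshold are constructed placeholders.

```python
"""Filtering incident observables before sharing them, and filtering
what comes back from a sharing platform.

Added example, not DFLabs code and not the STIX/TAXII format itself:
the incident, indicator values, domain lists and confidence threshold
are all constructed placeholders.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed policy. Only external, machine-actionable indicator types
# ever leave the organisation; identities and patient data never do.
SHAREABLE_TYPES = {"ip", "domain", "sha256"}
ORG_DOMAINS = {"hospital.example"}                             # our own names
ALLOWLIST_DOMAINS = {"windowsupdate.com", "example-cdn.net"}  # known benign
MIN_CONFIDENCE = 60
# Explicit list rather than ipaddress.is_private, which also flags the
# documentation ranges used for the sample values below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

Observable = Dict[str, object]


def is_internal_ip(value: str) -> bool:
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return True  # unparsable: treat as not shareable
    return any(ip in net for net in INTERNAL_NETS)


def is_noise(obs: Observable) -> bool:
    """True for indicators that carry no useful signal for anyone else."""
    value = str(obs["value"]).lower()
    if obs["type"] == "ip" and is_internal_ip(value):
        return True
    if obs["type"] == "domain":
        for d in ORG_DOMAINS | ALLOWLIST_DOMAINS:
            if value == d or value.endswith("." + d):
                return True
    return int(obs.get("confidence", 0)) < MIN_CONFIDENCE


def to_shareable(incident: Dict) -> List[Observable]:
    """Reduce a local incident record to the deduplicated indicators that
    may be pushed to a sharing platform. Internal assets, accounts and
    patient identifiers are dropped regardless of confidence."""
    best: Dict[Tuple[str, str], Observable] = {}
    for obs in incident["observables"]:
        if obs["type"] not in SHAREABLE_TYPES or is_noise(obs):
            continue
        key = (obs["type"], str(obs["value"]).lower())
        if key not in best or obs["confidence"] > best[key]["confidence"]:
            best[key] = {"type": key[0], "value": key[1],
                         "confidence": obs["confidence"], "tlp": "amber"}
    return sorted(best.values(), key=lambda o: (o["type"], o["value"]))


def filter_inbound(feed: List[Observable]) -> List[Observable]:
    """Keep only indicators from a partner feed that are worth acting on."""
    return [o for o in feed if o["type"] in SHAREABLE_TYPES and not is_noise(o)]


# Constructed local incident: a mix of sharable IoCs, internal context,
# duplicates, benign infrastructure and a low-confidence guess.
SAMPLE_INCIDENT = {
    "id": "INC-0042",
    "observables": [
        {"type": "ip", "value": "203.0.113.7", "confidence": 90},
        {"type": "ip", "value": "10.20.30.40", "confidence": 95},       # internal
        {"type": "domain", "value": "Evil-Update.example.net", "confidence": 80},
        {"type": "domain", "value": "download.windowsupdate.com", "confidence": 70},
        {"type": "sha256", "value": "AAA111", "confidence": 85},        # placeholder hash
        {"type": "sha256", "value": "aaa111", "confidence": 60},        # duplicate
        {"type": "user", "value": "jdoe", "confidence": 100},           # never shared
        {"type": "patient_id", "value": "P-00931", "confidence": 100},  # never shared
        {"type": "ip", "value": "198.51.100.9", "confidence": 20},      # weak guess
    ],
}

# Constructed partner feed: one actionable entry, one benign, one bogus.
SAMPLE_FEED = [
    {"type": "ip", "value": "192.0.2.55", "confidence": 75},
    {"type": "domain", "value": "cdn.example-cdn.net", "confidence": 90},
    {"type": "ip", "value": "172.16.0.5", "confidence": 99},
]

if __name__ == "__main__":
    for o in to_shareable(SAMPLE_INCIDENT):
        print("share  ", o)
    for o in filter_inbound(SAMPLE_FEED):
        print("ingest ", o)
```

Of the nine observables on the constructed incident only three leave the organization, and of the three inbound entries only one reaches the analysts.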

In this new reality, where new and ever more sophisticated threats loom large on the horizon, health care organizations that choose to implement a cyber incident response platform with these built-in threat intelligence capabilities will do so knowing they have taken a big step forward to ensuring the protection of valuable business information, and confidential and sensitive patient data.

A Weekend in Incident Response #29: Doxing Incidents Emerging as an Increasingly Common Cyber Threat to Organizations

The WannaCry ransomware attack sent shockwaves through businesses and governments all around the globe by bringing day-to-day activities in hospitals, banks, telecommunication operators, and local and state agencies to a grinding halt. Undoubtedly, this attack put a big spotlight on ransomware, highlighting it as a powerful, dangerous, and potentially life-threatening attack methodology exploited by cyber criminals as a means for quickly making significant financial gain. Recently, however, another method has emerged as an increasingly common tool for cyber extortion, one that is expected to gain much more traction in the near future.

The emerging threat in question is doxing and involves attackers obtaining confidential, proprietary, sensitive, or private information via social media or hacking, and threatening to publicly share that information if ransom is not paid. There have been a few notable doxing events in recent years involving hacker attempts to extort large corporations, with Walt Disney Pictures emerging as the latest victim. In another high profile case involving cyber extortion, hackers are today threatening to release a stolen upcoming blockbuster film, in advance of its premiere, unless they receive a pirate-like ransom of bitcoins in return. With doxing becoming a go-to modus operandi for an increasing number of cyber criminals, organizations seeking to safeguard their proprietary information need to become more aware of the threat doxing represents and implement solutions to protect against these extortion attacks.

Improve the Ability to Identify Doxing Attacks Quickly

Beyond implementing layered preventative and detective security controls, efforts for defending against doxing attacks should include devising a proper cyber incident response plan, preferably one established within the framework of a cyber-security automation and orchestration platform. Through the adoption of such a platform, organizations would address the first and most important part of the process for tackling doxing threats – being prepared to quickly and effectively respond to the attack.

A cyber incident response platform provides organizations with automation and orchestration capabilities through integration with existing security infrastructure and structured response playbooks. This level of preparedness vastly improves their ability to detect, track, and recover from doxing attacks. By providing a consistent and repeatable response strategy, a better prepared organization can reduce or even completely avoid the potentially substantial and damaging impact of a successful extortion attempt.

This platform allows cyber-security teams to detect, predict, and track breaches in their organizations’ computer systems, and to respond quickly and inline by leveraging integrations with existing security infrastructure. The inline response reduces overall reaction times and allows for quick containment and eradication of the threat.

The platform dramatically accelerates the incident triage and response process to improve efficiency, and can even integrate with an organization’s forensic systems, allowing for fast and efficient gathering of digital evidence to help identify attackers and support subsequent law enforcement efforts.

By leveraging the full capabilities of a cyber-security automation and orchestration platform, organizations would be able to more quickly determine the scope and impact of extortion attacks, respond accordingly, and provide authorities with the information necessary to accelerate their investigation. Collectively, leveraging these capabilities would ensure an increased chance of resolving and recovering from the incident without succumbing to ransom demands.

Latest Ransomware Attack Highlights the Need for Advanced Security Automation and Orchestration Solutions

The latest ransomware attack that broke out last Friday (12 May 2017), affecting more than 200,000 computers across 150 countries by Sunday, once again highlighted the need for improved preparedness to respond to large-scale cyber incidents by implementing advanced security automation and orchestration solutions capable of containing the damage from such events. In this case, the attackers used an exploit for a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. The exploit, known as EternalBlue, was reportedly developed by the National Security Agency (NSA) and kept for its own use until it was published by the Shadow Brokers group in April 2017; Microsoft had already released a patch for the vulnerability in March 2017 (security bulletin MS17-010).

WannaCry, as the malware is called, encrypts the files on a vulnerable Windows host and demands a ransom for the decryption key. What sets it apart from typical ransomware is a worm component: an infected host scans for other machines exposing SMB on TCP port 445, on the local network and across the Internet, and infects them with no user interaction at all. Early reports attributed the initial infections to a malicious email attachment, but that delivery vector was never confirmed; the worm component alone accounts for the speed of the spread, which was more intense than any comparable attack in recent memory. The consensus among cyber security experts around the world is that the damage from this attack could have been kept to a minimum, and more serious consequences avoided, if organizations had applied the patch that had been available for two months, blocked SMB at the network perimeter, and had more effective cyber incident response plans and solutions in place.

Early Detection and Damage Containment via Automation and Orchestration

When affected by an attack such as WannaCry, after an organization’s computer system has been breached, the best thing the organization can do is keep the incident under control by preventing the infection from spreading. Various security solutions are designed to achieve this end, but an automation and orchestration platform is arguably the best suited for the task. When an infected computer is detected, the platform can isolate it in the early stages of the attack, blocking traffic to and from it (for WannaCry, SMB traffic on TCP port 445 above all), to contain the spread and keep the business impact to a minimum.

Recovery and Remediation

Once containment is achieved, the platform lets organizations remediate the incident quickly by guiding security staff through the entire process with pre-defined playbook actions, which are executed faster and more consistently than ad hoc work. The playbook actions can suggest the best remediation and recovery methods and how to enforce them in the most effective manner, for instance how to restore files from backup, apply the missing patch, and update the appropriate firewall rules before an isolated host is returned to the network.
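The two steps described above, detecting a host that behaves like a worm and pushing containment actions to the surrounding infrastructure, then gating the host's return to the network on completed recovery steps, can be shown end to end in a small playbook. The following is an added example, not DFLabs code and not a description of any vendor's playbook engine: the flow-log format, the thresholds, the sample flow lines and the integration names (`edr`, `firewall`, `ticketing`) are all assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Tuning knobs (assumptions for this example; set per environment).
SMB_PORT = 445
WINDOW_SECONDS = 10            # sliding window for fan-out counting
DISTINCT_TARGET_THRESHOLD = 8  # distinct SMB targets in one window -> worm-like

# Constructed flow log lines (not real data): host 10.0.5.17 fans out to twelve
# SMB targets within three seconds; 10.0.5.30 is a normal client of two file servers.
SAMPLE_FLOWS = "\n".join(
    [f"2017-05-12T10:01:0{i % 4} src=10.0.5.17 dst=10.0.5.{20 + i} dport=445 action=allow"
     for i in range(12)]
    + [
        "2017-05-12T10:01:00 src=10.0.5.30 dst=10.0.5.2 dport=445 action=allow",
        "2017-05-12T10:01:05 src=10.0.5.30 dst=10.0.5.3 dport=445 action=allow",
        "2017-05-12T10:01:06 src=10.0.5.30 dst=10.0.5.2 dport=445 action=allow",
        "2017-05-12T10:01:06 src=10.0.5.40 dst=10.0.5.5 dport=443 action=allow",
    ]
)

FLOW_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples, oldest first."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return sorted(flows)


def find_scanning_hosts(flows):
    """Return {src: peak distinct SMB targets} for hosts whose SMB fan-out inside
    WINDOW_SECONDS reaches DISTINCT_TARGET_THRESHOLD. A client talking to a couple
    of file servers never trips this; a worm probing a subnet does."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for ts, src, dst, dport in flows:
        if dport != SMB_PORT:
            continue
        window = recent[src]
        window.append((ts, dst))
        while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        distinct = len({d for _, d in window})
        if distinct >= DISTINCT_TARGET_THRESHOLD:
            flagged[src] = max(distinct, flagged.get(src, 0))
    return flagged


def containment_actions(host):
    """Ordered actions the playbook pushes to its integrations. The integration and
    action names are hypothetical placeholders for whatever EDR, firewall and
    ticketing APIs are actually wired into the platform."""
    return [
        {"integration": "edr", "action": "isolate_host", "host": host},
        {"integration": "firewall", "action": "add_rule", "rule": f"deny ip host {host} any"},
        {"integration": "firewall", "action": "add_rule", "rule": f"deny ip any host {host}"},
        {"integration": "ticketing", "action": "open_incident",
         "title": f"Worm-like SMB fan-out from {host}", "severity": "critical"},
    ]


def run_containment_playbook(log_text):
    """Detect, then contain: returns {host: actions} for every flagged host."""
    flagged = find_scanning_hosts(parse_flows(log_text))
    return {host: containment_actions(host) for host in flagged}


# Recovery checks that must all be recorded before isolation is lifted.
RELEASE_CHECKS = ("ms17_010_patched", "reimaged_or_cleaned", "files_restored", "rescan_clean")


def release_gate(evidence):
    """Return (allowed, missing_checks); a host stays isolated until nothing is missing."""
    missing = [check for check in RELEASE_CHECKS if not evidence.get(check)]
    return (not missing, missing)


if __name__ == "__main__":
    for host, actions in run_containment_playbook(SAMPLE_FLOWS).items():
        print(host, [a["action"] for a in actions])
    print(release_gate({"ms17_010_patched": True, "reimaged_or_cleaned": True}))
```

The detection key is fan-out to distinct targets rather than raw connection volume, which is what separates a scanning worm from a busy but legitimate SMB client; the release gate is the part most often skipped in practice, and it is where an unpatched host gets reinfected minutes after it is put back on the network.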

All of the above is only a fraction of the capabilities of a typical automation and orchestration platform, a security tool that has become critical for any organization seeking to avoid the immense cost and long-lasting consequences of cyber-attacks such as WannaCry.

Cyber-attacks such as this one are only expected to become more common and more sophisticated in the future, and for this reason WannaCry should serve as an example of why now is the time for organizations serious about cyber security to focus on improving preparedness and containment capabilities through investment in advanced security automation and orchestration.

A Weekend in Incident Response #28: How Could the NIST Small Business Cybersecurity Act Help Improve Cybersecurity for Small Companies?

A recently proposed bill promises to be of real help to small entities as they try to fend off the growing number of cyber threats they have faced in recent years. The NIST Small Business Cybersecurity Act of 2017 was recently approved by the US House Committee on Science, Space, and Technology, and will soon be headed to the Senate.

The main goal of the legislation is to instruct the National Institute of Standards and Technology (NIST) to allocate resources to “help small business concerns identify, assess, manage, and reduce their cyber security risks”. The bill addresses the key issues contributing to the increased cyber security risks faced by small businesses. Among other things, it directs NIST to “disseminate resources to promote awareness of basic controls and a workplace cyber security culture”, which are among the leading challenges for small businesses when it comes to tackling cyber threats.

Sharing Information

Sharing information is another important aspect of cyber security that is highly relevant to small businesses and is mentioned in the proposed bill as well. The NIST guidelines are designed to help small businesses get the information they need to improve their cyber defences and their resilience to attacks. In this regard, small businesses could use a security automation and orchestration platform with the ability to share cyber incident intelligence.

With a platform that has cyber threat intelligence sharing capabilities, small businesses can reduce their reaction time following a security event, which is of utmost importance for containing the damage and bringing systems back into operation as soon as possible. Exchanging information on current and past incidents, while ensuring that no confidential or sensitive data (internal host names and addresses, user identities, customer records) is shared in the process, is one of the key steps in the broader, ongoing process of preventing and defending against cyber attacks and keeping incidents under control.
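The condition in the paragraph above, sharing incident intelligence without leaking confidential data, is usually enforced by a sanitization step that runs before a record leaves the organization. The following is an added example, not DFLabs code and not any vendor's sharing feature: the internal address ranges, the domain suffix, the TLP handling rule, the HMAC key and the sample incident are all assumptions for illustration.

```python
import hmac
import ipaddress
import re

# What counts as internal or personal is an assumption here; map it to your own
# address plan, directory domain and data-handling policy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DOMAIN_SUFFIXES = (".corp.example",)
SHAREABLE_TLP = {"WHITE", "GREEN", "AMBER"}   # TLP:RED never leaves the organisation
EXTERNAL_IOC_TYPES = {"sha256", "md5", "domain", "ipv4"}
SHARING_KEY = b"replace-with-a-per-organisation-secret"  # assumption: keyed so peers cannot guess ticket ids

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w.-]+\.\w+\b")
HOST_RE = re.compile(r"\b[\w.-]+(?:" + "|".join(re.escape(s) for s in INTERNAL_DOMAIN_SUFFIXES) + r")\b")

# Constructed incident record (not real data).
SAMPLE_INCIDENT = {
    "id": "INC-2017-0042",
    "tlp": "AMBER",
    "summary": ("Ransomware on fin-ws-07.corp.example (10.0.5.17), reported by "
                "j.doe@corp.example; beacon to 198.51.100.23 via update-check.example.net"),
    "indicators": [
        {"type": "sha256", "value": "a" * 64},                   # sample hash: keep
        {"type": "ipv4", "value": "10.0.5.17"},                  # victim host, internal: drop
        {"type": "ipv4", "value": "198.51.100.23"},              # attacker infrastructure: keep
        {"type": "domain", "value": "fin-ws-07.corp.example"},   # internal hostname: drop
        {"type": "domain", "value": "update-check.example.net"}, # attacker domain: keep
        {"type": "email", "value": "j.doe@corp.example"},        # personal data: drop
    ],
}


def is_internal_ip(value):
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def is_internal_host(value):
    return value.lower().endswith(INTERNAL_DOMAIN_SUFFIXES)


def keep_indicator(ind):
    """Keep only indicators that describe the attacker, never the victim."""
    kind, value = ind["type"], ind["value"]
    if kind not in EXTERNAL_IOC_TYPES:
        return False                      # emails, usernames, internal ticket refs
    if kind == "ipv4":
        return not is_internal_ip(value)
    if kind == "domain":
        return not is_internal_host(value)
    return True                           # file hashes carry no victim data


def redact_text(text):
    """Scrub free text: mailboxes, internal hostnames and internal IPs are replaced,
    external IPs (the attacker's) are left intact so the record stays useful."""
    text = EMAIL_RE.sub("[REDACTED_EMAIL]", text)
    text = HOST_RE.sub("[REDACTED_HOST]", text)
    return IP_RE.sub(lambda m: "[REDACTED_INTERNAL_IP]" if is_internal_ip(m.group()) else m.group(), text)


def sanitize_for_sharing(incident):
    """Produce the record that may leave the organisation, or refuse outright."""
    tlp = incident.get("tlp", "RED").upper()
    if tlp not in SHAREABLE_TLP:
        raise ValueError(f"TLP:{tlp} incident must not be shared externally")
    kept = [i for i in incident["indicators"] if keep_indicator(i)]
    return {
        "tlp": tlp,
        # Opaque reference: a peer can ask follow-up questions without learning the ticket id.
        "ref": hmac.new(SHARING_KEY, incident["id"].encode(), "sha256").hexdigest()[:12],
        "summary": redact_text(incident["summary"]),
        "indicators": kept,
        "indicators_withheld": len(incident["indicators"]) - len(kept),
    }


if __name__ == "__main__":
    print(sanitize_for_sharing(SAMPLE_INCIDENT))
```

The design choice worth noting is the default: an indicator type the sanitizer does not recognise is withheld, and an incident without an explicit TLP marking is treated as RED. Both failure modes err toward sharing less, which is the right direction when the alternative is leaking a customer record or an internal host list to a sharing community.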

Identify Cybersecurity Risks

These platforms can also help small businesses identify cyber security risks and track, predict, and detect breaches, enabling a proactive approach to cyber security. That approach is the best way to prevent attacks at a time when cyber criminals keep inventing new methods and technologies to gain access to organizations’ computer systems.

While a NIST Cybersecurity Act aimed at improving their ability to protect against cyber attacks would certainly be of great help, small businesses should not rely solely on the prospect of such legislation being enacted in the future. To get the most out of the NIST framework, small entities should consider using an automation and orchestration platform as part of their ongoing efforts to improve cyber security today, with the ability to scale as the business grows.