CISOs I talk to tell me that when it comes to cost-cutting, cybersecurity automation is all about tightening the corners rather than cutting them, but that doesn’t mean automation can’t show you some real gains in your CSOC. In this article, we will take a closer look at the low-hanging-fruit automation use cases to illustrate how this can be the case.
Some CISOs out there are leveraging sophisticated cybersecurity automation, which includes well-thought-out playbooks, human prompts and decision-making logic to execute automated actions that help a CSOC analyst investigate an event before going on to remediate it.
When it comes to handling complex automation use cases, SOAR (Security Automation & Orchestration) platforms are your friend. A good SOAR platform will help you compile your automation playbooks to alleviate some of those important, but time-consuming, manual tasks.
Any CSOC worth its salt collects extraordinary amounts of data, but none of it has any value if it cannot be converted into actionable next steps. Data is a great source of learning, but if it’s not organized, processed and made available in the right format for decision making, it’s useless and becomes a burden rather than a benefit.
A good automation playbook helps you correlate data by pulling in all the threat data from across your infrastructure and validating it against threat intelligence data from outside sources. Sharp analysts leverage the output of this kind of automation to identify known threats that behave similarly. Doing this manually is just not an option for most CSOCs: they have too much data that needs to be sequenced quickly and accurately and too high a threat volume to deal with. Automation helps you quickly convert that data into next steps.
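A minimal version of the correlation playbook described above, as an added example that is not part of the original post: internal events from several telemetry sources are validated against an external threat-intelligence feed, matches are grouped by the threat they are attributed to so that hosts showing the same known behaviour surface together, and the result is turned into an ordered work list. The feed, the events, the threat names and the action names are all constructed for this example.

```python
from collections import defaultdict

# Constructed external threat-intel feed: indicator -> (attributed threat, playbook action).
THREAT_INTEL = {
    "203.0.113.45": ("KnownBotnet-A", "isolate_host"),
    "malware-cdn.example": ("KnownBotnet-A", "isolate_host"),
    "constructed-hash-0001": ("DropperFamily-B", "quarantine_file"),
}

# Constructed internal events pulled from endpoint, proxy and firewall telemetry.
EVENTS = [
    {"source": "firewall", "host": "ws-101", "indicator": "203.0.113.45"},
    {"source": "proxy", "host": "ws-207", "indicator": "malware-cdn.example"},
    {"source": "endpoint", "host": "srv-db1", "indicator": "constructed-hash-0001"},
    {"source": "proxy", "host": "ws-310", "indicator": "intranet.example"},
]

def correlate(events, intel):
    """Validate each event against the external feed and group the matches by threat,
    so that hosts showing the same known behaviour are seen together."""
    grouped = defaultdict(lambda: {"hosts": set(), "sources": set(), "action": None})
    for ev in events:
        match = intel.get(ev["indicator"])
        if match is None:
            continue  # no external corroboration: stays an unvalidated event
        threat, action = match
        grouped[threat]["hosts"].add(ev["host"])
        grouped[threat]["sources"].add(ev["source"])
        grouped[threat]["action"] = action
    return {t: {"hosts": sorted(e["hosts"]), "sources": sorted(e["sources"]),
                "action": e["action"]} for t, e in grouped.items()}

def next_steps(events, intel):
    """Turn the correlated picture into an ordered (action, host, threat) work list."""
    return [(info["action"], host, threat)
            for threat, info in sorted(correlate(events, intel).items())
            for host in info["hosts"]]

if __name__ == "__main__":
    for step in next_steps(EVENTS, THREAT_INTEL):
        print(step)
```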
Communicating Across The Organization
Updating other teams within your organization takes much more time than anyone would think and is an often-neglected task because of that. Sometimes it’s because the case management GUIs are clumsy when copying information between them; other times it’s because your team is just too busy. Automating intra-organizational communication around threats frees up your team to focus on more important tasks. It can also help you develop better metrics to share with the rest of your organization and make your team more audible to company executives.
Detecting Infections Already In Your Network
Dwell time is the length of time an unauthorized intruder has undetected access to your network until the threat has been completely removed; it’s the metric we use to describe how quickly we can detect and remove threats. The average dwell time for most organizations is somewhere between 50-150 days, which is just crazy when you think about it. To stop an attack before your data has been exfiltrated from your network, your team has to be moving faster than the attack is, identifying suspicious behaviors and infected hosts to get ahead of it.
In the same way that analyzing unknown threats attempting to penetrate your network is a laborious and manual task, the manual correlation and analysis of data from across your endpoints, mobile devices, servers and networks is hard to scale. By automating this workflow, if something on your network becomes compromised, the subsequent analysis, investigation and remediation become much faster, driving down dwell time.
Vulnerability Reporting & Alerting
One of the most unpopular tasks in a CSOC is vulnerability report review: looking into a system’s previous history and working out who the system owner is, or in many cases the business owner. This is some of the lowest-hanging fruit in the cybersecurity automation playbook, and automating this workflow will make your analysts much more productive, as they have time to focus on more important tasks. When vulnerability reporting and alerting is automated and combined in a SOAR platform with dynamic threat analysis, your ability to detect sophisticated threats is dramatically increased.
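The report-review workflow above, as an added example that is not part of the original post: a constructed scanner export is joined to a constructed asset inventory to find the system owner (falling back to the business owner where no system owner is recorded), each finding is checked against the host’s previous history so repeat findings are flagged, and the findings are grouped into one ticket per owner with the highest severity first. Hosts, owners and findings are all invented.

```python
import csv
import io
from collections import defaultdict

# Constructed scanner export, in the CSV shape a typical scanner would produce.
SCAN_CSV = """host,finding,cvss
srv-web1,Outdated TLS library,7.5
srv-web1,Directory listing enabled,5.3
ws-207,Unpatched browser,8.8
srv-legacy,End-of-life OS,9.8
"""

# Constructed asset inventory: host -> owners. The system owner may be unknown.
INVENTORY = {
    "srv-web1": {"system_owner": "alice", "business_owner": "web-team-lead"},
    "ws-207": {"system_owner": "bob", "business_owner": "sales-director"},
    "srv-legacy": {"system_owner": None, "business_owner": "finance-director"},
}

# Constructed previous history: findings already reported for a host in earlier cycles.
HISTORY = {"srv-web1": {"Directory listing enabled"}}

def resolve_owner(host, inventory):
    """System owner first; fall back to the business owner; else mark as unassigned."""
    rec = inventory.get(host, {})
    return rec.get("system_owner") or rec.get("business_owner") or "unassigned"

def triage(scan_csv, inventory, history):
    """Return {owner: [(cvss, host, finding, is_repeat), ...]}, most severe first."""
    tickets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(scan_csv)):
        owner = resolve_owner(row["host"], inventory)
        is_repeat = row["finding"] in history.get(row["host"], set())
        tickets[owner].append((float(row["cvss"]), row["host"], row["finding"], is_repeat))
    return {owner: sorted(findings, reverse=True) for owner, findings in tickets.items()}

if __name__ == "__main__":
    for owner, findings in triage(SCAN_CSV, INVENTORY, HISTORY).items():
        print(owner, findings)
```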
Generating/Implementing Protections Faster Than Threats Can Spread
Once your team identifies a threat on the network, protections need to be prepared and deployed faster than the threat can propagate by moving laterally through your endpoints and networks. Manually creating sets of protections from different technologies, ones that are capable of mitigating an attacker’s future behavior, is a difficult and time-consuming task, complicated by the number of different security vendors in your CSOC’s technology stack.
Once your team has built their mitigating protections, these must then be implemented to stop the attack from gaining a deeper foothold on your network. Deploying these protections across the enterprise to endpoints and servers, to mitigate the attack’s current and future behaviors, is a time-consuming manual task.
Automating every aspect of this response can dramatically speed up your team’s response times, enabling them to create protections on the fly without straining your CSOC. The only way to stay ahead of a well-coordinated attack is by using automation to deploy your protections. Your adversaries leverage automation to attack you, and the only way to stay ahead of them is by leveraging automation in your security efforts to counter them effectively.
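One way to take the multi-vendor problem above out of the analyst’s hands, as an added example that is not part of the original post: a single set of indicators from a confirmed incident is rendered into a protection rule for every control in the stack that can enforce that indicator type, and any indicator type no control can enforce is reported as a gap to escalate. The control names, rule syntaxes and indicators are all invented stand-ins for whatever a given CSOC actually runs.

```python
# Constructed indicators from a confirmed incident.
INDICATORS = [
    {"type": "ip", "value": "203.0.113.45"},
    {"type": "domain", "value": "malware-cdn.example"},
    {"type": "hash", "value": "constructed-hash-0001"},
    {"type": "url", "value": "http://malware-cdn.example/payload"},
]

# Hypothetical controls: which indicator types each one can enforce, and how its rule reads.
RENDERERS = {
    "perimeter-firewall": {"ip": lambda v: f"deny ip any host {v}"},
    "dns-resolver": {"domain": lambda v: f"sinkhole {v}"},
    "endpoint-agent": {
        "hash": lambda v: f"block-hash {v}",
        "ip": lambda v: f"block-outbound {v}",
    },
}

def build_protections(indicators, renderers):
    """Return {control: [rules]}; every indicator lands on every control able to enforce it."""
    rules = {name: [] for name in renderers}
    for ind in indicators:
        for name, by_type in renderers.items():
            render = by_type.get(ind["type"])
            if render is not None:
                rules[name].append(render(ind["value"]))
    return rules

def uncovered(indicators, renderers):
    """Indicator types that no control in the stack can enforce: the gap to escalate."""
    supported = {t for by_type in renderers.values() for t in by_type}
    return sorted({ind["type"] for ind in indicators} - supported)

if __name__ == "__main__":
    for control, ruleset in build_protections(INDICATORS, RENDERERS).items():
        print(control, ruleset)
    print("uncovered:", uncovered(INDICATORS, RENDERERS))
```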
The use cases I have outlined above are just a few of the cybersecurity workflows you can automate to make your CSOC more effective; other CSOC workflow use cases can be equally effective in delivering improvements in your efficiency and consistency.
A good SOAR platform can help you automate a wide range of different CSOC functions and workflows, such as penetration testing, intelligence sharing and user management, so that those services are delivered more effectively.
Post provided to you by @InfosecScribe