Use Cases: A Closer Look At Cybersecurity Automation
CISOs I talk to tell me that when it comes to cost-cutting, cybersecurity automation is all about tightening the corners rather than cutting them. That doesn't mean automation can't show you real gains in your CSOC, though. In this article, we'll take a closer look at the low-hanging-fruit automation use cases to illustrate how.
Some CISOs out there are already leveraging sophisticated cybersecurity automation: well thought out playbooks, human prompts and decision-making logic that execute automated actions to help a CSOC analyst investigate an event before remediating it.
When it comes to handling complex automation use cases, SOAR (Security Orchestration, Automation and Response) platforms are your friend. A good SOAR platform will help you compile your automation playbooks to alleviate some of those important, but time-consuming, manual tasks.
Any CSOC worth its salt collects extraordinary amounts of data, but none of it has any value if it’s not converted into actionable next steps. Data’s a great source of learning, but if you don’t organize and process it for decision making, it becomes a burden.
A good automation playbook helps you correlate data by pulling in threat data from across your infrastructure and validating it against threat intelligence from outside sources. Sharp analysts use the output of this kind of automation to identify known threats that behave similarly. Doing this manually is not an option for most CSOCs: they have too much data that needs to be sequenced quickly and accurately, and too high a threat volume. Automation, however, helps you quickly convert that data into next steps. One caveat: a match against an external feed is a lead, not a verdict, so the playbook should record which feed matched and how confident that feed is, so the analyst can weigh it rather than trust it blindly.
Communicating across the organization
Updating other teams within your organization takes much more time than anyone expects and is often neglected because of that. Sometimes it's because case management GUIs are clumsy when copying information between them; other times it's because your team is just too busy. Automating intra-organizational communication around threats frees your team to focus on more important tasks. It can also help you develop better metrics to share with the rest of your organization and increase your visibility with company executives.
Detecting infections already in your network
Dwell time is how long an intruder has undetected access to your network, measured from initial compromise until the intrusion is detected (some teams extend it until the threat has been completely removed). It's the metric we use to describe how quickly we can detect and remove threats. Reported average dwell times for most organizations are somewhere between 50 and 150 days, which is just crazy when you think about it. To stop an attack before someone outside your network exfiltrates your data, your team must move faster than the attacker, identifying suspicious behaviors and infected hosts to get ahead of the attack.
Just as the analysis of unknown threats attempting to penetrate your network is laborious and manual, the manual correlation and analysis of data from across your endpoints, mobile devices, servers, and networks is difficult to scale. By automating this workflow, if something on your network becomes compromised, the subsequent analysis, investigation, and remediation become much faster. That drives down dwell time.
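The correlation playbook described in the two sections above (enrich internal events against outside threat intelligence, then fold the hits per host to find infected machines and the hosts that share their indicators) as a runnable Python sketch. This is an added example, not code from the original post or from any SOAR product; the events, the intel feed, the host names, the confidence scores and the scoring rules are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample events, as a CSOC might collect them from a proxy, an EDR
# agent and a DNS resolver. Hosts, addresses (TEST-NET-3), domains (.example)
# and the hash (sha256 of "hello") are placeholders, not real observations.
SAMPLE_EVENTS = [
    {"sensor": "proxy", "host": "ws-0412", "dst_ip": "203.0.113.77", "domain": "update-cdn.example"},
    {"sensor": "dns",   "host": "ws-0412", "domain": "update-cdn.example"},
    {"sensor": "edr",   "host": "ws-0412",
     "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"},
    {"sensor": "proxy", "host": "ws-0199", "dst_ip": "203.0.113.77"},
    {"sensor": "proxy", "host": "ws-0007", "dst_ip": "198.51.100.9", "domain": "intranet.example"},
]

# Constructed external threat-intel feed: indicator -> (feed name, confidence 0-100).
THREAT_INTEL = {
    "203.0.113.77": ("feed-A", 80),
    "update-cdn.example": ("feed-B", 60),
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824": ("feed-A", 95),
}
IOC_FIELDS = ("dst_ip", "domain", "sha256")


@dataclass
class HostFinding:
    host: str
    matches: list = field(default_factory=list)   # (indicator, kind, feed, confidence)
    sensors: set = field(default_factory=set)

    @property
    def score(self):
        # Best single match, plus a bonus for each additional independent sensor
        # that saw something on this host (hypothetical weighting).
        best = max(conf for _, _, _, conf in self.matches)
        return min(100, best + 10 * (len(self.sensors) - 1))

    @property
    def next_step(self):
        kinds = {kind for _, kind, _, _ in self.matches}
        if "sha256" in kinds or len(kinds) >= 2:
            return "isolate host and collect triage package"
        if self.score >= 70:
            return "investigate: confirm what was sent to the indicator"
        return "watch: single low-confidence indicator"


def correlate(events, intel):
    """Enrich every event against the intel feed and fold the hits per host."""
    findings = {}
    for ev in events:
        for kind in IOC_FIELDS:
            ioc = ev.get(kind)
            if ioc is None or ioc not in intel:
                continue
            feed, conf = intel[ioc]
            f = findings.setdefault(ev["host"], HostFinding(ev["host"]))
            if not any(m[0] == ioc for m in f.matches):
                f.matches.append((ioc, kind, feed, conf))
            f.sensors.add(ev["sensor"])
    return findings


def shared_indicators(findings):
    """Indicators seen on more than one host: the 'threats that behave similarly'."""
    hosts_by_ioc = {}
    for f in findings.values():
        for ioc, *_ in f.matches:
            hosts_by_ioc.setdefault(ioc, set()).add(f.host)
    return {ioc: hosts for ioc, hosts in hosts_by_ioc.items() if len(hosts) > 1}


if __name__ == "__main__":
    findings = correlate(SAMPLE_EVENTS, THREAT_INTEL)
    for f in sorted(findings.values(), key=lambda x: -x.score):
        print(f"{f.host}: score={f.score} sensors={sorted(f.sensors)} -> {f.next_step}")
    for ioc, hosts in shared_indicators(findings).items():
        print(f"{ioc} seen on {sorted(hosts)}")
```

The point of keeping the feed name and confidence on every match is the caveat above: ws-0412 is flagged for isolation because three independent sensors and a hash hit agree, while ws-0199, with one proxy hit on a single indicator, only gets an investigation step. The shared-indicator pass is what turns one infected host into a list of hosts to check next.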
Vulnerability reporting & alerting
One of the most unpopular tasks in a CSOC is vulnerability report review: looking into a system's history and working out who the system owner is, or in many cases the business owner. This is some of the lowest-hanging fruit in the cybersecurity automation playbook, and automating this workflow makes your analysts more productive because they have time to focus on more important tasks. When you automate vulnerability reporting and alerting and combine it with a SOAR platform with dynamic threat analysis, your analysts know which vulnerable hosts matter and who owns them, which puts them in a much better position to spot sophisticated threats that exploit those weaknesses.
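What the automated version of that review looks like, as an added Python example (not code from the original post or from any scanner or SOAR product): take raw scanner findings, look up the technical and business owner in a CMDB extract, add the context the scanner lacks (public exploit, asset tier, how long the finding has been open), assign an SLA and group the result into one ticket per owner. The scan output, the CMDB, the priority weights and the SLA thresholds are constructed placeholders; the finding IDs are hypothetical scanner plugin numbers, not vulnerability identifiers.

```python
from datetime import date

# Constructed scanner output. Hosts and finding IDs are placeholders; the IDs
# are hypothetical scanner plugin numbers, not CVE identifiers.
SCAN_FINDINGS = [
    {"host": "db-prod-02", "finding": "plugin-1001", "title": "outdated TLS library",
     "cvss": 9.8, "exploit_public": True, "first_seen": "2024-03-01"},
    {"host": "db-prod-02", "finding": "plugin-1002", "title": "weak SSH ciphers",
     "cvss": 5.3, "exploit_public": False, "first_seen": "2024-04-20"},
    {"host": "web-dev-07", "finding": "plugin-1001", "title": "outdated TLS library",
     "cvss": 9.8, "exploit_public": True, "first_seen": "2024-04-25"},
    {"host": "legacy-01", "finding": "plugin-1003", "title": "unsupported OS release",
     "cvss": 7.5, "exploit_public": False, "first_seen": "2024-01-15"},
]

# Constructed CMDB extract: host -> technical owner, business owner, tier.
# legacy-01 is deliberately missing, the case the manual process stalls on.
CMDB = {
    "db-prod-02": {"owner": "dba-team", "business_owner": "finance", "tier": "prod"},
    "web-dev-07": {"owner": "web-team", "business_owner": "marketing", "tier": "dev"},
}
UNOWNED = {"owner": "soc-escalation", "business_owner": None, "tier": "unknown"}
TODAY = date(2024, 5, 1)   # fixed so the example is deterministic


def priority(finding, asset, today=TODAY):
    """CVSS plus context the scanner does not know: exploitability, tier, age.
    The weights are hypothetical; tune them to your own risk model."""
    score = finding["cvss"]
    if finding["exploit_public"]:
        score += 2.0
    if asset["tier"] == "prod":
        score += 1.0
    age_days = (today - date.fromisoformat(finding["first_seen"])).days
    if age_days > 30:
        score += 1.0
    return round(score, 1), age_days


def sla_days(score):
    return 7 if score >= 11 else 14 if score >= 8 else 30


def build_tickets(findings, cmdb, today=TODAY):
    """One ticket per owner, findings ordered by priority, unowned hosts escalated."""
    by_owner = {}
    for f in findings:
        asset = cmdb.get(f["host"], UNOWNED)
        score, age = priority(f, asset, today)
        ticket = by_owner.setdefault(asset["owner"], {
            "owner": asset["owner"],
            "business_owner": asset["business_owner"],
            "owner_missing": asset is UNOWNED,
            "items": [],
        })
        ticket["items"].append({
            "host": f["host"], "finding": f["finding"], "title": f["title"],
            "priority": score, "age_days": age, "sla_days": sla_days(score),
        })
    for t in by_owner.values():
        t["items"].sort(key=lambda i: -i["priority"])
        t["top_priority"] = t["items"][0]["priority"]
    return sorted(by_owner.values(), key=lambda t: -t["top_priority"])


if __name__ == "__main__":
    for t in build_tickets(SCAN_FINDINGS, CMDB):
        flag = " (NO OWNER IN CMDB - escalate)" if t["owner_missing"] else ""
        print(f"ticket for {t['owner']}{flag}")
        for i in t["items"]:
            print(f"  {i['priority']:>5} {i['host']:<11} {i['finding']} fix within {i['sla_days']}d")
```

The case worth noticing is legacy-01: instead of an analyst spending an afternoon hunting for an owner, the playbook routes it to an escalation queue with the age of the finding attached, which is exactly the stale, unowned host an attacker tends to find first.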
Generating/implementing protections faster than threats can spread
Once your team identifies a threat on the network, protections need to be prepared and deployed faster than the threat can propagate by moving laterally through your endpoints and networks. Manually creating sets of protections across different technologies, ones capable of mitigating an attacker's future behavior, is a difficult and time-consuming task, complicated by the number of different security vendors in your CSOC's technology stack.
Once your team builds its mitigating protections, they must be implemented to stop the attack from gaining a deeper foothold on your network. Deploying those protections across the enterprise to endpoints and servers is itself a time-consuming manual task.
Automating every aspect of this response can dramatically speed up your team's response times, enabling them to create protections on the fly without straining your CSOC. Your adversaries leverage automation to attack you, and the only way to stay ahead of a well-coordinated attack is to leverage automation in your own security efforts to counter them. One caveat: an automatically generated block is only as good as the indicator behind it, so keep a validation step (an allowlist check, a rule against blocking internal ranges, and an approval gate for anything unusual) in front of deployment, or a bad indicator becomes a self-inflicted outage.
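The "generate protections across several vendors, with guardrails" step as an added Python example (not code from the original post or from any vendor): a list of indicators from an investigation is validated, deduplicated and turned into a Suricata rule set, an iptables command list and an EDR hash blocklist, with every rejected indicator and the reason recorded for the analyst. The indicators, the allowlist and the EDR CSV format are constructed placeholders; the Suricata and iptables syntax is real, the `$HOME_NET` variable and sid range are assumed.

```python
import ipaddress
import re

# Constructed indicators from a hypothetical investigation. The IP is from the
# documentation range (TEST-NET-3) and the domains use the reserved .example
# TLD, so nothing here points at a real system.
IOCS = [
    {"type": "ip", "value": "203.0.113.77"},
    {"type": "ip", "value": "203.0.113.77"},              # duplicate: emit once
    {"type": "ip", "value": "10.0.0.5"},                  # internal: never auto-block
    {"type": "ip", "value": "not-an-ip"},
    {"type": "domain", "value": "update-cdn.example"},
    {"type": "domain", "value": "sso.intranet.example"},  # inside an allowlisted zone
    {"type": "sha256", "value": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"},
    {"type": "sha256", "value": "ZZZZ"},                  # not a hash
]
# Hypothetical allowlist of zones the business depends on.
ALLOWLIST = {"intranet.example"}

# Ranges an automated playbook must never block (RFC 1918, loopback,
# link-local, multicast). Checked explicitly rather than via is_global,
# which would also reject the documentation addresses used in this sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def validate(ioc, allowlist):
    """Return (normalized_value, None) when safe to act on, else (None, reason)."""
    kind, value = ioc["type"], ioc["value"].strip().lower()
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None, "unparseable address"
        if any(addr in net for net in INTERNAL_NETS):
            return None, "internal or reserved address"
        return str(addr), None
    if kind == "domain":
        if not DOMAIN_RE.match(value):
            return None, "malformed domain"
        if any(value == a or value.endswith("." + a) for a in allowlist):
            return None, "allowlisted zone"
        return value, None
    if kind == "sha256":
        if not SHA256_RE.match(value):
            return None, "not a sha256"
        return value, None
    return None, "unknown indicator type"


def build_protections(iocs, allowlist, sid_start=1000001):
    """Turn validated indicators into per-technology protections."""
    out = {"suricata": [], "iptables": [], "edr_hashes": [], "rejected": []}
    seen = set()
    sid = sid_start
    for ioc in iocs:
        value, reason = validate(ioc, allowlist)
        if reason:
            out["rejected"].append((ioc["value"], reason))
            continue
        if (ioc["type"], value) in seen:
            out["rejected"].append((ioc["value"], "duplicate"))
            continue
        seen.add((ioc["type"], value))
        if ioc["type"] == "ip":
            out["suricata"].append(
                f'drop ip $HOME_NET any -> {value} any (msg:"SOC block {value}"; sid:{sid}; rev:1;)')
            out["iptables"].append(f"iptables -A OUTPUT -d {value} -j DROP")
            sid += 1
        elif ioc["type"] == "domain":
            out["suricata"].append(
                f'alert dns $HOME_NET any -> any any (msg:"SOC watch {value}"; '
                f'dns.query; content:"{value}"; nocase; sid:{sid}; rev:1;)')
            sid += 1
        elif ioc["type"] == "sha256":
            # Hypothetical "hash,action,note" CSV for an EDR blocklist import.
            out["edr_hashes"].append(f"{value},block,SOC-playbook")
    return out


if __name__ == "__main__":
    result = build_protections(IOCS, ALLOWLIST)
    for section, lines in result.items():
        print(f"== {section}")
        for line in lines:
            print(" ", line)
```

Half of the sample indicators are rejected, and that is the design: the rejection list is what the analyst reviews before the approved rules are pushed, so the playbook is fast on the common case and still never turns an internal address or a business-critical zone into a block.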
The use cases I outlined above are just a few of the cybersecurity workflows you can automate to make your CSOC more effective; other CSOC workflow use cases can be just as effective at delivering improvements in efficiency and consistency.
A good SOAR platform can help you automate a wide range of CSOC functions and workflows, such as penetration testing tasks, intelligence sharing, and user management, in order to deliver those services more effectively.
Post provided to you by @InfosecScribe.