When a data breach does occur, organizations must be able to spring into action and respond to the threat immediately. Recent industry data shows that credentials are compromised in minutes and most of an organization’s critical data or intellectual property is lost within the first day of a data breach. Specifically, according to Verizon’s 2016 Data Breach Investigation Report, 81.9 percent of organizations surveyed reported that a compromise took only minutes to infiltrate company systems with 67.8 percent of respondents showing that associated data was “breached” within days of the initial compromise. Therefore, any threat detection solution that cannot detect and remediate threats in near real-time is not much use. Valuable assets could already be stolen and sold on the Dark Web before an organization knows they are even missing!
The good news is that advances in threat detection technology have significantly improved the enterprise’s ability to detect and stop these threats and prevent extensive damage. The challenge, however, is that many of these technologies demand an army of human security analysts to interpret threat indicators and determine the appropriate course of action, including elimination and clean up. With hundreds, if not thousands, of varying levels of threat flags per day, this task is like holding back the tide; it is nearly impossible for security teams to keep up with the flow of information and still perform other ongoing responsibilities in prevention and analysis. Not surprisingly given their frequency, many of these alerts are often ignored. According to a March 2016 report conducted by Enterprise Strategy Group, despite having invested significantly in information security solutions to the point of utilizing dozens of point products, nearly 74 percent of the 125 IT and cybersecurity professionals surveyed reported that security incidents/alerts are simply ignored because their teams can’t keep up with the suffocating volume.
As the likelihood of breaches increases—and it’s a matter of when, not if it happens—CISOs with limited time, budget and resources are further challenged to seek ways to accelerate the threat detection and elimination process before damage is inflicted. In this article we will make the case for effectively implementing automation for faster detection, response, elimination and remediation of cyber threats.
As we look around, we see automation everywhere, in manufacturing, marketing, finance, networking, transportation, even driver-less cars! By its very nature, automation is designed to reduce capital and operating expenditures by eliminating redundancies, reducing human-related errors and risk, and improving the efficiency of human-intensive processes so attention can be paid to higher-level, critical issues. Cyber security is no different.
Of course, much has been done already to automate preventative, perimeter security such as antivirus and firewalls, but these technologies are simply no longer enough to keep intruders at bay. With the proliferation of ‘always connected’ smart phones, tablets, social media, applications and network flows, the ‘way in’ for would-be attackers increases as well.
Companies in highly-regulated industries, including finance and healthcare, recognized this long ago and have taken the necessary measures and investments to detect and address security incidents within the traditional perimeter, driving any security events into a security information and event management (SIEM) system for centralized collection and review. SIEMs keep all of this data in one place for compliance, collecting logs and other security-related documentation for analysis. However, SIEMs don’t take user and entity behavior and interactions into account between databases, applications and flows to effectively detect the real threats. Moreover, SIEM systems are typically expensive to deploy and complex to operate and manage. Unless the organization has the human capital to review the myriad threat indicators generated by these SIEMs every day, there is no other way to monitor, review or take action in a timely manner. Automation can simplify this process tremendously, while reducing operating expense.
The Case for Automation
While SIEMs do provide an excellent system for storing and tracking indicators, the threats faced by today’s enterprise warrant an immediate, streamlined and efficient process for detecting critical threats and automatically alerting security personnel or preventing the data breach by remediating the vulnerability in real-time. But what tools exist beyond SIEMS for automating these tasks? Is it possible to automate the collection and analysis of various events data and compare the results to normal and abnormal processes and behaviors? Are there solutions available that can identify the threats and offer effective action to stop them in real time, eliminating the time- and human-intensive task of analyzing threat information before even deciding on a course of action?
Today, there are a number of innovative solutions from emerging providers that leverage advanced technologies such as user behavioral analytics, machine learning and in-memory processing for this type of data collection, analysis and automated remediation in real-time. With any of these technologies, however, the challenge is to deploy them strategically, understanding the implications any single action will have on specific applications, network connections, employees, customers etc. Following are some of the considerations that organizations can use to evaluate these emerging solutions:
- Easy to understand, prioritized alerts: By automatically connecting multiple threat indicators and correlating them in context to surface genuine threats, these next generation technologies can help security teams address attacks as they happen with plain English alerts. A single-line threat alert with drill-down context enables security teams to understand the severity of the threat easily and quickly and take action to fix it automatically.
- Fully automated threat detection for known and zero-day attacks: The need for automated threat detection applies to organizations of any size or cyber security skill level. For the Fortune 500 with significant resources and staff already in place, automation of threat detection can eliminate threat alert overload and enable security teams to be a lot more efficient in addressing attacks as they occur, ensuring the correct remediation and reporting of the threat. For small to medium-sized businesses with limited and/or inexperienced IT staff, automated technology enables a kind of “SoC-in-a-Box” security solution, giving skill- and resource-constrained teams a chance to get ahead of any major breaches.
- Automatic threat remediation in real-time: With faster detection must also come faster remediation. Once the threat is revealed, intuitive systems provide immediate elimination and remediation, which can be scripted for “push button” or human response, and provide specific implications for user, application and network consequences.
- Automated dashboards and reports: Wouldn’t it be great to have a “bird’s eye view” of an organization’s cyber security threat vulnerability and position at any given point in time? Most organizations are woefully unaware of any patterns or interactions of their most used applications, servers, end points and even network paths. With automation, all of these enterprise assets and their activities and interrelationships can be made clearly visible and shared with appropriate executives or relevant teams. An ability to generate reports for different kinds of resource usage, vulnerabilities, existing threats/alerts with a confidence score can help SoC teams provide high level insight for senior executives.
With automation, organizations stand to benefit from faster detection, response, elimination and remediation of cyber threats. By addressing compromises in real-time, organizations can stave off significant damage and recoup the cost of their investment in a security automation tool within months of implementation, while at the same time better understanding the vectors for attack and preparing future defenses.
So, while the risk of a breach remains high for even the most well-established enterprises, fortunately a new breed of automated security solutions has emerged that are proving the value of automation each day. By harnessing these advancements in technology, modern solutions are closing the gap between the growing sophistication of enterprise attacks, and an organization’s ability to identify and stop them quickly before significant damage has been done.
- Cyber Security Threat Detection – The Case for Automation - September 21, 2016