The skills gap: seemingly unavoidable and an ever-present issue plaguing cybersecurity. In fact, it is estimated that there will be over 3.5 million vacancies within the industry by 2021. The impact of this is leaving security teams scrambling high and low to try to entice relevant people or to seek tools that can help alleviate the strain placed upon their shoulders. One such strategy that is gaining significant traction within the cyber community is automation.
A daily challenge many security teams must deal with is false positive alerts, which can quickly pile up out of control and create unnecessary pressure on security personnel to prioritise and remediate the most pressing incidents. In the fast-paced environment that is cybersecurity, this can often mean some flaws get forgotten by the roadside. This is down to either a lack of information or resources, or to long, drawn-out manual processes that hinder any sort of meaningful progress.
These aren’t one-off complications, and most security personnel have had to deal with similar scenarios. To put an end to this and stop it recurring, one tactic that can help is to divide security teams internally into three levels of analysts, with tiered processes in place to address issues of a given level.
Level one analysts are charged with identifying and triaging alerts and act as the first barrier. The second level of analysts then takes on these incidents and conducts further research to weed out false positives before confirming an alert as a genuine issue. The third and final level of analysts acts as the last line of defence, handling the most complex problems. Part of their responsibility is also to act as incident responders.
Logistically, it is common for security teams to use a workflow management system that automates the distribution of incidents to the various analysts while also informing and updating all other stakeholders, including the wider IT department. This guarantees a documented trail of information through an effective and efficient process; effectiveness and efficiency are two key elements automation seeks to deliver for organisations.
Automation achieves this by reducing the number of mundane tasks, automatically conducting initial checks on incidents before reallocating them, and then compiling all the necessary data on a specific incident. This is completed before the incident is handed to the analysts, who then decide whether to investigate it further or to respond immediately. However, any dependencies should also be taken into account. For example, automation of log collection can be very effective, but interpretation of the logs depends on identifying the endpoints, or hosts, to which they relate.
For larger, more dynamic systems, working from a spreadsheet containing a huge list of IP addresses to locate a host is not efficient; that approach is better suited to small, less mobile environments. This is a prime example of where automated asset detection tools can be used to speed up the hunt for a specific asset.
It is for this reason that automation is mainly used by security professionals for log collection from systems and for security monitoring of devices across all connected networks. Automation can also provide assistance by taking care of low-level tasks such as patching systems continuously and conducting vulnerability scanning.
In addition, there are many tools available, some of which are free or open source, to help automate sections of incident triage. For instance, such tools can upload the hashes of all the start-up executables, as well as of all the processes running on a host, to VirusTotal. Used in conjunction with dedicated malware scanning solutions, which scan and analyse any unknown threats, the automation tool can flag any known malware.
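The hash-and-lookup triage step described above, as an added illustration rather than code from the original article or any particular tool: collected binaries are hashed once each, hashes found in a reputation source are flagged with a verdict, and everything else is left for the analyst or a dedicated scanner. The reputation source here is a constructed in-memory set standing in for a service such as VirusTotal, and the file names and verdict string are constructed placeholders.

```python
"""Hash-based triage of collected binaries against a known-malicious list."""
import hashlib
import os
import tempfile

# Constructed stand-in for a reputation feed (e.g. VirusTotal results); a real
# lookup would query the service with each hash and read back the detections.
KNOWN_MALICIOUS = {
    hashlib.sha256(b"MZ constructed-malicious-sample").hexdigest():
        "Trojan.Constructed.Sample",
}


def sha256_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(paths, reputation):
    """Return (flagged, unknown): flagged maps path -> verdict for hashes the
    feed recognises; unknown lists paths that still need analyst attention.
    Each distinct path is hashed once even if several processes share it."""
    flagged, unknown = {}, []
    for path in dict.fromkeys(paths):  # de-duplicate while keeping order
        verdict = reputation.get(sha256_of_file(path))
        if verdict:
            flagged[path] = verdict
        else:
            unknown.append(path)
    return flagged, unknown


def demo():
    """Build two constructed 'start-up executables' in a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "updater.exe")    # constructed name
        good = os.path.join(d, "notepad.exe")   # constructed name
        with open(bad, "wb") as f:
            f.write(b"MZ constructed-malicious-sample")
        with open(good, "wb") as f:
            f.write(b"MZ constructed-benign-sample")
        flagged, unknown = triage([bad, good, bad], KNOWN_MALICIOUS)
        return ({os.path.basename(p): v for p, v in flagged.items()},
                [os.path.basename(p) for p in unknown])


if __name__ == "__main__":
    print(demo())
```

The `unknown` list is what would be handed on to the malware scanning solution or the second-tier analyst; only the `flagged` entries are confirmed against the feed.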
Many enterprises that have already adopted SIEM technologies to accelerate their incident response can configure rules on combinations of events to alert when potentially dangerous threats arise. These can be tuned to hunt for possible vulnerabilities based on current threat intel, which helps improve overall detection rates.
With the continued evolution of the cyber threat, security teams are having to adapt on a daily basis to meet the challenges facing their enterprises. To achieve that, automation in some capacity has to be incorporated within any security infrastructure to help reduce the load on the team. Once a business finds the balance between human analysts and machine automation, its security team will see the benefits almost instantly, making the overall security programme all the more effective.