8/31/2018
10:30 AM
Roy Katmor
Commentary

Why Automation Will Free Security Pros to Do What They Do Best

There are three reasons today's security talent pool is neither scalable nor effective in addressing the rapid evolution of cyberattacks.

People are and will always be the most critical cybersecurity resource. Right now, the talent pool with the unique skills and training to respond to cyber threats is unfortunately all too limited, and the way we are making use of this scarce resource is neither scalable nor effective in addressing the rapid evolution of cyberattacks.

The lack of analysts dedicated to advanced malware forensics, and the high cost of recruiting and retaining them, force organizations to build security operations centers (SOCs) and incident response teams in a tiered analyst structure. The further you go up the tiers, the more advanced the security analyst and the fewer people available to staff that position. As a result, it's critical within this structure to filter out as many false alarms as possible, so that the limited, high-tier analysts are reserved for the most demanding forensic cases. The pressure on these top-tier professionals to respond quickly to alerts and to filter out as many false positives as possible is a common reason that successful intrusions are missed.

To limit the negative impact of a breach and avoid overloading incident response teams, many organizations rely on prevention technologies as their first line of cyber defense. Current prevention technologies are designed to log or, in obvious cases, filter out known anomalies and indicators, but they cannot stop the unknown or prevent the consequences of a successful attack. As a result, more sophisticated cyberattacks bypass these established countermeasures and remain undetected for longer periods of time.

This situation is often beyond the control of hard-working security pros. Consider the 2017 Equifax breach. Equifax had a well-qualified security team in place, but an advanced cyberattack evaded its detection systems and remained stealthy while stealing corporate data. As in this and most other breach scenarios, by the time the SOC analyst responds, his or her threat-hunting efforts are largely focused on investigative steps to determine the causes and assess the impact. There are three reasons why this approach is problematic:

Reason 1: Human-driven analysis consumes precious time. It's a manual process of painstakingly reviewing atypical compromise indicators and determining an appropriate response. For example, how many indicators do you have? How many do you need to warrant investigation? How do they even come to be an indicator? Threats are simply moving too quickly to tolerate the delays inherent in manual response.

Reason 2: Skilled security analysts are hard to find. Today's most-coveted SOC skill involves human eyes darting between screens and deciding what to do first when attempting to make sense of statistical indicators and anomalies. Aside from that being essentially a reactive exercise after the damage is done, the labor shortage of people with these skills makes them costly to hire and retain. And because it's nearly impossible to predict the number of analysts needed to analyze the increasing volume of cyberattacks and the corresponding indicators, operational expenditures (OpEx) related to salary costs are continual wild cards.

Reason 3: It's too late. Once a breach and potentially a theft have occurred, the damage is done and your data is gone. Your valuable SOC resources are focused on cleanup and damage control rather than on preventing the cyberattack and breach.

Given these problems, the current approach is unsustainable. Fortunately, automation technology offers a compelling solution that augments rather than replaces the human component. In particular, automation can increase both security efficacy and the speed of operations. While preventing all attacks is not possible, automated, real-time containment of an attack reinforces a protective posture, preventing or limiting the consequences of a breach. Once attacks are contained, automated responses can be customized and applied to remediation in a predictable way and on a more manageable time frame. That makes efficient use of limited security resources, accelerates the time to address new threats, and improves OpEx.

Another benefit of automation is how it will increase the value of security analysts by enabling them to get even better at the more consequential aspects of their jobs. As adoption of automation inevitably increases, security analysts will need to focus less on the art and science of manually correlating data based on memory and instinct, and more on strategic analysis, planning, and remediation, such as understanding the business drivers for how the organization uses, transmits, and stores data. A better understanding of the business context will empower analysts to develop predetermined automation outcomes designed to minimize disruption of critical business services and functions. For example, a decision may be made to automate containment or remediation of infections on call center endpoints that are critical for sustaining customer support operations.
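Two of the operational ideas above, a threshold for how many indicators warrant investigation (Reason 1) and predetermined containment outcomes chosen by business context (the call center endpoints example), can be written down as a small policy routine. The following is an added illustration for this page, not code from the author or from any product it mentions; the hostnames, indicator labels, criticality scale and thresholds are constructed assumptions:

```python
"""Policy-driven automated containment, as an illustrative example.

Added for this page; not the author's code and not any vendor's product.
Every hostname, threshold and field below is a constructed assumption.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    MONITOR = "monitor"                        # log only; no analyst time spent
    TRIAGE = "triage"                          # queue for a human decision
    QUARANTINE_PROCESS = "quarantine_process"  # stop the offending process, keep host serving
    ISOLATE_HOST = "isolate_host"              # cut the endpoint off the network


@dataclass
class Asset:
    hostname: str
    business_function: str
    criticality: int  # 1 (disposable) .. 5 (revenue- or service-critical); assumed scale


@dataclass
class Alert:
    hostname: str
    indicators: List[str]  # indicator types observed, e.g. "beacon", "persistence"
    confidence: float      # detector confidence, 0.0 .. 1.0


# Constructed asset inventory: the business context analysts are asked to encode.
INVENTORY: Dict[str, Asset] = {
    "callcenter-07": Asset("callcenter-07", "customer-support", 5),
    "dev-laptop-12": Asset("dev-laptop-12", "engineering", 2),
    "kiosk-03": Asset("kiosk-03", "lobby-kiosk", 1),
}

# Policy thresholds (assumed values). Answering "how many indicators do you
# need to warrant investigation?" up front is what lets routine cases run
# without an analyst.
MIN_INDICATORS_FOR_TRIAGE = 2
MIN_CONFIDENCE_FOR_AUTO = 0.8
CRITICALITY_KEEP_ONLINE = 4  # at or above this, prefer containment that keeps the host serving


def distinct_indicators(alert: Alert) -> int:
    """Count indicator types, so ten repeats of one beacon do not look like ten findings."""
    return len(set(alert.indicators))


def decide(alert: Alert, inventory: Dict[str, Asset] = INVENTORY) -> Action:
    """Map an alert to a predetermined outcome using confidence and business criticality."""
    asset: Optional[Asset] = inventory.get(alert.hostname)
    if distinct_indicators(alert) < MIN_INDICATORS_FOR_TRIAGE:
        return Action.MONITOR  # uncorroborated: filtered before it reaches tier 1
    if alert.confidence < MIN_CONFIDENCE_FOR_AUTO:
        return Action.TRIAGE  # corroborated but uncertain: a human decides
    # Corroborated and high-confidence: contain in real time. Business context
    # picks the least disruptive containment that still stops the attack.
    if asset is None:
        return Action.ISOLATE_HOST  # unknown asset: nothing to protect by staying online
    if asset.criticality >= CRITICALITY_KEEP_ONLINE:
        return Action.QUARANTINE_PROCESS  # e.g. a call-center seat stays in service
    return Action.ISOLATE_HOST


def run_playbook(alert: Alert, inventory: Dict[str, Asset] = INVENTORY) -> dict:
    """Return the decision together with the facts an analyst will want to audit later."""
    action = decide(alert, inventory)
    asset = inventory.get(alert.hostname)
    return {
        "hostname": alert.hostname,
        "business_function": asset.business_function if asset else "unknown",
        "distinct_indicators": distinct_indicators(alert),
        "confidence": alert.confidence,
        "action": action.value,
        "needs_analyst": action == Action.TRIAGE,
    }


if __name__ == "__main__":
    # Constructed alerts spanning each branch of the policy.
    samples = [
        Alert("kiosk-03", ["beacon"], 0.95),
        Alert("dev-laptop-12", ["beacon", "persistence"], 0.6),
        Alert("dev-laptop-12", ["beacon", "persistence", "credential_dump"], 0.9),
        Alert("callcenter-07", ["beacon", "beacon", "persistence"], 0.9),
        Alert("unknown-99", ["beacon", "persistence"], 0.9),
    ]
    for a in samples:
        print(run_playbook(a))
```

The point of the inventory lookup is the one the article makes: the same high-confidence alert leads to host isolation on an engineering laptop but to process quarantine on a call center seat, because that outcome was decided in advance with the business owner rather than under time pressure by a tier-1 analyst. Unknown hosts get the strict default, since there is no business function to protect by keeping them online.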

Once countermeasures that deliver effective prevention and protection in real time are in place, security analysts will be able to focus on identifying the next potential weak link and remediating it. That will not only provide a better security posture but will also guarantee security scalability and greater job satisfaction for analysts.

In summary, automation will help organizations contain breach impacts while controlling the costs of scarce staff resources struggling to keep up. But ultimately, security will still come down to people. Security analysts will create the solutions that keep their organizations safe. Automation will empower them to succeed in an environment where incident response time pressures have been minimized, freeing them to employ their best talents and skills and realize the full potential of threat hunting to discover and eliminate future risks.


Roy is a 15-year seasoned product manager and security market strategist, combining strong technical knowledge with proven sales and marketing skills. Prior to enSilo, Roy led Akamai's security strategy. Before that, he managed Imperva's data security products and ...
Comments

ssmall, 9/10/2018 | 6:02:37 PM
Automation can be great, but it's no quick fix...
Nice article, Roy. Automation and orchestration are indeed 'hot' topics at the moment and are helping many organizations address issues faster and more consistently than they were before. The topics are perhaps also premier candidates for leading the latest round of fads in industry marketing.

Some caveats worth mentioning: new buyers of security automation products may find themselves experiencing sticker shock or falling victim to a still-maturing product space. Many vendor products are prohibitively expensive to the organizations that might benefit most (i.e., the long tail) and too often lock in users with proprietary workflow formats. That said, automation is worth exploring—and perhaps adopting—for many organizations. My organization has realized numerous benefits to date.

An additional note of caution: I see many organizations rushing to automate workflows without first running the numbers; and, while automation has many benefits, it is first and foremost a matter of economics. Deciding what could, should, and will be slated for automation is an issue of resource management and optimization, whether those resources are people hours, pay-by-use cloud services, or particular team members with in-demand skills and limited availability.

Finally, organizations new to automation need to recognize that deploying new automation workflows is, in many ways, similar to deploying a new "product"—in that the workflows may (in more ways than expected) require additional support resources and know-how for testing, monitoring, and maintenance.