People are and will always be the most critical cybersecurity resource. Right now, the talent pool with the unique skills and training to respond to cyber threats is unfortunately all too limited, and the way we are making use of this scarce resource is neither scalable nor effective in addressing the rapid evolution of cyberattacks.
The lack of analysts dedicated to advanced malware forensics, and the high cost of recruiting and retaining them, forces organizations to build security operations centers (SOCs) and incident response teams in a tiered analyst structure. The further you go up the tiers, the more advanced the security analyst, and the fewer people available to staff that position. As a result, it's critical within this structure to filter out as many false alarms as possible, so that the scarce high-tier analysts are reserved for the most demanding forensic cases. The pressure on these top-tier professionals to respond quickly to alerts and discard as many false positives as possible is a common cause of missed intrusions.
To limit the negative impacts of a breach and avoid incident overload within incident response teams, many organizations rely on prevention technologies as their first line of cyber defense. Current prevention technologies are designed to log or, in obvious cases, filter out known anomalies and indicators, but they cannot stop the unknown or limit the consequences of a successful attack. As a result, more sophisticated cyberattacks can remain undetected for longer periods of time by bypassing these established countermeasures.
This situation is often beyond the control of hard-working security pros. Consider the 2017 Equifax breach. Equifax had a well-qualified security team in place, but an advanced cyberattack evaded its detection systems and remained stealthy while stealing corporate data. As in this and most other breach scenarios, by the time the SOC analyst responds, his or her threat-hunting efforts are largely focused on investigative steps to determine the causes and assess the impact. There are three reasons why this approach is problematic:
Reason 1: Human-driven analysis consumes precious time. It's a manual process of painstakingly reviewing atypical compromise indicators and determining an appropriate response. For example, how many indicators do you have? How many do you need to warrant investigation? How do they even come to be an indicator? Threats are simply moving too quickly to tolerate the delays inherent in manual response.
Reason 2: Skilled security analysts are hard to find. Today's most-coveted SOC skill involves human eyes darting between screens and deciding what to do first when attempting to make sense of statistical indicators and anomalies. Aside from that being essentially a reactive exercise after the damage is done, the labor shortage of people with these skills makes them costly to hire and retain. And because it's nearly impossible to predict the number of analysts needed to analyze the increasing volume of cyberattacks and the corresponding indicators, operational expenditures (OpEx) related to salary costs are continual wild cards.
Reason 3: It's too late. Once a breach and potentially a theft have occurred, the damage is done and your data is gone. Your valuable SOC resources are focused on cleanup and damage control rather than on preventing the cyberattack and breach.
Given these problems, the current approach is unsustainable. Fortunately, automation technology offers a compelling solution that augments rather than replaces the human component in the equation. In particular, automation can increase security efficacy and the speed of operations. While preventing all attacks is not possible, automated, real-time containment of an attack reinforces a protective posture, preventing or limiting the consequences of a breach. Once attacks are contained, automated responses can be customized and applied to remediation in a predictable way and on a more manageable time frame. That makes for efficient use of limited security resources, accelerates the time to address new threats, and improves OpEx.
Another benefit of automation is how it will increase the value of security analysts by enabling them to get even better at the more consequential aspects of their jobs. As adoption of automation inevitably increases, security analysts will need to focus less on the art and science of manually correlating data from memory and instinct, and more on strategic analysis, planning, and remediation, such as understanding the business drivers behind how the organization uses, transmits, and stores data. Better understanding of the business context will empower analysts to develop predetermined automation outcomes designed to minimize disruption of critical business services and functions. For example, a decision may be made to automate containment or remediation of infections on call center endpoints that are critical for sustaining customer support operations.
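The two ideas above, aggregating several weak indicators on one host before anyone has to eyeball them, and letting business context decide how aggressive automated containment may be, can be sketched as a small playbook. The following is an added illustration written for this article, not code from the author or from enSilo; the asset inventory, the alert stream, the host names, the noisy-OR scoring and the thresholds are all constructed assumptions, and the action labels stand in for whatever your EDR or firewall API actually exposes.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed asset inventory (not from the article): business-context tags
# decide how disruptive automated containment may be on a given host.
ASSET_TAGS: Dict[str, Dict[str, object]] = {
    "callcenter-ws-017": {"service": "customer-support", "critical": True},
    "eng-laptop-042":    {"service": "engineering", "critical": False},
    "hr-ws-003":         {"service": "hr", "critical": False},
}

# Constructed alert stream: (host, indicator name, detector confidence 0..1).
ALERTS: List[Tuple[str, str, float]] = [
    ("callcenter-ws-017", "suspicious-powershell-encoded-cmd", 0.6),
    ("callcenter-ws-017", "periodic-beacon-to-rare-domain", 0.7),
    ("eng-laptop-042", "lsass-memory-read", 0.9),
    ("hr-ws-003", "login-outside-business-hours", 0.3),
    ("hr-ws-003", "new-service-installed", 0.4),
]

CONTAIN_THRESHOLD = 0.8  # combined score at which the playbook acts without a human
TICKET_THRESHOLD = 0.5   # below this the host is only watched; above, an analyst ticket


@dataclass
class Decision:
    host: str
    action: str          # "isolate" | "block-egress-only" | "ticket" | "none"
    score: float
    indicators: List[str]


def combined_score(confidences: List[float]) -> float:
    """Noisy-OR: probability that at least one indicator is a true positive,
    treating detectors as independent. Two weak indicators on the same host
    therefore count for more than either one alone."""
    miss = 1.0
    for c in confidences:
        miss *= (1.0 - c)
    return 1.0 - miss


def decide(host: str, indicators: List[Tuple[str, float]]) -> Decision:
    score = combined_score([c for _, c in indicators])
    names = [n for n, _ in indicators]
    tags = ASSET_TAGS.get(host, {"service": "unknown", "critical": False})
    if score >= CONTAIN_THRESHOLD:
        # Business-critical hosts get the least disruptive containment:
        # block outbound traffic so the service keeps running while an
        # analyst confirms; everything else is isolated outright.
        action = "block-egress-only" if tags["critical"] else "isolate"
    elif score >= TICKET_THRESHOLD:
        action = "ticket"
    else:
        action = "none"
    return Decision(host, action, round(score, 3), names)


def run_playbook(alerts: List[Tuple[str, str, float]]) -> Dict[str, Decision]:
    """Group raw alerts by host, then make one containment decision per host."""
    by_host: Dict[str, List[Tuple[str, float]]] = {}
    for host, name, conf in alerts:
        by_host.setdefault(host, []).append((name, conf))
    return {h: decide(h, inds) for h, inds in by_host.items()}


if __name__ == "__main__":
    for d in run_playbook(ALERTS).values():
        print(f"{d.host:20} {d.action:18} score={d.score} indicators={d.indicators}")
```

The point of the design is that the decision logic and the business constraints are written down ahead of time, where they can be reviewed, rather than reconstructed by a tier-3 analyst under time pressure. Each Decision carries the score and the indicators that produced it, so the analyst who picks up the ticket afterwards sees why the host was contained and can tune the thresholds or tags rather than re-deriving the correlation by hand.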
Once preventative countermeasures are adopted that can ensure effective prevention and protection in real time, security analysts will then be able to focus on identifying the next potential weak link and remediating it. That will not only provide better security posture but will also guarantee security scalability and analysts' greater satisfaction in their jobs.
In summary, automation will help organizations contain breach impacts while controlling the costs of scarce staff resources struggling to keep up. But ultimately, security will still come down to people. Security analysts will create the solutions that keep their organizations safe. Automation will empower them to succeed in an environment where incident response time pressures have been minimized, freeing them to employ their best talents and skills and realize the full potential of threat hunting to discover and eliminate future risks.
Roy is a 15-year seasoned product manager and security market strategist, combining strong technical knowledge with proven sales and marketing skills. Prior to enSilo, Roy led Akamai's security strategy. Before that, he managed Imperva's data security products and ...