
Security Management

12/12/2017 08:35 AM
Paul Shomo
News Analysis-Security Now

Automation Answers Security Skills Shortage

The often-discussed cybersecurity skills shortage may find a solution in security automation.

Hackers and analysts do battle with tools and techniques that are constantly evolving. Cybersecurity is an arms race, but it's not a fair one: the bad guys get endless "do overs" during the attack, yet a single InfoSec mistake could invite a breach. This burden of consistency is probably why the good guys are losing. However, something new is coming over the horizon that could even the score.

If there was ever a day when software automatically stopped breaches, that era is gone. Attackers continually alter malware, so complete certainty in threat detection is only possible for simple attacks. Advanced detection technologies are far more sensitive, and they depend on a partnership with humans: the tool's job is to quickly alert an analyst with "Take a look at this."

These human practitioners examining alerts represent a weakness. Outlier Security Founder and CTO Greg Hoglund compares them to weary-eyed night watchmen. "Analysts are tired of doing the same repetitious task," he explains. "They have too much data bombarding them. It doesn't mean you can remove the human from the loop, but it does mean you can make the humans you have more productive."

Today, everyone uses Security Information and Event Management (SIEM) technology to consolidate alerts from their detection products into a single list of priority actions. Yet no aggregation technologies have arisen to organize the response to these alerts. These response activities are most of the work within a SOC, and employ myriad products including antivirus, sandboxes, and forensic tools like Volatility and EnCase.

Introducing Security Orchestration, Automation and Response (SOAR)
SOAR solutions really represent the first effort to act as a quarterback, guiding response activities across many products. Orchestration and automation vendors accomplish this by building connectors against each security product's APIs. Take Phantom, for example. The SOAR vendor boasts third-party apps for "over 670+ APIs across more than 135 security technologies," according to Chris Simmons, the company's director of product marketing.

SOAR orchestrates your many products inside a platform that encompasses:

  1. Alert Ingestion & Management -- SOAR products ship with connectors to ingest all the SIEM alerts requiring response. Case Management dashboards monitor ongoing activities and alerts that have become real incidents. Analysts can view daily dashboards to see what they're supposed to prioritize and work on.
  2. Automating Tasks in Playbooks -- Displayed within these platforms are an organization's arsenal of owned security products, and any tasks that can be performed through those products' API calls. These tasks can be dragged into visual playbooks to orchestrate and automate response: for instance, crosschecking alert information against threat intelligence feeds, using endpoint response products to collect telemetry, sandboxing files, or preserving forensic evidence.
  3. Collaboration and Learning -- Most of InfoSec personnel's work is in chasing down alerts. SOAR products enable multiple incident responders -- "Threat Hunters" or people from the IT HelpDesk -- to coordinate their logistics.
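To make the three components concrete, here is an added example (not code from Phantom, Demisto or any vendor named here) of a minimal playbook engine: it ingests constructed SIEM alerts, cross-checks their indicators against a constructed threat intel feed, collects endpoint telemetry through a hypothetical connector class standing in for a product API, and produces case records sorted for a priority dashboard.

```python
from dataclasses import dataclass, field

# Constructed sample inputs: documentation-range addresses, fake hashes, fake hosts.
SIEM_ALERTS = [
    {"id": "A-1", "host": "ws-17", "src_ip": "203.0.113.9", "sha256": "aa11"},
    {"id": "A-2", "host": "ws-42", "src_ip": "198.51.100.4", "sha256": "bb22"},
    {"id": "A-3", "host": "ws-09", "src_ip": "192.0.2.7", "sha256": "cc33"},
]
THREAT_INTEL = {"203.0.113.9": "known-c2", "cc33": "ransomware-dropper"}
TELEMETRY = {"ws-17": {"process": "powershell.exe", "parent": "winword.exe"},
             "ws-09": {"process": "svchost.exe"}}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

@dataclass
class Case:
    """Case-management record: one per ingested alert."""
    alert_id: str
    severity: str = "low"
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)

class EndpointConnector:
    """Hypothetical connector; a real SOAR connector would wrap the EDR vendor's API."""
    def __init__(self, telemetry):
        self._telemetry = telemetry
    def collect(self, host):
        return dict(self._telemetry.get(host, {}))

def enrich(alert, intel):
    """Cross-check every indicator in the alert against the threat intel feed."""
    return {k: intel[v] for k, v in alert.items() if k != "id" and v in intel}

def run_playbook(alert, intel, edr):
    """One automated response playbook: enrich, escalate, collect, preserve."""
    case = Case(alert_id=alert["id"], enrichment=enrich(alert, intel))
    case.actions.append("enrich")
    if not case.enrichment:
        return case  # nothing matched: stays low priority on the daily dashboard
    case.severity = "high" if "sha256" in case.enrichment else "medium"
    telemetry = edr.collect(alert["host"])
    case.actions.append("collect-telemetry")
    if telemetry.get("parent") in {"winword.exe", "excel.exe"}:  # Office-spawned shell
        case.severity = "high"
        case.actions.append("preserve-evidence")
    return case

def triage(alerts, intel, edr):
    """Dashboard view: run the playbook on every alert, highest severity first."""
    cases = [run_playbook(a, intel, edr) for a in alerts]
    return sorted(cases, key=lambda c: SEVERITY_RANK[c.severity])
```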

To this final point, Rishi Bhargava, CEO of Demisto, describes his company's product as a collaboration platform for "enhanced learning among analysts." The vision is to replicate what your most skilled practitioners do, and walk junior analysts through these effective playbooks. Yet some take it a step further than humans working together. Bhargava adds that Demisto's machine learning "enables analysts to escalate their knowledge levels."

SOAR market growth expected
Big industry players are banking on SOAR to be a big deal, with few naysayers. Gartner predicts, "A large percentage of the security budget will shift to SOAR." FireEye, Rapid7 and IBM have all purchased SOAR products. Mega IT ticketing company ServiceNow has released an orchestration and automation offering. SIEM giant Splunk has also stepped into the arena. Across the industry, momentum is swelling.

Meet the new players
Innovation usually arrives at the hands of startups, which often operate better autonomously than when pushing against an acquiring company's inertia. Despite the entry of large vendors, history shows that at least one new brand typically arises in the category they founded. These four US-based startups focus exclusively on SOAR, and most of them date back to the birth of this category in 2014 or 2015:

  • Demisto was founded by former McAfee execs and has major venture capital (VC) backing. The company delivers more than the typical SOAR features. CEO Rishi Bhargava describes the company as a "social platform to collaborate." They were also one of the first to ship a solution with machine learning capabilities.
  • Phantom also has an impressive list of VCs backing them. In addition to numerous connectors, Phantom's solution boasts an AI capability dubbed, "Phantom Mission Guidance." It's designed to support analysts, Chris Simmons says, "by suggesting possible steps to investigate, contain, eradicate, and recover."
  • Swimlane focuses on a complete platform, going beyond response, compliance and automation to add "the ability to bring these capabilities together where security teams are first class citizens," according to Founder and CEO Cody Cornell. Cornell believes automation "will become a cornerstone capability of the SOC in the not too distant future."
  • CyberSponse is building its future with open technologies and a traditional business model. Founder and CEO Joe Loomis says CyberSponse is the only platform with open source playbooks. He's also thinking out of the box with funding: "We are not VC based and happy customers are more important than revenue."

How much will automation impact the SOC?
SIEMs have been the main product that SOCs keep on the big screen to monitor overall security health -- they get more of InfoSec's "eyeball time" than any other product. Yet in the end they only produce a "To Do" list. Responses to these alerts encompass most of the SOC's activities. This raises the question: could SOAR products be the first category to steal the SIEM's eyeball time?

Bhargava believes so. "That is absolutely happening," he argues. "The real investigation work is starting to happen in the automation platforms, and I absolutely agree that we will get more." Not everyone is optimistic about slaying the goliaths. Certainly acquisition is in store for some of SOAR's founding startups. Loomis comments: "I think the future is that SIEMs will acquire a SOAR capability or build such an offering within five years."

No matter who brings automation to the people, it will fundamentally change the way SOCs operate.

Paul Shomo is the Sr. Technical Manager, 3rd Party Technologies at OpenText.
