
9/5/2019 02:00 PM
Chris Schueler
Commentary
Automation: Friend of the SOC Analyst

Faced by increasingly sophisticated threats, organizations are realizing the benefits of automation in their cybersecurity programs.

Automation, artificial intelligence (AI), and machine learning (ML) are rapidly transforming nearly every industry, and cybersecurity is no exception. Automation in cybersecurity is growing so fast that analyst firm Gartner predicts that by 2021 a full 70% of enterprise organizations with a dedicated security operations center (SOC) will have security orchestration, automation, and response (SOAR) capabilities. That growth is remarkable given that less than 5% had these capabilities as recently as 2018.

Automation always raises concerns about people's livelihoods, but cybersecurity professionals shouldn't worry about automation making their jobs obsolete. On the contrary, automation, AI, and ML will bring tremendous benefits to SOCs, helping alleviate the growing global cybersecurity skills shortage and enabling the industry to improve threat-hunting capabilities and response times.

Cybercriminals Are Already Using Automation
The challenge today is that our adversaries have widely embraced automation. Hackers have realized that they don't just need scale, they need speed — and automation lets them launch sophisticated, fully automated attacks that spread malcode fast. Using automation, cybercriminals can quickly and easily spread malware strains that hide within an organization's network, look for vulnerabilities, and automatically execute commands when they find them. Cybercriminals even use automation to make their spearphishing campaigns more convincing, leveraging AI algorithms to impersonate targeted individuals in email conversations and trick their co-workers into disclosing sensitive information.

Fortunately, AI is also helping those of us on the right side of the law to automate our responses and improve our defenses. Here are two examples:

Automating and Augmenting Time-Consuming Security Tasks
As Internet of Things-connected devices proliferate throughout enterprises and the attack surface grows, the volume of data that SOC analysts must search through when threat hunting has grown exponentially. Simultaneously, attackers are employing more sophisticated obfuscation techniques, making our work more challenging and time-consuming. All this is occurring at the same time the industry is facing unprecedented shortages of skilled cybersecurity professionals, with nearly 3 million unfilled cybersecurity positions around the globe.

With automation, under-resourced SOCs can more quickly analyze vast data sets to look for patterns and anomalies that may indicate a breach, triage and prioritize alerts, and automate response measures. Automating the more minute, time-consuming tasks that are heavy in data analysis enables SOC analysts to spend their time on the more meaningful activities that require higher-level thinking and decision-making. Whereas AI identifies the anomaly, SOC analysts use their experience and creative-thinking skills to understand the meaning of the threat — asking important questions such as whether we've seen this threat actor before or if this is a likely type of attack in this industry. Following these types of investigative threads enables a SOC analyst to get better results, often allowing us to identify and quickly contain zero-days or close vulnerabilities before nefarious attackers identify them.

Delivering Greater Flexibility and Faster Response Times
In addition to enhancing threat hunting, automation enables us to speed our response and remediation time while also providing SOC analysts greater flexibility in terms of how they respond.

Traditionally, without automation, once a SOC analyst identifies a threat, he or she must perform a time-consuming series of actions involving numerous technology platforms and devices in order to stop, contain, and remediate that threat. For example, he or she may need to make manual updates to block the threat at the firewall, as well as add the bad URL to the web security gateway product, not to mention killing the process on each infected endpoint, potentially needing to remove file systems on infected laptops, etc.

Each of these actions involves a different technology platform or system, so the SOC analyst may need to enlist the help of two or three other members of the cybersecurity team who have knowledge of each of those platforms. On top of that, change tickets must be annotated and pushed up the chain of command through multiple layers of reviews and approvals. In that way, something that should be fairly straightforward can become time-consuming and complex. As a result, a single event can often take several hours or even a full day to contain and remediate.

With automated orchestration tools, when SOC analysts are alerted to a threat, they can take action no matter where they're located and can respond much faster. Imagine being away from the office and receiving an alert on your smartphone that a threat has been identified. With the tap of a button, you can automatically begin an entire series of decisions, approvals, and actions to stop, block, contain, and remediate the threat. The automated solution can communicate with all the different platforms and systems in the organization, making the necessary changes on each to fix the issue. It can automatically create and submit change requests through the appropriate review and approval processes, automatically updating change logs for compliance purposes. The entire process is completed much more quickly and can be done from anywhere, making the SOC analyst's life easier while better protecting the organization's environment.
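The orchestration flow described in the three paragraphs above, as an added example that is not part of the original article and not Trustwave's or any vendor's code: one alert is turned into the per-platform actions an analyst would otherwise perform by hand (block the source IP at the firewall, deny the URL at the web gateway, kill the process on each infected endpoint), disruptive actions are held until a named approver signs off, and every action lands in a change log that a compliance reviewer can read. The Firewall, WebGateway and EndpointAgent classes are in-memory stand-ins, and the alert values, host names and approver are constructed for the demo.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Approval(Enum):
    AUTO = "auto"          # low risk and idempotent: may run without sign-off
    REQUIRED = "required"  # held until a named approver signs off


@dataclass
class Alert:
    alert_id: str
    source_ip: str
    malicious_url: str
    process_name: str
    infected_hosts: list


@dataclass
class Action:
    name: str
    target: str
    approval: Approval
    run: Callable[[], str]   # returns a short result string


@dataclass
class ChangeRecord:
    alert_id: str
    action: str
    target: str
    status: str              # done | pending-approval | failed
    detail: str = ""
    approver: Optional[str] = None


# In-memory stand-ins (assumption) for the platforms an analyst would touch by hand.
class Firewall:
    def __init__(self):
        self.blocked = set()

    def block_ip(self, ip: str) -> str:
        if ip in self.blocked:
            return "already blocked"   # re-running the playbook must be safe
        self.blocked.add(ip)
        return "blocked"


class WebGateway:
    def __init__(self):
        self.denylist = set()

    def deny_url(self, url: str) -> str:
        if url in self.denylist:
            return "already denied"
        self.denylist.add(url)
        return "denied"


class EndpointAgent:
    def __init__(self, processes_by_host: dict):
        self.processes_by_host = processes_by_host   # host -> set of running process names

    def kill_process(self, host: str, name: str) -> str:
        if host not in self.processes_by_host:
            raise LookupError(f"{host} has no agent enrolled")
        running = self.processes_by_host[host]
        if name not in running:
            return "not running"
        running.discard(name)
        return "killed"


def build_playbook(alert, fw, gw, edr):
    """Translate one alert into the concrete per-platform actions."""
    actions = [
        Action("block_ip", alert.source_ip, Approval.AUTO, lambda: fw.block_ip(alert.source_ip)),
        Action("deny_url", alert.malicious_url, Approval.AUTO, lambda: gw.deny_url(alert.malicious_url)),
    ]
    for host in alert.infected_hosts:
        # Killing a process on a user's machine is disruptive, so it needs sign-off.
        actions.append(Action("kill_process", host, Approval.REQUIRED,
                              lambda h=host: edr.kill_process(h, alert.process_name)))
    return actions


def run_playbook(alert, actions, change_log, approver=None):
    """Run actions, appending one ChangeRecord each; return the actions held for approval.

    A failing platform call is logged as 'failed' rather than aborting the rest,
    so the analyst sees exactly which containment step did not happen.
    """
    held = []
    for action in actions:
        if action.approval is Approval.REQUIRED and approver is None:
            change_log.append(ChangeRecord(alert.alert_id, action.name, action.target, "pending-approval"))
            held.append(action)
            continue
        try:
            detail, status = action.run(), "done"
        except Exception as exc:
            detail, status = f"{type(exc).__name__}: {exc}", "failed"
        change_log.append(ChangeRecord(alert.alert_id, action.name, action.target, status, detail, approver))
    return held


def summarize(change_log):
    """Count records by status: the first thing a compliance reviewer looks at."""
    counts = {}
    for rec in change_log:
        counts[rec.status] = counts.get(rec.status, 0) + 1
    return counts


def demo():
    """Constructed scenario: one alert, two infected laptops, one of them not enrolled in EDR."""
    alert = Alert("ALERT-0001", "198.51.100.23", "http://bad.example/payload", "dropper.exe", ["lap-01", "lap-02"])
    fw, gw = Firewall(), WebGateway()
    edr = EndpointAgent({"lap-01": {"dropper.exe", "explorer.exe"}})   # lap-02 has no agent
    log = []
    held = run_playbook(alert, build_playbook(alert, fw, gw, edr), log)  # tap from the phone: auto steps run now
    run_playbook(alert, held, log, approver="analyst@example.test")      # after sign-off: held steps run
    return log, fw, gw, edr


if __name__ == "__main__":
    for rec in demo()[0]:
        print(rec)
```

Two design points carry the weight here: every platform action is idempotent, so an analyst can safely re-run a playbook after a partial failure, and a failed step is recorded rather than silently skipped, because an orchestration tool that reports "contained" while one endpoint was never reached is worse than no automation at all.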

With the increasing sophistication of threats and ever-growing attack surface, organizations of all sizes are realizing the benefits of automation in their cybersecurity programs. However they go about it, cybersecurity professionals must embrace automation, AI, and ML soon. These technologies won't replace the need for SOC analysts, but they will ease the workload and maximize talent. By improving threat-hunting capabilities and speeding response times, automation is poised to revolutionize the cybersecurity industry, helping SOC analysts keep pace with the ever-evolving nature of tomorrow's threat landscape. 


Chris Schueler is senior vice president of managed security services at Trustwave where he is responsible for managed security services, the global network of Trustwave Advanced Security Operations Centers and Trustwave SpiderLabs Incident Response. Chris joined Trustwave ... View Full Bio
Comments
theschue,
User Rank: Apprentice
9/23/2019 | 4:46:40 PM
Re: Geek squad support
Thanks @Geeksquad for the comment and feedback. I'm pretty passionate about this as I've spent nearly 20 yrs just in/with security operations and we have always struggled with load... automation can appear on the outside as opposing forces to an analyst. Specifically, how automation is going to replace jobs, but in reality, it is going to allow people to grow and do higher level work which is NOT being done! I will be writing more on this soon.
Geek Squad,
User Rank: Apprentice
9/9/2019 | 2:18:10 AM
Geek squad support

Thanks for the informative article. This is one of the best resources I have found in quite some time. Nicely written and great info, I really thank you for sharing it.