Security automation – the argument has been won

With such a complex threat environment, automation can stop threats in their tracks and allow security staff to focus on what they do best.

By Tim Ferguson

Thu 7 Dec 2017 @ 11:59

The growing sophistication of cyber threats and the speed at which they evolve means it's only a matter of time before a corporate network is compromised. While perimeter security offers some protection, it can't hope to catch every attack that attempts to compromise a network.

Security staff are constantly bombarded with alarms and alerts as they strive to keep their networks safe. This creates alarm fatigue among security with the result that threats aren't always picked up. The sheer volume of alerts also makes it difficult for security analysts to focus on other aspects of their job.

Combined with the ongoing cybersecurity skills shortage, the increase of threats means security operations centres (SOCs) can be overwhelmed and lack effectiveness.

A powerful tool in this fight to keep up with security threats is automation. Security tools are increasingly capable of acting without human intervention, meaning that mundane but important tasks such as network monitoring can be handed over to software.

This not only leads to fewer inconsistencies in response but reduces the workload for security staff, letting them focus on tasks of more value which require their specialist skills. Analysts can also spend more time getting up to speed with the latest threats and improving their skills, boosting the overall security capabilities of their organisation.

But automation isn't just about freeing up the time of the security team. It's also about moving an organisation from a reactive to a proactive stance on cybersecurity.

Speed is of the essence when it comes to dealing with cyber threats and it's critical that SOCs are able to detect and shut down threats as quickly as possible. The aim must be to reduce mean time to detect (MTTD) and mean time to respond (MTTR).

It is useful to consider automation in the context of the cyber threat lifecycle or 'kill chain'.

As the threat progresses along the six stages of the kill chain – reconnaissance, initial compromise, command and control, lateral movement, target attainment and finally exfiltration, corruption and disruption – it poses a growing risk for the organisation.

If a piece of malware is caught and shut down at the initial compromise stage, it prevents the command and control stage from being established, after which it becomes harder to contain the threat.

If the threat progresses all the way through to the final stage of the kill chain, it's too late and the organisation will have suffered a breach.

Automation can play a crucial role here, as it provides the means for threats to be rapidly contained. If security analysts always rely on responding to the alerts they receive, by the time they have investigated and identified the threat it may have progressed further down the kill chain.

Automated security tools can automatically detect indications of a threat and provide information to security staff to help them take the most appropriate action. This will reduce MTTD and MTTR, and ensure fewer threats are able to progress along the kill chain.

With a threat quickly contained, security analysts can examine the details of the incident and determine how they can prevent a similar threat occurring again. Automated security tools can create clear incident reports that can be used to improve responses in the future.

Automation tools aren't perfect, as their ability to investigate security events without human intervention can sometimes result in false positives. For example, a system might block an IP address that may be just be unusual, such as a cloud-based pilot project, rather than genuinely suspicious.

But good security automation can be tuned so that it fits the risk profile of the organisation and the preferences of the security team. Selecting the appropriate analytics and effective workflows will then increase accuracy.

Automation will undoubtedly play a growing role in cybersecurity as organisations grapple with a threat landscape that is constantly evolving with new ways to attack networks. And as the pressure on security teams continues to increase, it will be a powerful tool in preventing security compromises from becoming headline news.