Responding to the Cyber Skills Drought with Automation

Friday, August 17, 2018

In our previous blog, Fidelis’ Director of MDR Services, Rae Jewell discussed how 24x7 managed detection and response can help organizations cope with the ever-present cyber-skills drought.

This week, we’ll examine how technology that leverages automation can also help organizations address the skills shortage by increasing the efficiency and capabilities of an existing security operations team. A computer shouldn’t replace an analyst, but automation should act as a force multiplier to increase a team’s capacity as well as the level to which it’s able to operate.

So, how then should automation be effectively used to ensure you are able to get the very most out of your security operations team?

First, as we know – no organization is the same. Every enterprise handles detection and response workflows differently based on their specific security architecture. As a result, organizations should be seeking a customizable, extensible solution that empowers analysts to respond quickly to validated alerts within their unique environments.

Organizations should be looking for a solution that automates the data gathering and analysis necessary to ensure accurate detections and then enable faster response, such as isolating compromises or suspected compromised endpoints from the network, perform memory and process analysis, and jumpstart response scripts.

Here are some ways to consider integrating automation into your security operations workflow to maximize your team’s efficiency throughout the entire lifecycle of an attack.

Automating Investigations

The beauty of automating investigations is that if done properly, it has the power to elevate tier 1 or junior analysts to the level of tier 2 analysts, as it can provide a deeper level of insight, so that they can quickly draw accurate conclusions and complete investigations at a faster pace.

Legacy threat detection systems can be very ‘noisy’. They often flood security analysts with notifications and alerts for human validation. In addition, the number of alerts often grows as the same artifact or behavior is detected at different stages of the attack lifecycle – triggering more and more alerts. This creates ‘alert fatigue’. There are key ways alert fatigue can be reduced through automation and in turn help security operations stay on task and focused. 

  1. Prioritized Alerts – Alert prioritization should be automated to ensure the team focusses on alerts associated with the highest level of risk. A robust automated detection capability will use machine learning to automate alert prioritization based on past actions taken by analysts.
  2. Grouped Alerts – Grouping or collecting relevant alerts together under the relevant highest priority alert. Intelligent grouping allows security teams to focus on those that matter so that they can respond quickly.
  3. Actionable Alerts - In order to provide this deep context, the solution should include key information such as the full sandbox execution report, a link to the entire network path and all endpoint activity before and after the violating activity – as well as any relevant asset information – all in one screen at your fingertips

Automating Prevention

Prevention workflows can be automated in various ways to reduce the impact on a busy security operations team, and ultimately speed up prevention of new and previously unknown threats.

The automation of dropping sessions through sending a network TCP reset on Network sensors is a great way to improve prevention efficiency. In addition, automated email management (such as quarantine, reroute and attachment management) and web page redirection are great ways to reduce workload via automation. An automated solution should also quarantine suspicious/malicious files as well as block file execution, prevent process execution on endpoints and identify data loss. With all these automated elements, prevention is faster and more efficient, therefore saving manpower or the need for a greater headcount.

Automating Response

At the end of the day, an automated response is good for more than just taking the pressure off from a resource perspective. With automated response capabilities an organization can speed up it’s response time considerably. Regardless, automating response can also reduce the time required of analysts to effectively remediate alerts and therefore take pressure off the Security Operations team.  

By setting up rules to automate endpoint response, for example to isolate a compromised endpoint if a specific alert rule has been triggered, analysts can both reduce the risk associated with specific alerts as well as save time having to manually initiate a workflow for each individual alert. A brilliant way automation can help teams save time post-attack is through automated rollback, which restores a computer to a specific backup point prior to its infection.

The long and short of it is that if used properly – and if tailored to your specific organization – automation can significantly improve the efficiency and therefore the capacity of a security operations team.

Do your research. Many vendors miss the mark when it comes to automation. There’s a careful line and we shouldn’t automate too much – humans are still needed to make the ultimate decisions, but automation can certainly help us reach those decisions faster, and with more accuracy.

- Sam Erdheim
Vice President of Marketing