Data breaches, regardless of industry, are here to stay. Attackers continue to evolve their methods while defenders are spread dangerously thin. With hundreds, if not thousands, of security alerts per day pouring into Security Operations Centers (SOC), security professionals are fighting a losing battle.
Since most indicators of compromise lurk in low-priority alerts, manual triage processes only increase detection to response times. This latency gives potential attackers ample time to probe the network, infect hosts, and pivot to gain access to high-value data. In most cases, the damage has been done by the time an attack is detected.
Fortunately, two techniques can help even the playing field between SOCs and their adversaries.
1) Automation: Enrichment and Prioritization
The first is automation. While not a new concept, its application in security programs is. Spawned in the Industrial Revolution, automation was developed for and driven by the need to do more with less, and has continued to evolve into the 21st century.
In the digital era, we are looking at automation in a whole new way. It is more than a marketing buzzword; it is the future of cybersecurity. The failure to adapt and adopt automation into a security program will leave organizations in a constant state of reaction. Adversaries will continue to lurk among the missed indicators, and network defenders will continuously be one step behind.
Since most indications of a breach are concealed in seemingly normal network and security events, they can go undetected and unattended for long periods of time, which was the case in the recent Marriott breach. Automation can help address this persistent problem through enrichment. The manual triaging process is by far the most time-consuming and tedious task, which can lead to extended dwell times and give an attacker more time to cause extensive damage.
Once an incident is correctly prioritized, another manually intensive task that squanders scarce security analyst time is creating and updating tickets. These tickets are crucial to post-mortem activities and knowledge transfer. However, important investigational information may be left out or delayed during an active attack due to the time-sensitive nature of this type of engagement.
By automating ticketing during an active incident, security teams can quickly document updates more frequently and consistently which will result in more complete metrics for executive staff and a solid foundation for knowledge transfer and historical trending.
2) Integration: Increasing Visibility
Automating enrichment functions is just a first step. If analysts are unable to gather enrichment data from all available sources and correlate it, they are only seeing part of the picture. This is where the second technique comes in — integration.
The integration of siloed network and security technologies provides valuable efficiencies, while making it more difficult for adversaries to penetrate an organization’s defenses. This integration provides another important benefit — it gives organizations greater visibility into their network and its attack surface. This enhanced visibility allows network defenders to anticipate potential issues and take a more proactive approach to securing their environment.
By knitting together security tools, devices and their outputs, organizations can incorporate both internal and external threat intelligence with historical trending to provide the context necessary for uncovering low and slow attacks. Combining device-specific threat intelligence through sandboxing capabilities and proprietary feeds with subscription-based intelligence, analysts will be armed with real-time indicators and compromise details to quickly assess the scope of the potential incident.
Since most present-day attacks exploit known vulnerabilities, integrating vulnerability data from an organization’s scanning devices into automated processes enables organizations to prioritize patching cycles and focus their security rulesets on vulnerable systems until they can be appropriately handled. For example, in the scenario where a system contains a vulnerability that cannot be immediately patched, an integrated and automated process can alert security staff to implement compensating controls. In addition, automation can be used to block activity and raise the priority of events on unpatched systems.
From assembly lines to writing lines of software code, automation has helped businesses solve new problems and drive up efficiency. As adversaries continue to evolve, the methods used to circumvent security defenses, automation and integration can help overcome the odds.
About Heather Hixon
Heather Hixon is a senior solutions architect for Security Orchestration, Automation and Response (SOAR) vendor DFLabs. She has been a SOC team leader, SOC analyst and SIEM engineer with an industry leading MSSP, and served in IT management roles with several other organizations. Heather is CompTIA Security+, SANS GSEC and GCIA certified.