Cybersecurity automation? Yes, wherever possible

There was a time when companies were hesitant about their IT and security teams using automation to discharge some of their duties.

“I think much of that was due to the feeling that if a task was automated and something went wrong, IT was not in control and did not have as much visibility,” Candace Worley, Chief Technical Strategist at McAfee, told Help Net Security.

But the increasing quantity and sophistication of threats, the massive amount of data flowing across the corporate network, the exponential complexity of enterprise environments, the chronic shortage of cybersecurity talent and increasingly pervasive privacy and security regulations have forced companies to overcome their reticence.

Automating the SOC

Automated systems are invaluable when it comes to performing asset discovery, evaluation and vulnerability remediation, sifting through mountains of data, detecting anomalous activity and, consequently, alleviating the everyday burdens of security teams.

Automating many of the most time intensive tasks associated with incident response is also likely to make the difference between identifying an attack after the fact and identifying (and blocking) it while in progress.

Many routine tasks in a SOC are ripe for automation, Worley notes. If a task is highly repetitive, requires searching through reams of data for anomalous behavior, or can be scripted, then it is likely a candidate for automation.

“Inventory how your team is spending their time, take note of the tasks they are completing to meet these criteria, and then set aside time for them to automate those tasks,” she advises CISOs.

“The time spent automating up front may be painful but will save you thousands of man hours over time. Those hours can then be spent on the tasks that require the highest degrees of intellect and discernment and are likely the tasks that your most talented IT folks enjoy spending time doing.”

There are many opportunities for automation

Placing automation at the right location in the attack lifecycle is key to fast and efficient investigations, says Andrew Lancashire, Security Operations Strategist at McAfee.

“The first opportunity to automate is at the source of the telemetry. Endpoint protection technologies, for example, use a series of steps to qualify threats. Updating threat intelligence data here, as well as leveraging services to qualify suspicious objects on an end user workstation or sever will result in higher quality alerts being sent to the SIEM. This same approach can be applied to any signal or telemetry sources, such as gateways, IPS, and DNS,” he explains.

Next comes the automation in the SIEM.

“The typical SOC today focuses on developing use cases analysts believe might lead to an attack. While some use cases provide specific organizational value, relying on use cases can and does lead to SOCs missing other more modern indicators of attack,” he opines, and says that it is important to allow the data to “speak for itself”.

“Looking at the data surrounding an alert tells the story of what happened before and what after an attack. Repeated patterns of collecting and retrieving data are good opportunities to automate analysts’ tasks in the SIEM. For instance, if analysts are manually qualifying external IP addresses, as part of an investigation, these types of tasks can be done prior to analysts starting to work the event, allowing analysts to quickly see which alerts are more quantifiably suspicious than others. If the threat intelligence is reliable, the automation in the SIEM can also include an immediate containment step where the threatening IP addresses are sent to safeguards to update policies blocking observed indicators of compromise at the speed of the SIEM’s automation.”

SOAR technologies should perform automation where other manufacturer-maintained products cannot.

“SOC teams shouldn’t be burdened with maintaining Python code if they don’t have to. If the automation can be contained in a vendor product, it will likely be supported by the vendor. In many cases, the vendor will write the automation for you, such is the case with SIEM correlations,” Lancashire adds.

Finally, there’s good EDR, with its ability to automate the gathering of deep technical data and presenting it to an analyst in a methodical and useful way.

“Automated investigation guides serve as great ways to automate and create consistency within the investigative process. Additionally, a worthwhile EDR platform will also be able to incorporate SIEM data into the investigative process,” he notes.

Human-machine teaming is the future

Leveraging the capabilities of machines in concert with the capabilities of humans to accomplish the best possible outcome in a given situation is the ultimate goal of human-machine teaming.

“When you look at it through the lens of the business outcomes an organization wants to realize, human-machine teaming delivers improved productivity through both machines and humans; increases in capacity and associated output of the highly skilled human resources you have; and risk mitigation and reduction as a result of reducing mean time to detection (MTTD) and mean time to remediation (MTTR) for cyber-threats,” Worley points out.

Machines bring the ability to gather and analyze large quantities of complex data automatically, in a fraction of the time it would take a group of humans to do the same. That means that the data is still timely when it is being analyzed and becomes the basis for strategic decision making.

Humans bring their own special skills to the table:

• They are able to take the information that machines put forward and apply strategic intellect. They understand the context of multiple pieces of data threaded together and are much better at deciphering the subtle clues that unearth an attack.
• They are able to perform a second layer of assessment required for security decisions that would have severe consequences (e.g., taking a DNS server offline or disconnecting the CEO’s laptop).

Applying strategic intellect to assess the data, the risk, and determining if the response is appropriate to mitigate risk in the context of the organization’s overall risk appetite is where humans shine.