Outsmarting Attackers with Security Automation
Security teams are facing information overload amid an ever-expanding threat landscape. When those teams rely on manual processes to analyze and respond to alerts, it is far too hard to decide where their time and attention are best spent, and far too easy to let critical threats slip through the cracks. On top of that, resource constraints persist, so security teams routinely fall behind in responding to every threat.
Security automation solves many of these problems, and it saves companies money. IBM reported that businesses with fully deployed security automation incur data breach costs $3.1 million lower, on average, than companies that have yet to deploy such technologies.
Read on to learn what security automation is, the threats that make automation essential, how automation strengthens your security posture, and how an outside vendor can help.
What is security automation?
Previously, the term “security automation” was applied to the automation of security controls—for instance, automated patch management.
Today, security automation refers to the use of automated systems to detect and prevent cyber threats while feeding the organization's overall threat intelligence, so that it can plan for and defend against future attacks.
Security automation essentially aims to reduce human intervention when addressing security operations. When applied effectively, repetitive, time-consuming actions that a security analyst would have handled are done automatically, allowing security analysts to focus on other, more valuable tasks.
The Threats That Make Security Automation Essential
Cybercriminals Leveraging Automation
Security automation is a powerful tool for businesses. Unfortunately, it is a powerful tool for cybercriminals as well. Suppose, for example, that a cybercriminal deploys malware. The malware sends telemetry back to the operators' command-and-control servers; the operators quickly evaluate that information and rebuild the malware to address the weaknesses their probes revealed.
In other words, cybercriminals build the same tools into their workflows, including machine learning and artificial intelligence, that the cybersecurity industry uses. As the industry gets faster and more robust, so do cybercriminals.
Expanding Attack Capabilities
Cybercrime now costs an estimated $6 trillion a year; if it were a country, it would be the third-largest economy in the world. With nation-states as targets and conflicts such as the war in Ukraine driving attacks intended to take down communications networks or power plants, powerful new exploits trickle down into cybercrime networks, expanding the tactics and techniques available to ordinary attackers.
To keep up with these attacks, the security market is growing. The market for vulnerability management tooling alone is projected to "exceed $10 billion by 2025, driven majorly by the need to identify, classify, and remediate vulnerabilities that attackers could exploit to access confidential data," according to CISO Mag.
Today's security teams receive an average of 12,000 security alerts per day. With 2.72 million cybersecurity jobs unfilled globally, keeping up with those alerts is a significant burden.
The shortage of cybersecurity professionals means that many alerts go uninvestigated: 52 percent, according to one study.
The gap between workload and capacity is widening, too. A Ponemon Institute survey found that 77 percent of enterprise security teams lack the resources to keep up with the volume of patches that need to be applied, a five-percentage-point increase from just two years earlier.
How Automation Strengthens Security
In a typical intrusion, defenders have roughly 30 minutes from initial compromise before the attacker begins moving laterally across the network. The ideal response is to detect that behavior immediately and stop it before additional malicious tooling is deployed and the initial foothold grows into an existential threat. Unfortunately, most companies simply do not have the resources to respond that quickly.
“A customer with 20,000 employees reached an incredible 6 billion logs in just 24 hours,” says Jesper Zerlang, CEO of LogPoint. “On average, it takes organizations 212 days to identify a data breach and another 75 days to . . . contain it.”
Automation can bring that response time down from 30 minutes to about five. Here is how else it helps:
Deal with Alert Overload
Security automation is organized as playbooks that take over the tedious work of gathering information about threats. Previously, an analyst had to run manual queries to determine whether a given IP address or DNS name was a minor nuisance or part of a global campaign.
Today, SOAR (security orchestration, automation, and response) platforms gather that information from tools such as Microsoft's Azure Sentinel, Defender for Endpoint, Defender for Identity, or Recorded Future's Threat Intelligence (TI) platform. The SOAR platform then enriches each alert with context: how the threat fits into the global threat picture, and how it should be prioritized relative to everything else in the queue.
In many cases, you can also build an automated response into the workflow, triggered by the playbook without any analyst intervention. Typical actions include the following:
- Disabling the affected account
- Resetting its password
- Notifying the client of the threat and its severity by email
Identify Unusual Behavior
User behavioral analytics (UBA) tools automatically recognize unusual behaviors that may indicate a threat. For example, suppose an employee who usually logs in from Rochester, New York, suddenly logs in from Spain, a pattern commonly called impossible travel. The SOAR platform, which functions somewhat like a traffic cop, assigns that event a severity level and notifies you if you need to act. It can even disable the account if the playbook specifies that response for that behavior.
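The impossible-travel check behind the Rochester-to-Spain scenario, as an added Python example that is not part of the original article and not any vendor's UBA engine. The city coordinates, sample sign-in events, the 900 km/h speed ceiling, the 50 km same-metro tolerance and the trusted-egress list are all constructed assumptions. It generalizes the single case in the text to any stream of sign-ins and includes the caveat a practitioner hits first: sign-ins through a corporate VPN or proxy egress must be excluded, because their geolocation says nothing about where the user is.

```python
"""Impossible-travel detection over a constructed sign-in log.

Added example, not part of the original article and not a vendor's UBA
engine. Coordinates, events, thresholds and the egress list are assumed.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruising speed
SAME_METRO_KM = 50.0        # assumption: ignore GeoIP jitter inside one metro

# Constructed (lat, lon) table; a real pipeline would use a GeoIP lookup.
GEO = {
    "Rochester, NY": (43.16, -77.61),
    "Buffalo, NY": (42.89, -78.88),
    "Madrid, ES": (40.42, -3.70),
}

# Assumption: corporate VPN/proxy egress addresses. Their location is the
# egress point's, not the user's, so they are excluded from the check.
TRUSTED_EGRESS_IPS = {"198.51.100.20"}

# Constructed sample events (ISO 8601 timestamps, UTC).
SAMPLE_SIGNINS = [
    {"user": "jdoe", "ts": "2024-03-01T09:00:00+00:00",
     "ip": "192.0.2.10", "city": "Rochester, NY"},
    {"user": "jdoe", "ts": "2024-03-01T10:30:00+00:00",
     "ip": "203.0.113.77", "city": "Madrid, ES"},
    {"user": "asmith", "ts": "2024-03-01T09:00:00+00:00",
     "ip": "192.0.2.11", "city": "Rochester, NY"},
    {"user": "asmith", "ts": "2024-03-01T10:00:00+00:00",
     "ip": "192.0.2.12", "city": "Buffalo, NY"},
    {"user": "bwong", "ts": "2024-03-01T08:00:00+00:00",
     "ip": "192.0.2.13", "city": "Rochester, NY"},
    {"user": "bwong", "ts": "2024-03-01T08:30:00+00:00",
     "ip": "198.51.100.20", "city": "Madrid, ES"},   # via trusted VPN egress
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        if e["ip"] in TRUSTED_EGRESS_IPS:
            continue  # VPN/proxy egress: geolocation is not the user's
        by_user.setdefault(e["user"], []).append(e)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(GEO[prev["city"]], GEO[cur["city"]])
            if km < SAME_METRO_KM:
                continue  # same metro area; not a travel event
            delta = (datetime.fromisoformat(cur["ts"])
                     - datetime.fromisoformat(prev["ts"]))
            hours = delta.total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from": prev["city"],
                    "to": cur["city"],
                    "distance_km": round(km),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed),
                    "severity": "high",  # assumed; a playbook would set this
                })
    return findings


if __name__ == "__main__":
    for f in detect_impossible_travel(SAMPLE_SIGNINS):
        print(f)
```

On the sample data only jdoe is flagged: Rochester to Madrid is roughly 5,900 km, and 90 minutes between sign-ins implies a speed of several thousand km/h. asmith's Rochester-to-Buffalo hop is about 100 km in an hour and passes, and bwong's Madrid sign-in is dropped because it arrived through the trusted VPN egress.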
SOAR platforms also offer dashboards that show whether you are meeting your KPIs. Suppose your goal is to respond to critical alerts within five minutes. If you receive 30 alerts and 12 are critical, how do you hold that KPI? Dashboards help you manage it: you can see which source is reporting the most (Sentinel? Defender for Endpoint?) and which threats need the most attention, such as a sudden spike in ransomware activity.
The goal of these dashboards is to produce better risk metrics that reveal trending tactics. If you are seeing a lot of phishing attacks, perhaps something is amiss in your employee onboarding training, or there may be additional security capabilities you need to deploy.
Maximize Your Investment
Whenever you undergo a business initiative, you want to be able to demonstrate what you are getting back from your investment—in this case, your ROSI (return on security investment).
How many alerts turned into incidents? How many breaches were avoided because of visibility into the network? Did you restore functionality quickly if your systems got shut down? Security automation makes these reporting capabilities possible and helps your team understand other places you should make investments for an even better return.
How an Outside Vendor Can Help Leverage Security Automation
It is no secret that maintaining a security department is expensive. If you are paying your security employees $100,000 a year and you get 100 alerts per day, "that means you spend $2610 per day on alerts. Times that by 365, assuming you have a 7-day-a-week SOC, and you're talking $952,650 a year spent on alerts alone," according to Rapid7.
But simply purchasing security automation tools may not solve that problem. The cost of automation tools alone is a significant investment. Then you need to deploy the platform and develop content, playbooks, and workflows to make the most of the investment. Content development requires people who can write scripts and code, tie tools back into ticketing or billing systems, understand APIs, etc.
Partnering with an outside vendor is an excellent way to create an affordable and reliable automated security program. Instead of hiring individual workers to set up your automated program, you can hire a team with all the institutional expertise needed to do an excellent job and meet your specific needs.
At ProArch, we have proven processes and operational structures that we have been refining for years. Whatever your company's core business, we have over 120 detection rules built for Azure Sentinel that we can quickly deploy into your environment. And our Managed Detection and Response (MDR) program can provide an even deeper look into
- who is attacking you,
- what their motivation and capabilities are, and
- which indicators of compromise to look for in your systems.
Serious threats make automation essential for strengthening your security posture, and an outside vendor can help you cut costs and get started on solid footing. Automation may seem like a hefty investment at first, but it’s more than worth it when you consider why it is necessary. Reach out today and see how ProArch’s Managed Detection and Response capabilities can benefit your organization.