When it comes to giving cyber security experts the tools they need to take action, automation and machine learning (ML) can make a big difference. Many companies are working with high volumes of data, and types and variants of attack are always growing and changing. It can become too much for people to process in a meaningful time frame. But security automation and ML-based early triage can reduce data volumes. Check out how security automation can work and what it can do. 

Many Services, Loosely Connected 

In today’s world of multicloud solutions, businesses and other groups find themselves with a more diverse security toolset than they ever had before. The security operations team now needs to cover not only legacy data centers and multiple cloud providers, but also the security of new platforms, such as containers, Kubernetes and OpenShift.

These new technologies have ushered in a world where an application is no longer a monolithic entity only needing to connect to one or two things such as a database or user authentication system. Instead, applications are becoming a loosely coupled amalgam of multi-use services connected by API calls. Even more complicated is that these services can be located anywhere, across multiple clouds and data centres and may not even be run by the same company.

This makes it extremely difficult for the security operations team to understand how your data is being processed as it flows through an “application”. Furthermore, to keep track of security events from multiple technologies in multiple locations, the data has to be fused into a single picture.

What is required is something that pulls all the information from these diverse tools into a single overarching view that can then be processed to understand the complete picture of an organisation’s security posture.

This is where security automation comes in. To catch problems and keep operations running smoothly, your team needs to track incidents from multiple angles, fuse data from multiple locations into a single picture, and maintain a complete view of all of these connected endpoints, which can then be processed to understand the organisation’s overall security posture.

Security Automation Can Speed Up Threat Response Times Too

The days of human analysts doing all the work are fast receding. The volumes of data being created and the ever-growing types and variations of attack mean there is too much for human analysts to process in meaningful timeframes. As a result, automation and machine learning-based early triage are required to reduce the volumes to manageable levels.

Advanced threat disposition scoring, developed by IBM, is one possible solution. It uses multiple ML algorithms to analyze threat patterns and take actions on its own to raise and lower the priority of tickets for human analyst review.
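As an added illustration of what ML-based early triage looks like in code (this is not IBM’s advanced threat disposition scoring, nor code from the original article), the following Python example trains a small naive Bayes model on a constructed history of alerts and their past analyst dispositions, then scores a new queue. Alerts the model is confident about get their ticket priority raised or lowered automatically; everything else stays in the analyst queue. All hosts, alert tokens and labels are hypothetical, and the threshold is a tunable assumption.

```python
import math
from collections import Counter

# Constructed history of past alerts: the categorical tokens an alert carried
# and the disposition an analyst eventually gave it. Hypothetical, not real data.
HISTORY = [
    ({"src=edr", "sev=high", "asset=server", "sig=known", "repeat=no"}, "escalate"),
    ({"src=edr", "sev=high", "asset=workstation", "sig=unknown", "repeat=no"}, "escalate"),
    ({"src=ids", "sev=high", "asset=server", "sig=unknown", "repeat=no"}, "escalate"),
    ({"src=cloud", "sev=medium", "asset=server", "sig=unknown", "repeat=no"}, "escalate"),
    ({"src=ids", "sev=low", "asset=workstation", "sig=known", "repeat=yes"}, "deprioritize"),
    ({"src=ids", "sev=low", "asset=workstation", "sig=known", "repeat=yes"}, "deprioritize"),
    ({"src=cloud", "sev=low", "asset=server", "sig=known", "repeat=yes"}, "deprioritize"),
    ({"src=edr", "sev=medium", "asset=workstation", "sig=known", "repeat=yes"}, "deprioritize"),
]

# Constructed incoming queue awaiting triage.
QUEUE = [
    {"id": "A-1", "priority": "P3",
     "tokens": {"src=edr", "sev=high", "asset=server", "sig=unknown", "repeat=no"}},
    {"id": "A-2", "priority": "P3",
     "tokens": {"src=ids", "sev=low", "asset=workstation", "sig=known", "repeat=yes"}},
    {"id": "A-3", "priority": "P3",
     "tokens": {"src=cloud", "sev=medium", "asset=workstation", "sig=known", "repeat=no"}},
]

LABELS = ("escalate", "deprioritize")


class DispositionModel:
    """Naive Bayes over alert tokens with Laplace smoothing.

    score() returns the log-odds of 'escalate' versus 'deprioritize': strongly
    positive means the alert resembles ones analysts escalated, strongly
    negative means it resembles routine noise they closed.
    """

    def __init__(self, labelled):
        self.vocab = set()
        self.token_counts = {label: Counter() for label in LABELS}
        self.class_counts = Counter()
        for tokens, label in labelled:
            self.class_counts[label] += 1
            self.token_counts[label].update(tokens)
            self.vocab |= tokens
        self.total_tokens = {label: sum(c.values()) for label, c in self.token_counts.items()}

    def _log_likelihood(self, tokens, label):
        # +1 smoothing: a token never seen with this label must not zero out the product.
        denom = self.total_tokens[label] + len(self.vocab)
        prior = math.log(self.class_counts[label] / sum(self.class_counts.values()))
        return prior + sum(math.log((self.token_counts[label][t] + 1) / denom) for t in tokens)

    def score(self, tokens):
        return self._log_likelihood(tokens, "escalate") - self._log_likelihood(tokens, "deprioritize")


def triage(model, alert, threshold=2.0):
    """Raise or lower the ticket automatically when the model is confident; otherwise leave it for an analyst."""
    s = model.score(alert["tokens"])
    if s > threshold:
        decision, priority = "raise", "P1"
    elif s < -threshold:
        decision, priority = "lower", "P4"
    else:
        decision, priority = "review", alert["priority"]
    return {"id": alert["id"], "score": round(s, 2), "decision": decision, "priority": priority}


def triage_queue(model, alerts, threshold=2.0):
    """Triage a batch; returns per-alert results and how many no longer need a human first look."""
    results = [triage(model, a, threshold) for a in alerts]
    auto_handled = sum(1 for r in results if r["decision"] != "review")
    return results, auto_handled


if __name__ == "__main__":
    model = DispositionModel(HISTORY)
    results, handled = triage_queue(model, QUEUE)
    for r in results:
        print(r)
    print(f"{handled} of {len(results)} alerts re-prioritised without analyst involvement")
```

The point of the threshold band is the caveat a practitioner cares about: the model only acts on its own where the evidence is lopsided, and ambiguous alerts (A-3 above) are left at their original priority for a human, so a mis-trained model cannot silently close the whole queue.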

Another key element in this area is the integration between IT automation and cyber security. While cyber security is not just an IT problem, reacting to and fixing the problems detected often is. We need to move away from the concept of raising tickets and waiting for overwhelmed IT teams to respond.

Linked, Automated Responses 

The world of DevSecOps has developed the concept of Continuous Integration and Continuous Deployment (CI/CD). Combined with software-defined networks and infrastructure, this means the configuration of our enterprise infrastructure is now software-driven and updating constantly.

Using automated IT configuration tools, such as Ansible, Jenkins or Puppet, and linking them to Security Orchestration, Automation, and Response (SOAR) tools, businesses have the power to use pre-agreed configuration changes, known as playbooks, to automate responses. Because these playbooks must be pre-approved by the IT teams before the Security Operations Centre (SOC) teams can run them, everyone knows what is going on, it is easy to audit what actions were taken, and tight configuration control is maintained, all while speeding up security incident response times.

The linking of detection to response has the following benefits:

  • The SOC team can proactively protect the enterprise instead of raising tickets;
  • Better communication, planning and integration between Security Operations and IT teams;
  • Reduction of the IT team’s burden of making changes;
  • Incident response can be rolled out in minutes instead of hours or days;
  • Changes can be rolled back equally quickly.
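To make the playbook model concrete, here is an added Python example (not code from the article, and not any vendor’s SOAR product) of a minimal orchestration engine with the properties described above: a playbook runs only if IT has signed it off and only for the detection type it was agreed for, every action is written to a hash-chained audit log so later edits to the history are detectable, and each playbook carries pre-agreed rollback steps. The infrastructure backend is a simulated stand-in for what an Ansible or Puppet job would change; host names, playbook names, the `203.0.113.7` indicator and the approver identity are all constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone


class InfraBackend:
    # Simulated infrastructure state; hypothetical hosts standing in for real config management.
    def __init__(self):
        self.state = {"fw-edge": {"block_list": []}, "ws-0412": {"network": "corp"}}

    def apply(self, action, params):
        host = self.state[params["host"]]
        if action == "block_ip":
            if params["ip"] not in host["block_list"]:
                host["block_list"].append(params["ip"])
        elif action == "unblock_ip":
            host["block_list"] = [ip for ip in host["block_list"] if ip != params["ip"]]
        elif action == "set_network":
            host["network"] = params["network"]
        else:
            raise ValueError(f"unknown action {action}")


# Pre-agreed playbooks (constructed). 'trigger' is the only detection type allowed to fire
# the playbook; 'approved_by' is IT change-control sign-off. {placeholders} come from the event.
PLAYBOOKS = {
    "contain-c2-beacon": {
        "trigger": "c2_beacon",
        "approved_by": "it-change-board",
        "apply": [("block_ip", {"host": "fw-edge", "ip": "{indicator}"}),
                  ("set_network", {"host": "{asset}", "network": "quarantine"})],
        "rollback": [("set_network", {"host": "{asset}", "network": "corp"}),
                     ("unblock_ip", {"host": "fw-edge", "ip": "{indicator}"})],
    },
    "isolate-host": {  # drafted but not yet signed off, so it must never run
        "trigger": "ransomware_activity",
        "approved_by": None,
        "apply": [("set_network", {"host": "{asset}", "network": "quarantine"})],
        "rollback": [("set_network", {"host": "{asset}", "network": "corp"})],
    },
}


class Soar:
    def __init__(self, backend):
        self.backend = backend
        self.audit = []  # hash-chained: each entry commits to the previous entry's digest
        self.runs = {}   # event id -> playbook applied, so the response can be rolled back

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, **fields):
        entry = dict(fields, ts=datetime.now(timezone.utc).isoformat(),
                     prev=self.audit[-1]["hash"] if self.audit else "0" * 64)
        entry["hash"] = self._digest(entry)
        self.audit.append(entry)

    @staticmethod
    def _render(steps, event):
        return [(a, {k: v.format(**event) for k, v in p.items()}) for a, p in steps]

    def respond(self, event, playbook_name, operator):
        """Run a playbook only if it is signed off and matches the detection type; log either way."""
        pb = PLAYBOOKS.get(playbook_name)
        if pb is None or not pb["approved_by"] or pb["trigger"] != event["type"]:
            self._record(event=event["id"], playbook=playbook_name, operator=operator, result="denied")
            return False
        for action, params in self._render(pb["apply"], event):
            self.backend.apply(action, params)
            self._record(event=event["id"], playbook=playbook_name, operator=operator,
                         approved_by=pb["approved_by"], action=action, params=params, result="applied")
        self.runs[event["id"]] = playbook_name
        return True

    def rollback(self, event, operator):
        """Undo an earlier response using the playbook's pre-agreed reverse steps."""
        name = self.runs.pop(event["id"], None)
        if name is None:
            return False
        for action, params in self._render(PLAYBOOKS[name]["rollback"], event):
            self.backend.apply(action, params)
            self._record(event=event["id"], playbook=name, operator=operator,
                         action=action, params=params, result="rolled_back")
        return True

    def verify_audit(self):
        """True unless an entry has been altered or spliced out of the chain."""
        prev = "0" * 64
        for entry in self.audit:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    soar = Soar(InfraBackend())
    evt = {"id": "INC-1001", "type": "c2_beacon", "asset": "ws-0412", "indicator": "203.0.113.7"}
    print("applied:", soar.respond(evt, "contain-c2-beacon", "soc-analyst-1"))
    print("audit intact:", soar.verify_audit())
```

Two design choices carry the article’s argument. Refusals are logged as well as successes, so the audit trail shows what the SOC tried to do, not only what changed; and the rollback steps live in the same signed-off playbook as the apply steps, so the IT team has agreed in advance to both directions of the change.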

This highly automated approach not only speeds up response times. It also gives the security operations and IT teams much needed time to look into the problem further. Now, people can focus on new attacks that have not been seen before, instead of dealing with repeat attacks from known threats.

How Security Automation Brings It All Together

To make this happen, all parties must work together. The needs of the IT team — uptime, reliability and resilience — must be balanced with the needs of the security team. Likewise, the IT team needs to trust the security operations team and allow them to activate responses that will change system settings without direct IT approval every time. Both teams need to take responsibility and understand each other’s needs in order to allow security automation to fully realize its potential.

Enterprises are facing an increasing number of ever more refined attacks. The apps on which they depend are also becoming more and more complex. As a result, automation of attack detection and response is no longer just nice to have, but an essential component of enterprise security.
