When it comes to giving cyber security experts the tools they need to take action, automation and machine learning (ML) can make a big difference. Many companies are working with high volumes of data, and types and variants of attack are always growing and changing. It can become too much for people to process in a meaningful time frame. But security automation and ML-based early triage can reduce data volumes. Check out how security automation can work and what it can do.
Many Services, Loosely Connected
In today’s world of multicloud solutions, businesses and other groups find themselves with a more diverse security toolset than they ever had before. Now, the security operations team need to not only cover legacy data centers and multiple cloud providers. They also manage the security of new platforms, such as containers, Kubernetes and OpenShift.
These new technologies have ushered in a world where an application is no longer a monolithic entity only needing to connect to one or two things such as a database or user authentication system. Instead, applications are becoming a loosely coupled amalgam of multi-use services connected by API calls. Even more complicated is that these services can be located anywhere, across multiple clouds and data centres and may not even be run by the same company.
This makes understanding how your data is being processed and flows through an “application” extremely difficult for the security operations team, furthermore to keep track of security events from multiple technologies, in multiple locations data has to be fused into a single picture.
What is required is something that pulls all the information from these diverse tools into a single overarching view that can then be processed to understand the complete picture of an organisation’s security posture.
This is where security automation comes in. Your team needs to catch problems and run smoothly. To do that, you need to keep track of incidents from multiple angles. You need to fuse data from multiple locations into a single picture. You need a complete view of all of these connected endpoints, which can then be processed to understand the complete picture.
Security Automation Can Speed Up Threats Response Times Too
The days of human analysts doing all the work are fast receding. The volumes of the data being created, the ever-growing types and variations of attack, mean there is too much for human analysts to process in meaningful timeframes. As a result, automation and machine learning based early triage is required to reduce the volumes down to manageable levels.
Advanced threat disposition scoring, developed by IBM, is one possible solution. It uses multiple ML algorithms to analyze threat patterns and take actions on its own to raise and lower the priority of tickets for human analyst review.
Another key element in this area is the integration between IT automation and cyber security. While cyber security is not just an IT problem, the reaction and fixing the problems detected often are. We need to move away from the concept of raising tickets and waiting for overwhelmed IT teams to respond.
Linked, Automated Responses
The world of DevSecOps has developed the concept of Constant Integration and Constant Deployment (CI/CD), combined with software defined networks and infrastructure, the configuration of our Enterprise infrastructures are now software driven and updating constantly.
Using automated IT configuration tools, such as Ansible, Jenkins or Puppet and linking them to Security Orchestration, Automation, and Response (SOAR) tools, businesses have the power to use pre-agreed configuration changes, known as playbooks, to automate responses. As these playbooks have to be pre-approved by the IT teams to be run by the Security Operation Centre (SOC) teams, then everyone knows what is going on, it is easy to audit what actions were taken and maintain tight configuration control, all the while speeding up security incident response times.
The linking of detection to response has the following benefits:
- The SOC team can proactively protect the enterprise instead of raising tickets;
- Better communication, planning and integration between Security Operations and IT teams;
- Reduction of the IT team’s burden of making changes;
- Incident response can be rolled out in minutes instead of hours or days.
- Changes can be rolled back equally quickly
This highly automated approach not only speeds up response times. It also gives the security operations and IT teams much needed time to look into the problem further. Now, people can focus on new attacks that have not been seen before, instead of dealing with repeat attacks from known threats.
How Security Automation Brings It All Together
To make this happen, all parties must work together. The needs of the IT team — uptime, reliability and resilience — must be balanced with the needs of the security team. Likewise, the IT team needs to trust the security operations team and allow them to activate responses that will change system settings without direct IT approval every time. Both teams need to take responsibility and understand each others’ needs in order to allow security automation to fully realize its potential.
Enterprises are facing an increasing number and more refined attacks. The apps on which they depend are also becoming more and more complex. As a result, automation of attack detection and response is no longer just nice to have, but an essential component of enterprise security.
Associate Partner, IBM Security
Gavin has 20 years of experience dealing with Security and Information Assurance within both the Government & Private sectors. He has worked on issues in...