When it comes to giving cyber security experts the tools they need to take action, automation and machine learning (ML) can make a big difference. Many companies are working with high volumes of data, and the types and variants of attack are always growing and changing. It can become too much for people to process in a meaningful time frame. Security automation and ML-based early triage can cut the volume analysts must review down to a manageable level. Here is how security automation can work and what it can do.

Many Services, Loosely Connected 

In today’s world of multicloud solutions, businesses and other organizations find themselves with a more diverse security toolset than ever before. The security operations team now has to cover not only legacy data centers and multiple cloud providers but also the security of newer platforms such as containers, Kubernetes and OpenShift.

These technologies have ushered in a world where an application is no longer a monolithic entity that connects to one or two things, such as a database or a user authentication system. Instead, applications are becoming a loosely coupled amalgam of multi-use services connected by API calls. To complicate matters further, these services can be located anywhere, across multiple clouds and data centers, and may not even be run by the same company.

This makes it extremely difficult for the security operations team to understand how data is processed as it flows through an “application”. On top of that, security events from multiple technologies in multiple locations have to be fused into a single picture before they can be tracked at all.

What is required is something that pulls all the information from these diverse tools into a single overarching view that can then be processed to understand the complete picture of an organisation’s security posture.

This is where security automation comes in. To catch problems and keep operations running smoothly, your team needs to track incidents from multiple angles, fuse data from multiple locations into a single picture and hold a complete view of all of these connected endpoints, which can then be processed to understand the organization’s security posture as a whole.

Security Automation Can Speed Up Threat Response Times Too

The days of human analysts doing all the work are fast receding. The volume of data being created and the ever-growing types and variations of attack mean there is too much for human analysts to process in meaningful timeframes. As a result, automation and machine learning based early triage are required to reduce the volumes to manageable levels.

Advanced threat disposition scoring, developed by IBM, is one possible solution. It uses multiple ML algorithms to analyze threat patterns and take actions on its own to raise and lower the priority of tickets for human analyst review.

Another key element in this area is the integration between IT automation and cyber security. While cyber security is not just an IT problem, reacting to and fixing the problems detected often is. We need to move away from the concept of raising tickets and waiting for overwhelmed IT teams to respond.

Linked, Automated Responses 

The world of DevSecOps has developed the concept of Continuous Integration and Continuous Deployment (CI/CD). Combined with software-defined networks and infrastructure, this means the configuration of enterprise infrastructure is now software driven and updated constantly.

Using IT automation and configuration tools, such as Ansible, Jenkins or Puppet, and linking them to Security Orchestration, Automation and Response (SOAR) tools, businesses can apply pre-agreed configuration changes, known as playbooks, to automate responses. Because these playbooks have to be pre-approved by the IT teams before the Security Operations Center (SOC) can run them, everyone knows what is going on, it is easy to audit which actions were taken and tight configuration control is maintained, all while speeding up security incident response times.

The linking of detection to response has the following benefits:

  • The SOC team can proactively protect the enterprise instead of raising tickets;
  • Better communication, planning and integration between Security Operations and IT teams;
  • Reduction of the IT team’s burden of making changes;
  • Incident response can be rolled out in minutes instead of hours or days;
  • Changes can be rolled back equally quickly.
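The dispatcher below is an added illustration of the SOAR-to-IT-automation link described above; it is not IBM’s code, nor the API of any SOAR or configuration tool. It assumes a small allowlist of playbooks the IT team has pre-approved, a policy that internal address ranges are never changed automatically, and an in-memory stand-in for the infrastructure that Ansible or Puppet would really change. The playbook names, confidence thresholds and sample alerts are all constructed for the example. The points it demonstrates are the ones the list makes: anything not pre-approved is refused, every change is recorded with the state before and after, and a recorded change can be rolled back.

```python
"""Toy SOAR-to-IT-automation dispatcher (constructed example).
Only pre-approved playbooks may run, every change is written to an audit
trail with the prior state, and any audited change can be rolled back.
All names, thresholds and the in-memory 'infrastructure' are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
import uuid

# Assumed policy: addresses in these ranges are never blocked automatically.
PROTECTED_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed pre-approved playbooks: who approved them and the minimum
# detection confidence the SOC may act on without a human in the loop.
APPROVED_PLAYBOOKS = {
    "block_source_ip": {"approved_by": "it-change-board", "min_confidence": 0.80},
    "quarantine_host": {"approved_by": "it-change-board", "min_confidence": 0.95},
}


@dataclass
class Infrastructure:
    """Stand-in for the systems a configuration tool would really change."""
    blocked_ips: set = field(default_factory=set)
    quarantined_hosts: set = field(default_factory=set)

    def snapshot(self) -> dict:
        return {"blocked_ips": frozenset(self.blocked_ips),
                "quarantined_hosts": frozenset(self.quarantined_hosts)}

    def restore(self, snap: dict) -> None:
        self.blocked_ips = set(snap["blocked_ips"])
        self.quarantined_hosts = set(snap["quarantined_hosts"])


@dataclass
class AuditEntry:
    audit_id: str
    timestamp: str
    playbook: str
    target: str
    before: dict
    after: dict


class Dispatcher:
    def __init__(self, infra: Infrastructure):
        self.infra = infra
        self.audit: list[AuditEntry] = []

    def run(self, alert: dict) -> tuple[bool, str]:
        """Apply the playbook an alert asks for, or refuse with a reason."""
        name = alert.get("playbook")
        policy = APPROVED_PLAYBOOKS.get(name)
        if policy is None:
            return False, f"refused: playbook {name!r} is not pre-approved"
        if alert.get("confidence", 0.0) < policy["min_confidence"]:
            return False, f"refused: confidence below {policy['min_confidence']}"
        target = alert["target"]
        if name == "block_source_ip" and any(
                ip_address(target) in net for net in PROTECTED_RANGES):
            return False, f"refused: {target} is in a protected range"

        before = self.infra.snapshot()          # recorded for audit and rollback
        if name == "block_source_ip":
            self.infra.blocked_ips.add(target)
        else:  # quarantine_host
            self.infra.quarantined_hosts.add(target)
        entry = AuditEntry(uuid.uuid4().hex,
                           datetime.now(timezone.utc).isoformat(),
                           name, target, before, self.infra.snapshot())
        self.audit.append(entry)
        return True, f"applied {name} to {target}; audit {entry.audit_id}"

    def rollback(self, audit_id: str) -> bool:
        """Undo one recorded change by restoring its 'before' snapshot."""
        for entry in self.audit:
            if entry.audit_id == audit_id:
                self.infra.restore(entry.before)
                return True
        return False


# Constructed alerts such as a detection pipeline might emit.
SAMPLE_ALERTS = [
    {"playbook": "block_source_ip", "target": "203.0.113.45", "confidence": 0.92},
    {"playbook": "block_source_ip", "target": "10.4.2.7", "confidence": 0.99},
    {"playbook": "quarantine_host", "target": "web-03", "confidence": 0.60},
    {"playbook": "reboot_host", "target": "web-03", "confidence": 0.99},
]


def demo() -> tuple[list[bool], set, set]:
    """Run the sample alerts, then roll back the one change that was applied."""
    d = Dispatcher(Infrastructure())
    outcomes = [d.run(a)[0] for a in SAMPLE_ALERTS]
    after_run = set(d.infra.blocked_ips)
    d.rollback(d.audit[0].audit_id)
    return outcomes, after_run, set(d.infra.blocked_ips)


if __name__ == "__main__":
    print(demo())  # ([True, False, False, False], {'203.0.113.45'}, set())
```

Of the four constructed alerts only the first is applied: the second targets a protected internal address, the third falls below the confidence the IT team approved for that playbook, and the fourth asks for a playbook that was never approved at all. In a real deployment the `Infrastructure` methods would be replaced by calls into the configuration tool, but the allowlist, the threshold check and the before/after audit record are what make it safe for the SOC to act without a ticket for every change.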

This highly automated approach not only speeds up response times. It also gives the security operations and IT teams much needed time to look into the problem further. Now, people can focus on new attacks that have not been seen before, instead of dealing with repeat attacks from known threats.

How Security Automation Brings It All Together

To make this happen, all parties must work together. The needs of the IT team — uptime, reliability and resilience — must be balanced with the needs of the security team. Likewise, the IT team needs to trust the security operations team and allow them to activate responses that will change system settings without direct IT approval every time. Both teams need to take responsibility and understand each other’s needs in order to allow security automation to fully realize its potential.

Enterprises face a growing number of increasingly sophisticated attacks, and the applications on which they depend are also becoming more and more complex. As a result, automation of attack detection and response is no longer just nice to have, but an essential component of enterprise security.
