When it comes to giving cyber security experts the tools they need to take action, automation and machine learning (ML) can make a big difference. Many companies are working with high volumes of data, and types and variants of attack are always growing and changing. It can become too much for people to process in a meaningful time frame. But security automation and ML-based early triage can reduce data volumes. Check out how security automation can work and what it can do. 

Many Services, Loosely Connected 

In today’s world of multicloud solutions, businesses and other groups find themselves with a more diverse security toolset than they ever had before. Now, the security operations team needs not only to cover legacy data centers and multiple cloud providers but also to manage the security of new platforms, such as containers, Kubernetes and OpenShift.

These new technologies have ushered in a world where an application is no longer a monolithic entity that only needs to connect to one or two things, such as a database or a user authentication system. Instead, applications are becoming a loosely coupled amalgam of multi-use services connected by API calls. Complicating matters further, these services can be located anywhere, across multiple clouds and data centers, and may not even be run by the same company.

This makes it extremely difficult for the security operations team to understand how your data is processed and how it flows through an “application”. Furthermore, to keep track of security events from multiple technologies in multiple locations, the data has to be fused into a single picture.

What is required is something that pulls all the information from these diverse tools into a single overarching view that can then be processed to understand the complete picture of an organisation’s security posture.

This is where security automation comes in. To catch problems and keep operations running smoothly, your team needs to track incidents from multiple angles and fuse data from multiple locations into a single picture. That means a complete view of all of these connected endpoints, which can then be processed to understand the organisation’s security posture as a whole.

Security Automation Can Speed Up Threat Response Times Too

The days of human analysts doing all the work are fast receding. The volumes of data being created, together with the ever-growing types and variations of attack, mean there is too much for human analysts to process in meaningful timeframes. As a result, automation and machine learning-based early triage are required to reduce the volumes to manageable levels.

Advanced threat disposition scoring, developed by IBM, is one possible solution. It uses multiple ML algorithms to analyze threat patterns and take actions on its own to raise and lower the priority of tickets for human analyst review.

Another key element in this area is the integration between IT automation and cyber security. While cyber security is not just an IT problem, reacting to and fixing the problems detected often is. We need to move away from the concept of raising tickets and waiting for overwhelmed IT teams to respond.

Linked, Automated Responses 

The world of DevSecOps has developed the concept of Continuous Integration and Continuous Deployment (CI/CD). Combined with software-defined networks and infrastructure, this means the configuration of our enterprise infrastructures is now software driven and updating constantly.

Using automated IT configuration tools, such as Ansible, Jenkins or Puppet, and linking them to Security Orchestration, Automation, and Response (SOAR) tools, businesses can use pre-agreed configuration changes, known as playbooks, to automate responses. Because these playbooks have to be pre-approved by the IT teams before the Security Operations Centre (SOC) teams can run them, everyone knows what is going on, it is easy to audit what actions were taken and to maintain tight configuration control, all the while speeding up security incident response times.

The linking of detection to response has the following benefits:

  • The SOC team can proactively protect the enterprise instead of raising tickets;
  • Better communication, planning and integration between Security Operations and IT teams;
  • Reduction of the IT team’s burden of making changes;
  • Incident response can be rolled out in minutes instead of hours or days;
  • Changes can be rolled back equally quickly.

This highly automated approach not only speeds up response times. It also gives the security operations and IT teams much needed time to look into the problem further. Now, people can focus on new attacks that have not been seen before, instead of dealing with repeat attacks from known threats.
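The approval gate, audit trail and rollback described above, as an added illustration that is not part of the original article and not code from any SOAR or IT automation product. It assumes a hypothetical in-memory `host_state` standing in for real infrastructure, a constructed playbook name `block-source-ip` and a constructed IT owner `it-network-lead`.

```python
"""Approval-gated playbook runner (hypothetical example). The SOC may only
trigger playbooks the IT team pre-approved, every decision is audited and each
playbook carries a rollback. Nothing here calls Ansible or a SOAR product."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set

# Constructed inventory: hostname -> blocked source IPs (firewall stand-in).
host_state: Dict[str, Set[str]] = {"web-01": set(), "web-02": set()}

@dataclass
class Playbook:
    apply: Callable[[str, str], None]
    rollback: Callable[[str, str], None]
    approved_by: str  # IT owner who signed off on this configuration change

def block_ip(host: str, ip: str) -> None:
    host_state[host].add(ip)

def unblock_ip(host: str, ip: str) -> None:
    host_state[host].discard(ip)

# The allow-list: only playbooks registered here may be run by the SOC.
APPROVED: Dict[str, Playbook] = {
    "block-source-ip": Playbook(block_ip, unblock_ip, approved_by="it-network-lead"),
}
audit_log: List[dict] = []      # append-only record of every decision
applied_stack: List[dict] = []  # changes that can still be undone

def _audit(**entry) -> None:
    audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), **entry})

def run_playbook(name: str, host: str, arg: str, analyst: str) -> bool:
    """Run an approved playbook; refuse and log anything not on the list."""
    pb = APPROVED.get(name)
    if pb is None:
        _audit(action="denied", playbook=name, host=host, arg=arg, analyst=analyst)
        return False
    pb.apply(host, arg)
    applied_stack.append({"playbook": name, "host": host, "arg": arg})
    _audit(action="applied", approved_by=pb.approved_by, analyst=analyst, **applied_stack[-1])
    return True

def rollback_last(analyst: str) -> bool:
    # Undo the most recent change as quickly as it was applied.
    if not applied_stack:
        return False
    last = applied_stack.pop()
    APPROVED[last["playbook"]].rollback(last["host"], last["arg"])
    _audit(action="rolled_back", analyst=analyst, **last)
    return True
```

A request for a playbook that IT has not approved is refused and still lands in the audit log, so the denial itself is reviewable.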

How Security Automation Brings It All Together

To make this happen, all parties must work together. The needs of the IT team — uptime, reliability and resilience — must be balanced with the needs of the security team. Likewise, the IT team needs to trust the security operations team and allow them to activate responses that will change system settings without direct IT approval every time. Both teams need to take responsibility and understand each other’s needs in order to allow security automation to fully realize its potential.

Enterprises are facing an increasing number of ever more refined attacks. The apps on which they depend are also becoming more and more complex. As a result, automation of attack detection and response is no longer just nice to have, but an essential component of enterprise security.
