When it comes to giving cyber security experts the tools they need to take action, automation and machine learning (ML) can make a big difference. Many companies are working with high volumes of data, and types and variants of attack are always growing and changing. It can become too much for people to process in a meaningful time frame. But security automation and ML-based early triage can reduce data volumes. Check out how security automation can work and what it can do. 

Many Services, Loosely Connected 

In today’s world of multicloud solutions, businesses and other groups find themselves with a more diverse security toolset than ever before. The security operations team now has to cover not only legacy data centers and multiple cloud providers but also the security of newer platforms such as containers, Kubernetes and OpenShift.

These technologies have ushered in a world where an application is no longer a monolithic entity that connects only to one or two things, such as a database or a user authentication system. Instead, applications are becoming a loosely coupled amalgam of multi-use services connected by API calls. Complicating matters further, these services can be located anywhere, across multiple clouds and data centers, and may not even be run by the same company.

This makes it extremely difficult for the security operations team to understand how data is processed as it flows through an “application”. Moreover, to keep track of security events coming from multiple technologies in multiple locations, that data has to be fused into a single picture.

What is required is something that pulls all the information from these diverse tools into a single overarching view that can then be processed to understand the complete picture of an organisation’s security posture.

This is where security automation comes in. To catch problems and keep the operation running smoothly, your team needs to track incidents from multiple angles, fuse data from multiple locations into a single picture, and maintain a complete view of all of these connected endpoints that can then be processed to understand the organisation’s overall security posture.

Security Automation Can Speed Up Threat Response Times Too

The days of human analysts doing all the work are fast receding. The volume of data being created and the ever-growing types and variations of attack mean there is too much for human analysts to process in a meaningful timeframe. As a result, automation and ML-based early triage are required to reduce the volumes to manageable levels.

Advanced threat disposition scoring, developed by IBM, is one possible solution. It uses multiple ML algorithms to analyze threat patterns and, on its own, raises or lowers the priority of tickets queued for human analyst review.
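To make the triage idea concrete, here is an added example that is not part of the article and is not IBM’s advanced threat disposition scoring: a naive Bayes classifier learns from past analyst dispositions (escalate or close) over a few categorical alert features, and the resulting escalation score raises or lowers each open ticket’s priority before a human sees the queue. The feature names, the alert history, the tickets and the thresholds are all constructed for this demo.

```python
"""Added example: a small ML triage step that re-prioritises alert tickets from
historical analyst dispositions. It illustrates the idea in the text above and
is not IBM's advanced threat disposition scoring; the model is a naive Bayes
classifier over categorical alert features, and the alert history, feature
names and thresholds are all constructed for this demo."""
from collections import Counter, defaultdict
from math import exp, log

FEATURES = ("rule", "src_zone", "asset_tier", "seen_before")  # assumed feature set


class DispositionModel:
    """Naive Bayes: P(disposition | alert features), learnt from past analyst decisions."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                      # Laplace smoothing
        self.labels = Counter()                 # disposition -> count
        self.counts = defaultdict(Counter)      # (feature, disposition) -> Counter(value)
        self.values = defaultdict(set)          # feature -> distinct values seen

    def fit(self, history):
        for alert, disposition in history:
            self.labels[disposition] += 1
            for f in FEATURES:
                self.counts[(f, disposition)][alert[f]] += 1
                self.values[f].add(alert[f])
        return self

    def _log_posterior(self, alert, disposition):
        n = self.labels[disposition]
        lp = log(n / sum(self.labels.values()))
        for f in FEATURES:
            k = len(self.values[f]) + 1         # +1 keeps mass for never-seen values
            c = self.counts[(f, disposition)][alert[f]]
            lp += log((c + self.alpha) / (n + self.alpha * k))
        return lp

    def escalation_probability(self, alert):
        lps = {d: self._log_posterior(alert, d) for d in self.labels}
        m = max(lps.values())                   # subtract the max for numerical stability
        w = {d: exp(lp - m) for d, lp in lps.items()}
        return w["escalate"] / sum(w.values())


def triage(model, ticket, raise_at=0.8, lower_at=0.2):
    """Raise (lower number) or lower a ticket's priority based on the model score."""
    p = model.escalation_probability(ticket["alert"])
    priority = ticket["priority"]
    if p >= raise_at:
        priority = max(1, priority - 1)
    elif p <= lower_at:
        priority = min(5, priority + 1)
    return {"id": ticket["id"], "score": round(p, 3),
            "original": ticket["priority"], "priority": priority}


def triage_queue(model, tickets):
    """Score every open ticket and return the queue the analyst should work, top first."""
    results = [triage(model, t) for t in tickets]
    return sorted(results, key=lambda r: (r["priority"], -r["score"]))


def _alert(rule, zone, tier, seen):
    return {"rule": rule, "src_zone": zone, "asset_tier": tier, "seen_before": seen}


# Constructed history of past alerts and the disposition the analyst gave each one.
HISTORY = (
    [(_alert("lateral_movement", "internal", "crown_jewel", "no"), "escalate")] * 3
    + [(_alert("malware_beacon", "internal", "standard", "no"), "escalate")]
    + [(_alert("port_scan", "internet", "standard", "yes"), "close")] * 4
    + [(_alert("malware_beacon", "internal", "standard", "yes"), "close")] * 2
)

# Constructed open tickets awaiting review, with the priority the detection tool assigned.
QUEUE = [
    {"id": "T1", "priority": 3, "alert": _alert("lateral_movement", "internal", "crown_jewel", "no")},
    {"id": "T2", "priority": 2, "alert": _alert("port_scan", "internet", "standard", "yes")},
    {"id": "T3", "priority": 3, "alert": _alert("malware_beacon", "internal", "standard", "no")},
]


def run_demo():
    model = DispositionModel().fit(HISTORY)
    return triage_queue(model, QUEUE)


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

On this constructed data the unseen lateral-movement alert against a crown-jewel asset scores above 0.99 and moves up a priority level, the repeat internet port scan scores below 0.01 and moves down, and the beacon that has not been seen before lands between the two thresholds and keeps the priority the tool gave it. The point for practitioners is the feedback loop: every analyst disposition becomes training data, so the score reflects what the SOC actually escalates rather than a static severity table.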

Another key element in this area is the integration between IT automation and cyber security. While cyber security is not just an IT problem, reacting to and fixing the problems detected often is. We need to move away from raising tickets and waiting for overwhelmed IT teams to respond.

Linked, Automated Responses 

The world of DevSecOps has developed the practice of Continuous Integration and Continuous Deployment (CI/CD). Combined with software-defined networks and infrastructure, this means the configuration of our enterprise infrastructure is now software driven and constantly updating.

By using automated IT configuration tools, such as Ansible, Jenkins or Puppet, and linking them to Security Orchestration, Automation and Response (SOAR) tools, businesses can automate responses through pre-agreed configuration changes known as playbooks. Because these playbooks must be pre-approved by the IT teams before the Security Operations Centre (SOC) teams can run them, everyone knows what is going on, it is easy to audit which actions were taken, and tight configuration control is maintained, all while speeding up security incident response times.

The linking of detection to response has the following benefits:

  • The SOC team can proactively protect the enterprise instead of raising tickets.
  • Better communication, planning and integration between Security Operations and IT teams.
  • Reduction of the IT team’s burden of making changes.
  • Incident response can be rolled out in minutes instead of hours or days.
  • Changes can be rolled back equally quickly.
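The properties claimed above (only pre-approved playbooks run, every action is auditable, and changes roll back as quickly as they were applied) can be seen in a few dozen lines. The following is an added example, not code from the article or from any SOAR or configuration-management product: a dispatcher maps detection types to IT-approved playbooks, refuses to register a playbook with no approver, falls back to a ticket when no playbook has been agreed, records each action in an audit trail, and can roll an action back by its audit id. The in-memory Inventory stands in for the tool (Ansible, Puppet or similar) that would actually apply the change; the IP addresses, hostnames and approver names are constructed.

```python
"""Added example (not from the article, and not any vendor's SOAR product): a
minimal dispatcher that links detections to IT-approved response playbooks,
records every action for audit, and can roll an action back. The in-memory
Inventory stands in for the configuration tool (Ansible, Puppet, ...) that
would apply the change in a real deployment; IPs and hostnames are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


class Inventory:
    """Simulated managed configuration state."""
    def __init__(self):
        self.blocked_ips: set = set()
        self.isolated_hosts: set = set()


@dataclass
class Playbook:
    name: str
    approved_by: Optional[str]             # IT approver; None means not yet agreed
    apply: Callable[[Inventory, dict], None]
    rollback: Callable[[Inventory, dict], None]


@dataclass
class AuditEntry:
    audit_id: int
    playbook: Playbook
    detection: dict
    actor: str                             # SOC analyst or automation identity
    timestamp: str
    rolled_back: bool = False


class Dispatcher:
    """Maps detection types to pre-approved playbooks and keeps the audit trail."""
    def __init__(self, inventory: Inventory):
        self.inventory = inventory
        self.playbooks: Dict[str, Playbook] = {}
        self.audit: List[AuditEntry] = []
        self.tickets: List[dict] = []      # detections with no agreed automated response

    def register(self, detection_type: str, playbook: Playbook) -> None:
        if not playbook.approved_by:
            raise ValueError(f"playbook '{playbook.name}' has no IT approval; refusing to register")
        self.playbooks[detection_type] = playbook

    def handle(self, detection: dict, actor: str) -> Optional[int]:
        """Run the agreed playbook for this detection, or fall back to raising a ticket."""
        playbook = self.playbooks.get(detection["type"])
        if playbook is None:
            self.tickets.append(detection)
            return None
        playbook.apply(self.inventory, detection)
        entry = AuditEntry(len(self.audit) + 1, playbook, detection, actor,
                           datetime.now(timezone.utc).isoformat())
        self.audit.append(entry)
        return entry.audit_id

    def rollback(self, audit_id: int) -> None:
        """Undo a previously applied response, leaving the audit record in place."""
        entry = self.audit[audit_id - 1]
        if entry.rolled_back:
            raise ValueError(f"audit entry {audit_id} was already rolled back")
        entry.playbook.rollback(self.inventory, entry.detection)
        entry.rolled_back = True


# Pre-agreed playbooks: each has a forward action and its exact inverse.
BLOCK_IP = Playbook(
    "block-source-ip", approved_by="it-network-lead",
    apply=lambda inv, d: inv.blocked_ips.add(d["src_ip"]),
    rollback=lambda inv, d: inv.blocked_ips.discard(d["src_ip"]),
)
ISOLATE_HOST = Playbook(
    "isolate-host", approved_by="it-endpoint-lead",
    apply=lambda inv, d: inv.isolated_hosts.add(d["host"]),
    rollback=lambda inv, d: inv.isolated_hosts.discard(d["host"]),
)
UNAPPROVED = Playbook("wipe-host", approved_by=None,
                      apply=lambda inv, d: None, rollback=lambda inv, d: None)


def run_demo():
    inv = Inventory()
    d = Dispatcher(inv)
    d.register("brute_force", BLOCK_IP)
    d.register("ransomware_behaviour", ISOLATE_HOST)
    try:
        d.register("destructive", UNAPPROVED)     # rejected: no approver
    except ValueError:
        pass
    d.handle({"type": "brute_force", "src_ip": "203.0.113.7"}, actor="soc-automation")
    iso = d.handle({"type": "ransomware_behaviour", "host": "ws-0421"}, actor="analyst.kim")
    d.handle({"type": "data_exfil", "host": "db-02"}, actor="soc-automation")  # no playbook -> ticket
    d.rollback(iso)                                   # host turned out to be a false positive
    return inv, d


if __name__ == "__main__":
    inv, d = run_demo()
    print("blocked:", inv.blocked_ips, "isolated:", inv.isolated_hosts)
    for e in d.audit:
        print(e.audit_id, e.playbook.name, e.actor, "rolled back" if e.rolled_back else "active")
    print("tickets:", d.tickets)
```

Two design choices matter here. Approval is checked at registration time, not at run time, so the SOC can only ever trigger actions IT has already signed off on; and every playbook carries its inverse, which is what makes the “rolled back equally quickly” benefit real and keeps the audit trail complete, because a rollback marks the entry rather than deleting it.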

This highly automated approach not only speeds up response times. It also gives the security operations and IT teams much needed time to look into the problem further. Now, people can focus on new attacks that have not been seen before, instead of dealing with repeat attacks from known threats.

How Security Automation Brings It All Together

To make this happen, all parties must work together. The needs of the IT team — uptime, reliability and resilience — must be balanced with the needs of the security team. Likewise, the IT team needs to trust the security operations team and allow them to activate responses that change system settings without direct IT approval every time. Both teams need to take responsibility and understand each other’s needs in order to allow security automation to fully realize its potential.

Enterprises are facing an increasing number of ever more refined attacks. The apps on which they depend are also becoming more and more complex. As a result, automating attack detection and response is no longer just nice to have, but an essential component of enterprise security.
