Security orchestration, automation and response platforms need careful consideration in easing the security management burden.
A surge in cyber threats and the administrative burden involved in staying on top of data security management is putting pressure on enterprise IT departments that cannot afford to risk a serious data breach, reputational damage and operational disruption.
Faced with an ongoing cyber security skills shortage, organisations need a different approach to security provision unrestricted by manual processes – one that reduces their dependence on hard-pressed humans by harnessing automation, machine learning, artificial intelligence, predictive analytics and other innovative technologies to help identify, filter, neutralise and remediate cyber threats before they have a chance to do significant harm.
Ultimately, what security professionals and analysts are looking for is a way to reduce not only compromise-to-detection dwell times but also detection-to-remediation times, i.e. how long it takes the organisation to contain a threat once it has been identified.
Research firm Gartner has noted the evolution of new tools to address the problem over the last few years, with security operations, analytics, reporting and vulnerability management functions converging with threat intelligence and security incident response to form more capable security orchestration, automation and remediation or response (SOAR) platforms.
By integrating orchestration processes, automation, incident management and collaboration, visualisation and reporting under a single interface, SOAR can give security operations centre (SOC) staff a faster, more accurate way to process the large volumes of data produced by cyber security systems, and help them identify and remediate attacks that may be imminent or underway.
Mixed state of SOAR readiness
In its Innovation Insight for Security Orchestration, Automation and Response report published in November last year, Gartner forecasts that by the end of 2020, 15% of organisations with a security team larger than five people will use SOAR tools, up from an estimated 1% in 2017. The scale and rate of that adoption suggests two things: firstly, that many businesses may be unprepared for the security management challenges they face, and secondly, that awareness of SOAR and the benefits it can bring is still limited. A recent survey conducted by the SANS Institute found that 26% of incident response (IR) professionals judged their organisation's preparedness and capabilities to be less than sufficient, with many pointing to a lack of appropriate tools and technology.
The Information Security Forum’s Threat Horizon 2020 Executive Summary points out that only those with the most robust security preparations will stand tall. It lists nine threats that organisations in all industries and regions can expect to face over the next two to three years, posed by looming conflict, technology outpacing controls, and pressure skewing judgement. “Only organizations that understand this rapidly changing and complex environment will remain firm and unshakeable. Those that are unprepared and incapable of responding quickly will crumble as they defend against an onslaught of potent, day-to-day cyberattacks,” says Steve Durbin, Managing Director of the ISF.
Any gap in education can lead to expensive mistakes in product procurement decisions, which are invariably difficult and costly to rectify. So it’s important that IT departments don’t rush into any implementation without taking a good look at their existing security architecture and processes and carefully considering where SOAR can work alongside them to help SOC analysts ease their cyber security workloads.
In many cases, IT departments remain unclear on which security processes can or should be automated, for example, and which of their current security applications and systems lend themselves to the type of orchestration that SOAR enables. If existing tools from different vendors cannot be integrated efficiently through mechanisms such as application programming interfaces (APIs), the quality of the data and recommendations being shared can be compromised, and the ability to act fast on accurate intelligence diminished.
Steps to SOAR success
- An audit of existing security infrastructure should be a priority, including defences which routinely span on- and off-premise systems hosted in public, private and hybrid clouds, as well as fixed and mobile devices in distributed branch office environments.
- All systems should be properly assessed for SOAR readiness, and any opportunity to consolidate security systems to weed out extraneous security information that does not help with threat identification and remediation should be thoroughly explored.
- Additional filters can also be applied to further reduce the background noise that often distracts analysts from the real danger.
- IT departments should specify key performance metrics that frame what they want to achieve in terms of dwell and detection-to-containment times, to make sure threats are neutralised before they have a chance to spread into other systems.
- Those KPIs should be aligned closely with in-house security analyst resources and skill sets, to give current staff the best tools and training to meet requirements.
- Organisations without in-house security analysts should consider outsourcing cybersecurity monitoring and management functions to managed security service providers (MSSPs) that use suitable SOAR tools able to integrate with on-premise security systems to maximise threat detection and remediation.
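The two metrics the steps above ask IT departments to define (compromise-to-detection dwell time and detection-to-containment time), together with the alert noise filtering mentioned earlier, are simple to make concrete. The following is an added illustration, not code from the article or from any SOAR vendor: the `Incident` and `Alert` records, the sample data, the 15-minute suppression window and the 24-hour/4-hour targets are all constructed assumptions chosen to show how a SOC might measure itself against its own KPIs and thin out repeated alerts before they reach an analyst.

```python
"""Added example: SOAR-style KPI reporting and alert noise suppression.

Not from the article. All record types, sample incidents/alerts, the
suppression window and the KPI targets are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Incident:
    ident: str
    compromised_at: datetime          # earliest evidence of attacker activity
    detected_at: datetime             # first alert or analyst finding
    contained_at: Optional[datetime]  # None while the incident is still open

    def dwell(self) -> timedelta:
        """Compromise-to-detection dwell time."""
        return self.detected_at - self.compromised_at

    def time_to_contain(self) -> Optional[timedelta]:
        """Detection-to-containment time; None for incidents still open."""
        if self.contained_at is None:
            return None
        return self.contained_at - self.detected_at


def kpi_summary(incidents: List[Incident], dwell_target: timedelta,
                contain_target: timedelta) -> Dict[str, Optional[float]]:
    """Median dwell/containment times and the share of incidents inside each target."""
    if not incidents:
        return {"incidents": 0}
    dwells = [i.dwell() for i in incidents]
    closed = [i for i in incidents if i.contained_at is not None]
    contains = [i.time_to_contain() for i in closed]
    hours = lambda td: td.total_seconds() / 3600  # noqa: E731 - small local helper
    return {
        "incidents": len(incidents),
        "open": len(incidents) - len(closed),
        "median_dwell_hours": hours(median(dwells)),
        "median_contain_hours": hours(median(contains)) if contains else None,
        # fraction of all incidents detected within the dwell target
        "dwell_within_target": sum(d <= dwell_target for d in dwells) / len(incidents),
        # fraction of closed incidents contained within the containment target
        "contain_within_target": (sum(c <= contain_target for c in contains) / len(closed)
                                  if closed else None),
    }


@dataclass
class Alert:
    ts: datetime
    rule: str
    host: str


def suppress_noise(alerts: Iterable[Alert], window: timedelta,
                   benign_rules: Set[str]) -> List[Alert]:
    """Keep the first alert per (rule, host) inside `window`; drop benign-listed rules.

    Repeats of the same rule on the same host within the window add nothing
    for triage, so only the first is forwarded; the next one after the window
    elapses is kept again so a persistent condition is not hidden entirely.
    """
    last_kept: Dict[tuple, datetime] = {}
    kept: List[Alert] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.rule in benign_rules:
            continue
        key = (a.rule, a.host)
        prev = last_kept.get(key)
        if prev is not None and a.ts - prev < window:
            continue
        last_kept[key] = a.ts
        kept.append(a)
    return kept


# Constructed sample data (not real incidents or alerts).
T0 = datetime(2018, 3, 1, 8, 0)
SAMPLE_INCIDENTS = [
    Incident("INC-1", T0, T0 + timedelta(hours=2), T0 + timedelta(hours=3)),
    Incident("INC-2", T0, T0 + timedelta(days=3), T0 + timedelta(days=3, hours=10)),
    Incident("INC-3", T0, T0 + timedelta(hours=20), None),  # still open
]
SAMPLE_ALERTS = [
    Alert(T0, "brute_force", "web01"),
    Alert(T0 + timedelta(minutes=2), "brute_force", "web01"),           # repeat, suppressed
    Alert(T0 + timedelta(minutes=20), "brute_force", "web01"),          # outside window, kept
    Alert(T0 + timedelta(minutes=5), "av_signature_update", "web02"),   # benign, dropped
    Alert(T0 + timedelta(minutes=6), "brute_force", "web02"),           # different host, kept
]

if __name__ == "__main__":
    print(kpi_summary(SAMPLE_INCIDENTS, timedelta(hours=24), timedelta(hours=4)))
    for a in suppress_noise(SAMPLE_ALERTS, timedelta(minutes=15), {"av_signature_update"}):
        print(a.ts.isoformat(), a.rule, a.host)
```

Open incidents are counted in the dwell figures but excluded from the containment figures, so a SOC that never closes tickets cannot make its containment KPI look better by leaving them open; the `open` count is reported alongside for that reason.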
Figures compiled by IBM suggest that human error remains the weakest link in many cyber security defences. The company's annual X-Force Threat Intelligence Index report showed that misconfigured cloud infrastructure alone was responsible for the exposure of nearly 70% of compromised records tracked by IBM X-Force's spam traps and security monitoring systems, for example.
The SANS Institute predicted that hackers will launch an increasing number of attacks at cloud-hosted infrastructure in 2018 in the hope of exploiting these vulnerabilities – just as more organisations migrate increasing volumes of applications and workloads into on- and off-premise public, private and hybrid cloud services.
But with so many different security tools and applications needed to protect large volumes of data, people and devices wherever they may reside, the cascade of logs and alerts analysts have to wade through to identify the priorities for their attention is only set to amplify.
Equally there remains a real danger that the benefits of machine learning and artificial intelligence when applied to cyber security automation and orchestration will be overstated unless IT departments are realistic about what can be achieved and where their weaknesses lie.
It is important to remember that while greater orchestration and automation can shoulder some of the burden currently carried by security analysts, it cannot replace them completely. At the end of the day, well-educated, competent professionals will still be necessary, but their time can be optimised if machines take on some of the legwork.
Sander Barens, VP of Commercial Development at Expereo International