According to the Accenture 2019 Cost of Cybercrime Study (https://www.accenture.com/us-en/insights/security/cost-cybercrime-study, accessed January 15, 2021), released on March 6, 2019, the average cost of malware attacks to companies was $2.6 million, an 11% year-over-year jump. Accenture also noted a sharp rise in the cost of malicious insider-related cyberattacks, up 15% to $1.6 million on average per company. While these costs keep increasing, Accenture observed that companies are mostly not deploying the kinds of technology that would help reduce them. According to the study, only 28% of companies use automation, and those that do report that automation in the SOC helps them keep up with cybersecurity threats. Let’s take a look at how automation can reduce cybersecurity risks.
How Can Automation Reduce Cybersecurity Risks?
The key cybersecurity challenge in the industry is to stay one step ahead of the attackers. As fast as security vulnerabilities are patched, new ones arise and are used for the next assault. In fact, attackers have been using automation to carry out attacks for a while. For example, they use tools like AutoSploit (automating Metasploit) to automate internet scanning and exploitation, or Sentry MBA for credential stuffing through pools of proxies. They also use automation tools to infiltrate networks and collect data or create user accounts. As their tools evolve, the number of automated attacks will grow, and more and more breaches will be executed by software. Therefore, it’s time to think about automation as the next line of defense in catching up with the attackers.
For example, your SOC might run some sort of security information and event management (SIEM) system. The goal of such a system is to protect sensitive data from being obtained by unauthorized people. Automation tools can integrate with such a system to both improve and extend its capabilities. The result is a closed-loop automated method that recognizes security incidents the moment they happen so they can be resolved immediately. Moreover, because this is no longer done manually, operational performance increases.
How does it work?
Security alerts come from a variety of sources, but especially in bigger companies, most incidents begin in the SIEM. The bridge from SIEM to SOAR can be improved by automating the criteria for alert escalation. By coupling well-chosen escalation rules with automated intelligence gathering, analysts can concentrate on important incidents and act with full context, instead of trying to pick out the real threats from hundreds of alerts every day.
For example, if an email is flagged as a potential phishing attempt, a SOAR platform can automatically look up the reputation of the URL in the email, verify the geolocation of the domain owner, investigate links to well-known attackers, and more. Without automation, analysts have to switch to other applications and look up this data by hand, potentially over 100 times per day.
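To make the SIEM-to-SOAR step concrete, here is an added example (not code from the original post) of an enrichment-and-escalation playbook step in Python. The threat-intel feed, domain-registration data and alerts are constructed in-line so it runs offline; the dictionary lookups stand in for the API calls a real SOAR platform would make.

```python
"""Added example, not code from the original post: a minimal SIEM-to-SOAR
triage step with constructed, in-line data standing in for live lookups."""
from urllib.parse import urlparse

# Constructed threat-intel feed: domain -> known campaign (assumption).
THREAT_INTEL = {"login-secure-update.example": "CampaignX"}
# Constructed registration data: domain -> (registrant country, age in days).
WHOIS = {"login-secure-update.example": ("ZZ", 3),
         "intranet.example": ("FR", 2900)}
# Countries the hypothetical organisation expects to deal with.
EXPECTED_COUNTRIES = {"FR", "DE"}

def enrich_alert(alert):
    """Attach URL reputation, domain age/geo and campaign links to an alert."""
    domain = urlparse(alert["url"]).hostname or ""
    country, age_days = WHOIS.get(domain, ("unknown", None))
    return {**alert,
            "domain": domain,
            "known_campaign": THREAT_INTEL.get(domain),
            "registrant_country": country,
            "domain_age_days": age_days}

def escalation_score(enriched):
    """Escalation rule: each matched indicator adds weight."""
    score = 0
    if enriched["known_campaign"]:
        score += 5                                 # linked to a known attacker
    age = enriched["domain_age_days"]
    if age is not None and age < 30:
        score += 3                                 # freshly registered domain
    if enriched["registrant_country"] not in EXPECTED_COUNTRIES:
        score += 2                                 # unexpected geolocation
    return score

def triage(alerts, threshold=5):
    """Split alerts into (escalated, auto_closed), each with full context."""
    escalated, closed = [], []
    for alert in alerts:
        enriched = enrich_alert(alert)
        enriched["score"] = escalation_score(enriched)
        (escalated if enriched["score"] >= threshold else closed).append(enriched)
    return escalated, closed

# Constructed alerts, as a SIEM might forward flagged phishing emails.
SAMPLE_ALERTS = [
    {"id": 1, "url": "https://login-secure-update.example/reset"},
    {"id": 2, "url": "https://intranet.example/password-policy"},
]
```

The analyst receives only the escalated alert, already carrying the campaign link, domain age and registrant country that would otherwise take three manual lookups.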
The following are some of the basic advantages of automation.
- Remotely disconnect any unauthorized devices and/or computers from the network immediately.
- Remotely deactivate or revoke access for unknown users instantly.
- Capture SIEM security events and automatically run defined procedures to gather extra information, conduct incident analysis and report to the appropriate personnel as required to resolve more complex events.
- Enable/disable user logins within specified time frames to gain better control over remote user connections.
- Catch antivirus alerts and run procedures to stop intrusions and the spread of viruses and other serious external threats.
One example of automation is server deployment and monitoring, which reduces the amount of tedious manual work involved. In the past, system administrators built servers through manual configuration and then had to monitor and troubleshoot problems by hand. Scripting can be used in various scenarios to automate server provisioning, which also gives elasticity: if load increases and you need an additional server, you run the same script again.
Top Factors to Consider for Automation
Automation in cybersecurity glues disparate tools together to enhance threat detection and couples security analytics with operations. It speeds up incident response and applies risk mitigation strategies as soon as alerts trigger. There is no time left for the attacker.
Security vendors increasingly provide APIs to interact with their tools. This is a first step, but it means you need as many connectors as there are API endpoints to drive. The next step comes with OpenC2, a command/response language for automating actions across multiple solutions; some vendors are starting to consider it. Writing automation orders in OpenC2 is a sensible choice to keep them compatible as the infrastructure evolves.
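What an OpenC2 exchange looks like on the wire, as an added example (not SEKOIA.IO's implementation): a producer builds a `deny` command for an IPv4 address from an alert, and a toy SLPF (stateless packet filtering) consumer validates it and returns the response. The rule table is an in-memory list, an assumption for the example; no real firewall is touched.

```python
"""Added example, not SEKOIA.IO's code: an OpenC2 1.0 command/response
round trip between a producer (SOAR) and a toy SLPF packet-filter consumer.
Rules go to an in-memory list (assumption); no real firewall is touched."""
import ipaddress
import json

# Action/target pairs this toy actuator supports (a subset of the SLPF
# profile), as it would report them in answer to `query features`.
SUPPORTED_PAIRS = {"deny": {"ipv4_net"}, "allow": {"ipv4_net"},
                   "query": {"features"}}
RULES = []   # stand-in for the actuator's rule table

def build_deny_command(ipv4, command_id, duration_ms=None):
    """Producer: block ingress from one host, asking for a complete response."""
    net = f"{ipaddress.IPv4Address(ipv4)}/32"      # raises on a bad address
    cmd = {"action": "deny",
           "target": {"ipv4_net": net},
           "args": {"response_requested": "complete",
                    "slpf": {"drop_process": "none", "direction": "ingress"}},
           "actuator": {"slpf": {}},
           "command_id": command_id}
    if duration_ms is not None:
        cmd["args"]["duration"] = duration_ms     # auto-expire the rule
    return cmd

def handle_command(raw):
    """Consumer: validate a JSON-encoded command, return an OpenC2 response."""
    try:
        cmd = json.loads(raw)
        action, target = cmd["action"], cmd["target"]
        (kind, value), = target.items()           # exactly one target key
    except (ValueError, KeyError, TypeError, AttributeError):
        return {"status": 400, "status_text": "malformed command"}
    if action not in SUPPORTED_PAIRS:
        return {"status": 501, "status_text": f"action {action} not implemented"}
    if kind not in SUPPORTED_PAIRS[action]:
        return {"status": 400, "status_text": f"{action} does not accept {kind}"}
    if action == "query":
        pairs = {a: sorted(t) for a, t in SUPPORTED_PAIRS.items()}
        return {"status": 200, "results": {"pairs": pairs}}
    try:
        ipaddress.IPv4Network(value)              # reject unparsable CIDR
    except ValueError:
        return {"status": 400, "status_text": "invalid ipv4_net"}
    RULES.append((action, value))
    return {"status": 200, "results": {"slpf": {"rule_number": len(RULES)}}}

def roundtrip(cmd):
    """Serialize the command as it would go on the wire and process it."""
    return handle_command(json.dumps(cmd))
```

Because the command names an action and a target rather than a vendor API call, the same JSON can be sent to any actuator that advertises the `deny`/`ipv4_net` pair.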
Playbooks and orchestration engines let you turn what the company knew as the good process into an always-active and mandatory path. When this path is full of automated steps, the reaction is expected to be both the best and the fastest. Automation means you accelerate your defense by using APIs, scripts and OpenC2 commands.
Ultimately, security automation aims to improve an organization’s security posture in various ways: performing monotonous tasks precisely, augmenting human intelligence in fields such as log-file analysis, and replacing human intervention altogether in the classification and containment of exploits or breaches.
The main advantages of automation include:
- More consistent response to alerts
- Improved capability to handle ticket volume
- Faster response time on major security incidents
- Better focus by analysts on higher-priority items
- Increased visibility into what is happening
- Coverage of a wider area and a larger number of tickets
Here are the top 3 factors to consider for automation:
1 – Repetitive tasks
One of the most repetitive everyday tasks a security engineer performs is monitoring log files across devices to detect possible risks. This is an excellent place to start with automation. While a security engineer scanning the same log files every day could miss something, an automated method for the same task gets it right every time and removes the tedium.
2 – Improved Data Analysis
Consolidation and integration of tools provide data contextualization and enrichment, chaining of individual events, and cross-correlation. For example, the ability to pivot across technologies such as threat intelligence, endpoint and security analytics, user and entity behavior analytics, etc. gives better and more thorough data analysis, with the capability to recognize threats across a wider swathe of the company’s attack surface.
3 – Invest in the team
Automation empowers SOC teams. They become proactive and perform the duties that genuinely need a human, concentrating on the roles they were actually hired for. Automation is only truly successful when combined with human skills. Basically, people keep control of the overall orchestration strategy and its implementation. For example, if the skills gap is a problem, consider training current employees to fill those gaps and become more comfortable with automation technologies and tools.
Limits of fully automated systems
Even if integrating automation into your security model can provide real added value, misusing it can lead to a loss of control.
Most misuse comes down to over-dependence on automation, which can then result in monitoring failures or decision biases.
For example, according to the “SANS 2019 SOC Survey”, automation should be used to support the skills of current staff and should not be seen as a solution for replacing staff altogether.
SANS further notes that most companies think about tools and technology first, rather than the processes and people also involved in operating the SOC, but it is necessary to understand that people remain the SOC’s most important asset. Companies need to be able to find and retain good staff, particularly with the growing shortage of skilled cybersecurity professionals in the market. If this is not the company’s strategy, an outsourced security service may be a suitable option too.
Finally, automation in the SOC reduces manual, monotonous tasks by automating incident response playbooks, freeing up limited staff and measurably improving service levels. It also allows security controls to be configured consistently and in advance so that vulnerabilities are recognized and blocked. The need for automation in the SOC is becoming urgent, since attackers are also harnessing various automated tools to develop and carry out attacks. The increasing pace of automated attacks demands that some SOC functions and processes be automated. Following the suggestions outlined in this article can help you decide on the right automation strategy.
At SEKOIA.IO, we support OpenC2 so that each countermeasure proposed in an alert can be automated on the customer side. Want to have a look? Try SEKOIA.IO for free!