COVID-19 isn’t slowing down our cyber adversaries. In fact, they are ramping up their efforts to exploit this crisis and target organizations. While we are all understandably focused on business continuity issues, such as setting up remote teleworker solutions and other accommodations for our employees, we cannot afford to take our eye off security. This is especially true for critical organizations such as hospitals and other first- and second-tier critical infrastructure providers, which cannot afford to have their operations shut down for any length of time.
The reality is, nearly two-thirds (65%) of companies already lacked the skilled staff they needed to maintain effective security operations even before recent events. And now, due to social and physical distancing requirements, the number of available security personnel in many organizations has been reduced further. And even if it hasn’t, those overworked teams are struggling to troubleshoot a whole new range of issues while maintaining security controls with a skeleton crew in their SOC, or worse, from a home office.
These intersecting factors further increase the chances of a breach going undetected.
At the same time, many organizations are going to be generating far more data and logs than ever before, since the majority of internal network traffic will, probably for the first time, be originating from outside the network perimeter. It is simply not practical to try to analyze all of that data manually; experience shows that you are highly likely to miss something important.
Manual processes, such as the hand correlation of threat data, slow response times, and reduced staffing may mean that your most junior personnel (i.e., those with less experience and training) are your first line of defense. Instead, your staff needs to be focused on the most challenging tasks, and addressing the low-hanging fruit needs to be automated.
To meet the challenges created by increasing risk and limited security personnel, organizations need to adopt an automated protection, detection, and response strategy. Even in the best of times, with a full staff of trained cybersecurity professionals, today’s threats have become so sophisticated, and the time to compromise has become so short, that human intervention is no longer a viable security strategy.
By automating Advanced Threat Protection, organizations can have real-time threat intelligence at their fingertips to identify threats, combined with intelligent response to stop those threats in real time. Proactive threat research and automated event correlation can prevent the exploitation of new avenues of attack. For example, machine learning solutions can capture indicators of compromise (IOCs) such as malicious IP addresses, domains, and URLs. And by combining machine learning with AI capabilities, those systems are also able to continually assess new files, web sites, and network infrastructures. This allows them to identify the malicious components of cybercrime, as well as dynamically generate new threat intelligence that enables organizations to predict and prevent future cyber threats.
AI-driven security operations are also able to scale well beyond the limitations of human security analysts, enabling organizations to see and protect data and applications across thousands or millions of users, systems, devices, and critical applications. This relieves SOC analysts of the tedious work of studying malware characteristics in order to identify samples and classify them into threat categories. At the same time, AI-enhanced response can deliver sub-second detection, classification, and investigation of sophisticated threats, reducing the time needed to identify the initial point of compromise as well as subsequently infected systems to under a second.
Because of the proliferation of advanced attacks, today’s compromises can occur in a matter of seconds, and as a result, networks need advanced detection capabilities. This requires building a security architecture that enables the unified collection and analysis of data from diverse information sources, including logs, performance metrics, security alerts, and configuration changes.
For most organizations, this requires SIEM capabilities combined with a distributed event correlation engine that enables complex event-pattern detection and real-time response. Larger organizations with both network and security operations centers also need to integrate their NOC/SOC analytics so they can quickly determine whether a problem is a performance issue or a security issue and apply the appropriate countermeasures.
Automated systems also enable event and asset prioritization, allowing teams to quickly identify the most critical issues that need immediate analysis. Leveraging machine learning for user and entity behavior analytics (UEBA) enables security teams to detect unusual user and entity behavior without requiring system admins to write complex rules. And EDR capabilities added to remote devices allow security systems to detect and defuse threats in real time, automatically protecting the endpoint and preventing a breach.
To keep pace with emerging threats and new risk exposures, the average enterprise now deploys 47 different security solutions and technologies. All these separate tools, especially when they have individual management consoles and operate mainly in isolation, make it difficult to correlate events and execute a consistent, coordinated response to threats.
New security orchestration, automation, and response (SOAR) technologies allow these separate components to communicate and work together in coordinated defense, increasing your visibility. SOAR solutions work even better when well-defined playbooks can be leveraged to simplify orchestration and management. These playbooks, which can be continuously refined through machine learning and AI components, replace time-consuming manual workflows with automated responses, for example by automatically taking a host offline the moment malicious behavior is detected.
Of course, the adage “garbage in, garbage out” still applies. Automating bad or insufficient practices and processes can actually make things worse. And moving to an automated process can also expose inherent fears of automation that may exist within an organization. By taking humans out of the loop, the thinking goes, an automated action may do something wrong that will be difficult to undo.
Fortunately, these issues can be resolved. This may be a good time for an internal security practices audit to make sure you aren’t compounding a problem with automation. And fail-safe measures can be put in place, such as operating in monitoring-only mode at first to validate responses before moving to a fully automated system.
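The pieces described above (a correlation engine that detects a multi-source event pattern, prioritization by asset criticality, and a playbook that isolates a host but starts out in monitoring-only mode) fit together in a small, self-contained sketch. The following is an added example written for this article, not code from the original piece or from any SOAR product; the log lines, hostnames, IP addresses, criticality table and the isolate_host action are all constructed placeholders, and the correlation rule (several failed VPN logins, then a success, then an EDR alert on the host that session landed on) is one hypothetical pattern chosen for illustration.

```python
"""Toy SIEM-style correlation plus a SOAR playbook with a monitoring-only fail-safe.

Added illustration, not the article's or any vendor's code. All events,
hosts, addresses and the 'isolate host' action are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events from a remote-access gateway ("vpn") and an endpoint agent ("edr").
SAMPLE_LOGS = [
    "2020-04-01T09:00:01Z vpn auth=FAIL user=alice src=203.0.113.7",
    "2020-04-01T09:00:03Z vpn auth=FAIL user=alice src=203.0.113.7",
    "2020-04-01T09:00:05Z vpn auth=FAIL user=alice src=203.0.113.7",
    "2020-04-01T09:00:06Z vpn auth=FAIL user=alice src=203.0.113.7",
    "2020-04-01T09:00:09Z vpn auth=OK user=alice src=203.0.113.7 host=fin-laptop-12",
    "2020-04-01T09:02:40Z edr host=fin-laptop-12 alert=suspicious_process proc=mshta.exe",
    "2020-04-01T09:05:00Z vpn auth=OK user=bob src=198.51.100.9 host=mkt-laptop-03",
    "2020-04-01T09:06:00Z edr host=mkt-laptop-03 alert=suspicious_process proc=powershell.exe",
]

# Constructed asset criticality (higher = more important), used for prioritization.
ASSET_CRITICALITY = {"fin-laptop-12": 3, "mkt-laptop-03": 1}


@dataclass
class Incident:
    host: str
    user: str
    src: str
    reasons: List[str]
    score: int


def parse(line: str) -> Dict[str, str]:
    """Split one log line into fields: timestamp, source, then k=v tokens."""
    ts, source, *kv = line.split()
    fields = {"ts": ts, "source": source}
    for token in kv:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def correlate(lines: List[str], fail_threshold: int = 3) -> List[Incident]:
    """Correlate VPN and EDR events and return incidents sorted by priority.

    Rule (hypothetical): an EDR alert on a host always yields an incident;
    if the VPN session that reached that host was preceded by at least
    fail_threshold failed logins from the same user/source, that is added
    as a second reason. Score = number of reasons * asset criticality.
    """
    failures = defaultdict(int)     # (user, src) -> failed logins seen so far
    sessions = {}                   # host -> (user, src, failures before success)
    incidents = {}
    for f in map(parse, lines):
        if f["source"] == "vpn" and f.get("auth") == "FAIL":
            failures[(f["user"], f["src"])] += 1
        elif f["source"] == "vpn" and f.get("auth") == "OK":
            n = failures.pop((f["user"], f["src"]), 0)
            sessions[f["host"]] = (f["user"], f["src"], n)
        elif f["source"] == "edr" and f["host"] in sessions:
            user, src, n = sessions[f["host"]]
            reasons = ["edr:" + f["alert"]]
            if n >= fail_threshold:
                reasons.append("vpn:%d_failures_then_success" % n)
            score = len(reasons) * ASSET_CRITICALITY.get(f["host"], 1)
            incidents[f["host"]] = Incident(f["host"], user, src, reasons, score)
    return sorted(incidents.values(), key=lambda i: i.score, reverse=True)


def isolate_host(host: str) -> str:
    """Placeholder for an EDR network-containment call; returns what it did."""
    return "isolated " + host


def run_playbook(incidents: List[Incident], min_score: int, enforce: bool) -> List[str]:
    """Apply the playbook. With enforce=False (monitoring-only) the action is only
    recorded, which lets analysts validate the rule before it can take a host offline."""
    actions = []
    for inc in incidents:
        if inc.score < min_score:
            actions.append("log-only %s score=%d" % (inc.host, inc.score))
        elif enforce:
            actions.append(isolate_host(inc.host))
        else:
            actions.append("WOULD isolate %s score=%d reasons=%s"
                           % (inc.host, inc.score, ",".join(inc.reasons)))
    return actions


if __name__ == "__main__":
    for action in run_playbook(correlate(SAMPLE_LOGS), min_score=4, enforce=False):
        print(action)
```

Run as-is, the playbook reports that it would isolate fin-laptop-12 (two correlated reasons on a high-criticality asset) and merely logs the lower-scored mkt-laptop-03 alert; flipping enforce to True is the only change needed to move from monitoring-only to automated containment, which is the staged rollout the paragraph above recommends.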
Of course, the benefits far outweigh the potential risks. Adding automation to your security strategy significantly increases your chances of detecting a breach or malicious activities, ensures effective and timely responses, and minimizes potential downtime due to breaches. It also frees human resources to work on more challenging tasks (i.e., allows people to be more productive), while automating manual tasks reduces chances for human error. And it helps ensure that you continue to meet your compliance requirements during times of unusual change. And given the challenges of today’s hectic pace of transformation and innovation, these are advantages we could all use. (Edgard Hilario)