Orchestration and Automation - An Intelligence Led Approach to Security

A lot can happen in six months; just ask the CEO of a business that has faced cyber attacks. That’s right: organizations in APAC are so inadequately prepared for cyber threats that in 2016, attackers spent a median of 172 days in compromised networks without being discovered. Cyber security has become an increasingly asymmetric fight between attackers and defenders. As attackers get faster, smarter and more strategic in their methods, Indian organizations are falling further behind as they rely on traditional security methods, inundated with alerts, unable to prioritize, and wasting valuable time even as the really dangerous attackers slip past them.

Attackers have access to intellectual resources, computing power, and the backbone of the fastest digital delivery networks. They can change the tools, shift to new delivery methods and constantly fine-tune how they approach their goal of infiltrating your network. Several attacker techniques are inherently hard to detect because of their reliance on compromising legitimate user accounts. Traditional detection mechanisms generally fail at detecting these techniques without a plethora of false positive alerts, requiring a more human-centric approach. Organizations in India and across the globe need to actively ensure an integrated approach to security to monitor, defend, and neutralize threats to their cyber infrastructure.

Over a long period of time, most IT firms have developed an infrastructure with numerous technologies and software incorporated as point solutions. The data from those systems has typically been tied to some type of security incident and event management (SIEM) system where security operations center (SOC) analysts review alerts seeking to correlate logs from those disparate sources across the enterprise. This has led to a huge uptick in what security professionals refer to as “alert fatigue”. Critical alerts are hidden in a deluge of false positives and non-useful data.

To counter this data and alert overload, organizations are relying more on tools and processes to filter data and automate analysis to redirect valuable security resources to more complex incident investigations and response. We are also seeing Threat Intelligence gradually taking the driver’s seat. Previously, most organizations considered threat intelligence a “nice to have” rather than a “must have.” This resulted in organizations not truly understanding the benefits that intelligence provides for risk reduction, prevention, detection and response. Cyber Threat Intelligence (CTI) is starting to take a prominent place within enterprise security operations and organizations are increasingly using CTI to build and update their own organization’s baseline threat profile. In turn, this is enabling more efficient tactical operations in terms of hunting, identification, prioritization and response.

Many mature security organizations in India, have also spent a considerable amount of time thinking and investing in threat hunting. By uncovering similarities and patterns in attack instances, the correlations solidify into actionable data that can be used to identify the threat actors, respond to and thwart future attacks. Escalating only those incidents potentially related to high priority threats improves operational efficiencies, ensuring investigation and response time is spent in the right areas and lowering security operational costs.

Automation can eliminate time spent on smaller and repeatable events, allowing redirection of resources for hunting, proactive defense and other tasks. It is becoming common for relatively scarce and innovative techniques to flow down into more common practice over time; as techniques become better codified and automation tooling becomes available. Creating playbooks for repeatable events can enable automation of disposition of false positives, minor alerts, and informational alerts allowing time to focus on the critical alerts in the environment and decreasing response time.

The sophistication of opportunistic attackers will continue to grow and security conscious organizations will attempt to defend themselves with more visibility, which will breed threat hunting skills in analysts with a willingness and curiosity to explore data to find evidence of compromise. We anticipate that security orchestration capabilities will enable organizations to move from an alert to remediation in minutes. It would also help address the major talent shortage challenge in the security industry.

( The views and opinions expressed in this article are solely those of the author)