The critical role of automation in improving enterprise security posture

As data breaches continue to escalate, it is more critical than ever for security leaders to improve their security posture using automation

DQINDIA Online

A growing digital footprint has thrown up critical issues that many Indian enterprises are facing today, such as an acceleration in the number of cyberattacks. Over two lakh cyber security incidents in India were recorded by CERT-In (Indian Computer Emergency Response Team) in just the first two months of this year (till February 2022). To better protect themselves, Indian enterprises have to act quickly, as the speed of response can prevent a crippling data breach from happening. This, however, is not so simple. Attacks have become stealthier and are extremely hard to detect. Traditional security techniques cannot withstand the scale of attacks and are increasingly falling short in detecting and preventing them. Additionally, many security teams do not have the skilled resources required to effectively manage and monitor security alerts or to detect and respond to advanced, complex threats.


The value of automation

As data breaches continue to escalate in both frequency and severity, it is more critical than ever for security leaders to improve their security posture by using automation. In this context, Managed Detection and Response (MDR) is a credible and viable option that gives organizations access to an outsourced service that can respond quickly to threats. An effective MDR service is built around a 100% remote, cloud-based virtual Security Operations Center supported by machine learning and the MITRE ATT&CK framework (a globally accessible knowledge base of adversary tactics and techniques based on real-world observations). Using artificial intelligence and specialized workflows, an MDR service can help enterprises develop insightful correlations between computer, network and device logs.

The MDR service can help in automating many of the SOC Tier 1 and Tier 2 processes and includes an EDR (Endpoint Detection and Response) agent, network sensors, and a SIEM (Security Information and Event Management) platform as part of the solution. The EDR collects telemetry and OS data points generated on managed endpoints, while the network sensors ingest network and DNS traffic. This gives security analysts extended visibility and enables automation to be run on those data sets.


When viewed in the context of an industry that is seeing threats increase in complexity while facing a dire shortage of security experts, an MDR service can help in ensuring a proactive security posture. Firstly, as the MDR service automates the SOC Tier 1 and Tier 2 analyst activities and performs actionable threat hunting, the security analyst is freed from routine tasks such as running queries and clearing false positives. The security team can be proactively involved in threat hunts and engaged in valuable skill-building activities. As a result, the team is motivated each day to be on the hunt for the latest malware. This type of work is perceived as much more rewarding than spending every day looking at a dashboard and clearing out alerts as they come in. This ultimately helps in reducing staff turnover and alert fatigue.

Some of the clear benefits that are prompting organizations to consider MDR as key to their security strategy are:

AI-powered threat detection: An MDR service can provide comprehensive security monitoring supported by machine learning, which, when complemented by the MITRE ATT&CK framework, can deliver a 99% detection rate.


More effective detection rate and lower mean time to detection (MTTD): Response can be automated based on alert criticality to ensure the fastest path to threat remediation, while remediation itself can still be controlled in a hands-on fashion, and, most importantly, threats are validated before action is taken. Advanced threat detection and analytics can provide deep insights into where threats originate and their overall impact on the business.

Integrated threat intelligence: In an MDR service, threat intelligence is integrated with the SIEM, which helps the business understand the scope and impact of any security event. Threat intelligence also allows correlations to be drawn between data sets of known malicious files and data points identified from ingested log sources. Having threat intelligence directly integrated allows for immediate validation of a threat against known malware. In addition, endpoint and network technologies are integrated into the solution together with people, processes, and procedures for the event of a 0-day or targeted attack. This helps in automated alerting with real-time detection.

Alert validation and noise reduction: An MDR service can reduce alert and event noise by up to 97%, leaving analysts and security personnel more time to focus on real threats and vulnerabilities, in addition to patching, upgrades, configurations, etc. Reducing event noise and alerts saves analyst time, provides confidence in findings, and increases accuracy in threat identification.
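Added example, not code from the article or from OpenText: a minimal version of the threat-intelligence correlation and criticality-based routing that the integrated threat intelligence and detection-rate points above describe, with the resulting noise-reduction figure computed over the sample telemetry. The threat-intel feed, hashes, domains, host names and severity thresholds are all constructed for illustration; the technique ids are MITRE ATT&CK ids chosen as a sample mapping.

```python
# Constructed illustration of an MDR-style triage step (not the article's or
# any vendor's code): EDR and DNS events are matched against threat intel,
# tagged with an ATT&CK technique, and routed by criticality.
from dataclasses import dataclass

# Constructed threat-intel feed: indicator -> (ATT&CK technique, severity 1-10).
THREAT_INTEL = {
    "sha256:CONSTRUCTED_HASH_1": ("T1105", 9),  # known malware file hash (constructed)
    "domain:c2.example.invalid": ("T1071", 6),  # known command-and-control domain (constructed)
}

@dataclass(frozen=True)
class Alert:
    host: str
    source: str       # "edr" or "dns"
    indicator: str
    technique: str    # MITRE ATT&CK technique id taken from the feed
    severity: int
    action: str

def indicator_of(event):
    """Normalise an EDR (file hash) or DNS (query) event to a feed key."""
    if event["source"] == "edr":
        return "sha256:" + event["sha256"]
    if event["source"] == "dns":
        return "domain:" + event["query"]
    return None

def route(severity):
    """Criticality-based response: automate only the high-confidence cases."""
    if severity >= 9:
        return "isolate_host"          # automated containment through the EDR
    if severity >= 5:
        return "analyst_validation"    # Tier 2 validates before any action
    return "suppress"                  # low value: dropped as noise

def triage(events):
    """Return (alerts, fraction of events suppressed because nothing matched)."""
    alerts = []
    for ev in events:
        hit = THREAT_INTEL.get(indicator_of(ev))
        if hit is None:
            continue                   # no intel match: never surfaced to an analyst
        technique, severity = hit
        alerts.append(Alert(ev["host"], ev["source"], indicator_of(ev),
                            technique, severity, route(severity)))
    noise = 1 - len(alerts) / len(events) if events else 0.0
    return alerts, noise

# Constructed sample telemetry: three EDR file events and three DNS queries.
EVENTS = [
    {"source": "edr", "host": "ws-01", "sha256": "CONSTRUCTED_HASH_1"},
    {"source": "edr", "host": "ws-02", "sha256": "BENIGN_HASH_A"},
    {"source": "edr", "host": "ws-03", "sha256": "BENIGN_HASH_B"},
    {"source": "dns", "host": "ws-02", "query": "c2.example.invalid"},
    {"source": "dns", "host": "ws-04", "query": "updates.example.invalid"},
    {"source": "dns", "host": "ws-05", "query": "mail.example.invalid"},
]
```

Running `triage(EVENTS)` yields two alerts (one routed to automated isolation, one queued for analyst validation) and reports two thirds of the sample events as suppressed noise.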


In summary, as data breaches continue to escalate, it is more important than ever for enterprise security leaders to counter with increased monitoring accompanied by an improvement in their cyber defenses. Against this backdrop, MDR services are extremely effective in enabling enterprises to use automation and respond in a consistent, effective and faster manner, which in turn can help them be more resilient to emerging threats.

Anthony Di Bello

The article has been written by Anthony Di Bello, VP Strategic Development, OpenText