According to a report by Kaspersky, the average cost of a data breach in North America was $1.3 million for large enterprises and $117,000 for small and medium-sized businesses. With global spending on cybersecurity products and services predicted to exceed $1 trillion over the five years from 2017 to 2021, according to Cybersecurity Ventures, it's safe to say that security is a primary concern for organizations today.
Recent incidents like the WannaCry ransomware attack, the marketing database breach at Dun & Bradstreet, and Yahoo's official confirmation of its 2013 data breach are only the tip of the iceberg.
As IT leaders are compelled to disrupt and innovate continuously, the likelihood of vulnerabilities and risks continues to escalate. And let's not forget the emerging complexities arising from IoT-enabled connected devices, the rise of cloud adoption, hybrid IT, the expansion of enterprise mobility, BYOD policies, and the influx of numerous fragmented SaaS applications within the enterprise IT framework.
The World Economic Forum rates a large-scale breach of cybersecurity as one of the five most serious risks facing the world today. Before delving into the need to automate your enterprise security response, let's take a quick look at common vulnerabilities and threats.
a) Too many tools and a lot of security noise
If you are IT or security personnel, you may be using several protection, detection and visibility products in your organization. An average enterprise today uses 75 security tools (Source: CSOOnline). This results in redundancy and the need to hire even more security experts to manage these products.
These tools are often siloed and generate significant amounts of data and events, overwhelming both IT and security teams, who have to manually categorize and prioritize incidents based on their risk profile. Although organizations are investing heavily in prevention, they still lack the capability to contain breaches.
According to a 2017 survey by Ponemon Institute, it took respondents 191 days to spot a breach caused by a malicious attacker, and 66 days to contain it. Another survey by eSecurity Planet reveals that 98 percent of North American IT professionals admitted having challenges with their incident response capabilities.
Let's dive deeper into the common reasons that typically cause delays in response or, at times, no security response at all.
b) Analysts for Everything
As seen in the image above, a typical security incident investigation process has 10 stages. Starting from prioritization to categorization to looking for file hashes, every stage has an analyst assigned to it.
As a result, there is a lot of manual and time-consuming work involved, which also increases the occurrence of human error. Moreover, your team's productivity decreases because they cannot devote their time to the business-critical work that does require human attention.
c) Threat is strategic but response is tactical
Traditionally, security responses are high-touch and reactive by nature. They are mostly managed through phone or email conversations and tracked using spreadsheets. Typically there is no documentation or knowledge base, leading to a reliance on the historical knowledge of individual team members.
In many organizations, IT and security teams work in silos, even if they may be seated right next to each other, resulting in flawed coordination during the investigation process. This lack of robust structured workflow and coordination among teams significantly affects response times.
All of these factors combined not only increase your time to respond, but also prevent you from nipping the threat in the bud: stopping an attack before it happens in the first place and reducing its overall impact.
To understand this better, let's take a look at a typical SecOps scenario: phishing.
Hackers use a variety of phishing techniques such as:
- Embedding a link in an email that redirects your employee to an unsecured website that requests sensitive information
- Installing a Trojan via a malicious email attachment or ad, which allows the intruder to exploit loopholes and obtain sensitive information
- Spoofing the sender's address in an email so that it appears to come from a reputable source, and requesting sensitive information
- Attempting to obtain company information by impersonating a known company vendor or the IT department
Companies usually take numerous steps to prevent phishing attacks, such as:
Security awareness training
- Train employees to recognize phishing scenarios
- Set up a mechanism for employees to report an attempt
Sound security policies
- Deploy spam filters to detect viruses, blank senders, etc.
- Keep all systems current with the latest security patches and updates
- Install antivirus solutions and monitor logs
- Develop security policies for password expiration and complexity
- Deploy a web filter to block malicious websites and discourage careless web surfing
- Encrypt all sensitive company information
- Require encryption for telecommuters
For example: despite all these precautions, "Joe" from marketing accidentally clicks on a malicious link and reports the incident via email or a phone call. From there, the Incident Response Team follows the playbook. As the workflow above shows, there are many manual steps, and each one slows down your team's ability to resolve the threat efficiently.
The Need for Automation
A powerful security response strategy isn't just about identification, protection and containment. It also involves automating those processes within your response workflow that don't require human intervention.
Rapid remediation is a critical part of a successful cybersecurity protection program, and organizations need to have strong response mechanisms in place. Think about it: with a constantly changing, disruptive technology landscape, new threats are bound to emerge and hackers will find ways to circumvent your defense systems.
Given the current environment, it is safe to assume that attacks are likely to happen and that hackers will always be a step ahead. You can familiarize yourself with existing attacks and targeted assaults, but emerging methods are harder to anticipate (we don't know what we don't know).
But it's not the occurrence of the attack that needs to be your immediate concern; it is:
- How well prepared and equipped you are to face it
- How fast you can detect, prioritize, assign, remediate and review security events
- How efficient your IT and security teams are at coordinating internally and with one another
Hiring more security analysts is one option, but it significantly increases your operational costs and resource needs. Moreover, if your security event response doesn't follow a blueprint, bringing in more people to manage new tools or processes will add to the existing chaos. Add to that a serious shortage of cybersecurity skills in the market: in a recent survey by ESG, 51% of IT and cybersecurity professionals said their organization had a problematic shortage of cybersecurity skills.
By strategically introducing automation into your security response strategy you can:
- Free up your IT and security personnel from mundane tasks and allocate them to work on strategic initiatives
- Enhance operational efficiencies and cut costs
- Improve market reputation of your organization
Blend human involvement and automation
If you have a definitive blueprint for orchestrating security event response, check which areas can be automated and which ones need an analyst's brain. This doesn't mean using a machine to orchestrate the entire activity. Take a bite-sized approach. Shortlist those processes which are:
- Right for automation
- Risk-free
- The most time-consuming for your teams
Perhaps a machine can take over identifying and extracting IPs, or running repetitive processes. Analyze the before-and-after impact of automating each process on the average response time.
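As an added illustration of the "bite-sized" approach above (this is example code written for this article, not INRY's or ServiceNow's own tooling): the first stages of the phishing playbook, pulling indicators out of Joe's report and assigning a priority, are automated by simple, auditable rules, and the before/after effect on the average time to assignment is measured. The report, the indicator values and the timings are all constructed; example.com, the .test domain and the 203.0.113.0/24 range are reserved documentation values.

```python
import re
from datetime import datetime
from statistics import mean

# Constructed sample: the e-mail "Joe" from marketing sends to the security mailbox.
# Every indicator in it is made up for illustration; none is a real IoC.
REPORT = """From: joe@example.com
Subject: I think I clicked something bad
I opened http://login-example.test/verify?id=42 from an email. The attachment
invoice.zip had sha256 4f2a7e5c9b1d3e6f8a0c2b4d6e8f0a1b3c5d7e9f1a2b3c4d5e6f7a8b9c0d1e2f
and the page called home to 203.0.113.45.
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")

def extract_indicators(text):
    # The "look for file hashes / extract IPs" stage, done by the machine:
    # the analyst starts from a populated incident instead of a raw e-mail.
    return {
        "urls": sorted(set(URL.findall(text))),
        "ips": sorted(set(IPV4.findall(text))),
        "hashes": sorted(set(SHA256.findall(text.lower()))),
    }

def prioritize(indicators, clicked):
    # The prioritization stage as a fixed, reviewable rule: a link that was
    # actually clicked and an attachment hash each raise the priority one step.
    score = 1
    if clicked:
        score += 1
    if indicators["hashes"]:
        score += 1
    return {1: "low", 2: "medium", 3: "high"}[score]

def mean_response_minutes(incidents):
    # Before/after measurement for one candidate automation: average minutes
    # from the report arriving to the incident being assigned to a person.
    deltas = [(datetime.fromisoformat(a) - datetime.fromisoformat(r)).total_seconds() / 60
              for r, a in incidents]
    return round(mean(deltas), 1)

# Constructed (reported, assigned) timestamps for the same stage, handled
# manually versus with the extraction and prioritization rules above.
MANUAL = [("2021-03-01T09:00", "2021-03-01T09:48"), ("2021-03-01T13:10", "2021-03-01T14:02")]
AUTOMATED = [("2021-03-02T09:00", "2021-03-02T09:06"), ("2021-03-02T13:10", "2021-03-02T13:14")]

if __name__ == "__main__":
    print(extract_indicators(REPORT), mean_response_minutes(MANUAL), mean_response_minutes(AUTOMATED))
```

The same pattern applies to any other shortlisted stage: encode the rule, keep a human decision where the rule is not risk-free, and compare the averages before and after.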
Achieving the perfect blend of human involvement and automation in your response framework is tough, but with the right automation and orchestration platforms, it is now achievable. In fact, according to Gartner, by 2019, 40% of large enterprises will require specialized, automated tools to meet regulatory obligations in the event of serious information security incidents.
Apply Digital Transformation to Security Operations
Business-centric digital transformation principles can be applied to Security Operations as well.
Some of them can include:
- Transforming operational capabilities
- Driving rapid collaboration and innovation
- Digitizing for agility and efficiency
We believe that for an organization to realize these principles, you need to:
- Modernize operational capabilities
- Automate collaboration and innovation
- Orchestrate digitization
Again, in order to support such transformation, using the right automation and orchestration platform is advisable.
You may consider ServiceNow Security Operations, which enables you to connect your existing security tools to prioritize and swiftly respond to security events, based on their potential impact on your business. It brings together the power of the NOW platform to drive transformation.
Different features of ServiceNow Security Operations
Security Incident Response
- Integrates with third-party threat detection systems and SIEMs
- Single platform to respond to security events
- Understand the depth and potential resolutions of security incidents
- Differentiate between potential and actual threat
- Structure your incident response process
- Route work to the right people
Automation & Orchestration
- Speed up portions of the workflow for a faster security response
Deep IT integration
- Enhance the coordination between your IT and security teams throughout the investigation process