Recently I spoke on a panel at NYU with several security experts about current trends in security. My time on the panel focused on trends in threat-driven security process automation and on how companies are changing the way they approach incident response these days. A recent CBS News article was written based on some of the information the panel provided about protecting against hackers. I wanted to expand on the topic, focusing on threat-driven security automation.
What is threat-driven security automation?
Threat-driven security automation is currently a significant gap in the security industry. It is a process whereby an organization takes the threat intelligence it receives from its sources and automates the work that follows from that intelligence. This approach is very different from the traditional SIEM-plus-analyst approach used today in most organizations. The SIEM approach is like constantly searching a haystack for a needle (the attacker). The threat-driven automation approach starts out already holding the needle (the attacker, or an indicator of compromise) and reaches across the other security technologies to obtain more context, validate the attack, or hunt for more evidence.
How does threat-driven automation work?
One example of threat-driven automation is the following sequence.
First, assume you receive threat intelligence data (e.g. indicators of compromise), either from one of your own key security technologies or from a third-party organization.
Next, you need to consume this data and keep track of it. One of the best ways is to use a middleware layer built specifically for security process automation. For example, if you receive a text-based feed you will want to parse out the indicators of compromise, de-duplicate them, and apply some form of whitelist so that known-good infrastructure that slipped into the feed is never acted on. In another case you may receive a JSON feed from an appliance; again you will want the same tracking and parsing to pull out the key indicators and threat information, so that indicators from every source end up in one normalized form.
Once the threat intelligence is feeding into one central place, and an automated process can consume it on a regular basis, the next step is to quickly check other parts of the enterprise against it. For example, did the proxy log the same user and URL (query it to see whether the request was blocked, and pull the surrounding context)? Did the AV detect the item (query it to see whether the item was picked up, cleaned, quarantined, etc.)? You may also want to query other internal or external intelligence sources to learn whether anyone else has seen the indicators. All of this can be automated, tracked in one central place, and then forwarded to a workflow or ticketing system with the evidence already attached. This removes hours of investigation work that security analysts typically do by hand, and the combination of answers (for example, proxy allowed the request but AV never fired) tells the analyst where to start.
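The sequence above, carried through in code as an added example (this is not code from the original post or from any particular product): two constructed feeds, one plain text and one JSON, are parsed into a single normalized indicator set, de-duplicated and whitelisted, then each indicator is checked against constructed proxy and AV records and turned into a ticket with a disposition that says what the analyst should do first. All feed contents, log records, hostnames and the whitelist are invented for the illustration, and the disposition rules are an assumed policy, not the author's.

```python
"""Added example: a minimal threat-driven automation pipeline (stdlib only).

All inputs below are constructed for the illustration; they are not real feeds,
logs or infrastructure.
"""
import ipaddress
import json
import re
from urllib.parse import urlparse

# Constructed text feed: one indicator per line, comments and mixed case allowed.
TXT_FEED = """# hypothetical vendor feed
evil-updates.example.net
198.51.100.23
EVIL-UPDATES.example.net
cdn.example-corp.com
"""

# Constructed JSON feed, shaped like what an appliance might emit.
JSON_FEED = json.dumps({"alerts": [
    {"indicator": "198.51.100.23", "type": "ip", "severity": "high"},
    {"indicator": "http://evil-updates.example.net/a.exe", "type": "url", "severity": "high"},
    {"indicator": "198.51.100.23", "type": "ip", "severity": "medium"},
    {"indicator": "203.0.113.7", "type": "ip", "severity": "low"},
]})

# Assumed whitelist: known-good infrastructure the feed flagged by mistake.
WHITELIST = {"cdn.example-corp.com"}

# Constructed proxy records: (user, url, action).
PROXY_LOG = [
    ("alice", "http://evil-updates.example.net/a.exe", "ALLOWED"),
    ("bob", "http://198.51.100.23/beacon", "BLOCKED"),
    ("dave", "http://198.51.100.23:8080/beacon", "ALLOWED"),
    ("carol", "http://cdn.example-corp.com/lib.js", "ALLOWED"),
]

# Constructed AV records: (host, user, source url of the file, action).
AV_LOG = [
    ("ws-alice", "alice", "http://evil-updates.example.net/a.exe", "QUARANTINED"),
]


def classify(raw):
    """Normalize one raw indicator into a (kind, value) tuple, or None if it is noise."""
    value = raw.strip().lower()
    if not value or value.startswith("#"):
        return None
    if "://" in value:
        return ("url", value)
    try:
        ipaddress.ip_address(value)
        return ("ip", value)
    except ValueError:
        pass
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value):
        return ("domain", value)
    return None


def parse_txt_feed(text):
    return {ioc for line in text.splitlines() if (ioc := classify(line))}


def parse_json_feed(text):
    return {ioc for alert in json.loads(text)["alerts"] if (ioc := classify(alert["indicator"]))}


def host_of(ioc):
    """Hostname used for whitelist comparison; for URLs that is the URL's host."""
    kind, value = ioc
    return urlparse(value).hostname if kind == "url" else value


def apply_whitelist(iocs, whitelist):
    # Sets already de-duplicated exact values; this drops whitelisted hosts.
    return sorted(ioc for ioc in iocs if host_of(ioc) not in whitelist)


def matches(ioc, url):
    """Does a logged URL correspond to this indicator (prefix for URLs, host otherwise)?"""
    kind, value = ioc
    if kind == "url":
        return url.lower().startswith(value)
    return urlparse(url.lower()).hostname == value


def check_proxy(ioc, log):
    return [{"user": u, "url": url, "action": a} for (u, url, a) in log if matches(ioc, url)]


def check_av(ioc, log):
    return [{"host": h, "user": u, "action": a} for (h, u, src, a) in log if matches(ioc, src)]


def triage(proxy_hits, av_hits):
    """Assumed disposition policy: combine what the tools already said into a next step."""
    if not proxy_hits and not av_hits:
        return "no activity: watch"
    allowed = [h for h in proxy_hits if h["action"] == "ALLOWED"]
    contained = [h for h in av_hits if h["action"] in ("QUARANTINED", "CLEANED")]
    if allowed and not contained:
        return "proxy allowed, AV silent: investigate host"
    if allowed and contained:
        return "proxy allowed, AV contained: confirm cleanup"
    return "blocked at proxy: low priority"


def run(txt_feed, json_feed, whitelist, proxy_log, av_log):
    """Ingest both feeds, enrich every surviving indicator, return ticket-ready records."""
    iocs = apply_whitelist(parse_txt_feed(txt_feed) | parse_json_feed(json_feed), whitelist)
    tickets = []
    for ioc in iocs:
        proxy_hits, av_hits = check_proxy(ioc, proxy_log), check_av(ioc, av_log)
        tickets.append({"indicator": ioc, "proxy": proxy_hits, "av": av_hits,
                        "disposition": triage(proxy_hits, av_hits)})
    return tickets


if __name__ == "__main__":
    print(json.dumps(run(TXT_FEED, JSON_FEED, WHITELIST, PROXY_LOG, AV_LOG), indent=2))
```

Running it yields one ticket per surviving indicator: the mixed-case duplicate and the repeated IP collapse into single entries, the whitelisted CDN never reaches the checks, and the disposition field is what saves the analyst time, since "proxy allowed, AV silent" points straight at the host that needs a look while "blocked at proxy" can wait. In a real deployment the `check_*` functions become API calls to the proxy and AV consoles and the tickets are pushed to the workflow system.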
Once an automation solution is in place, the benefits include:
- Freeing up personnel for more difficult investigation and response tasks.
- Using the collected data to hunt for attackers through frequency analysis, for example by finding the indicators that only one or two internal hosts ever touched, or the hosts that touched several different indicators.
- Benchmarking your security technologies against each other: because every indicator is checked across all of them, you can see which detections overlap, identify a tool that is performing poorly, and decide whether it should be replaced or removed entirely.
- Controlled intelligence sharing.
- Customized metrics and reporting around the automation integrations, which help you understand both your environment and the threat better.
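The two measurement benefits above (frequency-based hunting and tool overlap) in code, as an added example rather than anything from the original post. It takes a constructed table of enrichment results, one row per indicator and internal host with the set of tools that fired, and derives hunt candidates, rare indicators, per-tool unique catches and pairwise overlap. The observation rows and tool names are invented, and the thresholds are assumptions.

```python
"""Added example: frequency analysis and tool-overlap metrics over enrichment results.

OBSERVATIONS is constructed for the illustration: each row is
(indicator, internal host, set of tools that detected it).
"""
from collections import defaultdict
from itertools import combinations

OBSERVATIONS = [
    ("evil-updates.example.net", "ws-alice", {"proxy", "av"}),
    ("evil-updates.example.net", "ws-dave", {"proxy"}),
    ("198.51.100.23", "ws-dave", {"proxy", "ids"}),
    ("203.0.113.7", "ws-dave", {"ids"}),
    ("203.0.113.7", "ws-erin", {"ids", "av"}),
    ("bad.example.org", "ws-frank", {"av", "proxy"}),
]


def hosts_per_indicator(obs):
    """How many distinct internal hosts touched each indicator."""
    seen = defaultdict(set)
    for ioc, host, _ in obs:
        seen[ioc].add(host)
    return {ioc: len(hosts) for ioc, hosts in seen.items()}


def rare_indicators(obs, max_hosts=1):
    """Low-frequency hunting: indicators that very few hosts contacted (assumed threshold)."""
    return sorted(ioc for ioc, n in hosts_per_indicator(obs).items() if n <= max_hosts)


def hunt_candidates(obs, min_indicators=2):
    """Hosts that touched several different indicators are the first hunting targets."""
    per_host = defaultdict(set)
    for ioc, host, _ in obs:
        per_host[host].add(ioc)
    return sorted(h for h, iocs in per_host.items() if len(iocs) >= min_indicators)


def tool_coverage(obs):
    """Per tool: total detections and 'unique' detections no other tool made."""
    cov = defaultdict(lambda: {"total": 0, "unique": 0})
    for _, _, tools in obs:
        for tool in tools:
            cov[tool]["total"] += 1
            if len(tools) == 1:
                cov[tool]["unique"] += 1
    return dict(cov)


def pairwise_overlap(obs):
    """Number of observations each pair of tools both detected."""
    tools = sorted({t for _, _, ts in obs for t in ts})
    return {(a, b): sum(1 for _, _, ts in obs if a in ts and b in ts)
            for a, b in combinations(tools, 2)}


def redundant_tools(cov):
    """Tools whose every detection was also made by something else: review candidates."""
    return sorted(t for t, c in cov.items() if c["total"] > 0 and c["unique"] == 0)


if __name__ == "__main__":
    print("rare indicators:", rare_indicators(OBSERVATIONS))
    print("hunt candidates:", hunt_candidates(OBSERVATIONS))
    print("coverage:", tool_coverage(OBSERVATIONS))
    print("overlap:", pairwise_overlap(OBSERVATIONS))
    print("redundant:", redundant_tools(tool_coverage(OBSERVATIONS)))
```

On the constructed data `ws-dave` touched three different indicators and is the obvious place to start hunting, while the AV never caught anything the proxy or IDS had not also caught; over a few months of real results that is the evidence for a conversation about whether a tool is earning its licence, which is far harder to have from a SIEM dashboard.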
Overall there are many ways to defend against attackers, but the reality is that they are getting better all the time, and organizations must move toward a threat-driven security process automation approach to reduce response time and free skilled workers from repetitive tasks. Those workers should be proactively looking, or "hunting", for attackers who may already be in the environment instead of just responding to alerts from their security tools.