Automating Cyber Security Incident Response: The Key to Stopping Breaches Before it is Too Late

This article was originally published in Pipeline Magazine.

According to ongoing research conducted by the Breach Level Index, more than 3.5 million data records are lost or stolen every single day. Furthermore, the costs and ancillary damages stemming from security breaches also continue to rise. In fact, the 2016 Ponemon Cost of Data Breach report revealed that the average cost of just one security breach has risen to a whopping $4 million. Perhaps more noteworthy, however, was the study’s demonstration of a direct correlation between how quickly an organization can identify and contain data breach incidents, and their ability to mitigate subsequent financial consequences.

In terms of malicious attacks, the average time it takes to identify a security breach is around 229 days. More importantly, the time to contain such a breach averages out to about 82 days. Wider adoption of technologies like big data, cloud computing, and hybrid network architectures also brings with it a greater risk of cyber security breaches. This reality is compounded by the fact that hackers are becoming more sophisticated than ever before. There is no single technology on the market today that can stop them. And hiring more personnel isn’t the answer either. So, how can understaffed and overworked security professionals meet this ominous threat?

The key is automation. Why? Because it’s a force multiplier. When combined with quality monitoring tools, automation can tie disparate systems and applications together, providing a highly effective, closed-loop process that can improve response times by 80 percent while simultaneously reducing human errors by 90 percent (and possibly even eliminating them altogether). Will it replace the need for human workers? No – at least not yet. What automation can do, though, is augment existing personnel, allowing them to manage and protect against the ever-rising tide of threats without increasing headcount.

Improving Efficiency, Saving Time and Reducing Errors

Let’s look at an example. The manager of a security operations team at an overseas mobile communications provider realized his team was getting bogged down with laborious manual script-writing to manage a variety of repetitive tasks in their environment. He knew their time could be much better spent focusing on other important, business-critical duties, and automation seemed like it could help free them up for that.

So the mobile communications provider implemented an IT and Security Process Automation solution. The first process it automated was a massive cleanup of disk space on more than 4,000 workstations, followed by the monitoring of the company’s main website for any service downtime or incoming virus threats. Impressed with the results, the company expanded to automate the following:

  • Creation of password expiration reports and notifications;
  • Daily file maintenance;
  • Monitoring alerts from their SIEM-SOC and delivering them in real-time via mail and text message; and
  • Monitoring virus alerts throughout the network and notifying the appropriate employees who were affected.

The manager reported that, before rolling out the automation solution, they were spending a lot of time processing manual tasks and chasing down alerts, then trying to figure out who should be handling them. Following the deployment, they stopped executing the same repetitive manual tasks over and over by automating the most critical ones. His team was able to convert most of their manual tasks into automated workflows, easily and efficiently, which not only resulted in huge time savings, but also provided peace of mind knowing that when an alert came in, the right person was notified.

Mitigating Financial Impact

In addition to solving operational efficiency challenges, automation provides the solution to another pressing problem keeping C-Suite executives up at night – that is, improving response times to security breaches in order to reduce business impact and mitigate financial damages. As the world learned from recent high-profile data breaches in the retail and health care fields, it’s not always possible to prevent attacks; but the faster your IT team can identify, isolate and remediate the breach, the less costly it will be for your organization.

Take, for example, a company that was attempting to manage a rapidly growing number of cyber security alerts with a staff of just three security analysts. The team was spending the vast majority of its time responding to, validating, and remediating the underlying incidents that generated those alerts. Due to its manual approach and limited resources, resolving a single cyber security incident could sometimes take days or even weeks. The team felt that its process was not only extremely inefficient, but that with the rising number of incidents, they simply would not be able to scale up to keep pace with the growing number of attacks. By leveraging automation in its security operations center, the team was able to reduce the time needed to respond to, validate, and remediate cyber security incidents to hours and even minutes instead of days or weeks, saving the company from potentially significant financial impact. The team’s approach involved two steps:

  • Automating the data enrichment process, enabling much faster determination of whether an incident was a false positive or not. That reduced “noise pollution” in the alert stream, so greater attention could be given to legitimate security breaches; and
  • Automating remediation of legitimate security breaches (e.g., ransomware infections, website defacement, unauthorized domain admin access) much more rapidly using automated playbooks, specifically configured for particular breach scenarios.

Using Automated Playbooks

One of the biggest arguments in favor of automation lies in the fact that the majority of data breaches occurring today are being executed by software, not human hackers. This means that targeted attacks can be launched relentlessly around the clock – simply overwhelming the ability of even the most skilled security professionals to deal with them. To combat these often automated threats, organizations must fight fire with fire. In order to react quickly and effectively to the actions of an automated attack, organizations require an automated response. Essentially, the battle for cyber security is evolving into machine vs. machine, technology vs. technology. As a result, automation has become a game changer.

Today’s automation technology has made it possible to collect and analyze event data, and even make predictions based on the results, all without the need for human intervention. This provides the enterprise with a more streamlined, timely and efficient process for detecting and addressing critical threats. By shortening or even eliminating the lag-time of manual incident management and the subsequent delays in remediation, the potential for damages is dramatically reduced.

Surprisingly, automating these tasks doesn’t have to be particularly complex or even difficult. In fact, organizations across the globe are finding that the simplicity of automating their cyber security playbooks can quickly result in a dramatically increased level of protection. These playbooks can cover everything from how to handle ransomware and malware infections to thwarting unauthorized system access or multiple simultaneous logins. Once the threat in question is identified, the automated playbook immediately executes a remediation workflow. The workflow can be configured to include pauses for human decision making (e.g., asking whether or not to deactivate someone’s Active Directory ID), or the workflow can execute on “auto-pilot” without any human intervention. Either way, cyber security incidents are remediated much faster. And when it comes to cyber security, speed of response can make all the difference between an incident that’s easily resolved and one that isn’t, between incurring no damage and suffering serious financial consequences, between quietly thwarting an attack and having to publicly disclose the embarrassing failure to stop one.
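The two-step approach described above (enrich the alert to rule out false positives, then run a scenario-specific playbook) and the human-decision pauses described in this section fit together in a small workflow engine. The following is an added example, not code from the article or from any vendor product it describes: the alerts, the enrichment sources (a service-account list, an approved-scanner list, an asset inventory) and the playbook steps are all constructed stand-ins, and the remediation actions update a simulated environment rather than calling real EDR or directory APIs. It shows how a gated step either proceeds or pauses the workflow for an analyst, depending on the approval policy supplied.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample input: three alerts as a SIEM might forward them.
SAMPLE_ALERTS = [
    {"id": "A-1", "type": "multiple_logins", "user": "jdoe", "src_ip": "203.0.113.7", "count": 6},
    {"id": "A-2", "type": "multiple_logins", "user": "svc_monitor", "src_ip": "10.0.0.9", "count": 40},
    {"id": "A-3", "type": "ransomware", "host": "WS-0412", "user": "asmith"},
]

# Constructed enrichment sources; real ones would be IAM, CMDB or threat-intel lookups.
SERVICE_ACCOUNTS = {"svc_monitor"}        # accounts expected to authenticate often
APPROVED_SCANNERS = {"10.0.0.9"}          # internal hosts expected to log in in bulk
ASSET_CRITICALITY = {"WS-0412": "high"}   # hypothetical asset inventory


@dataclass
class Environment:
    """Simulated state the playbook acts on; every action is also written to an audit log."""
    isolated_hosts: set = field(default_factory=set)
    disabled_accounts: set = field(default_factory=set)
    audit_log: List[str] = field(default_factory=list)


def enrich(alert: Dict) -> Dict:
    """Step 1: attach the context triage needs to tell noise from a real incident."""
    enriched = dict(alert)
    enriched["is_service_account"] = alert.get("user") in SERVICE_ACCOUNTS
    enriched["from_approved_scanner"] = alert.get("src_ip") in APPROVED_SCANNERS
    enriched["asset_criticality"] = ASSET_CRITICALITY.get(alert.get("host", ""), "unknown")
    return enriched


def triage(enriched: Dict) -> str:
    """Return 'false_positive' or 'escalate'; bulk logins from a known scanner account are noise."""
    if (enriched["type"] == "multiple_logins"
            and enriched["is_service_account"]
            and enriched["from_approved_scanner"]):
        return "false_positive"
    return "escalate"


@dataclass
class Step:
    name: str
    action: Callable[[Dict, Environment], None]
    requires_approval: bool = False   # True inserts a human decision point before the action


def isolate_host(alert: Dict, env: Environment) -> None:
    env.isolated_hosts.add(alert["host"])
    env.audit_log.append(f"{alert['id']}: isolated {alert['host']}")


def disable_account(alert: Dict, env: Environment) -> None:
    env.disabled_accounts.add(alert["user"])
    env.audit_log.append(f"{alert['id']}: disabled account {alert['user']}")


def notify_owner(alert: Dict, env: Environment) -> None:
    env.audit_log.append(f"{alert['id']}: notified owner of {alert.get('host') or alert['user']}")


# Hypothetical playbooks keyed by alert type; steps run in order until one pauses.
PLAYBOOKS: Dict[str, List[Step]] = {
    "ransomware": [
        Step("isolate_host", isolate_host),                                # safe to auto-run
        Step("disable_account", disable_account, requires_approval=True),  # analyst decides
        Step("notify_owner", notify_owner),
    ],
    "multiple_logins": [
        Step("disable_account", disable_account, requires_approval=True),
        Step("notify_owner", notify_owner),
    ],
}


def run_playbook(alert: Dict, env: Environment, approver: Callable[[Dict, Step], bool]) -> str:
    """Step 2: run the playbook; `approver` decides gated steps (auto-pilot always says yes)."""
    for step in PLAYBOOKS[alert["type"]]:
        if step.requires_approval and not approver(alert, step):
            env.audit_log.append(f"{alert['id']}: paused before {step.name}, awaiting analyst")
            return "paused"
        step.action(alert, env)
    return "completed"


def handle_alerts(alerts: List[Dict], env: Environment, approver) -> Dict[str, str]:
    """Full pipeline: enrich -> triage -> remediate; returns the outcome per alert id."""
    outcomes: Dict[str, str] = {}
    for alert in alerts:
        enriched = enrich(alert)
        if triage(enriched) == "false_positive":
            env.audit_log.append(f"{alert['id']}: closed as false positive")
            outcomes[alert["id"]] = "false_positive"
            continue
        outcomes[alert["id"]] = run_playbook(enriched, env, approver)
    return outcomes


def auto_pilot(alert: Dict, step: Step) -> bool:
    """No human in the loop: every gated step is approved."""
    return True


def approve_only_high_criticality(alert: Dict, step: Step) -> bool:
    """Example gate policy: disable accounts automatically only when a high-criticality asset is involved."""
    return alert.get("asset_criticality") == "high"


if __name__ == "__main__":
    env = Environment()
    print(handle_alerts(SAMPLE_ALERTS, env, approve_only_high_criticality))
    print("\n".join(env.audit_log))
```

With the high-criticality policy, the scanner alert closes as a false positive, the ransomware alert runs to completion (isolation is unconditional, the account disablement is approved because the asset is critical), and the remaining login alert pauses at its gated step for an analyst. Swapping in `auto_pilot` runs that same alert through without a pause, which is the trade-off the article's "auto-pilot" mode makes.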

Adopting Automation

For larger enterprises with substantial resources and existing IT staff, automation can alleviate threat-overload and enable security teams to apply their skills to other, more mission-critical tasks and projects. For smaller or mid-sized companies that have limited resources, fewer or inexperienced IT personnel, automation can help bridge the skills gap, providing a much better chance of remaining a step ahead of security breaches.

As the number, frequency, and complexity of security breaches continues to increase, it’s no longer a matter of if your organization will be targeted, but when and how. Companies of every shape, size and industry – even those with small budgets and limited resources – now have the option of using automation to strengthen and fortify their incident response strategies. By incorporating automation as part of a holistic cyber security defense strategy, the inevitable threats that everyone faces can be quickly detected and contained before they have a chance to wreak havoc on your business.

