
Ops 401 Class 11

Bill Kachersky edited this page Oct 18, 2021 · 3 revisions

Is Cybersecurity Automation The Future?

One of the trending topics in information technology is cybersecurity automation. Automating mundane and repeatable tasks that are people-driven allows businesses and individuals to concentrate on more productive problem-solving activities. A focus on these problem-solving activities can foster innovation and lead to a more resilient organization from a cybersecurity standpoint. Automation also increases the complexity of an organization’s information systems, and as malicious attackers expand their targets, cybersecurity programs must be ready to implement automated cybersecurity solutions.

What Is Cybersecurity Automation?

Cybersecurity products designed to automate specific processes are widespread, and the likelihood is that you have already implemented automation tools within your organization. For example, vulnerability management products can be configured to automatically detect and scan devices on an enterprise network. They can then conduct an assessment based upon a set of security controls authorized by the organization. Once the assessment is complete, identified defects can be remediated.

When discussing new automation practices, industry experts are generally referring to tools like security automation and orchestration (SOAR) products, robotic process automation (RPA) and custom-developed software and code that automate processes and perform analysis.

SOAR products are purpose-built tools that orchestrate activities between other security tools and perform specific automation activities in response to identified threats. RPA tools are a broader set of automation tools that allow for a wide variety of processes to be automated. RPA tools have seen a significant increase in adoption in the HR and finance fields but can also be leveraged by cybersecurity teams. Custom-developed software and code can automate all manner of analyses and is often leveraged for a niche or specific challenge within an organization that may not have an out-of-the-box tool available.

All of the aforementioned approaches interact with an enterprise’s instrumentation to gather intelligence, perform analysis and either take automated action or prompt a team member to take further action.

Why Cybersecurity Automation?

Organizations are increasingly placing an emphasis on their digital transformation activities and, as a result, are increasing the technical complexity of their enterprise. This affects the very nature of the work organizations perform, how they stay competitive, how they interact with their customers and their overall level of efficiency. Increasing organizational complexity can lead to significant risk if cybersecurity cannot sufficiently manage the changing environment by properly defending, monitoring and responding to threats.

As companies press forward with a variety of digital transformation activities, it is important to realize that those activities increase the overall attack surface from a corporate espionage perspective.

Many organizations inspect systems and data manually for evidence of unexpected behavior and indicators of compromise or defect.

This is a losing proposition in a modern organization and one that cybersecurity automation can help address. Automation can also help address lean or ill-proportioned cybersecurity teams (in relationship to the growing digital footprint of the organization). Paired with human error and the insurmountable amount of data to manage, it is inevitable that a potential threat will slip through the cracks. It is simply unrealistic to expect human teams to catch potential cybersecurity events reliably. Implementing automation could be vital in order to reliably protect your organization and ensure resilience through robust and repeatable processes.

What Is The Benefit Of Automation?

Automation is not just a technical buzzword or a passing fad. It is being adopted by large and small companies alike. By implementing automation in an organization’s environment, the cybersecurity team can focus on activities that are more complex. This means that the machine can perform the mundane, repeatable work and cybersecurity team members can devote themselves to more critical, creative and technical work to resolve issues and improve the organizational risk posture. Once the appropriate activities are automated, cybersecurity practitioners can focus on projects such as:

  • Engineering and Architecture: Automation will allow the cybersecurity team to focus on designing and implementing cybersecurity strategies, including initiatives such as zero trust and cyber hygiene within the enterprise.

  • Remediation Activities: The identified deficiencies from your automation efforts will assist your technical and mission teams by providing more repeatable and actionable insight into the enterprise environment leading to fewer vulnerabilities.

  • Automation Development and Engineering: Automation will become an important part of the cybersecurity program requiring its own resources related to ongoing and iterative automation design and implementation.

What is Next?

I firmly believe that the future of cybersecurity operations is intertwined with automation. However, as this future manifests, it is imperative that cybersecurity teams become smarter when it comes to code and development practices. In the future, the cybersecurity program may become a developer shop where automation capabilities will be created and advanced using multiple automation techniques.

You must ask yourself the following question: “How will my program implement these capabilities?” The first step on your journey starts with creating a playbook for the processes you want to develop. It is very difficult to develop a process if you do not perform a detailed systematic analysis to determine each aspect of the process. Your playbook should be detailed enough to include all of the steps needed to perform the activity, as though a human is performing the function. If this level of detail is not included, then you will not be developing a process that mirrors the current human executed process, which could result in a failed automation project.

Three basic approaches to successfully implement automation concepts include:

  1. Embed development capabilities in your cybersecurity team. In this way, developers report directly to cyber leadership.

  2. Partner cybersecurity with organizational development teams. This allows cybersecurity to leverage the capabilities of organizational development experts.

  3. Adopt a hybrid approach. Utilize an internal team for tactical development work and organizational development capabilities for complex integration tasks.

As the complexity of cybersecurity increases and evolves, the need for security automation tools and techniques will continue to expand, becoming an integral part of an organization’s cybersecurity roadmap. What will your organization do to stay up to speed in this industry?


Cited from Forbes.


Automated Incident Response Explained

7 common scenarios that highlight the importance of automated incident response:

1. One of your users interacts with a malicious IP address. You need to update your firewall to block the IP.

Firewalls help protect you from bad actors by filtering network traffic. Still, they have limits. Most firewalls aren’t connected to your other security tools and their rules are infrequently updated, meaning they may not be current to address the latest threats. Addressing this situation might entail detecting the problem using other security software, prioritizing the event, and manually updating a firewall with a new rule to block the malicious IP.

With automated incident response, you can automatically update your firewall to block malicious IPs as they are detected.

2. One of your systems has been infected with malware. You need to limit the damage and find out how many systems are vulnerable before it spreads.

Relying on manual processes to contain and investigate a malware intrusion means you’re faced with a long to-do list of tedious tasks: identifying all the infected systems, researching the threat, gathering event logs from different locations to investigate, and more. Just as importantly, if your security solution bombards you with noisy alarms, you might not realize you have something significant on your hands until the damage has progressed.

Automated incident response tools can shorten your to-do list. With orchestration and automation tools, you can automate actions like fetching additional forensics data, disabling networking on an infected system, running automated vulnerability scans to identify other at-risk systems, and isolating those as well until you have a chance to patch or otherwise address them. By automating the incident response activities that do not impact or disrupt business operations, you can work faster and more efficiently.

3. You’ve contained a breach, but what was the scope of the damage? Whether for compliance purposes or just to understand what happened, you need to investigate.

Understanding the scope of a breach provides critical information about what happened and how it affects your organization. If sensitive customer data has been exposed or corrupted, you need to know right away. However, getting the information you need often means engaging in repetitive, manual actions like going into each system to review its events and logs to try to piece together how the breach took place and what was compromised.

As a starting point, having a solution with log management capabilities would allow you to search for relevant alarms and events instead of combing through them manually.

4. One of your systems interacts with a Command & Control server for a remote administration tool (RAT). You need to block any further communication with the malicious domain.

If your IDS tool detects traffic to or from a known malicious domain, such as a C2 server, you need to take a range of actions to contain the situation and investigate the scope of the potential intrusion. One of those actions is to block the known malicious domain to prevent further communication. To do so, just jot down the domain from your IDS on a Post-It note, then open Cisco Umbrella to copy the domain into your blocked list. Or…

With automation capabilities, you can move immediately from detection to response by blocking the domain automatically when your intrusion detection system detects the threat.
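Scenarios 1 and 4 above come down to the same playbook: take an indicator (an IP or a domain) from a detection, check it against policy so the automation never blocks the organization's own address space or an allow-listed service, and push the block to the firewall and the DNS filter. The Python below is an added example written for these notes; it is not code from the Forbes or AT&T articles or from any SOAR product. The alert lines, the internal ranges, the allow-lists, the severity scale (1 = most severe) and the iptables FORWARD chain are all constructed assumptions.

```python
"""Turn IDS alerts into firewall and DNS block actions (added example)."""
import ipaddress
import json

# Constructed sample alerts: simplified JSON lines loosely modeled on IDS
# alert output, not captured from any real tool. Severity 1 is most severe.
SAMPLE_ALERTS = """\
{"ts": "2021-10-18T02:14:07Z", "src_ip": "10.20.5.17", "dest_ip": "198.51.100.23", "signature": "Known C2 beacon", "severity": 1, "domain": "c2.example.invalid"}
{"ts": "2021-10-18T02:14:09Z", "src_ip": "10.20.5.17", "dest_ip": "198.51.100.23", "signature": "Known C2 beacon", "severity": 1, "domain": "c2.example.invalid"}
{"ts": "2021-10-18T02:15:31Z", "src_ip": "10.20.7.4", "dest_ip": "10.20.0.2", "signature": "DNS query volume anomaly", "severity": 3, "domain": null}
{"ts": "2021-10-18T02:16:02Z", "src_ip": "10.20.9.9", "dest_ip": "203.0.113.77", "signature": "Download from known malware host", "severity": 2, "domain": "files.example.invalid"}
{"ts": "2021-10-18T02:17:45Z", "src_ip": "10.20.9.9", "dest_ip": "192.0.2.10", "signature": "Outbound to corporate SaaS", "severity": 1, "domain": "sso.example.invalid"}
"""

# Assumed policy inputs (hypothetical values): the organization's own address
# space and the endpoints that must never be blocked by an automated rule.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
NEVER_BLOCK_DOMAINS = {"sso.example.invalid"}
NEVER_BLOCK_IPS = {ipaddress.ip_address("192.0.2.10")}  # the SaaS endpoint above
AUTO_BLOCK_MAX_SEVERITY = 2  # act on severity 1 and 2, leave 3+ for analysts


def parse_alerts(text):
    """Parse JSON-lines alerts, skipping blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one malformed line must not stop the playbook
    return alerts


def is_internal(ip):
    """True if the address falls inside the organization's own ranges."""
    return any(ip in net for net in INTERNAL_NETWORKS)


def plan_blocks(alerts):
    """Return (actions, skipped): de-duplicated block actions and skip reasons."""
    actions, skipped, seen = [], [], set()
    for a in alerts:
        if a.get("severity", 99) > AUTO_BLOCK_MAX_SEVERITY:
            skipped.append((a["signature"], "below auto-block severity"))
            continue
        ip = ipaddress.ip_address(a["dest_ip"])
        if is_internal(ip) or ip in NEVER_BLOCK_IPS:
            skipped.append((a["signature"], f"{ip} is internal or allow-listed"))
        elif ("ip", str(ip)) not in seen:
            seen.add(("ip", str(ip)))
            actions.append(("ip", str(ip), a["signature"]))
        domain = a.get("domain")
        if (domain and domain not in NEVER_BLOCK_DOMAINS
                and ("domain", domain) not in seen):
            seen.add(("domain", domain))
            actions.append(("domain", domain, a["signature"]))
    return actions, skipped


def render_firewall_rules(actions):
    """Render iptables commands for the IP blocks; the chain is an assumption.
    The signature is kept in the rule comment so the audit trail survives."""
    return [f'iptables -I FORWARD -d {target} -m comment --comment "{why}" -j DROP'
            for kind, target, why in actions if kind == "ip"]


def render_domain_blocklist(actions):
    """Domains to append to the DNS filter's block list, sorted for stable diffs."""
    return sorted(target for kind, target, _ in actions if kind == "domain")


if __name__ == "__main__":
    found, not_acted = plan_blocks(parse_alerts(SAMPLE_ALERTS))
    for rule in render_firewall_rules(found):
        print(rule)
    for name in render_domain_blocklist(found):
        print("block-domain", name)
    for sig, why in not_acted:
        print("skipped:", sig, "->", why)
```

The two rendering functions only produce the commands and the list; a real playbook would hand them to the firewall management API and the DNS filter, and would log every skipped alert so an analyst can see what the automation chose not to do.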

5. Breaking news: New ransomware has emerged that exploits a vulnerability in a common Operating System. You need to know if your systems are vulnerable and, if so, take action.

When your security plan relies on a lot of manual work, learning about new ransomware variants and how to protect your assets can inspire headaches – or even panic. Not only do you need to make sure your organization stays secure, you may also have to reassure other stakeholders who might not put cybersecurity at top of mind. If you don’t have visibility of the state of security across your infrastructure, these challenges can be significant.

In this case, automation can help you before an incident even occurs. A product that builds actionable threat intelligence updates into your security plan can ensure you’re up-to-date to detect new vulnerabilities and threats without needing to do your own research and setting up your own threat detection rules. With automated vulnerability scans scheduled to run at regular intervals, you can stay aware of at-risk systems across your infrastructure as new vulnerabilities emerge, allowing you to either patch them or limit their exposure to the rest of your network.

6. A breach occurs in one of your environments. You have a team of people handling the investigation, but you (and they) need to keep track of the incident response activities they’re taking on.

Even with automation tools, the incident response can involve a lot of different actions for a team of security analysts (or for one person wearing a lot of hats). With threat information in one set of products and ticketing in another—or with no workflow ticketing whatsoever—keeping track of the tasks on each person’s plate poses a challenge. Without a way to track IR activities, it’s easy to lose track of key priorities or focus on the wrong tasks. For example, two team members might find out belatedly that they’ve been working on the same issue, wasting time a resource-strapped team can’t afford to lose.

Luckily, some solutions include tools to help you keep track of your team’s IR efforts.

7. You detect ransomware activity on a server storing critical customer data – and the alarm occurs in the middle of the night.

Each organization has its own unique infrastructure needs and priorities, making one-size-fits-all security automation impractical and potentially disruptive. You wouldn’t want to shut down business-critical systems every time a false-positive alarm popped up in one of your environments. For certain situations, however, an immediate response can prevent you from waking up in the middle of the night to do damage control, or finding out in the morning that customer information has been corrupted or exposed for the past eight hours or more.

With the right automated incident response tools, you can tailor automated responses to protect your most critical data.
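Scenario 7 is about tailoring: an immediate response on a server holding critical customer data, without shutting business-critical systems down on every false positive. One way to express that policy is to tier the response by asset criticality and to require corroboration from a second detection source before the automation takes a disruptive step on a critical asset; the same record can seed the tracking ticket scenario 6 asks for. The Python below is an added example for these notes, not code from the AT&T article or from any product; the asset inventory, the detection events, the five-minute corroboration window and the action names are constructed assumptions.

```python
"""Tiered, corroborated response for a ransomware alarm (added example)."""
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical hosts, tiers and owners).
ASSETS = {
    "db-cust-01": {"tier": "critical", "owner": "data-platform"},
    "wks-0457": {"tier": "standard", "owner": "helpdesk"},
}

# Constructed detections from two independent sources: an EDR agent and a
# file-integrity monitor. Timestamps are UTC.
DETECTIONS = [
    {"host": "db-cust-01", "source": "edr", "type": "mass-file-rename", "ts": "2021-10-18T02:40:11Z"},
    {"host": "db-cust-01", "source": "fim", "type": "ransom-note-created", "ts": "2021-10-18T02:40:35Z"},
    {"host": "wks-0457", "source": "edr", "type": "mass-file-rename", "ts": "2021-10-18T02:41:02Z"},
    {"host": "db-cust-01", "source": "edr", "type": "mass-file-rename", "ts": "2021-10-18T04:12:00Z"},
]

CORROBORATION_WINDOW = timedelta(minutes=5)  # assumed tuning value


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def corroborated(host, detections, window=CORROBORATION_WINDOW):
    """True if two distinct sources fired for the host inside one window."""
    events = sorted((_parse_ts(d["ts"]), d["source"])
                    for d in detections if d["host"] == host)
    for t0, _ in events:
        sources = {src for t, src in events if t0 <= t <= t0 + window}
        if len(sources) >= 2:
            return True
    return False


def decide(host, detections, assets=ASSETS):
    """Pick the response tier for a host; disruptive steps need corroboration."""
    tier = assets.get(host, {}).get("tier", "unknown")
    corr = corroborated(host, detections)
    if tier == "critical" and corr:
        return {"action": "isolate_network", "page_oncall": True,
                "reason": "corroborated ransomware behaviour on critical asset"}
    if tier == "critical":
        # Preserve evidence and wake a human, but do not disrupt the service
        # on a single-source alarm that may be a false positive.
        return {"action": "snapshot_and_monitor", "page_oncall": True,
                "reason": "single-source alarm on critical asset"}
    if corr:
        return {"action": "isolate_network", "page_oncall": False,
                "reason": "corroborated ransomware behaviour on standard asset"}
    return {"action": "ticket_only", "page_oncall": False,
            "reason": "single-source alarm on standard asset"}


def open_ticket(host, decision, detections, assets=ASSETS):
    """Build the tracking record so the team sees who owns which incident."""
    evidence = [d for d in detections if d["host"] == host]
    return {
        "title": f"{decision['action']} on {host}",
        "owner": assets.get(host, {}).get("owner", "security-oncall"),
        "evidence_count": len(evidence),
        "first_seen": min(d["ts"] for d in evidence) if evidence else None,
        "auto_actions": [decision["action"]],
        "reason": decision["reason"],
    }


if __name__ == "__main__":
    for h in ASSETS:
        d = decide(h, DETECTIONS)
        print(h, "->", d["action"], "| page on-call:", d["page_oncall"])
        print("  ticket:", open_ticket(h, d, DETECTIONS))
```

The window check is deliberately per-host: the EDR event on db-cust-01 at 04:12 has no second source near it, so on its own it would only trigger the snapshot-and-page path, while the pair at 02:40 from two different sensors is what justifies network isolation.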


Cited from AT&T Cybersecurity.


This content is relevant to our coursework because it highlights the importance and usefulness of automation and applications that provide that service from a system logging standpoint.
