According to CSO Online, the average time it takes a security team of a mid-sized company to respond to a successful attack is 46 days. This includes time spent manually investigating the incident, analyzing the data, jumping between unintegrated systems during triage, and coordinating the response. And while there are many reasons for slow incident response times, manual security processes are large contributors. This is where security orchestration and automation shines.
Security orchestration and automation helps to free up time for security teams to do their most important work. And considering the many tedious processes that security analysts and other security pros perform, not all of them require a human. Here are five specific security processes we believe can benefit most from security automation:
1. Monitoring and Detection
It’s vital to have visibility into all facets of your IT environment, but is it sensible to have a person involved every step of the way? Especially as your team and technology stack grows, this can become tedious and untenable.
Instead, employ security monitoring tools to do the watching for you, and then leverage security orchestration and automation to tie all those tools into a single command center for monitoring.
2. Data Enrichment
Once an alert comes in from your monitoring or detection system(s), you need to investigate the alert to determine if it’s a real threat. Take malware infections as an example here. Once your monitoring tool(s) alert you to a potential threat, your team will want to find out:
- Which machine was first infected?
- What damage was done?
- Where else did the attack go?
Investigations like this can be very tedious and time-consuming, yet they are necessary in telling the full story of an attack. Unless deeper forensics are needed, humans don’t need to be involved, and even then, automation can do the bulk of the work, inserting human insight only at critical points.
By tying together your process and systems using orchestration and automation, machines can conduct investigations for you — and in far less time. The time saved is time your team needs to spend conducting deeper forensics or responding to threats and developing better protections so that a similar threat won’t get through the next time around.
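The three triage questions above can be answered mechanically once endpoint telemetry is normalized. The following is an added example (not code from the original article or any vendor's product): it takes a constructed set of endpoint events keyed by file hash, works out which host saw the hash first, what the malware wrote on each host, and which network connections line up with a later sighting on the target host. It then sets a flag so an analyst is only pulled in when spread is confirmed, which is the "human insight only at critical points" pattern the text describes. The event schema, hostnames, hash and paths are all invented for illustration.

```python
"""Added example: automated enrichment of a malware alert.

Everything below (event schema, hostnames, hash, file paths) is constructed
for illustration and is not real telemetry or a real product API.
"""
from collections import defaultdict

# Constructed sample telemetry, roughly what a normalized EDR export looks like.
# ISO-8601 timestamps of fixed width sort chronologically as plain strings.
ALERT_HASH = "deadbeef0001"  # made-up hash that the monitoring tool alerted on
EVENTS = [
    {"ts": "2024-03-01T09:05:00", "host": "ws-17", "type": "process_start",
     "hash": ALERT_HASH, "detail": "invoice.pdf.exe"},
    {"ts": "2024-03-01T09:06:10", "host": "ws-17", "type": "file_write",
     "hash": ALERT_HASH, "detail": "C:\\Users\\a\\Documents\\q1.xlsx"},
    {"ts": "2024-03-01T09:07:30", "host": "ws-17", "type": "net_conn",
     "hash": ALERT_HASH, "detail": "fs-02:445"},
    {"ts": "2024-03-01T09:08:00", "host": "fs-02", "type": "process_start",
     "hash": ALERT_HASH, "detail": "svchost_.exe"},
    {"ts": "2024-03-01T09:09:00", "host": "fs-02", "type": "net_conn",
     "hash": ALERT_HASH, "detail": "ws-21:445"},
    # Unrelated benign event on ws-21 that happens to be earlier; must be ignored.
    {"ts": "2024-03-01T09:04:00", "host": "ws-21", "type": "process_start",
     "hash": "cafe000099", "detail": "notepad.exe"},
    {"ts": "2024-03-01T09:10:30", "host": "ws-21", "type": "process_start",
     "hash": ALERT_HASH, "detail": "svchost_.exe"},
]


def enrich_malware_alert(events, alert_hash):
    """Answer: which machine was first infected, what was touched, where it spread."""
    related = sorted((e for e in events if e["hash"] == alert_hash),
                     key=lambda e: e["ts"])

    first_seen = {}                 # host -> first timestamp the hash appeared
    damage = defaultdict(list)      # host -> files written by the sample
    candidate_edges = []            # (src_host, dst_host) from network connections

    for e in related:
        first_seen.setdefault(e["host"], e["ts"])
        if e["type"] == "file_write":
            damage[e["host"]].append(e["detail"])
        elif e["type"] == "net_conn":
            candidate_edges.append((e["host"], e["detail"].split(":")[0]))

    ordered_hosts = sorted(first_seen, key=first_seen.get)

    # A connection only counts as lateral movement if the destination host
    # later shows the same hash; otherwise it is just a connection attempt.
    lateral = [(src, dst) for src, dst in candidate_edges
               if dst in first_seen and first_seen[dst] > first_seen[src]]

    return {
        "patient_zero": ordered_hosts[0] if ordered_hosts else None,
        "timeline": [(h, first_seen[h]) for h in ordered_hosts],
        "damage": dict(damage),
        "lateral_movement": lateral,
        # Escalate to a human only when the sample is confirmed on more than one host.
        "needs_analyst": len(ordered_hosts) > 1 or bool(lateral),
    }


if __name__ == "__main__":
    result = enrich_malware_alert(EVENTS, ALERT_HASH)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In a real playbook the `EVENTS` list would be the result of a query to the EDR or SIEM for the alerting hash over the last N hours; the correlation logic stays the same, and the `needs_analyst` flag is what decides whether the ticket is routed to a person or straight to a containment step.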
3. Incident Response
Once an attack is verified, it’s time to determine the appropriate response. Whether it’s containing and removing malware, deactivating an IT service when it’s under attack, or installing security patches or upgrades to protect against a new vulnerability, these actions need to be done fast.
When speed is the name of the game, and you can’t risk an error or missed step along the way, automate your response processes. By automating the response to your most common threats, whether it’s malware, phishing, or privilege escalation, you can ensure that when a response is needed, it will be taken care of efficiently and effectively.
4. User Permissions
Managing user permissions is a critical process all organizations should be able to do quickly and effectively, whether onboarding new employees, managing existing users, or removing departing ones. But the reality is that, with dozens of system logins for each user, adding, modifying, or removing them manually can take hours or even days. Especially when a threat involving a user account arises, the entire organization can be at risk.
Consider an insider threat. If a user is detected escalating their permissions from a standard user to a system administrator, or “root” user, you know you need to act fast. Investigating requires extensive manual effort, and by the time you’re done, the damage may be done, too.
Especially as your company grows, this can become a big issue. Automating the provisioning or deprovisioning of a user or investigating host escalations — among many other user-related tasks — will save effort, time, and ultimately, resources.
5. Business Continuity
Can you ensure the longevity of your systems and data during (and long after) an attack? This is where business continuity planning comes in, and it is something automation can enable, so that in the midst of an attack you can minimize the disruption of services for your customers.
Let’s say you’re being hit by a brute force attack and need to block the IP address(es) from which the attack is coming. You can automate IP blocking rules during an attack by telling your automation system that when an attacking IP address is detected trying to connect to your server, it’s automatically blocked so it can’t get in.
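The brute-force rule just described, together with the privilege-escalation case from the User Permissions section (a standard user becoming root or being added to an administrative group), can be expressed as one small playbook over authentication logs. The block below is an added example and not code from the original article or any product: it reads constructed Linux auth-log lines in syslog format, blocks a source IP once it exceeds a failed-login threshold inside a sliding time window, and flags any account that is added to an admin group or switches to root via `su`. Hostnames, users, IP addresses and the threshold are all invented; the returned `actions` list stands in for the firewall and identity-system calls a real orchestration platform would make.

```python
"""Added example: a minimal response playbook over auth-log lines.

The log lines, hosts, users and IPs are constructed for illustration. The
returned actions are plain dicts standing in for real firewall / IAM calls.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog-style sshd, usermod and su lines).
SAMPLE_LOG = """\
Mar  1 09:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.9 port 51122 ssh2
Mar  1 09:00:02 web01 sshd[1202]: Failed password for admin from 203.0.113.9 port 51123 ssh2
Mar  1 09:00:03 web01 sshd[1203]: Failed password for invalid user test from 203.0.113.9 port 51124 ssh2
Mar  1 09:00:04 web01 sshd[1204]: Failed password for oracle from 203.0.113.9 port 51125 ssh2
Mar  1 09:00:05 web01 sshd[1205]: Failed password for ubuntu from 203.0.113.9 port 51126 ssh2
Mar  1 09:00:20 web01 sshd[1210]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  1 09:00:25 web01 sshd[1211]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Mar  1 09:02:00 web01 usermod[1300]: add 'bob' to group 'sudo'
Mar  1 09:03:10 web01 su[1310]: (to root) bob on pts/0
"""

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .+ from (?P<ip>[\d.]+) port \d+")
GROUP_ADD = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
SU_TO_ROOT = re.compile(r"su\[\d+\]: \(to root\) (?P<user>\S+) on ")

ADMIN_GROUPS = {"sudo", "wheel", "root"}  # groups whose membership implies admin rights


def parse_ts(text):
    # syslog timestamps carry no year; the default year is fine for relative windows
    return datetime.strptime(text, "%b %d %H:%M:%S")


def run_playbook(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return the list of response actions the log lines warrant."""
    actions = []
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = set()                 # avoid emitting the same block twice

    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and ip not in blocked:
                blocked.add(ip)
                actions.append({"action": "block_ip", "target": ip,
                                "reason": f"{len(recent)} failed logins within {window.seconds}s"})
            continue

        m = GROUP_ADD.search(line)
        if m and m["group"] in ADMIN_GROUPS:
            actions.append({"action": "flag_account", "target": m["user"],
                            "reason": f"added to admin group {m['group']}",
                            "needs_analyst": True})
            continue

        m = SU_TO_ROOT.search(line)
        if m:
            actions.append({"action": "flag_account", "target": m["user"],
                            "reason": "switched to root via su",
                            "needs_analyst": True})
    return actions


if __name__ == "__main__":
    for action in run_playbook(SAMPLE_LOG):
        print(action)
```

The block action is taken automatically because it is cheap and reversible; the account flags carry `needs_analyst` so the orchestration layer opens a ticket rather than disabling the user outright, which is the split between "automate the common response" and "insert human insight at critical points" that the article argues for.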
Equally as important is being able to ensure redundancy of your servers so that if something happens to one of them, service is not disrupted. Automation can help by replicating instances of critical servers the moment a threat is detected so that even if an attacker gets past your defenses and into a server, you can be sure the data customers rely upon will still be available.
Raising the Bar For Security Teams
As a security community, let’s work to improve our time-to-response; forty-six days is not a good number to hang our hats on. Security orchestration and automation can, in fact, save up to 83 percent of the time spent investigating incidents.
By streamlining workflows, security teams report better organizational alignment and, as a result, decreased time-to-response. Let’s get ahead of our adversaries, keep customer and company data safe, and spend more of our time on truly interesting work by using automation to our favor.