London cops will not use controversial and inaccurate facial recognition technology at this year's Notting Hill Carnival – in a departure from the trend over the previous two years.…
This week, John Strand returns and runs the show solo, presenting his Technical Segment entitled "Build A Purple Team"! In the news, we have updates from Skybox, Wombat Security, McAfee, AlgoSec, and more, on this episode of Enterprise Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/ES_Episode92
Visit https://www.securityweekly.com/esw for all the latest episodes!
Many security operations centers (SOCs) face the same recurring problem — too many alerts and too few people to handle them. Over time, the problem worsens because the number of devices generating alerts increases at a much faster rate than the number of people available to analyze them. Consequently, alerts that truly matter can get buried in the noise.
Most companies look at this problem and see only two solutions: decrease the number of alerts, or increase the number of staff. Luckily, there’s a third option: automation, which can greatly improve the efficiency of analysts’ time.
Traditionally, automation has been viewed as an all-or-nothing proposition. But, times change. Companies can implement automation at various points of the incident response process to free analysts from mundane, repetitive tasks, while maintaining human control over how they monitor and react to alerts. Ultimately, the goal should be to strike a balance between low-risk processes that can be automated with minimal impact and the higher-risk ones that need to be handled by analysts.
Before launching into any level of SOC automation, the following should be considered: 1) Is the organization winning or losing the cyber battle? 2) If it is winning, does it have the right tools to continue doing so? 3) If it is losing, what should it do?
Whether an organization is winning or losing, understanding the pros and cons of automation is critical to any project’s success.
Benefits of Automation
Automation has typically been favored in low-impact environments, but it has been frowned upon in high-impact environments such as utility and healthcare because of the negative impact false positives can cause.
The main benefits of SOC automation include:
Downsides of Automation
Nothing is more taxing than dealing with a false positive, which happens when a system misinterprets legitimate activity and flags it as an attack. In some industries, a false positive can disrupt business processes, resulting in lost revenue, downtime for industrial organizations, and even risk to lives in hospital settings.
Major downsides include:
Best Practices for Automation
In the past, companies typically looked at automation’s potential downsides and then decided to avoid it because doing so seemed safer. However, today, more companies are realizing that if they do not implement some degree of automation, they increase their chances of missing an attack, which could cause more damage than the negative effects of automation.
Given this scenario, security practitioners should look at adopting the following best practices for automation.
Create a Thorough Strategy
The plan should address the following key questions:
Take a Measured Approach
One of the key rules of security is to always avoid extremes. For example, automating everything can open a can of worms — forcing security executives to justify the approach by claiming analysts could not keep up with the tickets.
Finding a balance by automating tasks and tickets that are manually intensive, highly repeatable, and distract analysts from important functions is a good starting point. Automation should allow the company to improve SOC efficiency while maintaining acceptable levels of risk — both on the operational side and the security side.
The trick is to manage and control false positives, not eliminate them.
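As an added illustration of the measured, tiered approach described above (example code, not from the article or DFLabs): a small triage policy that scripts only routine, low-impact alerts and hands a rule back to analysts when the false-positive rate reported through analyst feedback climbs above a ceiling. The asset tiers, rule names and thresholds are assumptions.

```python
"""Risk-tiered SOC alert triage (added example, not the article's own code).

Automate only alerts that are low-impact and highly repeatable; route everything
else, and any rule whose confirmed false-positive rate exceeds a ceiling, to a
human analyst. False positives are managed and bounded, not eliminated.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Alert:
    rule: str           # detection rule that fired (constructed names in tests)
    asset_tier: str     # "low" (workstation, lab) or "high" (OT, clinical, finance)
    hits_last_24h: int  # how often this rule fired recently: a repeatability proxy


@dataclass
class TriagePolicy:
    # Automation is permitted only when a rule fires often enough to count as
    # routine AND its analyst-confirmed false-positive rate stays under the cap.
    min_hits_for_auto: int = 20
    max_fp_rate: float = 0.05
    # Feedback loop: per-rule counts of auto-handled alerts and of those later
    # judged by an analyst to have been false positives.
    auto_handled: Counter = field(default_factory=Counter)
    false_positives: Counter = field(default_factory=Counter)

    def fp_rate(self, rule: str) -> float:
        handled = self.auto_handled[rule]
        return 0.0 if handled == 0 else self.false_positives[rule] / handled

    def record_feedback(self, rule: str, was_false_positive: bool) -> None:
        """Analyst review of an auto-handled alert feeds back into the policy."""
        self.auto_handled[rule] += 1
        if was_false_positive:
            self.false_positives[rule] += 1


def triage(alert: Alert, policy: TriagePolicy) -> str:
    """Return 'auto' when the alert may be handled by a playbook, else 'analyst'."""
    if alert.asset_tier == "high":
        return "analyst"   # high-impact environments stay under human control
    if alert.hits_last_24h < policy.min_hits_for_auto:
        return "analyst"   # rare alerts are not repeatable enough to script safely
    if policy.fp_rate(alert.rule) > policy.max_fp_rate:
        return "analyst"   # noisy rule: automation revoked until it is tuned
    return "auto"
```

The feedback counters are what keep automation honest: a playbook that starts misfiring is pulled back to analysts without anyone having to switch it off by hand.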
Know, and Don’t Automate, Tasks that Require Human Analysis
These include alerts that affect:
The need for SOC automation is increasing in urgency since adversaries are also harnessing software and hardware to develop and carry out attacks. Consequently, the velocity and sophistication of threats is rising. Keeping pace with programmatic attacks inevitably requires automating certain SOC functions and processes. Following the recommendations outlined above can help determine those that should be automated, and those that shouldn't.
About the author: John Moran is Senior Product Manager for DFLabs and a security operations and incident response expert. He has served as a senior incident response analyst for NTT Security, computer forensic analyst for the Maine State Police Computer Crimes Unit and computer forensics task force officer for the US Department of Homeland Security. John currently holds GCFA, CFCE, EnCE, CEH, CHFI, CCLO, CCPA, A+, Net+, and Security+ certifications.
Copyright 2010 Respective Author at Infosec Island
A newly-disclosed malware infection has compromised more than 500,000 home and small office routers and NAS boxes.…
Introduction
Risk optimization falls under the fourth domain of ISACA’s Certified in the Governance of Enterprise IT (CGEIT) exam and constitutes 24% of the overall objectives of the exam. This domain ensures that the framework for IT risk management is in place to identify, evaluate, monitor, mitigate, and communicate IT-related business risk. In addition, […]
Hostile states targeting essential infrastructure and services in Britain should be dealt with in the same way as any other attack against the nation, the UK Attorney General said today.…