Closing the security loop with automated incident response

Organizations need to automate low-complexity, high-volume tasks that are eating up so much of their experts' time

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Organizations have poured billions of dollars into cyber security detection solutions, and while they are exceptional at uncovering potential anomalies and threats, none of these products can guarantee against a breach. Consequently, the next logical step is to pair robust detection and prevention technology with equally efficient and effective operations solutions, including incident response.


Detection solutions are now generating an average of 10,000 alerts per day, according to a recent survey Damballa--far too many for companies to inspect and manage. Yet, security professionals are still attempting to manually separate false alarms from real threats; decide what action, if any, to take; and then perform repetitive actions like gathering data, conducting basic analysis, and generating notifications and tickets.

Forced to complete each of these tasks manually, many expert security professionals are spending the majority of their days completing what are, essentially, administrative tasks.

Automation as a Solution    

Up until now, the way most organizations dealt with an escalating number of events was to add staff. Many CIOs and CISOs still think about security in terms of an alerts-to-employee ratio; that is, they determine the size of their security operations center (SOC) staff based strictly on the volume of alerts they receive from detection solutions. But with the number of alerts rising so rapidly, that strategy is quickly becoming unsustainable.

To progress into a new era for information security, organizations are going to have to automate some of the low-complexity, high-volume tasks that are eating up so much of their experts' time, just like they've done with detection. When an organization has the ability to remove mundane tasks from their experts' plates, they free them up to tackle the more-complex issues.

Process automation, at its core, is about understanding what an analyst does to protect the enterprise or the specific steps the analyst takes to deal with alerts based on factors like source, attack type, severity and other factors. So when you are considering automation, the first step is to break down existing SOC operations so you have an almost minute-by-minute understanding.

For instance, thinking about how analysts respond to particular types of alerts may involve asking them granular questions like, "What are the sources of you alerts?" This seems obvious, but alerts can come from detection technology or be reported by the Service Desk, reported via email or called in by a user. Other lines of inquiry:

  • "What applications do they use to investigate alerts?" Do they look up users in Active Directory, an ERP solution or a corporate address book?
  • "Where do they get their investigation information?" Does it come from other detection technology, external threat intelligence or an internal configuration management database (CMDB)?
  • "How do they make decisions about response based on the information they have available?" Is it based on severity, affected system, affected users or a particular application?

That kind of granular thinking should not be limited to simply security alerts, either. Leaders should make a concerted effort to understand how staffers currently work through particular functions like creating shift turnover reports, generating metrics for management, or assigning tasks to various team members.

Once you have gathered as much information as possible about existing processes, you can work backward to determine which operations, if automated, would free up the most time for the experts on staff. Some of the repetitive tasks a solution should automate include:

  • Alert classification
  • False positive identification
  • Additional Information gathering of contextual information
  • Initial investigation and triage
  • Ticket generation
  • Email notification
  • Report generation

Knowing what functions to automate is a great first step toward transforming information security operations. The next step is to identify and ultimately onboard a tool that allows the organization to execute that process automation.

First and foremost, a solution must be able to solve the issues of an organization's specific use case. That may sound obvious, but for organizations with complex, proprietary processes, it is not a simple requirement. The tool has to be flexible enough to meet those use cases, as well as the processes that don't have a name--the ad hoc processes that are unique to that organization.

It is also important to determine what level of automation is provided out of the box. One of the cumbersome obstacles that organizations want to avoid is being forced to go back to their vendors every time they want to add a process, report or mitigation. A true enablement tool allows companies to implement new processes, reports, notification and mitigations themselves.

There is some value in pre-canned solutions but, ultimately, an organization needs a tool that can go beyond offering the automations a vendor thinks the organization will need, to enabling the specific operations it actually requires.

Imagining a Better Future

What automation tools can't do is replace human expertise. They won't be able to perform all the functions of an expert security analyst's job. But what they can do is free up time for such experts, by eliminating the repetitive tasks that consume their days. That is critical being that attacks are changing and continuing to become more complex. And the most effective means we have of identifying the anomalous behaviors that signal these new kinds of attacks is allowing analyst to be creative and spend some of their time hunting for new attacks, rather than completing repetitive low value tasks.

Once these experts figure out how to identify and thwart these new types of attacks, they may be able to recreate the process and automate it--but only if they have the time to search for anomalies in the first place.

An incredible 71 percent of organizations surveyed admitted to having been the victims of a successful cyberattack in 2014. To begin to reduce this number, organizations in all sectors are going to have to do more than adopt new solutions; they are going to have to change the way they think about cyber security. Specifically, companies must begin to see detection--regardless of how advanced it might be--as only one-half of the entire cyber security picture.

The information security industry has arrived at a critical moment in time, faced with a threat landscape continuously growing larger and more complex. At this critical crossroad, a greater focus on automated incident response is the best way forward.

Swimlane is a developer of cyber security automation solutions which centralize an organization's security operations activities, automate incident resolution and integrates with threat intelligence.


Join the TechWorld newsletter!

Error: Please check your email address.

Tags network securitysecurityDamballa

More about

Show Comments