The critical importance for security automation

By Rishikesh Kamat, Director, Service Offering Management, NTT Ltd. India

The threat landscape is dynamic and changes rapidly. With cybercriminals more motivated than ever by an ever-expanding digital footprint, cybersecurity is no longer only about defense. To protect themselves, companies need to act decisively and be agile enough to take quick steps to prevent the next attack or data breach. The key lesson from the Covid-19 pandemic was that speed of response matters, together with a clear recognition and understanding of the risks involved. In the digital age, agility is critical: every business needs to stay alert to prevent breaches, and when breaches do occur, it must react quickly to limit the damage and stop further compromise.

This is, however, easier said than done. Traditional, largely manual approaches to security cannot react at the speed today's environment demands. From stealthy intrusions to modern ransomware to the exploitation of zero-day vulnerabilities, the scale and complexity of attacks keep growing, and alert volumes grow with them. To address changing security threats more effectively, automation of security operations is critical.

The value of security automation

Businesses today need solutions that not only detect cyber threats in real time, but also respond quickly and effectively without waiting for a human to act on every alert. In this context, security orchestration, automation and response (SOAR), a group of technologies that enable organizations to manage, analyze and respond to threats quickly, is rapidly gaining in importance.

Put simply, SOAR combines three things: automated processing of security information; orchestration of the workflow steps involved (data collection, enrichment with context, approvals and other auditable checkpoints); and response, the resulting action. The combination matters because each step strengthens the others. Automation and orchestration are only effective if a company has threat intelligence of the right quality to drive decisions, and threat intelligence is only useful if threats are not merely detected but acted on immediately.

Let's look at an example. Thousands of phishing emails are sent to businesses every day. A SOAR platform can ingest alert data from security tools such as a SIEM or the mail gateway. It extracts the key indicators from the suspicious email (links, attachment hashes, sender details), examines the links and compares the indicators with external threat intelligence. If they match known-bad indicators, it can search all mailboxes and endpoints for the same indicators to find other copies of the email and any machines that were compromised, and remove or quarantine those emails (quarantine is preferable to outright deletion because it is reversible if the verdict turns out to be wrong). At the same time, the indicators of compromise are added to a blocklist so that future emails carrying them are blocked automatically. If the email shows no evidence of malicious indicators, the SOAR platform can be configured to work with other security tools and ITOps to isolate the message and route it to the security team for manual analysis.

A similar strategy can be adopted for malware protection. SOAR platforms can collect data from multiple threat intelligence sources and SIEM tools and correlate it across the stages of the attack to determine whether a file is malicious. If it is, the SOAR platform can automatically update the relevant watchlists and blocklists, quarantine or isolate the infected endpoints, and open the required tickets.
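The phishing and malware workflows described in the two paragraphs above, written out as playbook logic. This is an added example, not code from the article or from any SOAR product. The alert format, the threat-intelligence feed, the mailbox corpus and the action names (`quarantine_message`, `blocklist_url`, `isolate_endpoint`, `open_ticket`, `escalate_to_analyst`) are all constructed for the example; a real platform would call the SIEM, mail gateway, EDR and ticketing APIs instead of returning action records. Quarantine is used in place of the article's "delete" because it is reversible.

```python
"""Phishing/malware triage playbook (hypothetical SOAR logic, added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"https?://[^\s\"'>]+")

# Constructed threat-intel feed: known-bad URLs and SHA-256 attachment hashes.
THREAT_INTEL = {
    "urls": {"http://login-verify.example.net/reset"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Constructed mailbox corpus: message id -> (recipient, body, attachment sha256 or None).
MAILBOXES = {
    "m-1": ("alice@example.com", "Please reset at http://login-verify.example.net/reset", None),
    "m-2": ("bob@example.com", "Lunch on Friday?", None),
    "m-3": ("carol@example.com", "Invoice attached",
            "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"),
    "m-4": ("dave@example.com", "See http://intranet.example.com/wiki", None),
}


@dataclass
class Alert:
    source: str                      # e.g. "siem", "mail-gateway", "edr" (constructed)
    message_id: str
    body: str
    attachment_sha256: str | None = None
    clicked_by: list[str] = field(default_factory=list)  # hosts that opened the link


def extract_iocs(alert: Alert) -> dict[str, set[str]]:
    """Pull URLs and attachment hashes out of the alerted message."""
    urls = set(URL_RE.findall(alert.body))
    hashes = {alert.attachment_sha256} if alert.attachment_sha256 else set()
    return {"urls": urls, "sha256": hashes}


def enrich(iocs: dict[str, set[str]]) -> dict[str, set[str]]:
    """Keep only the indicators that match threat intelligence."""
    return {kind: values & THREAT_INTEL[kind] for kind, values in iocs.items()}


def find_related_messages(confirmed: dict[str, set[str]]) -> list[str]:
    """Search every mailbox for other copies carrying a confirmed-bad indicator."""
    hits = []
    for mid, (_rcpt, body, sha) in MAILBOXES.items():
        if (set(URL_RE.findall(body)) & confirmed["urls"]) or (sha in confirmed["sha256"]):
            hits.append(mid)
    return hits


def triage(alert: Alert) -> dict:
    """Return a verdict and the ordered list of actions the playbook would take."""
    confirmed = enrich(extract_iocs(alert))
    if not any(confirmed.values()):
        # No evidence either way: isolate the message and hand it to an analyst.
        return {"verdict": "unknown",
                "actions": [("quarantine_message", alert.message_id),
                            ("escalate_to_analyst", alert.message_id)]}
    actions = [("quarantine_message", mid) for mid in find_related_messages(confirmed)]
    actions += [("blocklist_url", u) for u in sorted(confirmed["urls"])]
    actions += [("blocklist_hash", h) for h in sorted(confirmed["sha256"])]
    actions += [("isolate_endpoint", host) for host in alert.clicked_by]
    actions.append(("open_ticket", alert.message_id))
    return {"verdict": "malicious", "actions": actions}


if __name__ == "__main__":
    phish = Alert("mail-gateway", "m-1", MAILBOXES["m-1"][1], clicked_by=["ws-17"])
    for step in triage(phish)["actions"]:
        print(step)
```

The search in `find_related_messages` deliberately uses only the indicators confirmed by threat intelligence, so a benign intranet link in the same message does not cause unrelated mail to be quarantined.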

Improve the security posture

SOAR can help automate the incident response cycle: ingesting alerts, analyzing and investigating incidents, hunting for threats and, finally, containing them through an automated response mechanism. It also enforces standardization and compliance by running every incident through a defined, repeatable process with an audit trail. And it lets companies automate repetitive manual tasks such as data collection and enrichment, delivering countermeasures at machine speed by orchestrating other security controls such as the SIEM, IDS/IPS, EDR and firewalls.

Use playbooks to proactively respond

One of the most significant benefits of a SOAR platform is the ability to automate a workflow using a playbook. Businesses can create customized playbooks for any type of incident, often through a drag-and-drop workflow editor. For example, if numerous failed logins are detected against an end-user account, a playbook that tells the SOAR platform which actions to take automatically is extremely beneficial. The playbook can specify that, on suspicious logins, the platform should automatically contact the affected user and ask whether they attempted to log in. If the answer is yes, the platform can reset the password and email the user instructions to set a new one. If the user did not try to log in, the platform can notify them that someone attempted to access their account repeatedly. The confirmation request should go over a channel the attacker is unlikely to control, and the playbook should define what happens when the user does not answer at all.

Likewise, automated incident response playbooks can quickly block suspicious IP addresses, disable user accounts, or isolate particular devices or endpoints from the network. Custom playbooks can be built around the types of attack an organization typically faces.
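The failed-login playbook from the two paragraphs above as runnable detection and branching logic. This is an added example, not code from the article or any SOAR product. The auth log lines are constructed, the threshold and window are arbitrary choices, and `ask_user` stands in for whatever confirmation channel the platform uses; the "no reply" branch (disable the account and escalate) is an assumption added here because the article does not say what to do when the user never answers.

```python
"""Failed-login playbook (hypothetical SOAR logic, added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Optional

THRESHOLD = 5                  # failures per account within WINDOW (arbitrary)
WINDOW = timedelta(minutes=10)

# Constructed syslog-style auth records: "<iso-ts> <host> <FAIL|OK> user=<u> src=<ip>"
AUTH_LOG = """\
2024-03-01T09:00:01 ws-17 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:05 ws-17 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:09 ws-17 FAIL user=alice src=198.51.100.23
2024-03-01T09:00:14 ws-17 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:20 ws-17 FAIL user=alice src=198.51.100.23
2024-03-01T09:01:00 ws-17 OK user=alice src=198.51.100.23
2024-03-01T09:02:00 ws-04 FAIL user=bob src=192.0.2.10
2024-03-01T09:02:30 ws-04 OK user=bob src=192.0.2.10
2024-03-01T09:00:00 ws-09 FAIL user=carol src=192.0.2.44
2024-03-01T09:08:00 ws-09 FAIL user=carol src=192.0.2.44
2024-03-01T09:16:00 ws-09 FAIL user=carol src=192.0.2.44
2024-03-01T09:24:00 ws-09 FAIL user=carol src=192.0.2.44
2024-03-01T09:32:00 ws-09 FAIL user=carol src=192.0.2.44
"""


def parse(line: str):
    ts, host, result, user, src = line.split()
    return (datetime.fromisoformat(ts), host, result,
            user.split("=", 1)[1], src.split("=", 1)[1])


def detect_bursts(log: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Return {user: set(source_ips)} for accounts with >= threshold failures
    inside any sliding window of the given length. Carol's slow trickle of
    failures spread over 30 minutes is deliberately not flagged."""
    failures = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _host, result, user, src = parse(line)
        if result == "FAIL":
            failures[user].append((ts, src))
    flagged = {}
    for user, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = {src for _, src in events[start:end + 1]}
                break
    return flagged


def run_playbook(user: str, src_ips: set, ask_user: Callable[[str], Optional[str]]) -> list:
    """Branch on the user's answer. ask_user returns "yes", "no" or None (no reply)."""
    reply = ask_user(user)
    if reply == "yes":
        # The article's branch: user owns the attempts, so force a credential reset.
        return [("reset_password", user), ("email_password_reset_instructions", user)]
    if reply == "no":
        # Not the user: tell them, block the sources, and record the incident.
        return ([("notify_user_of_attempts", user)]
                + [("block_ip", ip) for ip in sorted(src_ips)]
                + [("open_ticket", user)])
    # Assumed fail-safe branch (not in the article): no answer within the timeout.
    return [("disable_account", user), ("escalate_to_analyst", user)]


if __name__ == "__main__":
    for user, ips in detect_bursts(AUTH_LOG).items():
        print(user, run_playbook(user, ips, lambda u: "no"))
```

Because `detect_bursts` uses a sliding window rather than a fixed count, the playbook fires on a real burst (alice: five failures in twenty seconds from two addresses) and stays quiet on slow background noise, which keeps the automated actions from hitting legitimate users who mistype a password occasionally.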

In conclusion, responding to today's complex cyber threats requires companies to be constantly vigilant, since a single mistake by anyone can quickly erode the trust a business depends on. Maintaining a proactive security posture against emerging threats is not feasible without a high degree of automation. In this context, SOAR offers an efficient and comprehensive approach that lets companies respond effectively in a consistent, standardized way, significantly reducing the amount of human intervention needed to handle routine security threats while leaving analysts free for the cases that need judgment.
