12/12/2017
08:35 AM
Paul Shomo
News Analysis-Security Now

Automation Answers Security Skills Shortage

The often-discussed cybersecurity skills shortage may find a solution in security automation.

Hackers and analysts do battle with tools and techniques that are constantly evolving. Cybersecurity is an arms race, but it's not a fair one: the bad guys get endless "do-overs" during an attack, yet a single InfoSec mistake can invite a breach. This burden of consistency is probably why the good guys are losing. However, something new is coming over the horizon that could even the score.

If there was ever a day when software automatically stopped breaches, that era is gone. Attackers continually alter their malware. Complete certainty in threat detection is only possible for simple attacks. Advanced detection technologies are far more sensitive and require a partnership with humans: the tool flags something suspicious and tells the analyst, "Take a look at this."

These human practitioners examining alerts represent a weakness. Outlier Security Founder and CTO Greg Hoglund compares them to weary-eyed night watchmen. "Analysts are tired of doing the same repetitious task," he explains. "They have too much data bombarding them. It doesn't mean you can remove the human from the loop, but it does mean you can make the humans you have more productive."

Today, everyone uses Security Information and Event Management (SIEM) technology to consolidate alerts from their detection products into a single list of priority actions. Yet no aggregation technologies have arisen to organize the response to these alerts. These response activities are most of the work within a SOC, and employ myriad products including antivirus, sandboxes, and forensic tools like Volatility and EnCase.

Introducing Security Orchestration, Automation and Response (SOAR)
SOAR solutions really represent the first effort to act as a quarterback, guiding response activities across many products. Orchestration and automation vendors accomplish this by building connectors against each security product's APIs. Take Phantom, for example. The SOAR vendor boasts third-party apps for "over 670+ APIs across more than 135 security technologies," according to Chris Simmons, the company's director of product marketing.

SOAR orchestrates your many products inside a platform that encompasses:

  1. Alert Ingestion & Management -- SOAR products ship with connectors to ingest all the SIEM alerts requiring response. Case management dashboards track ongoing activities and the alerts that have become real incidents. Analysts can view daily dashboards to see what they're supposed to prioritize and work on.
  2. Automating Tasks in Playbooks -- These platforms display an organization's arsenal of owned security products, along with any tasks that can be performed through those products' API calls. These tasks can be dragged into visual playbooks to orchestrate and automate response: for instance, cross-checking alert information against threat intelligence feeds, using endpoint response products to collect telemetry, sandboxing files, or preserving forensic evidence.
  3. Collaboration and Learning -- Most of InfoSec personnel's work is in chasing down alerts. SOAR products enable multiple incident responders -- "threat hunters" or people from the IT help desk -- to coordinate their logistics.
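The three pieces above (ingesting normalized alerts, running connector-backed tasks from a playbook, and recording the result as a case for analysts to act on) fit together in a very small amount of code. The block below is an added example written for this article, not code from Phantom, Demisto, or any other vendor named here. The alerts, the threat-intel feed, and the connector functions are all constructed stand-ins (the IP addresses come from RFC 5737 documentation ranges, and each connector just returns the API call it would have made). It also shows the caveat Hoglund raises: the playbook runs enrichment and evidence collection automatically but parks the disruptive step, host isolation, in a pending-approval queue so a human stays in the loop.

```python
"""Minimal SOAR-style playbook runner (added example, not vendor code).

Flow: ingest alert -> enrich via threat-intel connector -> rank priority ->
walk an ordered playbook whose steps call product connectors -> emit a Case.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed threat-intel feed. Real platforms would query a TI provider's API.
THREAT_INTEL: Dict[str, str] = {
    "198.51.100.23": "malicious",
    "203.0.113.9": "suspicious",
}

# Constructed alerts, already normalized the way an ingestion connector would
# deliver them from a SIEM.
SAMPLE_ALERTS = [
    {"id": "A-1001", "rule": "Outbound C2 beacon", "host": "ws-42",
     "remote_ip": "198.51.100.23", "severity": 5},
    {"id": "A-1002", "rule": "Failed login burst", "host": "db-01",
     "remote_ip": "203.0.113.9", "severity": 3},
    {"id": "A-1003", "rule": "Internal port scan", "host": "ws-07",
     "remote_ip": "10.0.0.9", "severity": 2},
]


@dataclass
class Case:
    """Case-management record the playbook builds for one alert."""
    alert_id: str
    priority: str = "low"
    enrichment: Dict[str, str] = field(default_factory=dict)
    actions: List[str] = field(default_factory=list)           # ran automatically
    pending_approval: List[str] = field(default_factory=list)  # waits for a human


# Connectors: each wraps one product API call. Simulated here by returning the
# call that would be issued; a real connector would make the HTTP request.
def ti_lookup(ip: str) -> str:
    return THREAT_INTEL.get(ip, "unknown")


def edr_collect_telemetry(host: str) -> str:
    return f"edr.collect_telemetry({host})"


def forensics_preserve(host: str) -> str:
    return f"forensics.snapshot_memory({host})"


def edr_isolate_host(host: str) -> str:
    return f"edr.isolate({host})"


def rank(alert: dict, verdict: str) -> str:
    """Combine SIEM severity with the TI verdict into a case priority."""
    score = alert["severity"] + {"malicious": 3, "suspicious": 1}.get(verdict, 0)
    if score >= 7:
        return "critical"
    if score >= 4:
        return "high"
    return "low"


# A playbook step: (name, condition, action, needs_human_approval).
Step = Tuple[str, Callable[[dict, Case], bool], Callable[[dict, Case], str], bool]
PLAYBOOK: List[Step] = [
    ("collect telemetry", lambda a, c: c.priority != "low",
     lambda a, c: edr_collect_telemetry(a["host"]), False),
    ("preserve evidence", lambda a, c: c.priority == "critical",
     lambda a, c: forensics_preserve(a["host"]), False),
    # Isolation disrupts the business, so it is queued rather than auto-run.
    ("isolate host", lambda a, c: c.priority == "critical",
     lambda a, c: edr_isolate_host(a["host"]), True),
]


def run_playbook(alert: dict) -> Case:
    """Enrich one alert, rank it, then execute every applicable playbook step."""
    case = Case(alert_id=alert["id"])
    verdict = ti_lookup(alert["remote_ip"])
    case.enrichment["ti_verdict"] = verdict
    case.priority = rank(alert, verdict)
    for _name, condition, action, needs_approval in PLAYBOOK:
        if not condition(alert, case):
            continue
        call = action(alert, case)
        (case.pending_approval if needs_approval else case.actions).append(call)
    return case


def triage(alerts: List[dict]) -> List[Case]:
    """Run the playbook over a batch and return cases in dashboard order."""
    order = {"critical": 0, "high": 1, "low": 2}
    return sorted((run_playbook(a) for a in alerts), key=lambda c: order[c.priority])


if __name__ == "__main__":
    for case in triage(SAMPLE_ALERTS):
        print(case)
```

Running it against the three constructed alerts yields one critical case (C2 beacon to a known-malicious address) with telemetry collected, memory preserved, and isolation awaiting approval; one high case with telemetry collected; and one low case with no automated action. The design point is that the connector functions are the only vendor-specific part: swapping in real product APIs leaves the playbook and case logic untouched.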

To this final point, Rishi Bhargava, CEO of Demisto, describes his company's product as a collaboration platform for "enhanced learning among analysts." The vision is to replicate what your most skilled practitioners do, and walk junior analysts through these effective playbooks. Yet some take it a step further than humans working together. Bhargava adds that Demisto's machine learning "enables analysts to escalate their knowledge levels."

SOAR market growth expected
Big industry players are banking on SOAR to be a big deal, with few naysayers. Gartner predicts, "A large percentage of the security budget will shift to SOAR." FireEye, Rapid7 and IBM have all purchased SOAR products. Mega IT ticketing company ServiceNow has released an orchestration and automation offering. SIEM giant Splunk has also stepped into the arena. Across the industry, momentum is swelling.

Meet the new players
Innovation usually arrives at the hands of startups, which often operate better autonomously than when pushing against an acquiring company's inertia. Despite the entry of large vendors, history shows that at least one new brand typically arises in the category they founded. These four US-based startups focus exclusively on SOAR, and most of them date back to the birth of this category in 2014 or 2015:

  • Demisto was founded by former McAfee execs and has major venture capital (VC) backing. The company delivers more than the typical SOAR features. CEO Rishi Bhargava describes the company as a "social platform to collaborate." They were also one of the first to ship a solution with machine learning capabilities.
  • Phantom also has an impressive list of VCs backing them. In addition to numerous connectors, Phantom's solution boasts an AI capability dubbed, "Phantom Mission Guidance." It's designed to support analysts, Chris Simmons says, "by suggesting possible steps to investigate, contain, eradicate, and recover."
  • Swimlane focuses on a complete platform, going beyond response, compliance and automation to add "the ability to bring these capabilities together where security teams are first class citizens," according to Founder and CEO Cody Cornell. Cornell believes automation "will become a cornerstone capability of the SOC in the not too distant future."
  • CyberSponse is building its future with open technologies and a traditional business model. Founder and CEO Joe Loomis says CyberSponse is the only platform with open source playbooks. He's also thinking out of the box with funding: "We are not VC based and happy customers are more important than revenue."

How much will automation impact the SOC?
SIEMs have been the main product that SOCs keep on the big screen to monitor overall security health -- they get more of InfoSec's "eyeball time" than any other product. Yet in the end they only produce a to-do list. Responses to these alerts encompass most of the SOC's activities. This raises the question: could SOAR products be the first category to steal the SIEM's eyeball time?

Bhargava believes so. "That is absolutely happening," he argues. "The real investigation work is starting to happen in the automation platforms, and I absolutely agree that we will get more." Not everyone is optimistic about slaying the goliaths. Acquisition is certainly in store for some of SOAR's founding startups. Loomis comments: "I think the future is that SIEMs will acquire a SOAR capability or build such an offering within five years."

No matter who brings automation to the people, it will fundamentally change the way SOCs operate.

Paul Shomo is the Sr. Technical Manager, 3rd Party Technologies at OpenText.
