9/5/2019
02:00 PM
Chris Schueler
Commentary

Automation: Friend of the SOC Analyst

Faced by increasingly sophisticated threats, organizations are realizing the benefits of automation in their cybersecurity programs.

Automation, artificial intelligence (AI), and machine learning (ML) are rapidly transforming nearly every industry, and cybersecurity is no exception. Automation in cybersecurity is growing so fast that analyst firm Gartner predicts that by 2021 a full 70% of enterprise organizations with a dedicated security operations center (SOC) will have security orchestration, automation, and response (SOAR) capabilities. That growth is remarkable given that less than 5% had these capabilities as recently as 2018.

Automation always raises concerns about people's livelihoods, but cybersecurity professionals shouldn't worry about automation making their jobs obsolete. On the contrary, automation, AI, and ML will bring tremendous benefits to SOCs, helping alleviate the growing global cybersecurity skills shortage and enabling the industry to improve threat-hunting capabilities and response times.

Cybercriminals Are Already Using Automation
The challenge today is that our adversaries have widely embraced automation. Hackers have realized that they don't just need scale, they need speed — and automation lets them launch sophisticated, fully automated attacks that spread malcode fast. Using automation, cybercriminals can quickly and easily spread malware strains that hide within an organization's network, looking for vulnerabilities and automatically executing commands when they find them. Cybercriminals even use automation to make their spearphishing campaigns more convincing, leveraging AI algorithms to impersonate targeted individuals in email conversations and tricking their co-workers into disclosing sensitive information.

Fortunately, AI is also helping those of us on the right side of the law to automate our responses and improve our defenses. Here are two examples:

Automating and Augmenting Time-Consuming Security Tasks
As Internet of Things-connected devices proliferate throughout enterprises and the attack surface grows, the volume of data that SOC analysts must search through when threat hunting has grown exponentially. Simultaneously, attackers are employing more sophisticated obfuscation techniques, making our work more challenging and time-consuming. All this is occurring at the same time the industry is facing unprecedented shortages of skilled cybersecurity professionals, with nearly 3 million unfilled cybersecurity positions around the globe.

With automation, under-resourced SOCs can more quickly analyze vast data sets to look for patterns and anomalies that may indicate a breach, triage and prioritize alerts, and automate response measures. Automating the more minute, time-consuming tasks that are heavy in data analysis enables SOC analysts to spend their time on the more meaningful activities that require higher-level thinking and decision-making. Whereas AI identifies the anomaly, SOC analysts use their experience and creative-thinking skills to understand the meaning of the threat — asking important questions such as whether we've seen this threat actor before or if this is a likely type of attack in this industry. Following these types of investigative threads enables a SOC analyst to get better results, often allowing us to identify and quickly contain zero-days or close vulnerabilities before nefarious attackers identify them.

Delivering Greater Flexibility and Faster Response Times
In addition to enhancing threat hunting, automation enables us to speed our response and remediation time while also providing SOC analysts greater flexibility in terms of how they respond.

Traditionally, without automation, once a SOC analyst identifies a threat, he or she must perform a time-consuming series of actions involving numerous technology platforms and devices in order to stop, contain, and remediate that threat. For example, he or she may need to make manual updates to block the threat at the firewall, as well as add the bad URL to the web security gateway product, not to mention killing the process on each infected endpoint, potentially needing to remove file systems on infected laptops, etc.

Each of these actions involves a different technology platform or system, so the SOC analyst may need to enlist the help of two or three other members of the cybersecurity team who have knowledge of each of those platforms. On top of that, change tickets must be annotated and pushed up the chain of command through multiple layers of reviews and approvals. In that way, something that should be fairly straightforward can become time-consuming and complex. As a result, a single event can often take several hours or even a full day to contain and remediate.

With automated orchestration tools, when SOC analysts are alerted to a threat, they can take action no matter where they're located and can respond much faster. Imagine being away from the office and receiving an alert on your smartphone that a threat has been identified. With the tap of a button, you can automatically begin an entire series of decisions, approvals, and actions to stop, block, contain, and remediate the threat. The automated solution can communicate with all the different platforms and systems in the organization, making the necessary changes on each to fix the issue. It can automatically create and submit change requests through the appropriate review and approval processes, automatically updating change logs for compliance purposes. The entire process is completed much more quickly and can be done from anywhere, making the SOC analyst's life easier while better protecting the organization's environment.
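The containment workflow just described (block at the firewall, add the URL to the web gateway, kill the process on each endpoint, file a change ticket for every step) as an added, constructed playbook; this is illustration code written for this page, not the author's or any vendor's product. The `Platforms` object and the `approve` callback are stand-ins for the real platform connectors and the change-approval workflow.

```python
# Constructed SOAR-style containment playbook, added to illustrate the article;
# not the author's or any vendor's code. Connectors are in-memory stand-ins.
from dataclasses import dataclass, field

@dataclass
class Alert:
    alert_id: str
    src_ip: str
    bad_url: str
    process_name: str
    infected_hosts: list

@dataclass
class Platforms:
    """State of the firewall, web gateway and endpoints the playbook touches."""
    firewall_blocklist: set = field(default_factory=set)
    gateway_denylist: set = field(default_factory=set)
    killed_processes: set = field(default_factory=set)
    change_log: list = field(default_factory=list)  # audit trail for compliance

def plan_steps(alert, p):
    """Map one alert to concrete changes: (change name, target, platform state)."""
    steps = [("firewall.block_ip", alert.src_ip, p.firewall_blocklist),
             ("gateway.block_url", alert.bad_url, p.gateway_denylist)]
    for host in alert.infected_hosts:
        steps.append(("endpoint.kill_process", (host, alert.process_name), p.killed_processes))
    return steps

def run_playbook(alert, p, approve):
    """Submit each change as a ticket, apply the approved ones, log all of them.
    approve(ticket) stands in for the change-review workflow. A change that is
    already in place is recorded as a no-op, so re-running the playbook is safe."""
    results = []
    for change, target, state in plan_steps(alert, p):
        ticket = {"alert": alert.alert_id, "change": change, "target": target}
        if target in state:
            ticket["status"] = "already_applied"
        elif not approve(ticket):
            ticket["status"] = "rejected"
        else:
            state.add(target)  # a real connector would call the platform API here
            ticket["status"] = "applied"
        p.change_log.append(ticket)
        results.append(ticket)
    return results
```

The approval callback is where a real deployment would distinguish auto-approved network blocks from endpoint actions on critical hosts that still need a human reviewer.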

With the increasing sophistication of threats and ever-growing attack surface, organizations of all sizes are realizing the benefits of automation in their cybersecurity programs. However they go about it, cybersecurity professionals must embrace automation, AI, and ML soon. These technologies won't replace the need for SOC analysts, but they will ease the workload and maximize talent. By improving threat-hunting capabilities and speeding response times, automation is poised to revolutionize the cybersecurity industry, helping SOC analysts keep pace with the ever-evolving nature of tomorrow's threat landscape. 


Chris Schueler is Chief Executive Officer at Simeio Solutions where he drives the overall vision and strategy. He is a proven leader with extensive experience in go-to-market operations and product development in the managed security services space. He joined Simeio ...
 

Comments
theschue, User Rank: Apprentice
9/23/2019 | 4:46:40 PM
Re: Geek squad support
Thanks @Geeksquad for the comment and feedback. I'm pretty passionate about this as I've spent nearly 20 years just in/with security operations and we have always struggled with load... automation can appear on the outside as opposing forces to an analyst. Specifically, how automation is going to replace jobs, but in reality, it is going to allow people to grow and do higher level work which is NOT being done! I will be writing more on this soon.
Geek Squad, User Rank: Apprentice
9/9/2019 | 2:18:10 AM
Geek squad support

Thanks for the informative article. This is one of the best resources I have found in quite some time. Nicely written and great info, I really thank you for sharing it.

 

 