Author: Chris Bedi, CIO at ServiceNow
The data breach landscape is ugly. Companies face a 26 percent chance of experiencing a material data breach in the next two years. The odds are definitely not in our favor, and most companies are not prepared to deal with the growing list of threats.
New survey results show 81 percent of CISOs are highly concerned that detected breaches go unaddressed in their organizations. That’s a scary notion—we can spot a breach, but we can’t effectively respond to it. The problem is two-fold: (1) organizations find it hard to prioritize security alerts based on the importance of the data under attack and (2) they continue to rely on manual, decentralized systems for tracking security incidents.
Security threats are too fast-changing and numerous for humans to handle without some assistance. We simply can’t throw more people at the problem and hire our way out of it. CIOs and CISOs are already dealing with negative unemployment in InfoSec—there are more open positions than skilled workers to fill them. Even if we could staff up, the volume of alerts is simply too big for humans to keep pace with. We need automation to help.
Security response meets all indicators of a process that is ripe for automation. It’s complex, high volume, repetitive, data-intensive and requires lots of staff.
Automation is the only sustainable approach to combating security threats, particularly as IoT devices multiply the access points to the network and the traditional perimeter disappears. Automating security tasks—both routine and strategic—is a necessity. It helps organizations prioritize and respond to threats in real time. Automated security response can investigate every alert, prioritize alerts based on their impact to the organization and trigger requests for remediation without human intervention.
By prioritizing threats through automation, CISOs can deploy their limited resources to make better decisions, respond more quickly to threats and breaches, and anticipate future dangers. It also frees security staffers to do higher-value work like threat hunting and remediation.
Most CISOs have done the basics—90 percent have automated alerts via email and phone. But just one-third of CISOs automate more than 40 percent of their security processes today. Most have not touched automated alert prioritization based on asset criticality, automated vulnerability management, or machine-learning-based threat detection.
Before jumping into automating complex security tasks, CISOs need to address some basics.
First, you need to know your security response playbook. Many companies don’t have well-defined processes. Security analysts tend to follow different procedures and do their own thing. But in order to automate security response, you need to standardize. Defining your playbook is critical.
Second, test how much of your security response playbook can be automated. You don’t have to bite off everything at once. Even partial automation can be effective. Start with one of your processes such as data enrichment. Map out the process, then use an automation and orchestration tool to take on the heavy lifting, and build on what you learned. It’s important to crawl before you walk and walk before you run in automating security response. You don’t want to take automation too far and end up with an automatic response blocking your DNS on a false positive.
Third, keep your humans. Automated security response doesn’t mean we replace our InfoSec employees with technology. It is the combination of automation and humans that makes security response effective. This is important because while machines are good at following rules, their adversaries—cybercriminals—are infamous rule breakers who come up with ever more creative attacks every day. We need to let the machines sift through data to spot patterns and automatically understand our security posture, and leave the final, most important decisions and the strategy to security analysts who understand how to react to a security incident.
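As an added illustration of the three steps above (example code, not from this post or from ServiceNow), the Python below triages a constructed batch of alerts: it enriches each one with asset criticality from a constructed inventory, ranks them so the most important data comes first, automates the low-risk step of opening a ticket, and holds anything disruptive such as a DNS block for an analyst. The host names, alert fields, playbook action names and the scoring formula are all assumptions.

```python
# Added example, not from the post or ServiceNow: enrich alerts with asset
# criticality, rank them, and automate only the low-risk playbook steps.

# Constructed asset inventory: host -> criticality (1 = disposable, 5 = crown jewel).
ASSET_CRITICALITY = {"db-prod-01": 5, "hr-files": 4, "dev-laptop-17": 2, "kiosk-lobby": 1}

# Constructed alert feed in the shape a SIEM might emit (severity 1-5, confidence 0-1).
ALERTS = [
    {"id": 1, "host": "db-prod-01", "type": "credential_dumping", "severity": 3, "confidence": 0.9},
    {"id": 2, "host": "kiosk-lobby", "type": "dns_beacon", "severity": 4, "confidence": 0.3},
    {"id": 3, "host": "dev-laptop-17", "type": "malware", "severity": 2, "confidence": 0.95},
    {"id": 4, "host": "unknown-host", "type": "dns_beacon", "severity": 5, "confidence": 0.6},
]

# Standardized playbook: alert type -> proposed response (hypothetical action names).
PLAYBOOK = {"dns_beacon": "block_dns", "credential_dumping": "isolate_host", "malware": "open_ticket"}

# Responses that change the environment are never executed without an analyst's decision;
# this is what keeps a false positive from automatically blocking DNS.
DISRUPTIVE = {"block_dns", "isolate_host"}


def enrich(alert):
    """Data enrichment step: attach asset criticality. Unknown hosts get a medium value
    rather than zero, so an unregistered asset is not silently deprioritized."""
    return {**alert, "criticality": ASSET_CRITICALITY.get(alert["host"], 3)}


def score(alert):
    """Priority 0-100 = severity x criticality x confidence, scaled so 5 x 5 x 1.0 = 100."""
    return round(alert["severity"] * alert["criticality"] * alert["confidence"] * 4)


def triage(alert):
    """Enrich, score and route one alert: automate safe steps, queue the rest for a human."""
    enriched = enrich(alert)
    action = PLAYBOOK.get(enriched["type"], "open_ticket")
    enriched["priority"] = score(enriched)
    enriched["action"] = action
    enriched["disposition"] = "needs_analyst" if action in DISRUPTIVE else "automated"
    return enriched


def triage_queue(alerts):
    """Return every alert triaged, highest priority first, so analysts see the worst first."""
    return sorted((triage(a) for a in alerts), key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    for a in triage_queue(ALERTS):
        print(f"#{a['id']} {a['host']:<14} priority={a['priority']:>3} {a['action']:<13} {a['disposition']}")
```

Note that the low-confidence beacon on the lobby kiosk still reaches an analyst, but at the bottom of the queue, while the high-confidence malware on a developer laptop is handled end to end by opening a ticket.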
Data breaches are inevitable and that’s not going to change. But, changing how we respond can help companies get ahead of future attackers.