One of the things that security professionals constantly deal with is a high volume of alerts. Even after filtering out the noise and arriving at the important events, that number is often still larger than security teams can address in a normal shift. Budgets are rarely available to hire the required headcount of skilled professionals, or even a mix of educated and skilled professionals, so security leaders have evolved their response plans to include automation where reasonable to help them deal with so many events.
Let’s look at the different stages of response automation and what security teams should consider throughout this process. To illustrate these concepts, consider the following scenarios and responses.
Scenario 1: Potential Insider Threat
The IT administrator credentials of a financial services firm are used to access and modify systems that were previously untouched. This could be an early warning of a potential insider threat, or it could be harmless. The anomalous activity triggers a playbook that sends a push notification to the IT admin and their supervisor on their mobile devices. They are given the option to disable the Active Directory user credentials or to investigate further by opening a ticket in ServiceNow.
Scenario 2: Privileged Access Anomaly
The privileged credentials of a senior executive are used to manipulate company information from an unusual geography. The incident triggers a playbook to contain the potential threat and notify the security team. The credential's privileges are restricted, a push notification is sent to the security administrator, and a message is sent to Slack to notify the security team so they can verify the legitimacy of the activity.
Scenario 3: Complex Compromise Indicators
A patient reception system at a healthcare clinic displays abnormal PowerShell activity consistent with known ransomware attack campaigns. The incident immediately triggers a playbook to isolate the compromised host and block communication from external sources on the network side to prevent spread to other hosts.
Analysis
The first scenario is an example of an organization in the early stages of exploring automation in its response plan. A human-guided decision takes place before the security control change is made; in this case, the user credential is disabled. It also opens a ticket for teams to investigate further. At this stage, the organization will want to make sure it knows the criticality of its assets and labels them as critical where appropriate, so that response automation can be gauged against that criticality.
The second scenario is an example of an organization beginning to embrace automation. A condition triggers the security control to automatically adjust the permissions to be more stringent. This allows the user to still access internal resources and remain productive while the investigator confirms whether the anomaly is legitimate activity. At this stage, the organization has seen enough of both this type of incident and this type of action to have the confidence to carry out the security control action while the investigation unfolds.
The third scenario shows a company that fully embraces automation. Once a set of conditions is met, the automated system performs actions on the host and on the network-side security controls to prevent propagation and data retrieval from the pwn3d host. Speed is critical, so there is no human decision point, although there will be some sort of notification to the appropriate stakeholders so they can do further forensics and hardening of the affected systems.
Each of these situations requires a number of actions, which include notifying the security manager of an incident and adjusting security controls. Most organizations beginning to implement automated response will start by notifying staff when a condition is met, until they are comfortable that a security control action will not have unintended consequences that disrupt the business; then they gradually implement automation where it makes sense. Ultimately, a successful organization is comfortable with its security posture and adopts controls at its own pace, balancing process automation and human interaction to meet its security requirements.
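The staged gating described in the analysis, as an added example that is not from the original article: a small Python playbook router that decides which control actions run automatically and which wait for a human, based on the organization's automation stage, asset criticality, detector confidence, and the set of control actions it has already exercised in notify-only mode. The stage labels, criticality labels, playbook names and thresholds are all assumptions for illustration.

```python
from dataclasses import dataclass, field

# Automation maturity stages from the three scenarios (constructed labels).
NOTIFY_ONLY, ASSISTED, FULL = 1, 2, 3

# Control actions ranked by blast radius; a stage may auto-apply only up to its ceiling.
BLAST_RADIUS = {"open_ticket": 0, "restrict_privileges": 1,
                "disable_credential": 2, "isolate_host": 3, "block_external_egress": 3}
STAGE_CEILING = {NOTIFY_ONLY: 0, ASSISTED: 1, FULL: 3}

# One playbook per detection type, mirroring the scenarios above (hypothetical names).
PLAYBOOKS = {
    "admin_anomaly": ["open_ticket", "disable_credential"],
    "privileged_geo_anomaly": ["restrict_privileges"],
    "ransomware_indicators": ["isolate_host", "block_external_egress"],
}

@dataclass
class Alert:
    kind: str          # key into PLAYBOOKS
    asset: str
    criticality: str   # "low" | "high" | "critical" | "unknown" (assumed labels)
    confidence: float  # detector confidence in [0, 1] (assumed)

@dataclass
class Plan:
    notify: list = field(default_factory=list)            # always sent
    auto_actions: list = field(default_factory=list)      # applied with no human in the loop
    pending_approval: list = field(default_factory=list)  # a human must confirm first

def plan_response(alert, stage, approved_auto, min_confidence=0.8):
    """Split a playbook into automatic steps and steps awaiting a human decision.

    approved_auto: control actions the organization has already run in notify-only
    mode and is confident will not disrupt the business.
    """
    plan = Plan(notify=["asset_owner", "security_team"])
    if alert.kind not in PLAYBOOKS:
        return plan  # unknown detection type: staff decide by hand
    for action in PLAYBOOKS[alert.kind]:
        radius = BLAST_RADIUS[action]
        # Never automate a control change on an asset of unknown criticality or a weak signal.
        gated = alert.criticality == "unknown" or alert.confidence < min_confidence
        within_stage = radius <= STAGE_CEILING[stage]
        # A ticket (radius 0) is bookkeeping, not a control change, so it always runs.
        if radius == 0 or (within_stage and action in approved_auto and not gated):
            plan.auto_actions.append(action)
        else:
            plan.pending_approval.append(action)
    if stage == FULL and plan.auto_actions:
        plan.notify.append("forensics")  # no decision point, but stakeholders are still told
    return plan
```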