The People Crunch and the Role of Security Automation
As if enterprise security executives don’t have enough to worry about. Finding, hiring and retaining the right skill sets to protect their enterprise has become a real challenge; and it will only get harder.
- The eighth Global Information Security Workforce Study (GISWS), which includes feedback from over 19,000 information security professionals worldwide, projects an information security workforce gap of 1.8 million by 2022, an increase of 20 percent over the 1.5 million worker shortfall forecast by the 2015 GISWS.
- ISACA predicts there will be a global shortage of two million cyber security professionals by 2019. And one of the most in-demand security roles will be security analysts.
But the numbers tell only part of the story. Precisely as threat surfaces are increasing – think cloud, think mobile, think IoT – and cybercriminals get increasingly sophisticated in their tactics, techniques and procedures (TTPs), finding the right cybersecurity talent has become a serious obstacle to adequate enterprise security. A 2017 Cybersecurity Trends report states that a lack of skilled security professionals tops the list of the biggest obstacles to stronger cyber security (45%), tied with lack of budget!
Better automation and orchestration are top of mind for many security professionals, 72 percent of whom say analytics and operations are more difficult now than 2 years ago.
For those scrambling on the front-lines of cybersecurity it must feel like shell shock. Every day brings new threats and more alerts.
Make Room for Real Analytics
Technology can do more than generate additional alerts.
For starters, much can be done to automate the existing, routine workflows of security processes. Day-to-day SOC operations that sometimes involve ‘manual’ phone and email communications, filling out operations, compliance and incident reports, and even the use of spreadsheets can be better integrated into an automated workflow.
The scope and sheer quantity of data wear down, if not overwhelm, many security teams. In fact, alert fatigue is a serious problem. A recent survey found that 40.4 percent of security professionals say the alerts they receive lack actionable intelligence to investigate, and another 31.9 percent report that they ignore alerts because so many are false positives.
Automating routine tasks frees analysts to focus on investigation and mitigation – and makes them feel more effective. Like other business areas before it, such as IT help desk automation in the 1990s, cybersecurity operations are maturing and are now increasingly being operationalized. Workflow automation is required to efficiently operate and scale security operations.
Reduce Alert Noise – Getting to Real Indicators of Compromise
Data from internal systems (endpoints, firewalls, routers, IDS/IPS, etc.) should do more than simply add alerts. The system must automatically correlate internal, proprietary intelligence, third-party feeds, and business-specific data points to help weed out the false positives and provide actionable context to identify and prioritize real threats. At the very least, the increasing volume of indicators can be automatically mapped into groups (users, business function, location, etc.) and prioritized based on correlated real-time threat intelligence, network activity and enterprise security policies.
Applied context and threat intelligence can enable security professionals to more quickly focus on the threats that matter, the real Indicators of Compromise (IoCs). Automatic correlation of threat intelligence with indicators and network activity/business context provides a clear line of sight through the noise of alerts. This increases the return not only on your investments in security technology but also on your human capital. Actionable intelligence at hand empowers security analysts and can help make them feel they are making a difference.
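As an added illustration of the correlation described above (example code written for this page, not Arbor Spectrum's logic or any code from the original article), the following Python script enriches raw alerts with a constructed threat-intelligence feed, a constructed asset inventory (user, business function, location) and a constructed policy allow-list, suppresses what policy explains, weights what is left by business function, and groups the queue by location. Every address, feed entry, weight and threshold is a constructed placeholder.

```python
"""Alert triage: correlate raw alerts with threat intel, asset context and
policy, suppress the explainable noise, and rank what is left.
Added example; every feed, asset, policy and alert below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed third-party threat-intel feed (documentation-range addresses, not real IoCs)
THREAT_INTEL = {
    "198.51.100.23": {"active": True,  "ttps": ["C2 over HTTPS"],    "confidence": 90},
    "203.0.113.7":   {"active": False, "ttps": ["2015 phishing kit"], "confidence": 40},
}

# Constructed internal asset inventory: source host -> user, business function, location
ASSETS = {
    "10.0.1.15": {"user": "jdoe",        "function": "finance", "location": "HQ"},
    "10.0.2.40": {"user": "svc-backup",  "function": "it-ops",  "location": "DC1"},
    "10.0.3.9":  {"user": "guest-kiosk", "function": "lobby",   "location": "HQ"},
}
UNKNOWN_ASSET = {"user": "unknown", "function": "unknown", "location": "unknown"}

# Constructed enterprise policy: destination ranges a business function is approved to reach
POLICY_ALLOW = {"it-ops": [ip_network("203.0.113.0/24")]}  # hypothetical backup-vendor range

# Business weight: the same indicator matters more on a finance workstation than on a lobby kiosk
FUNCTION_WEIGHT = {"finance": 3, "it-ops": 2, "lobby": 1}
COMMON_PORTS = {80, 443}
INVESTIGATE_THRESHOLD = 10


@dataclass
class Alert:
    src: str
    dst: str
    port: int
    signature: str


@dataclass
class Enriched:
    alert: Alert
    asset: dict
    intel: Optional[dict]
    score: int
    verdict: str                      # "investigate" or "suppress"
    reasons: list = field(default_factory=list)


def enrich(alert: Alert) -> Enriched:
    """Attach asset context and intel to one alert and compute its priority score."""
    asset = ASSETS.get(alert.src, UNKNOWN_ASSET)
    intel = THREAT_INTEL.get(alert.dst)
    reasons, base = [], 0
    if intel and intel["active"]:
        base += 10
        reasons.append("destination is an active indicator: " + ", ".join(intel["ttps"]))
    elif intel:
        base += 2
        reasons.append("destination is a stale indicator; low weight")
    if alert.port not in COMMON_PORTS:
        base += 2
        reasons.append(f"uncommon destination port {alert.port}")
    if any(ip_address(alert.dst) in net for net in POLICY_ALLOW.get(asset["function"], [])):
        base -= 10
        reasons.append(f"destination approved by policy for {asset['function']}")
    score = base * FUNCTION_WEIGHT.get(asset["function"], 1)
    verdict = "investigate" if score >= INVESTIGATE_THRESHOLD else "suppress"
    return Enriched(alert, asset, intel, score, verdict, reasons)


def triage(alerts):
    """Enrich every alert and return the queue sorted by priority, highest first."""
    return sorted((enrich(a) for a in alerts), key=lambda e: e.score, reverse=True)


def group_by(enriched, key):
    """Bucket enriched alerts by an asset attribute such as 'function' or 'location'."""
    groups = defaultdict(list)
    for e in enriched:
        groups[e.asset[key]].append(e)
    return dict(groups)


SAMPLE_ALERTS = [  # constructed raw alerts, as a firewall or IDS might emit them
    Alert("10.0.1.15", "198.51.100.23", 443,  "outbound beacon"),
    Alert("10.0.2.40", "203.0.113.7",   22,   "outbound ssh"),
    Alert("10.0.3.9",  "192.0.2.88",    8080, "outbound http-alt"),
    Alert("10.0.9.9",  "198.51.100.23", 8443, "outbound beacon"),
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(f"{e.score:>4} {e.verdict:<11} {e.asset['user']:<12} "
              f"{e.alert.src} -> {e.alert.dst}:{e.alert.port}")
        for r in e.reasons:
            print(f"       - {r}")
```

Run it and the finance workstation beaconing to an active indicator lands at the top of the queue, the backup server's connection into its approved vendor range is suppressed with the policy reason attached, and the kiosk's odd-port connection scores too low to page anyone. The reasons list is what turns a score into the actionable context the text asks for: the analyst sees why an alert ranked where it did, not just a number.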
Automated-Assist Analysis and Threat Response
For advanced threat analysis, automatically populating investigations with historical and real-time contextual intelligence makes better use of your experienced resources. Even a pop-up investigation display with some of the basic data can go a long way in helping analysts quickly get a picture of what is going on:
- Specific indicator with related threat intelligence, e.g. is this threat currently active, what are its known TTPs;
- User ID/Active Directory;
- Destination IP, with reputation data;
- Port it was using, etc.
The security analyst can more quickly isolate network conversations between hosts and connection points of interest.
And as the analyst follows the breadcrumbs of suspicious or anomalous behavior and looks for potential lateral movement, these data should be carried forward automatically. Effectively, these recordings can be used to instantiate an investigation or forensics report. They can also be used to document for management why certain steps were taken.
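The pop-up context listed above and the breadcrumb carry-forward described here, as an added Python example that is not from the original article or from any Arbor product: it seeds an investigation record with indicator reputation, directory identity and port, pivots breadth-first through a constructed flow log to find the host conversations that followed the alert (internal connections as possible lateral movement, and any further host that reached the same indicator), records each finding on the case automatically, and renders the report an analyst could hand to management. The directory, reputation table, time window and flow records are all constructed placeholders.

```python
"""Investigation record: seed it with the at-a-glance context an analyst wants,
pivot through flow records host by host, and carry each finding forward into a
report.  Added example; every lookup table and flow below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed internal range

# Constructed directory (user/OU per host) and destination-reputation lookups
DIRECTORY = {
    "10.0.1.15": {"user": "jdoe",   "ou": "Finance"},
    "10.0.1.22": {"user": "asmith", "ou": "Finance"},
    "10.0.5.5":  {"user": None,     "ou": "Servers"},
}
REPUTATION = {"198.51.100.23": {"verdict": "malicious", "active": True, "ttps": ["C2 over HTTPS"]}}


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    port: int
    bytes_out: int


@dataclass
class Investigation:
    indicator: str
    seed_host: str
    opened: datetime
    context: dict = field(default_factory=dict)
    timeline: list = field(default_factory=list)        # (ts, host, note), filled automatically
    hosts_of_interest: set = field(default_factory=set)

    def record(self, ts, host, note):
        """Carry a finding forward so the analyst never re-types it into the report."""
        self.timeline.append((ts, host, note))
        self.hosts_of_interest.add(host)


def open_investigation(indicator, seed_host, port, when):
    """Populate the pop-up context: indicator reputation, identity of the source host, port."""
    inv = Investigation(indicator, seed_host, when)
    inv.context = {
        "reputation": REPUTATION.get(indicator, {"verdict": "unknown", "active": False, "ttps": []}),
        "identity": DIRECTORY.get(seed_host, {"user": "unknown", "ou": "unknown"}),
        "port": port,
    }
    inv.record(when, seed_host, f"alert: {seed_host} -> {indicator}:{port}")
    return inv


def follow_breadcrumbs(inv, flows, window=timedelta(hours=1), max_hops=3):
    """Breadth-first pivot from the seed host through flows inside the window, recording
    new internal conversations (possible lateral movement) and any further host that
    talked to the indicator.  max_hops bounds how far the pivot fans out."""
    end = inv.opened + window
    in_window = sorted((f for f in flows if inv.opened <= f.ts <= end), key=lambda f: f.ts)
    frontier, hop = [inv.seed_host], 0
    while frontier and hop < max_hops:
        next_frontier = []
        for host in frontier:
            for f in in_window:
                if f.src != host:
                    continue
                if f.dst == inv.indicator and host != inv.seed_host:
                    inv.record(f.ts, host, f"also contacted indicator {inv.indicator}:{f.port}")
                elif ip_address(f.dst) in INTERNAL and f.dst not in inv.hosts_of_interest:
                    inv.record(f.ts, host, f"possible lateral movement -> {f.dst}:{f.port} ({f.bytes_out} bytes)")
                    inv.hosts_of_interest.add(f.dst)
                    next_frontier.append(f.dst)
        frontier, hop = next_frontier, hop + 1
    return inv


def render_report(inv):
    """Turn the carried-forward record into the report handed to management."""
    rep, ident = inv.context["reputation"], inv.context["identity"]
    lines = [
        f"Investigation: {inv.indicator} (seed host {inv.seed_host}, opened {inv.opened:%Y-%m-%d %H:%M})",
        f"Reputation: {rep['verdict']}, active={rep['active']}, TTPs={', '.join(rep['ttps']) or 'n/a'}",
        f"Identity: user={ident['user']}, OU={ident['ou']}, port={inv.context['port']}",
        "Timeline:",
    ]
    lines += [f"  {ts:%H:%M} {host:<11} {note}" for ts, host, note in sorted(inv.timeline)]
    lines.append("Hosts of interest: " + ", ".join(sorted(inv.hosts_of_interest)))
    return "\n".join(lines)


T0 = datetime(2017, 6, 1, 9, 0)
SAMPLE_FLOWS = [  # constructed flow log; the 09:00 record is the alert that opened the case
    Flow(T0 - timedelta(hours=2),    "10.0.1.15", "10.0.5.5",      445, 1200),   # before the alert: ignored
    Flow(T0,                         "10.0.1.15", "198.51.100.23", 443, 800),
    Flow(T0 + timedelta(minutes=5),  "10.0.1.15", "10.0.1.22",     445, 20000),
    Flow(T0 + timedelta(minutes=7),  "10.0.1.15", "10.0.5.5",      445, 3100),
    Flow(T0 + timedelta(minutes=12), "10.0.1.22", "198.51.100.23", 443, 750),
    Flow(T0 + timedelta(minutes=30), "10.0.1.22", "10.0.1.15",     445, 400),    # known host: not re-added
    Flow(T0 + timedelta(hours=3),    "10.0.5.5",  "10.0.1.22",     445, 900),    # outside the window: ignored
]


def investigate_sample():
    inv = open_investigation("198.51.100.23", "10.0.1.15", 443, T0)
    return follow_breadcrumbs(inv, SAMPLE_FLOWS)


if __name__ == "__main__":
    print(render_report(investigate_sample()))
```

The time window and hop limit are the two knobs a practitioner would tune: without them the pivot drags in every routine conversation on the segment and the report becomes noise again. Each finding lands on the timeline with its timestamp and acting host, so the "why we isolated that second workstation" question is answered by the record itself rather than from memory.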
Moving toward Operational Efficiencies
Effective enterprise cybersecurity has always been about integrating people, processes, and technology to reduce risk. Automating security processes goes hand in hand with leveraging staff more appropriately. For example, better-correlated and contextualized alerts can be filtered by Tier 1 resources rather than Tier 3 analysts.
The real benefit of security automation has a powerful people component: effective automation helps you better leverage the skill sets of security professionals and makes them feel more effective and motivated.
Visit our website to learn how Arbor Spectrum can help you optimize your security team.