Why automation isn't the answer to zero-day attacks [Q&A]
Last year saw almost 100 zero-day attacks, putting a strain on security teams and becoming known as the 'Hot Zero-Day Summer.'
In response to these attacks, the first instinct of many organizations has been to turn to automation. But Marc Rubbinaccio, manager, compliance at Secureframe, doesn't believe that this is the right approach. We spoke to him to find out more.
BN: Why can't automation be relied on to deal with zero-day attacks?
MR: Automation is essential for monitoring security incidents; it is impossible for an individual or a team to monitor all logs for anomalies without some level of automation. However, one of the main issues with relying solely on automation is that attackers developing zero-day attacks aim to bypass automated systems. If systems are vulnerable to an undiscovered threat, it is likely that signatures for this threat do not exist, and many pre-configured automated mechanisms, such as intrusion prevention systems, will not detect it. These predefined rules typically look for existing threats and known attack patterns, so if the introduced threat is unknown, the automated mechanisms will probably not alert against the attack.
Automated mechanisms are usually configured based on your current environment as well. In many organizations, the environment these automated systems are protecting is constantly changing. If there are no manual processes to ensure these automated systems are configured to be monitoring against current rules based on the current state of the environment, or trained on the current environment, it is likely that these tools will be generating more false positives and false negatives, making it even more difficult to ensure attacks are being prevented.
Automation is indeed necessary for managing the hundreds or thousands of alerts across multiple systems, which would otherwise be infeasible. These multiple systems could be spread across multiple teams, which would require teamwork across the organization to help monitor, manage and respond to them. Without the teamwork and collaboration needed to manage these alerts effectively, it is likely many true alerts could be falling through the cracks.
BN: What makes humans such a key part of the process?
MR: Humans are essential in the security process for discovering, alerting, mitigating, and responding to zero-day or security incidents. No matter how effective your automated incident detection or prevention solution is, it requires individuals or teams to ensure it is configured correctly to detect and prevent anomalies. Automated mechanisms can still produce false positives or false negatives regularly. Using the information provided by these automated mechanisms, the team must determine how an anomaly affects the environment as a whole. Investigating the anomaly involves several tasks that must be performed by individuals, as they cannot be solely answered by automated mechanisms. These tasks include determining if the anomaly is indeed an attack, establishing whether it is the first instance of the attack or if attackers are already present in the network, and identifying the root cause of the attack.
BN: How can organizations balance regulatory requirements with protecting their data?
MR: Regulatory requirements such as PCI DSS and HIPAA provide baselines and standards to protect your data. By meeting the requirements listed in these regulatory frameworks, organizations implement and maintain controls designed to protect the sensitive customer data they handle. Example controls include intrusion detection and prevention, audit logging and monitoring, vulnerability scanning, and penetration testing. Maintaining these required controls is just a baseline; organizations with higher risk should aim to uphold these controls at the highest standard possible, without affecting performance or business operations, by going above and beyond baseline implementations.
BN: What role does continuous monitoring have to play?
MR: Continuous monitoring is critical for the successful prevention, mitigation, and response to zero-day vulnerabilities. Combining automated mechanisms with the monitoring efforts of a security incident response team ensures your organization is as prepared as possible for a cyber attack. Regularly configuring and reviewing the results of implemented automated mechanisms will keep them operating at the highest level. This includes continuously fine-tuning heuristic detection systems to minimize false positives and negatives. Continuous monitoring should also include manual processes, such as daily log monitoring, regular access reviews, and ensuring timely security patching. Performing only point-in-time assessments, no matter how regular, will increase the risk of a threat impacting the environment and will not be sufficient if you want to ensure that threats do not go unnoticed.
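Two points in this interview can be shown in working code: the first answer's observation that signature rules only match known patterns, and this answer's point that heuristic detection must be tuned against a current baseline or it floods the team with false positives. The following is an added example written for this page; it is not code from the interview or from Secureframe. The log format, the two signature rules, the "bytes per path" baseline, the ratio threshold and every log line are constructed assumptions, chosen only to make the behaviour visible.

```python
"""Signature matching vs. baseline-driven anomaly triage over constructed web logs.

Signature rules catch only the patterns they were written for; a baseline built
from recent normal traffic can surface an unknown event, but the result is a
queue for human review, not an automatic verdict, and its size depends on the
tuning ratio.
"""
import re
from collections import defaultdict

# Constructed "normal" training window: "client path status bytes" per line.
BASELINE_LOGS = [
    "10.0.0.5 /index.html 200 1200",
    "10.0.0.5 /api/export 200 3100",
    "10.0.0.7 /api/export 200 2900",
    "10.0.0.9 /index.html 200 1180",
    "10.0.0.9 /login 200 800",
    "10.0.0.7 /login 302 300",
]

# Constructed monitoring window: two known-pattern probes, one unknown event
# (a huge response from a normal endpoint) and one benign never-seen download.
WINDOW_LOGS = [
    "10.0.0.5 /index.html 200 1210",
    "203.0.113.8 /../../etc/passwd 404 512",
    "203.0.113.8 /login?user=a'%20union%20select%201 400 600",
    "198.51.100.4 /api/export 200 910000",
    "10.0.0.9 /api/export 200 3050",
    "10.0.0.7 /downloads/q3-report.pdf 200 450000",
]

# Hypothetical signature rules standing in for a pre-configured IPS ruleset.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union(\s|%20|\+)+select", re.IGNORECASE),
}


def parse_line(line):
    """Split one constructed log line into its four fields."""
    client, path, status, nbytes = line.split()
    return {"client": client, "path": path, "status": int(status), "bytes": int(nbytes)}


def signature_hits(lines):
    """Known patterns only: returns (rule name, line) for every signature match."""
    hits = []
    for line in lines:
        for name, rx in SIGNATURES.items():
            if rx.search(line):
                hits.append((name, line))
    return hits


def build_baseline(lines):
    """Mean response size per path, learned from the normal window."""
    totals = defaultdict(list)
    for rec in map(parse_line, lines):
        totals[rec["path"]].append(rec["bytes"])
    return {path: sum(sizes) / len(sizes) for path, sizes in totals.items()}


def anomaly_hits(lines, baseline, ratio=5.0):
    """Baseline deviation: never-seen paths, or responses larger than ratio x the path mean.

    A lower ratio catches more but also flags ordinary jitter, which is the
    false-positive trade-off the interview describes.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        mean = baseline.get(rec["path"])
        if mean is None:
            hits.append(("new-path", line))
        elif rec["bytes"] > ratio * mean:
            hits.append((f"bytes {rec['bytes']} vs baseline mean {mean:.0f}", line))
    return hits


def triage(lines, baseline, ratio=5.0):
    """Signature matches are high-confidence alerts; everything else that
    deviates from the baseline goes to a human review queue."""
    sig = signature_hits(lines)
    matched = {line for _, line in sig}
    remaining = [line for line in lines if line not in matched]
    return {"signature": sig, "review": anomaly_hits(remaining, baseline, ratio)}


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGS)
    for ratio in (5.0, 1.0):
        result = triage(WINDOW_LOGS, baseline, ratio)
        print(f"ratio={ratio}: {len(result['signature'])} signature alerts, "
              f"{len(result['review'])} items for human review")
        for reason, line in result["review"]:
            print("   review:", reason, "|", line)
```

With the default ratio the signatures catch the two probes they were written for, the 910000-byte export that no rule describes lands in the review queue, and so does the benign PDF download: an analyst has to decide which is an incident. Dropping the ratio to 1.0 doubles the review queue with ordinary size jitter, which is what untuned heuristics look like in practice.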
BN: What's the importance of the relationship with your cybersecurity provider?
MR: If you are utilizing an MSSP for managing and monitoring cybersecurity services in your organization, it is crucial to maintain a close and collaborative relationship with them. Regular communication with your MSSP regarding security alerts, necessary patching, and implementing secure changes to your infrastructure will help mitigate the risks of zero-day threats and other vulnerabilities. Establishing clear roles and responsibilities, SLAs, and a reporting channel will help ensure the security mechanisms in place will be running smoothly between the MSSP and your organization.
Any vendors or security tools used in your environment must be regularly reviewed. It's well known that many breaches in organizations stem from vulnerabilities in interconnected third-party services and vendors. Therefore, conducting due diligence on the security posture of these vendors both before and after establishing connections is crucial. Regularly assessing these third parties helps ensure they maintain an acceptable level of security throughout the use of the service or product.