Paranoia rules -- how automation can enable better detection and response [Q&A]

Security analysts want to capture more events in order to spot threats earlier, which requires more detection rules. But doing so risks driving up alert volumes, leading to alert fatigue.

The solution is automation, which can be used to increase the throughput of alerts and of the threat intelligence around them, creating a ‘paranoid’ form of posture management. We talked to Martin Jakobsen, CEO of Cybanetix, to learn more about how this works.
 
BN: What is ‘paranoid posture management’? What does this mean in practice, and how does automation help enable it?
 
MJ: A massive problem for security monitoring is that Security Operations Centres (SOCs) can become overwhelmed by the sheer volume of alerts, as a consequence of which a lot of SOCs end up either ignoring or tuning out low-severity alerts. The ideal scenario is to have a big red alert when you have a breach, but the reality is that attackers will make initial forays, and that those telltale signs will be missed. If you’re only looking for the obvious indicators of a breach, incident response is already caught on the back foot.

Modern-day attacks are so subtle that we need to capture everything so that we can create an early warning system. We do now finally have the technology to be able to do that and to cope with the resulting influx of data. It sees the business adopt a paranoid posture whereby the SOC is constantly monitoring and looking at all alerts and indicators of compromise to identify potential breaches. This is only made possible through the use of automation which can use predefined rules to identify these events, enrich them with threat intelligence and even remediate them.
 
BN: Doesn’t capturing more events lead to greater risk of missing something important?
 
MJ: Most attacks are best identified through lots of smaller indicators which, when combined, clearly point to a breach. Just as individual pixels may seem irrelevant when looked at in isolation but together form a complete picture, so too can these seemingly innocuous events indicate an attacker’s intent. So, the more events we collect, the better the visibility and our ability to ascertain where we are in the kill chain to prevent the attack from progressing. However, if you seek to analyse more events without having automated processes, playbooks and automated remediation in place, you could well increase the risk of missing a critical event. It’s also critical to look at how you apply that automation, because unless you get the balance right between visibility and tuning, you risk reducing the chance of detection in the first place.
 
BN: How does the automation of threat intelligence and contextual information enrichment improve the quality of a SOC analyst's investigation?
 
MJ: Automation can be used to enrich every alert that is processed by enhancing it with threat intelligence and organisational context, and correlating it with other events pertaining to the same assets and users, as well as other SIEM and EDR data pertaining to the event.

For example, Security Orchestration, Automation and Response (SOAR) used in combination with the SOC can carry out the two or three enrichment opportunities each alert typically presents, which would take an analyst several minutes to research manually, losing valuable time.

SOAR can also be used to automatically close cases that meet predefined criteria or to automatically remediate, such as through the containment of users or devices. And, through the creation of prebuilt playbooks, it can help guide level one SOC analysts through the investigative stages.

All of this enrichment combined with advanced playbook logic enables either the automated analysis and processing of the alert or faster handling by a SOC analyst. It really does the heavy lifting, by dealing with alerts that meet predefined criteria or by doing a large proportion of the investigative actions required on behalf of the analyst.
 
BN: What are the potential risks of relying too heavily on automation in threat detection and response?
 
MJ: Automation is at its most valuable when it’s applied in a defined way that meets the security needs of the business. Blanket applications can do more harm than good. Where an organisation introduces the automated closure of cases, for instance, they need to ensure that the logic is bullet-proof so that they’re not closing down security incidents that require remediation or human escalation. It’s also worth talking here about local automation, by which I mean AI. AI can be hugely beneficial in augmenting the analyst by facilitating free-text hunting, natural language explanations, trend analysis, and playbook and detection engineering. But it also has a cost. In many cases, AI is being used to perform many of the actions automation can, but the commercial viability of high volumes of AI prompts needs to be taken into account. It’s for this reason that we believe automation and AI should be used in tandem, but with each playing to its own strengths.
 
BN: How does this approach change the role of human SOC analysts? Does it make their job more or less critical?
 
MJ: The role of the level one SOC analyst has been evolving greatly over the last few years. Going from very slow manual data correlation to now dealing with data-enriched events at a faster pace has seen the modern-day SOC analyst compared to an online poker player, playing six tables at a time. They’re having to make very fast decisions based on the complex presentation of data, and that can lead to burnout. Thankfully, the need for level one analysts to deal with low-fidelity alerts is decreasing due to automation. What’s more, AI and automation are effectively upskilling these analysts, enabling them to deal with critical alerts that would formerly have been the preserve of more senior analysts. That’s good news for the analysts, who are now guided through the investigative steps; good news for MSSPs, because they are no longer having to compete to recruit experienced analysts from a dwindling talent pool; and good news for customers, because it sees the cost of that human resource go down and with it service costs. But what’s important to emphasise here is that human expertise is a very necessary part of the process. To get better detections you still need to know the right questions to ask, and that requires human analytical capabilities.
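As an added illustration of the three ideas the interview describes (enriching each alert with threat intelligence and organisational context, combining small per-asset indicators into a picture, and only auto-closing when every predefined criterion holds, escalating otherwise), here is a minimal playbook in Python. It is not Cybanetix's or any product's code; the threat-intel feed, asset inventory, alerts, the `crown_jewel` flag and the per-host score threshold are all constructed assumptions.

```python
"""Toy SOAR-style triage (added illustration, constructed data): enrich, correlate, fail-closed auto-close."""
from collections import defaultdict

# Constructed threat-intel feed (indicator -> (confidence, tag)) and asset inventory
THREAT_INTEL = {"203.0.113.7": ("high", "c2"), "198.51.100.9": ("low", "scanner")}
ASSETS = {"srv-db-01": {"crown_jewel": True}, "ws-042": {"crown_jewel": False},
          "ws-101": {"crown_jewel": False}}
SEVERITY = {"low": 1, "medium": 3, "high": 5}

def enrich(alert):
    """Return a copy of the alert with threat-intel and asset context attached."""
    e = dict(alert)
    e["intel"] = THREAT_INTEL.get(alert.get("src_ip"))                # None = no match
    e["asset"] = ASSETS.get(alert["host"], {"crown_jewel": None})     # None = unknown host
    return e

def correlate(alerts):
    """Sum severities per host: the 'pixels form a picture' step."""
    by_host = defaultdict(int)
    for a in alerts:
        by_host[a["host"]] += SEVERITY[a["severity"]]
    return by_host

def decide(alert, host_score):
    """Return 'auto_contain', 'auto_close' or 'escalate'. Every auto-close condition must hold."""
    if alert["intel"] and alert["intel"][0] == "high":
        return "auto_contain"                 # predefined containment criterion met
    if alert["asset"]["crown_jewel"] is None:
        return "escalate"                     # unknown context is never grounds to close
    if (alert["severity"] == "low" and alert["intel"] is None
            and not alert["asset"]["crown_jewel"] and host_score < 3):
        return "auto_close"                   # low, no intel, non-critical host, quiet host
    return "escalate"                         # default: a human looks at it

def triage(raw_alerts):
    """Run the whole playbook and return {alert_id: decision}."""
    enriched = [enrich(a) for a in raw_alerts]
    scores = correlate(enriched)
    return {a["id"]: decide(a, scores[a["host"]]) for a in enriched}

# Constructed sample alerts (RFC 5737 documentation addresses)
SAMPLE = [
    {"id": 1, "host": "ws-042", "src_ip": "192.0.2.5", "severity": "low"},
    {"id": 2, "host": "ws-042", "src_ip": "203.0.113.7", "severity": "medium"},
    {"id": 3, "host": "srv-db-01", "src_ip": "192.0.2.5", "severity": "low"},
    {"id": 4, "host": "ws-099", "src_ip": "192.0.2.8", "severity": "low"},
    {"id": 5, "host": "ws-101", "src_ip": "192.0.2.9", "severity": "low"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Alert 1 would auto-close on its own, but the correlated score of its host (a second alert with a high-confidence indicator) pushes it to escalation, which is the point of combining small indicators before letting automation close anything.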

Image credit: Napong Rattanaraktiya/Dreamstime.com
