Cyber Security

By: Aadisankar R S, Aravind J S

The field of cyber security is expanding, bringing with it an ever-increasing array of tools and solutions. There comes a moment when the complexity of handling infosec-related tasks manually becomes too much. Companies need to bring on board highly skilled professionals, yet a significant portion of their time is dedicated to performing routine, repetitive tasks.
When companies recognize that their problems have escalated, they
understand the need to enhance their management of security tasks.
Automation of some processes emerges as the only solution, enabling
faster operations while still keeping critical decisions in human hands.
Commitment to automation, however, varies among companies.
For instance, some realize the importance of automating their security
operations center (SOC) only after reviewing the outcomes of cyber
security exercises and penetration tests.
In most medium-sized and some large organizations, a typical cyber
security solution can log up to a million security-related events daily that
need to be processed. Of these, 100,000 events are classified as critical or
“red” level, making manual review impossible. Some larger corporations
handle up to a billion events daily, with around 50,000 triggering alerts
based on correlation rules. Given that a single security officer can
manually process only about 200 to 300 events per shift, automation
becomes indispensable. It is the only viable solution to prioritize events
and manage risks effectively.
Automation saves analysts time and reduces errors. It also liberates
employees from monotonous routine tasks that can dampen their
enthusiasm for work. The automation of information security further
ensures better adherence to service level agreements (SLAs). It guarantees
high operational accuracy and prevents the oversight of important
elements.
Economic factors are the main drivers behind the growth of automation,
but they are not the only ones. Government regulations also play a
significant role. When it comes to compliance, companies must take stock
of their IT infrastructure, which involves collecting comprehensive details
about servers and their equipment. For some businesses, this could mean
regularly managing data for tens of thousands of machines.
Security automation debate
There are two conflicting views on automating cyber security. One
perspective advocates for giving customers automation tools across all
aspects of infosec operations, including log management, analysis,
playbook creation and cyber threat intelligence. This approach allows
customers to tailor automation to their needs across numerous security
tools.
The opposing view argues that detailed automation is too complex for
businesses, emphasizing the need for a simpler solution. It suggests a
straightforward, effective system that can immediately counteract hackers,
symbolized by a “big red button” for easy threat mitigation and system
recovery.
Cyber security automation strategy: First steps
When you automate processes, it is important to follow clear logic. If not,
you risk creating more problems: automation of chaos generates automated
chaos.
A practical approach to refining automation logic involves leveraging
experiences from cyber exercises, penetration tests or red teaming.
Analyzing the defensive strategies of the “blue team” during various attack
scenarios helps identify their response algorithms and steps. This process
starts with differentiating between true and false positive alerts, identifying
hacker attributes and evaluating compromised resources. Such insights
enable the automation of defenses by validating logged events, ensuring a
more effective and streamlined response to modern cyber threats.
The first step in enhancing incident response is to automate the collection
of contextual data that informs decision-making. This includes information
about the particular machine or another asset involved in the security
incident, user account details and intelligence on external threat elements
like domain names. This foundational data is important for understanding
the scope and impact of security incidents, enabling quicker and more
effective responses. If the attack continues to evolve, the context gathered at the outset helps correlate subsequent defensive measures with a pre-established hypothesis about how the attack propagates.
The second phase can focus on automating processes triggered during the
incident investigation phase. This strategic automation ensures that, as an
attack unfolds, defenses can adapt quickly based on a solid understanding
of the attack’s trajectory.
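The two phases above (automated context collection, then automated triage as the investigation unfolds) can be shown in a small enrichment routine. This is an added example, not code from the article: the asset inventory, user directory, threat-intelligence feed, scoring weights and the "authorised scanner" false-positive rule are all constructed assumptions.

```python
"""Alert enrichment and prioritisation for the first automation step:
attach asset, user and domain context to each raw SIEM alert, score it,
and separate likely false positives. All data below is constructed."""

# Constructed asset inventory (hostname -> criticality, owner, scanner flag)
ASSETS = {
    "db-prod-01": {"criticality": "high", "owner": "payments"},
    "scan-01": {"criticality": "low", "owner": "security", "scanner": True},
    "ws-0417": {"criticality": "medium", "owner": "finance"},
}
# Constructed user directory (account -> privilege and status)
USERS = {
    "svc_backup": {"privileged": True, "disabled": False},
    "jdoe": {"privileged": False, "disabled": False},
    "old_admin": {"privileged": True, "disabled": True},
}
# Constructed threat-intelligence feed (domain -> verdict)
DOMAIN_INTEL = {"update-cdn.example": "malicious", "mail.example": "benign"}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}   # assumed weights


def enrich_alert(alert: dict) -> dict:
    """Return the alert with context fields, a numeric score and a verdict.
    Missing context is recorded explicitly so the analyst can see the gap."""
    asset = ASSETS.get(alert.get("host"), {})
    user = USERS.get(alert.get("user"), {})
    domain = alert.get("domain")
    intel = DOMAIN_INTEL.get(domain, "unknown") if domain else "n/a"
    missing = [n for n, ctx in (("asset", asset), ("user", user)) if not ctx]
    if intel == "unknown":
        missing.append("domain")
    score = CRITICALITY_WEIGHT.get(asset.get("criticality"), 0)
    score += 2 if user.get("privileged") else 0
    score += 3 if user.get("disabled") else 0   # activity from a disabled account
    score += 4 if intel == "malicious" else 0
    if asset.get("scanner") and alert.get("rule") == "port_scan":
        verdict, score = "likely_false_positive", 0   # authorised scanner
    elif score >= 6:
        verdict = "escalate"
    else:
        verdict = "review"
    return {**alert, "asset": asset, "user_ctx": user, "domain_intel": intel,
            "missing_context": missing, "score": score, "verdict": verdict}


def triage(alerts: list[dict]) -> list[dict]:
    """Enrich a batch and order it so the highest-scoring alerts come first."""
    return sorted((enrich_alert(a) for a in alerts), key=lambda e: -e["score"])
```

Alerts whose asset, account or domain is absent from the inventories are still scored, but the `missing_context` list tells the analyst which lookups the automation could not complete.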
Automation and machine learning integration
We should avoid using the phrase artificial intelligence (AI) when
discussing cyber security automation, as new technologies here tend to be
more closely linked with the concept of machine learning (ML). We can
refer to examples like automating the process of prioritizing security
events to pinpoint the most crucial ones. For example, data clustering
assists security analysts in swiftly determining what is most important to
them.
The application of ML in automation benefits from the extensive
experience gathered from calculating credit scores in banks. Similarly, in
information security, deciding between a false positive and a true positive
often relies on the same fundamental principles.
Another area where ML makes strides involves compiling a series of
events into a coherent sequence, helping security experts in their analyses.
Machine learning plays a key role here by uncovering extra connections
between labeled parameters and events.
The progression of automation tools is moving towards adopting a new
concept known as the Security Data Lake. This is anticipated to aggregate
indicators of all threats detected by the SOC. The automated examination
of this collected data, augmented with contextual information, is expected
to become a principal strategy in information security in the future.
SIEM necessity in security automation
Sometimes, a security information and event management system (SIEM)
is necessary for customers who want to automate routine tasks. However,
it is not always a must-have. For example, you do not need a SIEM if you
need to develop a standalone automation script for a specific function, such
as supporting a WAF against DDoS attacks.
However, you cannot get by without a SIEM when it comes to fully-fledged
automation scenarios. That is because SIEM is crucial in achieving
situational awareness, enabling cross-tool interaction scenarios or
facilitating context exchange. As we know, even with solid protection
across the entire perimeter and centralized risk management, hackers can
still find a way through. Only a unified SIEM system can address the issue
of creating detection logic that goes beyond making decisions based on a
specific security tool.
Measuring security automation effectiveness
Cyber security officers can measure performance in many ways: how
quickly we respond to incidents, how many incidents we identify,
etc. Countless metrics are available, but business owners often do not find
these numbers directly relevant. It is crucial for a business to grasp what it
wants from its information security efforts. Counting the number of
blocked IP addresses does not provide that insight.
Business owners do not need to get into the weeds of information security.
Their main goal is to make money, whereas the role of information
security is to highlight any problems in terms that the business can easily
understand and propose solutions.
Indeed, to measure the effectiveness of automation, you are always free to
combine traditional information security metrics, such as detection time,
response time and the number of incidents, into a comprehensive
evaluation and calculate a specific performance score.
However, there is another approach: consider the chance of mistakes
during response actions and count how many staff members handle
information security duties. By measuring efficiency with these factors,
business owners can more easily grasp the tangible advantages of
automation.
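The scorecard the two paragraphs above describe (detection time, response time, incident count, SLA adherence, response-error rate and analyst load, compared between manual and automated handling) can be produced from incident records like this. This is an added example, not the article's own tooling; the incident records, the four-hour containment SLA and the analysts-on-shift figure are constructed assumptions.

```python
"""Automation effectiveness scorecard: combine detection time, response time,
incident count, response-error rate and analyst load into one report, split
by whether the response was automated. All incident records are constructed."""
from datetime import datetime, timedelta
from statistics import mean

# Constructed incident records. 'automated' marks playbook-driven responses;
# 'error' marks a response action that went wrong and had to be redone.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T02:00", "detected": "2024-03-01T03:30",
     "contained": "2024-03-01T09:00", "automated": False, "error": True},
    {"id": "INC-2", "occurred": "2024-03-01T10:00", "detected": "2024-03-01T10:45",
     "contained": "2024-03-01T13:15", "automated": False, "error": False},
    {"id": "INC-3", "occurred": "2024-03-02T01:00", "detected": "2024-03-02T01:05",
     "contained": "2024-03-02T01:20", "automated": True, "error": False},
    {"id": "INC-4", "occurred": "2024-03-02T14:00", "detected": "2024-03-02T14:02",
     "contained": "2024-03-02T14:40", "automated": True, "error": False},
    {"id": "INC-5", "occurred": "2024-03-03T06:00", "detected": "2024-03-03T06:10",
     "contained": "2024-03-03T11:00", "automated": True, "error": True},
]
SLA_RESPONSE = timedelta(hours=4)   # assumed contractual containment target


def _minutes(later: str, earlier: str) -> float:
    """Elapsed minutes between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 60


def scorecard(incidents: list[dict], analysts_on_shift: int) -> dict:
    """Per-group metrics a business owner can read side by side."""
    groups = {"manual": [], "automated": []}
    for inc in incidents:
        groups["automated" if inc["automated"] else "manual"].append(inc)
    sla_minutes = SLA_RESPONSE.total_seconds() / 60
    report = {}
    for label, group in groups.items():
        if not group:
            continue
        detect = [_minutes(i["detected"], i["occurred"]) for i in group]
        respond = [_minutes(i["contained"], i["detected"]) for i in group]
        report[label] = {
            "incidents": len(group),
            "mean_detection_min": round(mean(detect), 1),
            "mean_response_min": round(mean(respond), 1),
            "sla_met_pct": round(100 * sum(r <= sla_minutes for r in respond) / len(group)),
            "error_rate_pct": round(100 * sum(i["error"] for i in group) / len(group)),
            "incidents_per_analyst": round(len(group) / analysts_on_shift, 1),
        }
    return report
```

Note that the constructed automated group still carries one failed response (INC-5), so the error-rate line does not vanish just because a playbook ran; that is the kind of figure the text suggests showing alongside the headcount.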
The concept of “cost-effectiveness” always plays a significant role,
highlighting the balance between resources allocated at the beginning of an
information security project and those spent to achieve the desired results.
The ultimate goal is to prevent incidents that are considered unacceptable,
using the outcomes as a benchmark for success. The efficiency of
information security automation measures can be assessed by how swiftly
and effectively we achieve this goal. Additionally, the impact of security
measures can be measured through cyber exercises and pen tests,
comparing outcomes to a predefined list of events considered
unacceptable.
Automation stages
The process of automating cyber security routines unfolds in several steps.
Initially, the customer just acknowledges the real advantages of
automation, moving away from their old routines.
In the next phase, it is necessary to identify processes that are already
well defined and where automating routine tasks cannot directly harm the
core business. These are chosen for the initial rollout of automation.
In the third stage, the customer may encounter some information security
failures caused by resource shortages. Automation comes in to resolve
these issues.
Moving on to the fourth stage, the customer’s interest surges as they
actively explore the possibilities of new security tools and seek
opportunities for further automation.
Challenges in implementing automation
Unfortunately, the implementation of automation in cyber security is most
often hindered by a lack of budget and support from senior management. It
is essential to understand that attacks are becoming more frequent and
complex; sooner or later, you will still have to deal with automation. As all
businesses aim for growth, it will inevitably become more expensive and
complicated in the future. Therefore, it is crucial to consider implementing
automation as early as possible.
The significant challenge in implementing automation lies in the need for
the customer to assume responsibility and acquire the security vendor’s
expertise to properly configure the system. The more complex the
infrastructure, the more challenging its implementation becomes.
When vendors provide customers with automation tools for information
security, they also assume the responsibility of supporting various
customer resources, such as the operating system version and hardware
configuration. When implementing such a solution, it is granted system
privileges, which are highly sought after by hackers. Not all IT
departments are prepared to incorporate and implement a powerful tool
with extensive control and account privileges. Ensuring the system’s
security and effectively handling access control poses a challenging task.
Another challenge in implementing automation is the absence of standards.
This becomes evident in real-world scenarios where there is no universal
format for data presentation, and inventory and user account records lack a
common standard. For example, when working with Threat Intelligence
data, total chaos prevailed until recently due to the absence of any
standards.
It is important to use automation thoughtfully. Automating security
operations demands careful attention and a willingness to enhance
expertise within the company, ensuring more effective information security
management.