26 Oct
Are You Automating Incident Response Responsibly?
Enterprises hungry for new solutions that will help secure their environments have pushed security spending up 3.7%, according to Gartner. However, “interest in technologies focused solely on preventing security breaches is on the wane, in contrast to offerings that enable detection and response,” according to ZDNet.
A quick perusal of the many articles flooding the Internet reveals numerous reasons behind this shift to decrease the dependence on people and automate Incident Response (IR): everything from the talent shortage, to the need for consistent and objective responses, to dealing with the wealth of false positives being spit out by telemetry systems.
In pursuit of efficiency, some vendors would have you believe that the pinnacle of automation, the holy grail of Incident Response, is fully automated response and remediation. But that is ineffective and potentially irresponsible.
The Whole Truth and Nothing but the Truth
Like the amusing insurance commercial where a woman heads off on a date with a fanny-pack-wearing “French model” whom she met on the Internet, not everything we read out there can be believed. And fully automating IR is one of those “too good to be true” claims. So below are a few common “partial truths” that are being used to support the business case for fully automating IR, along with the whole truth as we see it.
Partial Truth: Quick reaction to an event is essential for security.
WHOLE TRUTH: Quickly reacting to an event and making sure it’s handled right is essential to security.
With the median number of days an attacker spends inside a network before being detected pegged at over 200, it’s no wonder the security community has become obsessed with getting faster. However, responding to an event appropriately is even more important. Quickly reacting to an event and inaccurately lumping it in with a bunch of false positives is exactly what cost Target so dearly. Automation may make things faster, but increasing efficiency without increasing effectiveness is money down the drain, and perhaps even a recipe for disaster.
Partial Truth: Full automation is your only option in the face of increasing volume of attacks and shortage of talent.
WHOLE TRUTH: There are varying levels of automation, and they should be aligned with the maturity of your security organization.
Undoubtedly, this is vendors selling a vision, showing you the luxury model when you simply need a daily driver. However, security practitioners beware: like a car engine that’s too powerful for its braking system, automating incident response and remediation can be catastrophic if your organization doesn’t have the people and process in place to work with the automation.
For new security organizations, simply standardizing workflows may help to impose order and reduce the number of fires you’re putting out. Whereas for more mature organizations, automating the process to close and memorialize an incident could dramatically increase the productivity of skilled analysts. Choose the level of automation that will most positively impact your security posture.
Partial Truth: Removing the human element from Incident Response will help to bridge the talent gap.
WHOLE TRUTH: Integrating human judgment into the Incident Response process will help bridge the talent gap.
By their very nature, automation systems are rules-driven. So as soon as rules are created to handle a specific incident, or even to flag an anomaly, attackers can pivot to a new vulnerability to exploit. Completely removing the human from IR simply gives attackers another advantage. Instead, integrating human judgment into the process helps create new intelligence around incidents and ensures that remediation is appropriate and effective.
Automation is not the enemy. It’s simply another technology that we must balance along with people and process as we build out effective Incident Response strategies. So start small with automated enrichment and alert handling, then move to semi-automation of workflows for quicker human decision making. These small steps will return immediate value in terms of speed and consistency. Think of automation as an extension of your team, not necessarily a replacement.
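The tiering described above, as an added illustration that is not code from the original post: enrichment and triage run fully automated because they have no side effects, while any remediation action is held until a named analyst approves it. The intel and asset lookups, host names, indicators and thresholds are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data standing in for a threat-intel feed and an asset inventory.
INTEL = {"203.0.113.45": {"verdict": "malicious", "confidence": 0.92},
         "198.51.100.7": {"verdict": "benign", "confidence": 0.80}}
ASSETS = {"ws-0142": {"owner": "finance", "tier": "workstation"},
          "db-01": {"owner": "platform", "tier": "crown-jewel"}}

@dataclass
class Alert:
    alert_id: str
    host: str
    indicator: str
    enrichment: dict = field(default_factory=dict)
    recommended_action: Optional[str] = None
    action_taken: Optional[str] = None
    approved_by: Optional[str] = None

def enrich(alert: Alert) -> Alert:
    """Tier 1: fully automated, read-only lookups; safe to run on every alert."""
    alert.enrichment["intel"] = INTEL.get(alert.indicator, {"verdict": "unknown", "confidence": 0.0})
    alert.enrichment["asset"] = ASSETS.get(alert.host, {"owner": "unknown", "tier": "unknown"})
    return alert

def triage(alert: Alert) -> Alert:
    """Tier 2: automated recommendation only; nothing is changed on the network yet."""
    intel = alert.enrichment["intel"]
    if intel["verdict"] == "malicious" and intel["confidence"] >= 0.9:
        alert.recommended_action = "isolate_host"
    elif intel["verdict"] == "benign" and intel["confidence"] >= 0.75:
        alert.recommended_action = "close_as_false_positive"
    else:
        alert.recommended_action = "escalate_to_analyst"
    return alert

def remediate(alert: Alert, approver: Optional[str] = None) -> bool:
    """Tier 3: executes the recommendation only with a named human approver.
    Closing as a false positive needs approval too, so nothing is silently discarded.
    Returns True if the action ran, False if it was held for review."""
    if alert.recommended_action == "escalate_to_analyst" or approver is None:
        alert.action_taken = "held_for_review"
        return False
    alert.action_taken = alert.recommended_action
    alert.approved_by = approver
    return True

def run_playbook(alert: Alert, approver: Optional[str] = None) -> bool:
    return remediate(triage(enrich(alert)), approver)
```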
There is no doubt that automation is needed to help address the management challenges security professionals face. Just remember that human judgment is essential for an effective incident response.
Want to talk about what the right level of automation is for your organization?