Incident Response Automation – Security Boulevard
The continuous growth of the company’s IT and information security infrastructure requires monitoring its security, managing incidents through specialized security orchestration, automation and response (SOAR) systems and incident response platforms (IRP), and deploying a comprehensive security operations center (SOC) on their basis. How do you know the time has come for systematic incident management? How can you reduce the cost of comprehensive information security monitoring? How can you proactively protect the entire organization and reduce the likelihood of Type I (false positive) and Type II (false negative) errors?
When is the best time to implement SOAR and IRP? What are the minimum requirements to start implementing?
The time will come when information security professionals will get bogged down in analyzing and responding to the flow of events, as this condition is a breeding ground for errors. In this situation, SOAR and IRP solutions should come to the rescue. To apply such solutions, it is necessary to have a department responsible for the development, implementation and maintenance of information security processes and systems both on paper and in the infrastructure, as well as only a basic set of information security tools. It is also desirable to have a Security Information and Event Management (SIEM) system in place that will support the processing and preparation of events sent to SOAR and IRP.
Every organization deploys at least a simplified version of IRP, for example in the form of IT Service Management (ITSM) and a Service Desk. The classic approach, however, is to combine SOAR and IRP to automate routine operations and speed up incident response. It is time to embark on this path as soon as the need to organize the process of handling cyber incidents appears. But a lot depends on the specifics of the company. A 50-employee organization may desperately need automated incident management, while another 5,000-employee company is quite happy with manual handling.
The minimum requirement to start implementing SOAR/IRP is simply the maturity of the IT and information security services. Recently, the Security by Design approach has gained popularity; it involves executives from both IT and information security in the design phase of the project.
How to reduce the cost of integrating SOAR/IRP into a large-scale heterogeneous IT and information security infrastructure already deployed?
To reduce the cost of implementing SOAR/IRP, it is necessary to elaborate in detail the architecture of the implemented system, which must above all take into account the organization chart of the company, the characteristics of its computing infrastructure, and its network topology. The system itself should offer a variety of deployment options, flexible functionality, and a set of connectors that serve as ready-made tools for integration with external systems.
Cost reduction can be achieved by reasonably minimizing the number of systems the SOAR/IRP will integrate with. To understand what it will be useful to automate, a graphical or textual plan of the actions performed by employees in the event of various types of incidents before the implementation will help.
Another cost-saving factor is that information security professionals should have basic programming skills, which will reduce their reliance on paid integration services provided by third-party organizations. Many vendors offer turnkey integrations, but they often need to be tailored to your goals.
Refining Incident Analysis Scenarios in SOAR/IRP Solutions
First, we need a well-designed process for responding to incidents. Its components include data sources, categories, maps and fields, scripts, workgroups, integrations, metrics, and more. It helps to take advantage of best practices such as ISO, NIST, and MITRE. Next, it is important to start using the system and several scenarios in production. Gradually, points for improvement will surface in coverage, depth of enrichment and automation, convenience, flexibility and fault tolerance, and these can be addressed in future development.
The objective of improving incident analysis scenarios is achieved, among other things, by the continuous development of the expertise of the employees in charge of information security, both in their knowledge of the technical facets of modern threats and in detection and prevention. It is also important that someone in the information security department is able to convince business stakeholders to invest in additional means of protection, which will help build more complete scenarios and automate, as far as possible, the process of detecting, investigating and eliminating the consequences of a cyber incident.
Where can I find professionals to work and analyze data in SOAR/IRP?
A professional hired on the market will not be immediately ready to perform tasks within the framework of working with SOAR/IRP. Regardless of qualification and skills, the specialist will have to deal with the specifics of the organization’s infrastructure and the protection mechanisms that are in place. On the other hand, an employee already working in the organization has the necessary knowledge about the infrastructure and, although he does not have the skills to operate the new system, he can acquire a basic understanding during the phase of implementation, and more specific skills as the system is used.
The best option would be to use a mixed approach, which includes the contribution of internal specialists who know the company’s IT infrastructure and the involvement of third-party expertise for the SOC. This interaction will build the skills of the company’s teams and leverage experience and expertise for independent monitoring and analysis of information security incidents in SOAR/IRP.
It should be noted that the search for qualified specialists in the labor market does not cover the personnel needs of modern SOCs, so you still have to train your own personnel. As a rule, there are basic tasks for young specialists, and a well-built training and mentoring system will allow them to quickly become professionals. Proper partner or vendor training is also important, although there is no substitute for implementing IRP and analyzing real incidents.
How do you know if an organization is ready for SOC?
The need for a SOC arises when the company and its information security department reach a certain level of development. Using it as a service does not necessarily imply the creation of a dedicated unit or the implementation of new systems. However, by the time a decision about the SOC is made, blocking tools such as a firewall, anti-virus software, and a network- or host-based intrusion prevention system (NIPS or HIPS) should already be implemented and take priority over detection tools. Then it is necessary to make a calculation: if the costs induced by the risk events that the SOC can block are higher than the price of its services, you are ready to take the plunge.
Regulatory frameworks have helped many organizations mature, so it is important to consider whether there are regulatory requirements. Understanding the need for a SOC works in much the same way as with management reporting: at some point it becomes clear that there is too much data and it is time to change the angle of view (dashboards, reports, indicators). Another criterion is when you want to turn incident response into a constant and evolving function.
In general, the SOC is a set of processes, and if the organization is ready for the implementation of SOAR/IRP, the main tool for the specialists of the response center, then the introduction of the SOC becomes only a matter of time.
SOC: in-house or as a service
Each option has its advantages. Your own SOC means full consistency with the infrastructure and business processes and rapid response to their changes. However, an in-house solution has the disadvantage of requiring skilled monitoring around the clock. This involves such a large investment (OPEX and CAPEX) in systems implementation, research, development and staff retention that deployment is not always feasible.
To make the right decision, it is necessary to decide which information security functions the company wants and can implement internally, and in which cases external resources will be involved. Much depends on the IT infrastructure and the number of information security specialists. The ideal would be to use a hybrid model, combining the skills of the internal team with the cybersecurity services, supplementing the internal SOC with expertise that is inappropriate to keep within the company.
Is it possible to introduce artificial intelligence (AI) technologies in information security incident management?
Of course, AI technologies inevitably penetrate all processes, including information security. There are problems in nondeterministic logic that AI can solve better than other approaches. But one must be realistic in assessing AI capabilities. As in any other field, the principle of acceptable accuracy plays a role in information security. That is, the AI will never be able to handle every incident on its own, and in any case a human will have to perform some of the actions, including working with non-obvious false positives, revising the correlation rules, etc. In practice, raising the acceptable accuracy benchmark invariably increases labor costs.
In a broad sense, AI in incident management is not expected to replace humans in investigations anytime soon, but in terms of automation great progress is constantly being made, and one of its application points is SOAR. Many vendors are already trying to bring additional value to their customers through the use of AI. But the truth is that only a small percentage of organizations have reached the point where the simpler methods of detecting, investigating, and responding to information security incidents have been exhausted.
The main areas where AI technologies are most in demand are:
- partial automation of false positive checking;
- IRP training in automatic incident classification;
- the implementation of tools for predicting the development of attacks and complex IT incidents.
The general objective of these technologies is to increase the automation of the work of analysts and specialists who provide countermeasures to computer attacks. The use of AI technologies in this part will become more and more common.