by Hariharan Madhavan
At a time when security products are competing for a slice of the security budget, CISOs are tasked with doing more with less and have to exercise judgement on what to automate and what is not worth automating.
Vendors who specialize in automation, on the other hand, produce material arguing that they can automate most first-level incident response and threat data collection, leaving only advanced forensics and tasks requiring physical access to assets for human analysts. The argument that automation reduces MTTR (Mean Time to Respond) is true, but the exorbitant cost of these platforms kills much of the interest in the consumer community.
This article aims to strike that balance without burning the wallet: five use cases where modest automation pays for itself.
Use case 1: Phishing email analysis
Let’s face it: users click the “report phishing” button in their email client, and a flood of suspected emails lands on the security team, which must now decide whether each one is legitimate or another intrusion attempt. Most of that first pass is mechanical: who really sent it, did SPF/DKIM/DMARC pass, does Reply-To match the sender, where do the links point, and what are the attachment hashes.
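The following is an added example of that first pass, not code from the original article or any vendor product. It uses only the Python standard library; the two sample messages, the risky-extension list and the scoring rule (three or more indicators means escalate) are constructed assumptions for illustration.

```python
"""First-pass triage of a user-reported phishing email.

Added example using only the Python standard library. The two sample
messages, RISKY_EXT and the scoring rule are constructed assumptions for
illustration, not a product's logic.
"""
import email
import email.utils
import hashlib
import re
from email import policy
from urllib.parse import urlparse

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Assumed: attachment types worth flagging on sight.
RISKY_EXT = (".htm", ".html", ".js", ".vbs", ".iso", ".lnk", ".exe", ".scr")

# Constructed sample: lookalike link, mismatched Reply-To, failed auth, HTML attachment.
SUSPICIOUS_EML = b"""\
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: reset-support@mail-example.net
To: alice@example.com
Subject: Action required: password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password expires today. Reset it here: http://example-com.reset-portal.net/login
--b1
Content-Type: application/octet-stream; name="invoice.htm"
Content-Disposition: attachment; filename="invoice.htm"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Constructed sample: internal mail that passes every check.
BENIGN_EML = b"""\
From: "Comms" <comms@example.com>
To: alice@example.com
Subject: Town hall recording
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass
MIME-Version: 1.0
Content-Type: text/plain

Recording is up at https://intranet.example.com/townhall
"""


def _domain(addr):
    """Lower-cased domain of an address such as 'Name <user@host>' ('' if none)."""
    return email.utils.parseaddr(str(addr))[1].rpartition("@")[2].lower()


def triage(raw):
    """Parse a raw RFC 822 message and return the indicators an analyst wants first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = _domain(msg.get("From", ""))
    reply_to = _domain(msg.get("Reply-To", "")) or sender
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RE.findall(str(msg.get("Authentication-Results", "")))}

    urls, attachments = [], []
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            attachments.append({"name": part.get_filename() or "",
                                "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)})
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))

    indicators = []
    if reply_to != sender:
        indicators.append(f"reply-to domain {reply_to} differs from sender domain {sender}")
    for check in ("spf", "dkim", "dmarc"):
        result = auth.get(check, "none")   # a missing result is treated like a failure
        if result != "pass":
            indicators.append(f"{check}={result}")
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host != sender and not host.endswith("." + sender):
            indicators.append(f"link to {host} outside sender domain")
    for att in attachments:
        if att["name"].lower().endswith(RISKY_EXT):
            indicators.append(f"risky attachment {att['name']}")

    score = len(indicators)
    verdict = "escalate" if score >= 3 else "review" if score else "likely benign"
    return {"sender": sender, "auth": auth, "urls": urls, "attachments": attachments,
            "indicators": indicators, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SUSPICIOUS_EML, BENIGN_EML):
        print(triage(sample)["verdict"], triage(sample)["indicators"])
```

The output is what the analyst would otherwise collect by hand: sender and Reply-To domains, the authentication results, every link host and every attachment hash, ready to be looked up against threat intelligence. Only the "likely benign" bucket is a candidate for auto-closing; anything with an indicator still goes to a person.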
Use case 2: SIEM event context augmentation
SIEMs do a great job of correlating events against a rule and telling us that something went bad, but the buck does not stop there. If the rule fires on a host, we need context on that host: process list, network connections (netstat), browser cache, the logged-in user. If a process looks suspicious and there is no threat intelligence on it, we can query the EDR to sweep other hosts for the same binary, or submit it to a sandbox to see how it behaves. Simply attaching all this context to the SIEM correlation saves the analyst a lot of time, and if every IOC turns out benign, the automation itself can close the alert as a false positive. Benign here means positively vouched for (a known-good hash, an internal address), not merely absent from the intel feed; an unknown should go to a sandbox or an analyst, never to auto-close.
Use case 3: Removing malicious files locked by malware
Malware can be tricky, holding its files open so that antivirus software cannot remove them. This is one reason AV vendors came up with quarantine: move the file to an isolated folder and stop the user from executing it. Still, these items keep showing up as active alerts on the dashboard. To remediate them, the files must be deleted manually with elevated privileges once the lock is released (typically by terminating the process holding the handle). Automation that logs into these machines and does that will save the security analysts a lot of time.
Use case 4: Ransomware protection for a file server
One of the most effective countermeasures against ransomware on a file share is disabling the user account whose session is doing the encrypting. The quicker this happens after the burst of writes begins, the fewer files in the share are affected, and nothing is quicker than automation here. The detection needs a threshold tuned per share and exemptions for backup and migration accounts; otherwise the first thing the automation disables is the backup job.
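The following is an added example of that detection and containment loop, not code from the original article or any file-server product. The audit lines are constructed here in a simplified tab-separated form (not a real server's log format), and WINDOW, BURST_THRESHOLD, EXT_THRESHOLD, RANSOM_EXT and EXEMPT are assumed tuning values; the account-disable call is injected so the example runs offline.

```python
"""Detect a ransomware-style burst of file modifications on a file server
and disable the offending account.

Added example: the audit lines are constructed (simplified tab-separated
file-access events), and the thresholds, extension list and exempt accounts
are assumed tuning values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 50            # modifications by one account inside WINDOW (assumed)
EXT_THRESHOLD = 5               # renames to a known ransomware extension (assumed)
RANSOM_EXT = (".locked", ".encrypted", ".crypt")
EXEMPT = {"svc-backup"}         # service accounts that legitimately touch many files
MODIFYING = {"WRITE", "RENAME", "DELETE"}


def make_sample_log():
    """Constructed audit lines: a backup job, a normal user, a fast bulk editor, and ransomware."""
    base = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    lines = []

    def add(user, action, path, offset_s):
        ts = (base + timedelta(seconds=offset_s)).isoformat()
        lines.append(f"{ts}\t{user}\t{action}\t{path}")

    for i in range(200):                       # exempt backup job, 200 writes in 20 s
        add("svc-backup", "WRITE", rf"\\fs01\backup\finance-{i}.bak", 0.1 * i)
    for i in range(5):                         # ordinary user
        add("jdoe", "WRITE", rf"\\fs01\finance\report-{i}.docx", 10 * i)
    for i in range(60):                        # one write per second, crosses the burst threshold
        add("eve", "WRITE", rf"\\fs01\hr\notes-{i}.txt", 1.0 * i)
    for i in range(80):                        # renames to .locked, two per second
        add("mallory", "RENAME", rf"\\fs01\hr\file-{i}.docx.locked", 0.5 * i)
    return lines


def parse(lines):
    """Turn 'timestamp\\tuser\\taction\\tpath' lines into time-ordered tuples."""
    events = []
    for line in lines:
        ts, user, action, path = line.rstrip("\n").split("\t")
        events.append((datetime.fromisoformat(ts), user, action, path))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, window=WINDOW, burst=BURST_THRESHOLD, ext_hits=EXT_THRESHOLD, exempt=EXEMPT):
    """Return {user: (reason, files_touched_before_trigger, trigger_time)}."""
    recent = defaultdict(deque)      # per-user sliding window of modification times
    ext_count = defaultdict(int)     # per-user count of ransomware-extension renames
    touched = defaultdict(int)       # per-user files modified before we reacted
    flagged = {}
    for ts, user, action, path in events:
        if user in exempt or action not in MODIFYING or user in flagged:
            continue
        touched[user] += 1
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if path.lower().endswith(RANSOM_EXT):
            ext_count[user] += 1
        if ext_count[user] >= ext_hits:          # strong signal: react on a handful of files
            flagged[user] = ("ransomware_extension", touched[user], ts)
        elif len(q) >= burst:                    # weaker signal: plain volume
            flagged[user] = ("modification_burst", touched[user], ts)
    return flagged


def contain(flagged, disable_account):
    """Disable each flagged account through the supplied IAM hook and record what was done."""
    actions = []
    for user, (reason, count, ts) in sorted(flagged.items()):
        disable_account(user)
        actions.append({"user": user, "reason": reason,
                        "files_before_disable": count, "at": ts.isoformat()})
    return actions


if __name__ == "__main__":
    hits = detect(parse(make_sample_log()))
    print(contain(hits, lambda u: print("disabling", u)))
```

The `files_before_disable` figure is the metric that matters for this use case: the extension rule stops the sample ransomware after five files, while the volume rule alone would have let fifty through. In production the `disable_account` hook would call the directory (and ideally also kill the account's SMB sessions), the thresholds would be set per share, and the exempt list would be reviewed so that a compromised service account does not become a blind spot.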
Use case 5: IAM (Identity and Access Management) password resets
Many organizations have brought in self-service password resets. If you are still asking your IAM team to perform resets by hand, it is time to look at a solution where users request a reset and prove their identity through a registered phone number or another verified factor. The reset flow is itself a login path, so the identity check it performs must be at least as strong as the login it replaces.