Automated mitigation on endpoint devices and networks can be tricky

Automating the incident response and mitigation process for networks and endpoint devices is a tough nut to crack


Many companies have automated systems in place for preventing, detecting, and investigating security incidents, but automating the incident response and mitigation process for networks and endpoint devices has been a tougher nut to crack.

That includes actions such as automatically re-imaging endpoint devices, isolating devices from corporate networks, or shutting down particular network processes in order to quickly and efficiently respond to attacks.

"I think there's a lot of potential," said Joseph Blankenship, analyst at Forrester Research. "We're definitely in a period of discovery, though, and that has to take place before we're going to see widespread, mainstream adoption."

Enterprises first need to get more experience with security automation tools, he said, and see what impact they have.

But full incident response automation is probably three to five years from becoming reality, he said.

"I think we're seeing some early attempts," he said. "Say, if every time you see the same threat indicator, the analyst gets action recommendations from an automated tool or machine learning algorithm and makes the same choice, to click yes, let's go ahead and take the next step. Then if we do that 500 or 1,000 times we can agree that this is a process that we can fully automate and take the analyst fully out of the loop."

At that point, the analysts can focus on their more difficult, complex situations.

But companies can also approach automation without a machine learning system, if they already have incident response playbooks in use at their company, said Ariel Tseitlin, partner at Foster City, Calif.-based investment firm Scale Venture Partners.

"Take one of those playbooks, and take security automation tools, and test how much of that playbook can be automated," he said. "That's a very practical and real way of going and determining if a tool is applicable for an individual environment and how much benefit you can get from it."

Even partial automation can be very effective, he said.

"Say you have malware on an endpoint, and your playbook for that has 50 steps in it," he said. "If you can, say, automate 80 percent of it, you can see how many hours of savings you'll get for your security team, and you can quickly get proof of value."

Tseitlin said that he talks with customers when deciding whether to invest in any particular security startup, and he's finding that real value is already being realized.

One key factor that determines whether a particular incident response technology works is whether the enterprise itself is ready for automation.

"Different companies are at different stages of security maturity," he said. "If you haven't thought about the process, then thinking about automation is really premature. The first thing you have to do is map out the risks, threats and controls, and then you think about how you go through implementing each of those controls. But then when you've gone through that, automation is a great way to accelerate and improve the efficiency of the organization."

Cleaning up the end points

One of the earliest uses of automation on endpoint devices has been to quarantine or remove malware files before they do any damage.

Almost every PC now has some form of anti-virus, and many companies are also using behavior-based malware detection to spot new threats.

A manual response would be too slow, since malware can act quickly to damage a device, or even to start spreading to other machines on the same network.

"So it's not a new concept," said Rob Clyde, security consultant and member of the ISACA board of directors.

But what happens if a user clicks on a malicious link or attachment, and installs malware that is able to evade all the defenses, install itself on the machine, and begin to do damage?

A typical response would be to store a copy of the device image for later forensic analysis, wipe the machine, restore it from a clean image, and restore the user's files from the latest backup. While this is all happening, the user might get sent to take some anti-phishing training so as to be more careful next time.

Automating this process is easier for some companies than others, said Clyde.

"Some have gone to complete virtual desktops," he said. "In essence, their desktop is always available to be re-imaged, because the physical machine is just a host for the virtual desktop."

Similarly, if a company has its employees use a cloud-based platform like Office 365 and saves all work documents either on its own servers or in the cloud, then reimaging can also be relatively quick and easy.

In both cases, there's less risk of losing valuable files in the process, which also limits the damage done if a machine is wiped and it turns out there was no actual infection.

"At the very same time, we have heavy knowledge workers, say, someone in a marketing organization, who is constantly working on new ad copy and PowerPoint presentations," he said. "These are still often stored, at many companies, locally on the individual machine. The idea of wiping that machine and losing a day's work unnecessarily is putting some companies off of trying to adopt this."

Isolating the threat

Another common technique for automated mitigation is to quarantine infected machines.

"You might not wipe it, but it won't spread the infection any further," he said.

But doing this requires more than just having endpoint protection in place, he said.

"It does require network access controls," he said. "If you have a link between the detection of the infected endpoint, and the network access control system, that can automatically link back with network security products and actually keep that device from connecting to the network."

But too often, when products that have those capabilities are deployed, they aren't implemented.

"In some cases, there's a bit of a check-the-box mentality," he said. "And nobody is asking whether I've implemented the network access controls. They should add that to the check list."

In a large organization, there can be an additional barrier to setting up these kinds of systems: the people responsible for the networks and the people responsible for endpoints are two different groups.

"It requires cooperation," he said, "and sometimes the cooperation is just too hard to get."

In addition, there's the question of how many devices have to be isolated, said Jon Oltsik, senior principal analyst at Enterprise Strategy Group.

"If I quarantine one system, that's fine," he said. "But if I'm quarantining more systems, it gets more complex."

The more extensive the required response, the more complicated it gets, he said. "And the more confidence you have to have that you're doing the right thing."

Smart networks

There are many tools available today that can detect suspicious activity on the network.

"You see a person in marketing has launched a network scan -- that shouldn't happen, so you can quarantine that system," said Oltsik. "Or you see systems beaconing out to known command and control servers, so you can stop them at the system level or the network level. That's pretty routine, and there are lots of companies that do that."

But the more sophisticated the attack, the harder it is to automate a response, he said.

That doesn't mean network vendors aren't trying.

Network security has been a hotbed of activity recently when it comes to automation, said ISACA's Clyde.

"If you were to walk around the last RSA show, you would see network security company after network security company touting how they automate detection of attacks and in some cases automatically take action," he said.

But opinion is divided as to whether this is a good idea.

"Some voice concerns about taking action without human involvement, especially if a system was not 100 percent deterministic," he said. "They might get it wrong, and take some action that might block legitimate activity. But others are like, 'The attackers move too quickly and we need automation.'"

If false positives are too high, companies prefer to send the alerts to analysts for manual response.

"We are making progress," he said. "But the state of the art tends to be about detecting, and not taking action, except for cases where it's 99.9 percent certain that it's real."
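The two gating rules described in this article, Blankenship's "the analyst clicked yes 500 times, so automate it" and Clyde's "act only when 99.9 percent certain", can be combined into one decision point in front of a response action. The sketch below is an added example, not code from any vendor or interviewee; the indicator and action names are hypothetical, the thresholds are the article's, and the rule that a single analyst rejection resets the approval streak is an assumed policy.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds from the article: act unattended only when detection is "99.9 percent
# certain", or once analysts have approved the same action for the same indicator 500 times.
AUTO_CONFIDENCE = 0.999
AGREEMENT_THRESHOLD = 500

@dataclass
class AutomationGate:
    """Routes a recommended response to "auto" (unattended) or "analyst" (queued for review)."""
    # (indicator, action) -> consecutive analyst approvals of that recommendation
    approvals: dict = field(default_factory=lambda: defaultdict(int))

    def route(self, indicator: str, action: str, confidence: float) -> str:
        if confidence >= AUTO_CONFIDENCE:
            return "auto"  # detection alone is certain enough
        if self.approvals[(indicator, action)] >= AGREEMENT_THRESHOLD:
            return "auto"  # analysts have made the same choice enough times
        return "analyst"

    def record_analyst_choice(self, indicator: str, action: str, approved: bool) -> None:
        key = (indicator, action)
        # Assumed policy: one rejection (a false positive) resets the streak, so a
        # human stays in the loop for that indicator until trust is rebuilt.
        self.approvals[key] = self.approvals[key] + 1 if approved else 0

def process_alert(gate: AutomationGate, indicator: str, action: str,
                  confidence: float, analyst_approves) -> str:
    """Handle one alert; analyst_approves(indicator, action) stands in for the human."""
    route = gate.route(indicator, action, confidence)
    if route == "analyst":
        gate.record_analyst_choice(indicator, action, analyst_approves(indicator, action))
    return route

def simulate(gate: AutomationGate, alerts, analyst_approves) -> dict:
    """Run a stream of (indicator, action, confidence) alerts and count the routes."""
    counts = {"auto": 0, "analyst": 0}
    for indicator, action, confidence in alerts:
        counts[process_alert(gate, indicator, action, confidence, analyst_approves)] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample: 600 beaconing alerts for one hypothetical C2 indicator at
    # 95% confidence; the analyst approves isolation every time it is asked.
    stream = [("c2-beacon.example.invalid", "isolate_endpoint", 0.95)] * 600
    print(simulate(AutomationGate(), stream, lambda i, a: True))  # {'auto': 100, 'analyst': 500}
```

The first 500 alerts go to the analyst queue and the remaining 100 run unattended; a single rejection sends that indicator back to the queue, which is the false-positive brake the article's skeptics ask for.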

Fortunately, because of improving technology, human analysts are able to handle and monitor a lot more than they could even a couple of years ago, he said.

"That's the good news," he said. "The bad news is, I'm not sure that we're keeping up with the innovation on the attacker side."

Copyright © 2017 IDG Communications, Inc.
