Getting started with security automation

Stressed and stretched, IT security teams look to automation for relief from high volumes of alerts from their detection and response systems. Here's how three organizations started on the path to automated incident response.


Network engineer Jose Arellano concedes that “the hardest part of my day” is keeping the network safe for 12,700 students, 1,900 staff and more than 10,000 connected devices at West Aurora School District 129 in Illinois. The two-person security team once focused primarily on getting the network running as securely and efficiently as possible for teachers and students. “We always focused on what was inside,” with the school’s limited resources and budget, Arellano says. 

When a DDoS attack took down the district’s network for more than six weeks last fall, however, they struggled to identify the problem. Now he’s had to shift his focus from prevention-only approaches to detection and response. “It is an incredibly difficult job,” he says.

Arellano’s frustration is shared by a growing number of security professionals. Security practitioners worldwide cited the “overwhelming cyber threat environment” as the single biggest challenge facing IT security professionals in 2015 and 2016, according to a study by research firm CyberEdge Group, and new reports offer even more cause for headaches today.

The number of vulnerabilities being reported is rising at an “unrelenting pace,” according to a report by threat intelligence firm Risk Based Security, which logged 4,837 vulnerabilities in the first three months of 2017 alone, up 29.2 percent over the same period in 2016.

The WannaCry ransomware attack marked one of the latest global assaults in a continuous bombardment of malware, ransomware, phishing schemes and various strikes by bad actors — and most are indiscriminate about their targets. Many organizations, regardless of size, receive tens of thousands of security alerts from their monitoring systems every day. Some 37 percent of banks, for example, receive more than 200,000 security alerts a day about possible attacks, according to research firm Ovum.  

The onslaught of attacks only adds to the pain points for security teams. Not only do organizations have to sift through data and prioritize responses to thousands of alerts, but taking action requires hands-on investigating by cyber professionals who are already in short supply. Eighty-one percent of respondents to a survey conducted by Oxford Economics on behalf of ServiceNow said they were concerned about detected security breaches going unaddressed. And a report by Cybersecurity Ventures estimates there will be 3.5 million unfilled cybersecurity jobs by 2021, up from 1 million openings last year.

A slew of new automated detection and incident response technologies are popping up to provide some relief, but many companies are still averse to security automation, says Joseph Blankenship, senior analyst serving security and risk professionals at Forrester Research. “In the past, [automation] has caused us problems,” Blankenship says. “We’ve stopped legitimate traffic, caused outages. There’s a lot of issues with taking automated action without necessarily having somebody look at the action and verify it.”

Now there might be some renewed optimism. “Not until recently have we opened up APIs where we’ve got the ability to not only pull data out beyond just plain and simple log data, or to push an action back. There’s more sharing between platforms, and we’ve created this automation and orchestration layer thanks to APIs that allow a little more free-exchange of data,” says Blankenship.
