Data is all around us, but not all of it is actionable. Today's security operations teams are swamped with data-driven alerts, many of them false alarms. Tapping into relevant information -- that can quickly point analysts in the right direction to find and resolve significant security incidents, for example -- is key.
Purpose-built incident response automation tools can help. Such tools sort through oceans of data to quickly detect, analyze and prioritize potential cybersecurity incidents in an enterprise's infrastructure. They cut through alerting glut and help often understaffed security operations teams shorten their response times.
What is incident response automation?
- automatically analyze and correlate data from different sources to identify and triage incidents that threaten an organization's cybersecurity; and
- automatically complete routine, standardized tasks to expedite the incident response process and increase SecOps teams' efficiency and effectiveness.
Automated incident response technology is gaining significant traction in the enterprise security operations center (SOC). As infrastructures continue to grow in size and complexity -- with many now spanning multiple private LANs, data centers and clouds -- the data they produce grows harder to manage. Manually addressing each security alert is, therefore, inefficient and impractical, and locating the root cause of a security or performance problem is becoming increasingly challenging.
Automated incident response tools aim to find and show SOC teams only relevant, actionable alerts, suppressing those that correlate to benign activity. The technology can also use automated playbooks to resolve common, lower-risk incidents and suggest operator next steps for higher-risk cyber threats.
Incident response automation streamlines the steps necessary to recognize the following:
- a significant incident occurred;
- the incident's root cause;
- why it occurred; and
- what can be done about it.
What are the benefits of incident response automation?
By tapping into and analyzing the vast amounts of security and health data various network, system and security components produce, incident response automation tools offer the following benefits:
- Reduced alert fatigue. The typical enterprise SecOps team fields thousands of security alerts every day. Without the benefit of automation, security analysts can easily spend the bulk of their time investigating false positives, while critical incidents fall through the cracks.
Incident response automation and ML technology can learn to recognize and automatically suppress false-positive alerts, thus significantly reducing alerting noise.
- Alert triage. After dismissing false alarms, tools then analyze, correlate and classify others according to severity. This helps streamline decision-making by flagging the most critical incidents for immediate human intervention.
- Automatic investigation and response. Some advanced automated incident response technology has functionality that moves beyond alert triage. Security orchestration, automation and response (SOAR) tools are capable of responding to incidents using policy-driven playbooks. For instance, if a system appears to have a ransomware infection, a SOAR platform might initiate an automated workflow to isolate it.
These tools can also suggest response paths for SecOps pros as they work to remediate cyber threats.
- Automatic ticketing and alerting. Incident response technology can automatically open and manage tickets, as well as alert appropriate stakeholders to an incident and update them in real time.
- More effective use of human intelligence. In taking many routine, manual and repetitive tasks off security analysts' plates, incident response automation leaves them more time for advanced, high-value activities, such as responding to critical incidents and engaging in proactive threat hunting.
By automatically correlating event data from multiple sources, automation also reduces the amount of human investigation required to identify an incident's root cause.
- Faster response and resolution. By reducing mean time to detect (MTTD) an incident -- and by gathering, correlating and presenting contextual information from diverse data sources at the speed of machines and at scale -- automated incident response technology positions analysts to conduct their investigations of high-risk alerts as efficiently as possible. This should, in turn, lead to a shorter mean time to repair (MTTR), reducing attacker dwell times and minimizing damage to the organization.
- Automatic case management and reporting. Manually tracking performance metrics, such as MTTD and MTTR; weaving data from multiple sources into a single case narrative; and generating incident reports are tedious and time-consuming. Automation technology gathers and presents relevant information, nearly instantaneously.
- Cost savings. Automated incident response technology can support cost savings by reducing the burden on chronically overworked and understaffed security teams, improving productivity and talent retention. Better security outcomes may also mean an organization saves money it would have otherwise lost in a serious incident, such as a data breach.
While automated problem-solving capabilities in some tools, such as SOAR, are improving, in general, they still have significant limitations. For now, incident response automation's key benefit is to reduce alerting noise and handle basic, repetitive tasks so operations teams can spend their time identifying and solving high-priority security issues.
How does incident response automation work?
Automated response technology works by ingesting, processing and analyzing huge amounts of raw data from diverse sources. These vary depending on the type of tool -- i.e., SIEM vs. SOAR -- but may include the following:
- malware detection software;
- application logs;
- intrusion detection systems and intrusion prevention systems;
- identity and access management;
- external threat intelligence feeds;
- endpoint security software; and
- other third-party sources.
After analyzing the data using ML and AI, security automation technology aims to do the following:
- separate meaningful flags from false positives;
- prioritize the most significant alerts; and
- point to where in the infrastructure a problem might originate.
Incident response automation use cases
Consider implementing one or more of the following use cases to improve incident response via automation:
- automated DNS lookups of domain names never seen before and driven by proxy and DNS logs;
- automated searches for detected indicators of compromise;
- automated forensic imaging of disk and memory from a suspect system driven by alerts triggered in network- and host-based antimalware platforms and tools; and
- network access controls automatically blocking outbound command-and-control channels from a suspected system.
Incident response automation can also help in forensic evidence gathering, threat hunting and even automated quarantine or remediation activities on suspect systems.
Incident response automation best practices
Successful incident response automation largely depends on the ability to pull relevant data streams into tools that can analyze them and provide meaningful insights.
As such, security pros must identify the following:
- which data streams the enterprise's infrastructure produces;
- which data streams its existing automated incident response tools support; and
- any untapped data streams they could add to provide optimal visibility.
In this information-gathering process, one may find some hardware and software manufacturers require the use of proprietary tools for health and security analysis and incident response automation. In other cases, teams can use standards-based telemetry, which opens the door to any number of third-party tools. The good news is manufacturers are beginning to listen to customer feedback, with many working to integrate a more standards-based approach for those that demand it.
To summarize, incident response automation best practices include the following:
- Tool selection. Select a tool that can ingest and analyze the specific forms of an infrastructure's polled, sensor-driven and telemetry data.
- Data sourcing. Pick and choose the right data sources and connect them to the automation tool.
- Manual tuning. An infrastructure is likely to produce false positives and white noise that is not meaningful in identifying root causes. Use manual tuning to eliminate these where possible.
After deployment, such tools offer numerous ways to customize the prioritization of incident alerts, such as flagging appropriate operations team members responsible for remediating a certain type of incident.
Dave Shackleford contributed to this article.