Automation in operational cyber security: stop the hype
In cyber security, automation is often reduced to a marketing concept – SOAR (Security Orchestration, Automation and Response). The term covers actions, once performed manually by cyber analysts, that can now be automated. Adopting automation in operational cyber security has become crucial for:
- Assessing and responding quickly to certain security incidents when every minute counts (e.g. ransomware attacks).
- Optimising the time experts spend working and preventing cyber fatigue (limiting tedious, repetitive and time-consuming tasks).
High expectations vs promises: a potentially vicious circle
Faced with a growing threat and increasingly fast and sophisticated attacks, companies have heightened expectations of their cyber protection – particularly regarding reaction time (identifying and responding to incidents) and relevant alerts (avoiding false positives).
In response, software publishers are inclined to offer quick-fix solutions, which inevitably struggle to deliver on their promises. These somewhat oversold solutions serve mainly to enable analysts to sort and assess alerts more quickly, but are less helpful for responding to incidents.
Three limitations of automation in cyber security
#1 Technical limitations
It is generally possible to automate detection, classification and identification actions. Performing remediation actions, however, requires the client's technical solutions to be orchestrable, which in practice means an API through which the targeted technology can be administered. It is also essential that the orchestration solution scales so it can handle many automations at once.
An on-premises solution that can only be managed through a graphical user interface is much harder to orchestrate remotely.
#2 Lack of context
To automate decision-making, you need context and repeatable, controlled patterns and models. But keeping context repositories complete and up to date is almost impossible! The information is often scattered and incomplete, or even stored only in the heads of experts within the organisation. And automating operational cyber security telepathically is not (yet) possible.
#3 Lengthy approval process
It is possible to establish automatic reaction strategies within specific areas that the client has validated. But approval is usually required to be able to take concrete action.
Some approval loops involve more than one person: the main contact might not be authorised to accept, or a third party might have to sign off on information before a decision is made, etc.
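The three limitations above can be expressed as gates in a triage step: enrichment and classification run unattended, while remediation only runs by itself when the asset is orchestrable, its context is known, and the action falls inside a scope the client validated beforehand. The following Python is an added, hypothetical example written for this page, not Advens code; the context repository, criticality ranks and pre-approved actions are constructed sample data.

```python
"""Hypothetical SOAR-style triage step; constructed data, not Advens code."""
from dataclasses import dataclass

# Constructed context repository. It is deliberately incomplete (no entry for
# "srv-db-07") to model scattered or missing context (limitation #2).
CONTEXT_REPO = {
    "ws-hr-12":   {"criticality": "low",  "api_managed": True},   # EDR-enrolled laptop
    "srv-erp-01": {"criticality": "high", "api_managed": True},   # business-critical server
    "fw-edge-02": {"criticality": "high", "api_managed": False},  # GUI-only appliance
}
RANK = {"low": 0, "medium": 1, "high": 2}

# Reaction strategies the client validated in advance (limitation #3):
# action -> highest asset criticality for which it may run without sign-off.
PRE_APPROVED = {"isolate_host": "low", "block_ip": "high"}

@dataclass
class Alert:
    asset: str
    ioc_match: bool        # constructed CTI enrichment result
    proposed_action: str   # remediation the detection rule suggests

def triage(alert: Alert, ctx_repo=CONTEXT_REPO, approved=PRE_APPROVED) -> dict:
    """Enrich, classify and decide whether remediation may run automatically."""
    # Enrichment and classification are the automatable part of the flow.
    if not alert.ioc_match:
        return {"class": "false_positive", "auto": None, "queue": None}
    ctx = ctx_repo.get(alert.asset)
    if ctx is None:
        # No context, no automated decision: hand the alert to an analyst.
        return {"class": "unknown_asset", "auto": None, "queue": "manual_review"}
    decision = {"class": f"confirmed_{ctx['criticality']}", "auto": None, "queue": None}
    action = alert.proposed_action
    if not ctx["api_managed"]:
        # Limitation #1: nothing to orchestrate without an API; a human acts on the GUI.
        decision["queue"] = "manual_remediation"
    elif action in approved and RANK[ctx["criticality"]] <= RANK[approved[action]]:
        decision["auto"] = action  # inside the validated scope: run it unattended
    else:
        decision["queue"] = "approval_request"  # outside scope: enter the approval loop
    return decision

if __name__ == "__main__":
    samples = [Alert("ws-hr-12", True, "isolate_host"), Alert("srv-erp-01", True, "isolate_host"),
               Alert("fw-edge-02", True, "block_ip"), Alert("srv-db-07", True, "isolate_host"),
               Alert("ws-hr-12", False, "isolate_host")]
    for a in samples:
        print(a.asset, a.proposed_action, triage(a))
```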
How Advens harnesses the power of automation
A data-centric and automation-by-design approach
At Advens, managing a security incident is a process that consists of several steps, each of which can be optimised. Background data and Cyber Threat Intelligence (CTI) must be integrated into the incident management process as early as possible (data-centric approach) to save time during analysis and limit the number of alerts.
A crucial part of optimising a process is eliminating “unnecessary tasks”. That is the essence of automation by design: optimising workflow and automating trivial, repetitive or costly tasks performed by analysts.
That is how Advens designed its SOC automation. It integrates and adds value to each step of the incident response process (collection, enrichment, threat detection, classification, communication and remediation).
Synergy and collective intelligence
By automating the CTI and the review of monitoring plans, Advens is able to provide a shared knowledge base to all the organisations it protects.
The Advens mySoc platform can also be orchestrated via APIs. It lets experts and analysts create automations for specific business processes – making them both operators and designers of solutions.
The Advens approach: four benefits for end users
- A security incident management process that is optimised at every stage.
- Shorter classification and remediation times.
- A reduced false positive rate.
- An adaptive and evolving vision of cyber security: when other areas need to be secured or new algorithms are introduced, companies can seamlessly integrate them into their security process.
“Automating operational cyber security means integrating the entire processing flow, from enriching the data collected to remediation actions. At Advens, this is made possible by the data-centric and automation-by-design approach of our platform.”
Mickaël Beaumont • Product Manager at Advens
In light of increasingly aggressive and frequent attacks, automation is a must. But it is not a silver bullet! Incident detection and management can be automated, but remediation actions must be done by hand. Data context, collective intelligence and operational excellence are essential to achieving this. This is the core of how Advens’ mySOC solution works.