Threat detection automation won’t solve all your problems

To close the cybersecurity gap, look to incident response automation


This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

A recent Network World article argued that automated threat detection (TD) is more important than automated incident response (IR). But the piece was predicated on flawed and misguided information.

The article shared an example of a financial institution in which analysts investigated 750 alerts per month only to find two verified threats. The piece claimed that, in this scenario, automated IR could only be applied to the two verified threat instances, therefore making automated threat detection upstream a more important capability by “orders of magnitude.”

The problem with this assertion, however, is that automated IR can do more than just take remediation action once a threat is verified. Automated IR can be applied to each and every one of the alerts TD systems produce, pinpoint the verified threats, and take action to remediate them. In fact, it is precisely because TD systems return so many false-positive alerts that IR automation is experiencing a distinct surge in popularity right now.

In an ESG survey of 100 IT and cybersecurity professionals, more than half (62%) indicated they have already taken action to automate their IR processes. Another 35% reported they are either currently engaged in a project to do so, or plan to initiate an IR automation project within 18 months.

Perhaps the most valuable benefit of automated IR is that it takes on the critical role of trained cyber analysts. Unlike humans, however, the technology can thoroughly investigate and respond to the constant onslaught of alerts produced by TD systems at scale, providing a much-needed solution to the chronic and rampant issue of alert fatigue. It’s an unfortunate reality, but most organizations have too many TD alerts to properly investigate. They don’t have adequate staffing to follow up on alerts, and in order to act on even a small percentage of severe/critical alerts, organizations require ample resources to first classify and prioritize the alerts and then investigate every one of them.

According to research from EMA, 92% of organizations receive up to 500 alerts per day. A wide majority (68%) of research participants said they suffer from some sort of staffing impact to their security teams, and larger organizations reported collecting gigabytes to terabytes of data each day. It should come as no surprise then, that EMA found that 88% of organizations were able to investigate just 25 or fewer severe/critical events per day, with a mere 1% of severe/critical alerts ever being investigated.

So, yes, automated TD is certainly important to incorporate into cybersecurity workflows – anything that can be done to reduce the number of false alerts will help in the long run. But it shouldn’t be considered more important than automated IR, which today can help investigate the crushing volume of alerts, and do so at scale.

The only viable approach to keeping up with automated TD systems and the massive amount of information they deliver – especially for organizations with limited resources – is to stop prioritizing alerts to match analyst capacity and instead leverage security automation tools that can investigate and remediate every alert in real time.

To maintain business security without impacting the bottom line, organizations should seek out solutions that can automatically collect contextual information from other network detection systems or logs. They should also use known threat information and automated inspection capabilities to exonerate or incriminate each alert, and fully automate their remediation process so that once a verdict has been reached, a file is immediately quarantined, a process is killed, or a command-and-control (CNC) connection is shut down.
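As an added illustration (not code from the article or from Hexadite), the following Python sketch runs the collect-context, exonerate-or-incriminate, remediate loop described above over a handful of constructed alerts; the alert fields, allowlists and indicator lists are all hypothetical sample data. Every alert receives a verdict, and anything the automation cannot decide is escalated to an analyst rather than silently dropped.

```python
# Constructed sample alerts, shaped like the output of a threat detection (TD) system.
# Field names are hypothetical; real products differ.
ALERTS = [
    {"id": 1, "type": "file", "host": "ws-17", "sha256": "aaa111", "path": "C:/tmp/a.exe"},
    {"id": 2, "type": "process", "host": "ws-22", "pid": 4412, "image": "svchost.exe", "parent": "services.exe"},
    {"id": 3, "type": "network", "host": "ws-09", "dst": "203.0.113.7", "port": 443},
    {"id": 4, "type": "file", "host": "ws-03", "sha256": "bbb222", "path": "C:/Users/x/report.pdf"},
    {"id": 5, "type": "file", "host": "ws-05", "sha256": "ccc333", "path": "C:/Users/y/setup.msi"},
]

# Constructed enrichment context the automation gathers before judging an alert
# (known-threat information and known-good baselines; all values are made up,
# 203.0.113.7 is a documentation-only TEST-NET address).
KNOWN_BAD_HASHES = {"aaa111"}
KNOWN_GOOD_HASHES = {"bbb222"}                     # e.g. golden-image / vendor allowlist
KNOWN_C2 = {"203.0.113.7"}                         # threat-intel C2 indicator list
EXPECTED_PARENTS = {"svchost.exe": {"services.exe"}}  # baseline of legitimate parent processes


def investigate(alert):
    """Return (verdict, action) for one alert. Verdicts: incriminated, exonerated, unknown."""
    kind = alert["type"]
    if kind == "file":
        if alert["sha256"] in KNOWN_BAD_HASHES:
            return "incriminated", f"quarantine {alert['path']} on {alert['host']}"
        if alert["sha256"] in KNOWN_GOOD_HASHES:
            return "exonerated", "close"
    elif kind == "process":
        if alert["parent"] in EXPECTED_PARENTS.get(alert["image"], set()):
            return "exonerated", "close"
        return "incriminated", f"kill pid {alert['pid']} on {alert['host']}"
    elif kind == "network":
        if alert["dst"] in KNOWN_C2:
            return "incriminated", f"block {alert['dst']}:{alert['port']} from {alert['host']}"
        return "exonerated", "close"
    # Context was insufficient for a verdict: never drop it, hand it to a human.
    return "unknown", "escalate to analyst"


def triage(alerts):
    """Investigate every alert, not just a capacity-limited subset."""
    return [(a["id"],) + investigate(a) for a in alerts]


def summary(results):
    """Count verdicts so the few verified threats stand out from the noise."""
    return {v: sum(1 for _, verdict, _ in results if verdict == v)
            for v in ("incriminated", "exonerated", "unknown")}


if __name__ == "__main__":
    results = triage(ALERTS)
    for alert_id, verdict, action in results:
        print(f"alert {alert_id}: {verdict:12} -> {action}")
    print(summary(results))
```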

The sooner organizations recognize that a purely human approach to TD and IR is unsustainable, the better. Equally crucial is acknowledging that more information (i.e. automated TD) isn’t a blanket solution for effectively fighting cybercrime. With rising threat volumes and a shortage of cybersecurity professionals, organizations need to look to artificial intelligence and automation throughout the threat lifecycle and leverage integrated solutions that continually investigate every single TD alert. In doing so, companies stand to boost employee productivity, gain a greater contextual understanding of their security data, drive impactful remediation action and mitigate cyber threats in real time.

Barak is CEO and co-founder of the security automation company Hexadite. Prior to founding Hexadite he was the head of Elbit Systems Ltd.'s Cyber Training and Simulation Team, training analysts in both the private and public sectors to respond to cyber threats, and served five years in an elite intelligence unit of the Israel Defense Forces (IDF).


Copyright © 2017 IDG Communications, Inc.