Automation is the key to crisis management, writes Faiz Shuja, co-founder and CEO of SIRP, a security response platform.
A ‘Black Swan’ event such as Covid-19 brings unprecedented change almost overnight. With it comes a fresh wave of new cyber threats. Whether it’s employees working from home, stretched cybersecurity resources where some security analysts are off sick, or threat actors launching pandemic-related phishing campaigns and preying upon people’s desire for news or free assistance, the cyber risks mount up quickly.
As a result, Security Operations Centre (SOC) professionals still at their desks face a greatly increased workload as multiple security tools deliver higher and higher volumes of threat alerts. However, by using machine learning and risk-based decision making to automate their security operations, SOC teams can prioritise alerts to ensure prompt decision-making and rapid response.
The coronavirus cyber threat
In a joint advisory, the UK’s NCSC (National Cyber Security Centre) and the US Cybersecurity and Infrastructure Security Agency (CISA) warned that advanced persistent threat (APT) groups are using Covid-19 to target individuals and organisations. Together, the agencies highlighted that threat actors are deploying malware and ransomware, for example by luring victims to coronavirus-related domains that purport to offer information but in fact serve malicious files. This is exemplified by the fact that between the beginning of February and the end of March, more than 42,000 new Covid or coronavirus domain names were registered, around half of which are thought to be involved in malicious activity.
Additionally, both agencies have detected cyber criminals scanning for vulnerabilities in remote working tools to take advantage of the increase in home working. Using such vulnerabilities, threat actors can access an organisation’s network to carry out a variety of malicious activities.
The fact that employees are working from home in such vast numbers is also creating a huge security challenge. For starters, it has greatly expanded the attack surface through which threat actors can infiltrate an IT network. This is likely to be exacerbated by shadow IT, as employees potentially use their own equipment with varying degrees of security. Many will also attempt to use unauthorised apps in a bid to increase their productivity, but at the same time inadvertently create new vulnerabilities.
All of this is putting additional pressure on already overworked SOC analysts. Before the pandemic, research from Cisco found that nearly half of all alerts received by security teams went unchecked, a proportion that has probably gone up under the strain of the lockdown. The same survey also showed that nearly three quarters of the alerts actually checked turned out to be false positives.
The workload that goes into manually investigating every alert is exacerbated by the fact that the average SOC can have up to 50 different platforms to check, including firewalls and security information and event management (SIEM) tools. Trying to correlate all this information from different sources takes time and puts analysts under a great deal of pressure. The decisions they make can be mission-critical: one mistake could let a threat slip into the network or cause serious disruption to operations. Faced with this kind of pressure every day, it is little wonder that, even before the pandemic struck, two-thirds of analysts considered leaving their jobs.
The key to helping SOC analysts deal more quickly with the rising volume of alerts is automation. Machine learning and risk-based decision making can do the heavy lifting when it comes to responding to lower-level alerts, meaning analysts are free to tackle more complex cases. Further accuracy and time savings can be made by introducing a risk-based Security Orchestration, Automation and Response (SOAR) platform. This approach brings together all the different security alerts, threat intelligence feeds, risks and vulnerabilities and fuses them with asset information to provide security analysts with a clear view of the nature and severity of each alert. This intelligence helps security teams prioritise incidents and direct response quickly to the most serious threats.
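As an added illustration of the fusion step just described, and not code from the article or from SIRP’s product, the Python below scores each alert by combining its severity, the criticality of the asset it concerns, a match against a threat-intelligence feed and whether the alert touches a known unpatched weakness on that asset, then routes low-risk alerts to automated handling and high-risk ones to an analyst or escalation. Every hostname, domain, weight and threshold is constructed for the example; the scoring formula is an assumption chosen for clarity, not any vendor’s model.

```python
"""Risk-based alert triage: fuse alerts from several tools with asset value,
threat intelligence and known weaknesses into one ranked, routed queue.
All data and weights below are constructed for illustration."""
from dataclasses import dataclass

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
DEFAULT_CRITICALITY = 2     # assumed weight for hosts missing from the inventory
INTEL_MULTIPLIER = 2.0      # assumed boost when an indicator matches the intel feed
EXPOSURE_MULTIPLIER = 1.5   # assumed boost when the alert hits a known weakness
MAX_RAW = 4 * 5 * INTEL_MULTIPLIER * EXPOSURE_MULTIPLIER  # 60.0, used to scale to 0-100

# Constructed asset inventory: criticality 1-5 plus tags for known unpatched
# weaknesses. The tags are made up, not real vulnerability identifiers.
ASSETS = {
    "fin-db-01": {"criticality": 5, "weaknesses": {"unpatched-remote-access"}},
    "vpn-gw-02": {"criticality": 4, "weaknesses": {"unpatched-remote-access"}},
    "laptop-117": {"criticality": 2, "weaknesses": set()},
}

# Constructed threat-intel feed; the reserved .example TLD resolves nowhere.
INTEL_DOMAINS = {"covid19-relief-update.example", "corona-map-live.example"}


@dataclass(frozen=True)
class Alert:
    tool: str                             # platform that raised it (siem, firewall, edr)
    host: str                             # asset the alert concerns
    severity: str                         # low / medium / high / critical
    category: str                         # short tag for what was observed
    indicators: frozenset = frozenset()   # domains or hashes seen in the event


def risk_score(alert: Alert) -> float:
    """Return a 0-100 score fusing severity, asset value, intel hit and exposure."""
    asset = ASSETS.get(alert.host,
                       {"criticality": DEFAULT_CRITICALITY, "weaknesses": set()})
    sev = SEVERITY_WEIGHT.get(alert.severity, 1)
    intel = INTEL_MULTIPLIER if alert.indicators & INTEL_DOMAINS else 1.0
    exposure = EXPOSURE_MULTIPLIER if alert.category in asset["weaknesses"] else 1.0
    raw = sev * asset["criticality"] * intel * exposure
    return round(100 * raw / MAX_RAW, 1)


def route(score: float, alert: Alert) -> str:
    """Decide who handles the alert: playbook automation, an analyst, or escalation."""
    if score >= 50:
        return "escalate"
    # Low value, low severity and no intel match: safe to hand to automated playbooks.
    if score < 10 and not (alert.indicators & INTEL_DOMAINS):
        return "auto-triage"
    return "analyst"


def triage(alerts):
    """Return (score, route, alert) tuples with the highest risk first."""
    scored = []
    for alert in alerts:
        score = risk_score(alert)
        scored.append((score, route(score, alert), alert))
    return sorted(scored, key=lambda item: item[0], reverse=True)


# Constructed sample alerts from three different tools.
SAMPLE_ALERTS = [
    Alert("edr", "laptop-117", "low", "suspicious-script"),
    Alert("firewall", "vpn-gw-02", "medium", "unpatched-remote-access"),
    Alert("siem", "fin-db-01", "high", "outbound-dns",
          frozenset({"covid19-relief-update.example"})),
    Alert("siem", "unknown-host", "high", "failed-logins"),
]

if __name__ == "__main__":
    for score, decision, alert in triage(SAMPLE_ALERTS):
        print(f"{score:5.1f}  {decision:<12} {alert.tool:<9} {alert.host:<13} {alert.category}")
```

Run as a script, the queue puts the database host with an intel-matching domain at the top (escalate), the medium-severity alert on the exposed VPN gateway and the alert on an uninventoried host in the analyst queue, and the low-severity laptop alert with automation. The point of the example is the shape of the decision, not the particular weights: a real deployment would tune multipliers and thresholds against its own false-positive rate and asset inventory.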
In summary, these may be unprecedented times, but the pandemic crisis is simply bringing to the fore what has been known for a long time. Old-fashioned, manual SOC processes were never designed to keep pace with today’s ever-increasing volume and sophistication of attacks. The time has come to let automation manage things. Through the use of ML and risk scoring in a single SOAR platform, SOC analysts can have access to everything they need in one place, enabling them to prioritise alerts and make quick and accurate decisions.