In an ideal world, this cybersecurity quandary is addressed through a security operations centre (SOCs) run by a team of specialists with access to the latest technologies and tools to help ensure that the organisation is well protected and proactive in thwarting cyber threats.
In the real world, many SOCs are also beset by the skills shortage that is endemic in the cybersecurity world.
According to a study1 by Frost & Sullivan, there will be a global shortage of 1.8 million cybersecurity professionals by 2022. Those holding up the house, security-wise, face a constant bombardment of alerts from a myriad of tools as the threat landscape changes and the number of attacks escalates. A survey2 by the Cloud Security Alliance found that half of enterprises have six or more tools that generate security alerts, and nearly 32% of IT security professionals said they ignored alerts because many were false.
Alert fatigue quickly sets in when already-stretched cybersecurity teams find themselves having to weed through an escalating volume of alerts to sift out the false positives, while being bogged down by a host of other time-consuming tasks ranging from creating tickets to patching systems and looking up IPs.
Faced with the downstream effects of chronic staff shortage, improvement in SOCs has to come through security orchestration and the use of automation tools to help reduce the burden on security personnel and ensure continuous response.
Security orchestration is the integration of security tools to streamline processes and make sure that they work together cohesively. Once these processes have been defined, automation can kick in with the deployment of technology to take care of repetitive and tedious manual tasks, freeing up scarce security resources to focus on higher value work.
With automation, the manual effort and time involved from detection to alert triage and remediation can be reduced and it may even be possible to stop an ongoing attack in its tracks. For example, actions such as quarantining a host or blacklisting an IP address can be carried out automatically with minimal human intervention.
So automation is good. But knowing what to automate is also important.
As a rule of thumb, it is always best to start with use cases that are easy to implement and can deliver quick gains, instead of gunning for problems that involve complex playbooks and processes.
One popular automation candidate is the investigation of suspected phishing emails, which ticks all the right checkboxes. According to a report3 on CSO Online, these investigations are “highly repetitive, follow a known process, and consume valuable analyst time when performed manually”.
It is estimated that security personnel could spend upwards of 90 minutes manually investigating a suspected phishing email. They would have to record the origin of the suspected email, which could be a report from the employee to received it; analyse the email for indicators such as URLs and attachments that could be malicious; and take steps to remediate the threat if these are found to be positive.
According to the report, automating the standard operating procedure enables the same investigation to be completed in less than a minute, freeing up the SOC team to focus on non-routine investigations that require human insight and expertise.
Today, as the security landscape evolves and the volume and variety of attack vectors escalate, manual responses are no longer tenable as a counter to cyber threats. Automation and orchestration will have to play a growing role in ensuring that detection, triage and response keep pace with the speed of cyberattacks and help set the stage for a more proactive approach to tackling cyber threats.
The benefit of a SOC is that it puts threat detection and response front and centre through a combination of continuous network monitoring and real-time incident response from dedicated security engineers. A well-placed SOC, such as Singtel’s SOCs around the world, can make all the difference with its extensive experience, knowhow and intelligence to improve the organisation’s security posture.
If you wish to learn more about our SOC services, have a chat with us at GovWare 2018 (18 - 20 Sep) in Singapore. Register for a free trade visitor pass here or contact us for a chat.
