Automating Response Is a Marathon, Not a Sprint

One of the constants security professionals deal with is a high volume of alerts. Even after filtering out the noise and getting to the important events, that number is still usually much larger than what security teams can address in a normal shift. Budget is rarely available to acquire the necessary headcount of skilled professionals, or even a mix of teachable and skilled professionals, so security leaders are evolving their response plans to include automation where it makes sense to help them address the sheer number of events.

Let's look more closely at the different stages of response automation and what security teams should consider throughout this process. To illustrate these concepts, consider the following scenarios and responses.

Scenario 1: Potential Insider Threat
A financial service firm's IT administrator credentials are being used to access and modify systems that were previously untouched. This could be an early warning to a potential insider threat – or it could be nothing at all. The anomalous activity triggers a playbook that sends a push notification to the IT admin and their supervisor on their mobile devices. They are given the choice of disabling the user credentials on Active Directory or investigating further by opening a ticket in ServiceNow.

Scenario 2: Privileged Access Anomaly
The privileged credentials of a senior executive are being used to manipulate company information from an unusual geography. The incident triggers a playbook to contain the potential threat and notify the security team. The privileges of the credentials are restricted, a push notification is sent to the security administrator, and a message is sent to Slack to notify the security team so they can verify legitimacy of the activity.

Scenario 3: Complex Indicators of Compromise
A patient-admitting system at a healthcare clinic is demonstrating abnormal PowerShell activity consistent with known ransomware attack campaigns. The incident instantly triggers a playbook to isolate the compromised host and block communication from external sources at the edge to prevent spreading to other hosts.

Analysis
The first scenario is an example of an organization at the early stage of exploring automation in its response plan. It allows for a human-guided decision to take place before executing the change to the security control – in this case disabling the credentialed user. It also opens a ticket for teams to investigate further. At this stage the organization will want to ensure it knows the criticality of the assets and categorize them as "this is critical" to scale response automation.

The second scenario is an example of an organization starting to embrace automation. There is a condition that triggers the security control to automatically adjust permissions to be a bit more restrictive. This allows the user to still access internal resources and remain productive while the investigator confirms whether the anomaly is valid activity. At this stage there would have been enough of the same types of incidents and same types of actions to have the confidence to execute the action on the security control while the investigation is happening.

The third scenario demonstrates a company fully embracing automation. There is a set of conditions that were met, and the automated system automatically executed actions on the host and at the edge security controls to prevent propagation and getting pwn3d. Speed was critical, so there was no human decision point, although there will be some sort of notification to the appropriate stakeholders to do further forensics and hardening of the affected systems.

Each of these scenarios require multiple actions, which include informing the security manager of an incident and adjusting security controls. Most organizations beginning to implement automated response will start with informing staff when a condition is met until it is comfortable that an action on the security control will not have an unintended consequence that interrupts the business; then it will gradually implement automation where it makes sense. Ultimately, a successful organization is comfortable with its security posture and adopts controls at its own pace, balancing process automation and human interaction to address its security requirements.