[BreachExchange] Is security automation the solution for overworked cyber-security staff?

Audrey McNeil audrey at riskbasedsecurity.com
Wed Aug 31 19:47:41 EDT 2016


http://www.scmagazineuk.com/is-security-automation-the-solution-for-overworked-cyber-security-staff/article/516305/

Security Operations Centres (SOCs) continue to be under significant
pressure to respond, manage and assure security. Ponemon Institute finds it
takes enterprises an average of 206 days to spot a breach and 69 days to
contain it. The speed with which an organisation can identify and contain
data breach incidents strongly corresponds with financial consequences,
which are significant; the average total cost of a data breach increased 23
percent over the past two years to US$ 3.79 million (£2.9 million).

Cloud sprawl escalates risk

These escalating costs are set against a backdrop of the growth of the
cloud and the resulting increased security risks. Recent independent
research into the impact of public cloud services found that over 85
percent of CIOs believe the proliferation of public cloud services is
reducing the control their organisation has over the IT services it uses.
Cloud sprawl is a particular problem; 80 percent of CIOs think the
widespread use of cloud services not sanctioned by IT, and not governed by
IT Service Management (ITSM) processes, is creating longer-term security
risks.

Overreliance on manual remediation continues

As threats and their impact continue to escalate, businesses are struggling
to cope, particularly as staffing and skills shortages can make it
difficult to find and retain security staff. As a result, many SOCs are
exploring how automation can help them manage the workload and, equally
importantly, deliver a better service. Automation is becoming more
widespread but, while there are several tools and systems that provide
automated incident visibility, few of them extend to the effective
management of response and remediation.

In fact, incident response and remediation processes are typically manual,
involving a variety of handoffs, systems, information sources and
stakeholders. They generally do not provide a 'closed loop' solution, so
vulnerabilities are not effectively managed and the risk persists.
Further, reliance on tools such as emails, spreadsheets, phone calls,
meetings and text messages makes it difficult to analyse how processes are
performing, where the bottlenecks are, and how to improve them. The number
one issue cited in recent research was a lack of coordination between
security and IT teams, while nine out of 10 respondents said that their
incident response effectiveness and efficiency is limited by the burden of
manual processes.

Service management technology integrates security

The good news, which many SOCs are unaware of, is that many can use their
organisation's current service management technology to improve automation
and process management across security operations. Benefits of this
approach include:

Providing a single platform for managing security incidents and
vulnerabilities: Modern service management software offers workflow,
automation, orchestration and systems management capabilities. These
platforms enable teams to manage the process of responding to and
remediating incidents, and remove manual processes that slow security
incident resolution times.

Prioritising security risks with business criticality: Users can attach
incidents to records, pairing security data with insight into the virtual
or physical asset at risk, and the business service that asset supports. By
doing this, a SOC can see, for instance, that the server being attacked
contains sensitive HR data and should be prioritised accordingly.

Automating manual functions frees SOCs to address critical issues: Through
service management platforms, SOC teams can trigger automatic patching and
configuration changes to security infrastructure, or other standard
workflows, to contain and fix security incidents and vulnerabilities.
Automatic post‑incident reports crucial to the auditing process can be
generated – eliminating the tedious manual process many organisations
complete.

Gaining greater visibility into current security issues by category, class
and priority, and status of tasks: Through the use of dashboards that
service management solutions typically have, SOCs can access real‑time
trending data that helps them understand their effectiveness in securing
their enterprise.

To increase the value of security products that organisations have already
deployed, these technologies can also integrate with third‑party software
applications; including security incident and event managers, and
vulnerability identification solutions.
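The four benefits above (one platform for incidents, prioritisation by business criticality, automated workflow steps and post-incident reports, visibility into task status) are easiest to see in code. What follows is an added example, not code from the article or from any service management product: a small Python model of that workflow over constructed CMDB records and SIEM alerts. The severity-times-criticality scoring, the P1/P2/P3 SLA bands and the contain/remediate/verify task chain are assumptions chosen for illustration, not a standard any platform prescribes.

```python
"""Added example (not from the article or any vendor's product): a minimal
security-incident workflow of the kind an ITSM platform provides. It
enriches SIEM alerts with CMDB asset records, ranks them by business
impact, tracks response as an ordered task chain, and renders a
post-incident report. All records and alerts are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed CMDB: host -> business service it supports and criticality (1-5).
CMDB = {
    "hr-db-01": {"service": "Payroll (sensitive HR data)", "criticality": 5},
    "web-cache-03": {"service": "Marketing site", "criticality": 2},
    "dev-box-07": {"service": "Dev sandbox", "criticality": 1},
}

# Constructed SIEM alerts; severity 1-5 is whatever the detection rule assigned.
ALERTS = [
    {"id": "A-1001", "asset": "web-cache-03", "severity": 4, "rule": "ssh brute force"},
    {"id": "A-1002", "asset": "hr-db-01", "severity": 3, "rule": "sql injection attempt"},
    {"id": "A-1003", "asset": "unknown-host", "severity": 5, "rule": "malware beacon"},
]

SLA_HOURS = {"P1": 1, "P2": 4, "P3": 24}         # assumed containment targets per band
TASK_CHAIN = ("contain", "remediate", "verify")   # closed loop: no close without verify


@dataclass
class Incident:
    alert_id: str
    asset: str
    rule: str
    service: str
    priority: str
    score: int
    opened: datetime
    tasks: dict = field(default_factory=lambda: dict.fromkeys(TASK_CHAIN))
    flags: list = field(default_factory=list)

    def complete(self, task: str, when: datetime) -> None:
        """Record a task as done, refusing to skip ahead in the chain."""
        idx = TASK_CHAIN.index(task)
        if any(self.tasks[t] is None for t in TASK_CHAIN[:idx]):
            raise ValueError(f"{task} completed before earlier tasks on {self.alert_id}")
        self.tasks[task] = when

    @property
    def closed(self) -> bool:
        return all(self.tasks[t] is not None for t in TASK_CHAIN)

    def sla_breached(self, now: datetime) -> bool:
        """Containment SLA runs from open time; an uncontained incident is judged at 'now'."""
        deadline = self.opened + timedelta(hours=SLA_HOURS[self.priority])
        return (self.tasks["contain"] or now) > deadline


def prioritise(alert: dict, opened: datetime) -> Incident:
    """Pair the alert with its CMDB record; severity x criticality picks the band."""
    record = CMDB.get(alert["asset"])
    flags = []
    if record is None:
        # A host the CMDB does not know is itself a finding (possible shadow IT):
        # treat it as critical until triage says otherwise, never as low priority.
        record = {"service": "UNKNOWN", "criticality": 5}
        flags.append("asset not in CMDB: triage for shadow IT")
    score = alert["severity"] * record["criticality"]
    priority = "P1" if score >= 15 else "P2" if score >= 8 else "P3"
    return Incident(alert["id"], alert["asset"], alert["rule"], record["service"],
                    priority, score, opened, flags=flags)


def open_queue(alerts=ALERTS, opened=None) -> list:
    """Build the SOC work queue, highest business impact first."""
    opened = opened or datetime(2016, 8, 31, 9, 0, tzinfo=timezone.utc)
    return sorted((prioritise(a, opened) for a in alerts), key=lambda i: -i.score)


def post_incident_report(inc: Incident, now: datetime) -> str:
    """Render the audit trail that would otherwise be assembled by hand."""
    lines = [f"Incident {inc.alert_id} [{inc.priority}, score {inc.score}]",
             f"  asset={inc.asset} service={inc.service} rule={inc.rule}",
             f"  opened={inc.opened.isoformat()}"]
    for t in TASK_CHAIN:
        done = inc.tasks[t]
        lines.append(f"  {t:9s} {'done ' + done.isoformat() if done else 'OPEN'}")
    lines.append(f"  containment SLA breached: {inc.sla_breached(now)}")
    lines.extend(f"  flag: {f}" for f in inc.flags)
    lines.append(f"  status: {'closed' if inc.closed else 'open'}")
    return "\n".join(lines)


if __name__ == "__main__":
    queue = open_queue()
    t0 = queue[0].opened
    queue[0].complete("contain", t0 + timedelta(minutes=30))
    queue[0].complete("remediate", t0 + timedelta(hours=2))
    queue[0].complete("verify", t0 + timedelta(hours=3))
    for inc in queue:
        print(post_incident_report(inc, t0 + timedelta(hours=5)), "\n")
```

Ranked on raw SIEM severity alone, the brute-force alert on the marketing cache (severity 4) would sit above the injection attempt against the payroll database (severity 3); pairing each alert with its CMDB record reverses that order, which is the point of attaching incidents to asset records. The task chain refuses to mark an incident verified before it has been remediated, so nothing drops out of the loop, and a host the CMDB has never heard of is surfaced as a shadow IT finding instead of quietly landing at the bottom of the queue.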

Addressing the wider context

In addition to automating threat detection and remediation, the extension
of ITSM technology to security operations also ensures higher security
standards are applied to processes carried out across the business. For
example, when onboarding a new employee, automation can complete a new
password setup, or automate the authentication of a new mobile
device/account, ensuring optimum security processes are built in from the
outset. In the age of BYOD and 'shadow IT', this will increase in
importance and value to businesses, as well as facilitating closer
integration between security teams and other functions. Finally, automation
of detection and remediation of security issues frees security teams to
focus on mission-critical activities and improved collaboration.