Automating Incident Response
The ongoing growth of enterprise IT and information security infrastructure calls for monitoring its security, managing incidents with specialized Security Orchestration, Automation, and Response (SOAR) and Incident Response Platform (IRP) systems, and building a comprehensive Security Operations Center (SOC) on top of them. How do you know when the time has come for systematic incident management? How can the cost of comprehensive information security monitoring be reduced? How can you proactively protect the entire organization and reduce the likelihood of type I and type II errors (false positives and false negatives)?
What is the best time to implement SOAR and IRP? What are the minimum requirements for starting the implementation?
The time will come when information security professionals get bogged down in analyzing and responding to the flow of events, and this condition is fertile soil for errors. In this situation, SOAR and IRP solutions should come to the rescue. To apply such solutions, the organization needs a department responsible for the development, implementation, and maintenance of information security processes and systems, both on paper and in the infrastructure, as well as a basic set of information security tools. It is also desirable to have a Security Information and Event Management (SIEM) system in place, which takes over the processing and preparation of the events sent to the SOAR and IRP.
Every organization already runs at least a simplified version of an IRP, for example in the form of IT Service Management (ITSM) and a Service Desk. The classic approach, though, revolves around combining SOAR and IRP to automate routine operations and speed up incident response. It is time to take this route as soon as the need to organize the process of handling cyber incidents emerges. But a lot depends on the specifics of the business: one organization with 50 employees may desperately need automated incident management, while another company with 5,000 employees is quite happy with manual processing.
The only minimum requirement for starting a SOAR/IRP implementation is the maturity of the IT and information security departments. Recently, the Security by Design approach has gained popularity; it brings both classes of tools into the design stage of a project.
How to cut the cost of integrating SOAR/IRP into an already deployed large-scale, heterogeneous IT and information security infrastructure?
To reduce the cost of implementing SOAR/IRP, the architecture of the system being implemented must be worked out in detail. First of all, it should take into account the organizational chart of the company, the features of its IT infrastructure, and the network topology. The system itself should offer a variety of deployment options, flexible functionality, and a set of connectors, i.e., ready-made tools for integration with external systems.
Cost reduction can also be achieved by reasonably minimizing the number of systems with which the SOAR/IRP will integrate. A graphical or textual plan of the actions employees perform in the event of various kinds of incidents, drawn up before the implementation, helps to understand what is actually worth automating.
Another saving factor is that information security professionals should have basic programming skills, which will reduce their dependence on paid integration services provided by third-party organizations. Many vendors provide turnkey integrations, but they often need to be tailored to suit your goals.
Refining incident analysis scenarios in SOAR/IRP solutions
First, we need a well-designed incident response process. Its components include data sources, categories, incident cards and their fields, scripts, working groups, integrations, metrics, etc. It is useful to leverage best practices such as ISO, NIST, and MITRE. Next, it is important to start using the system and several scenarios in production. Points of improvement will surface gradually: scenario coverage, the depth of enrichment and automation, convenience, flexibility, and fault tolerance then become the targets of further development.
The goal of improving the scenarios for analyzing incidents is achieved, among other things, by continuously honing the expertise of employees responsible for information security both in terms of knowledge about the technical facets of modern threats and in terms of their detection and prevention. It is also important that there be a person in the information security department who is able to convince the business stakeholders that they need to invest in additional means of protection, which will help make scenarios more complete and automate the process of detecting, investigating, and eliminating the consequences of a cyber incident as much as possible.
Where can I find professionals to work and analyze data in SOAR/IRP?
A professional hired on the market will not be immediately ready to perform tasks within the framework of SOAR/IRP. Regardless of qualification and skills, the specialist will have to deal with the specifics of the organization's infrastructure and the protection mechanisms that are in place. On the other hand, an employee already working in the organization has the necessary knowledge of the infrastructure and, although they do not yet have the skills to operate the new system, they can gain a basic understanding during the implementation phase and more specific skills as the system is being used.
The best option would be to use a mixed approach, which includes the contribution of in-house specialists who know the company’s IT infrastructure and the involvement of third-party expertise for SOC. This interaction will enhance the skills of the company’s teams and will allow leveraging experience and expertise for independent monitoring and analysis of information security incidents in SOAR/IRP.
It should be noted that the search for qualified specialists on the labor market does not cover the staffing needs of modern SOCs, so you still have to train your own staff. Typically, there are basic tasks for junior specialists, and a well-built system of training and mentoring will allow them to become professionals quickly. Good partner or vendor training is also important, although there is no substitute for an IRP implementation and the analysis of real-life incidents.
How do you know when an organization is SOC-ready?
The need for a SOC arises when the company and its information security service reach a certain level of development. Using it as a service does not, in particular, imply that any specific unit must be established or new systems introduced. However, by the time a decision regarding the SOC is made, blocking tools such as a firewall, antivirus software, and a Network-based or Host-based Intrusion Prevention System (NIPS or HIPS) must already be implemented and take priority over detection tools. Next, a calculation should be made: if the losses from the risk events that the SOC can block are higher than the price of its services, you are ready to take the leap.
Regulatory frameworks have helped a lot of organizations mature, so it is important to determine whether there are regulatory requirements or not. The understanding of the need for SOC comes in approximately the same way as in the case of management reporting: at some point, it becomes clear that there is too much data and it is time to change the angle of view (dashboards, reports, indicators). Another criterion is the coming of the moment when you want to transform the incident response into a constant and evolving functionality.
In general, the SOC is a set of processes. If the organization is ready to implement SOAR/IRP, the main tool of the response center's specialists, then the introduction of the SOC becomes only a matter of time.
SOC: in-house vs as-a-service
Each option has its advantages. Your own SOC means complete consistency with the infrastructure and business processes, and a high speed of response to changes in them. An in-house solution has the disadvantage of requiring qualified round-the-clock monitoring, though. This requires such a large investment (OPEX and CAPEX) in implementing systems and in finding, developing, and retaining personnel that the deployment is not feasible.
To make the right decision, it is necessary to decide what functions of information security the company wants and can implement internally, and in what cases external resources will be involved. It largely depends on the IT infrastructure and the number of information security specialists. The ideal option would be to use a hybrid model, combining in-house team skills with cybersecurity services, complementing the internal SOC with expertise that is inappropriate to keep within the company.
Is it possible to introduce artificial intelligence (AI) technologies into information security incident management?
Of course, AI technologies inevitably penetrate all processes, including information security. There are problems in non-deterministic logic that AI can solve better than other approaches. But it is necessary to be realistic in assessing the capabilities of AI. As in any other area, the principle of acceptable accuracy applies in information security. That is, the AI will never be able to process all incidents on its own, and in any case a human will have to perform some of the actions, including working through non-obvious false positives, revising the correlation rules, etc. In practice, reaching the acceptable-accuracy bar invariably shifts the balance toward more, not less, analyst labor.
In a broad sense, AI in incident management is unlikely to replace humans in investigations anytime soon, but in terms of automation big strides are constantly being made, and SOAR is one of the points where they are applied. Many vendors are already trying to bring extra value to their customers through the use of AI. But the truth is that only a small percentage of organizations have reached the point where the simpler methods of detecting, investigating, and responding to information security incidents have been exhausted.
The main areas where AI technologies are most in-demand are as follows:
- partial automation of false-positive verification;
- training the IRP to classify incidents automatically;
- the introduction of tools for predicting the development of complex computer attacks and incidents.
The general goal of these technologies is to increase the automation of the work of the analysts and specialists who counter computer attacks. The use of AI technologies in this area will become more and more common down the line.
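The response process described earlier (incident cards with fields, connectors for enrichment, scripted scenarios, metrics) and the automation areas listed above (false-positive verification and automatic classification under the acceptable-accuracy principle) can be shown together in one small triage playbook. The code below is an added illustration, not the code of any SOAR/IRP product or of this article's author: the incident card structure, the verdict names, the confidence threshold, and the two "connectors" (an asset inventory and a watch list held as constructed in-memory data in place of a real CMDB or threat-intelligence feed) are all assumptions made for the example. Its one design point worth noticing is the confidence gate: a rule may propose closing a card automatically, but if the rule's confidence is below the threshold the card is routed to an analyst instead, which is how "acceptable accuracy" translates into code.

```python
"""Toy SOAR-style triage playbook (added example; assumptions are marked)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data standing in for connector back-ends (assumption).
ASSET_INVENTORY = {
    "10.0.1.5": {"owner": "finance", "criticality": "high"},
    "10.0.2.17": {"owner": "dev-lab", "criticality": "low"},
}
KNOWN_SCANNER_IPS = {"10.0.9.9"}       # authorised internal vulnerability scanner
WATCHLIST_IPS = {"198.51.100.23"}      # constructed TEST-NET-2 address on a watch list

# Minimum rule confidence at which the playbook may act without an analyst (assumption).
CONFIDENCE_THRESHOLD = 0.8


@dataclass
class IncidentCard:
    """Incident card: the fields a scenario reads and the enrichment it writes."""
    incident_id: str
    category: str                 # e.g. "scan", "brute-force", "malware"
    src_ip: str
    dst_ip: str
    detected_at: datetime
    evidence: dict = field(default_factory=dict)   # filled by enrich()
    verdict: str = "open"         # false-positive | auto-closed | escalated | needs-analyst
    closed_at: Optional[datetime] = None


def enrich(card: IncidentCard) -> IncidentCard:
    """Connector step: attach asset and watch-list context to the card."""
    card.evidence["asset"] = ASSET_INVENTORY.get(
        card.dst_ip, {"owner": "unknown", "criticality": "unknown"})
    card.evidence["src_is_scanner"] = card.src_ip in KNOWN_SCANNER_IPS
    card.evidence["src_on_watchlist"] = card.src_ip in WATCHLIST_IPS
    return card


def classify(card: IncidentCard):
    """Rule-based scenario. Returns (proposed verdict, confidence in [0, 1])."""
    asset_crit = card.evidence["asset"]["criticality"]
    if card.category == "scan" and card.evidence["src_is_scanner"]:
        return "false-positive", 0.95          # known scanner: routine, high confidence
    if card.evidence["src_on_watchlist"] and asset_crit == "high":
        return "escalated", 0.90               # watch-listed source hitting a critical asset
    if card.category == "brute-force" and asset_crit == "low":
        return "auto-closed", 0.70             # plausible but not confident enough to act alone
    return "needs-analyst", 0.40               # nothing matched: a human decides


def run_playbook(card: IncidentCard, now: datetime) -> IncidentCard:
    """Enrich, classify, apply the confidence gate, and record the outcome."""
    enrich(card)
    verdict, confidence = classify(card)
    if confidence < CONFIDENCE_THRESHOLD:
        verdict = "needs-analyst"              # acceptable-accuracy gate: do not auto-act
    card.verdict = verdict
    card.evidence["confidence"] = confidence
    if verdict in ("false-positive", "auto-closed"):
        card.closed_at = now                   # only confident verdicts close a card
    return card


def metrics(cards) -> dict:
    """Process metrics: how much the playbook handled and how fast it closed cards."""
    closed = [c for c in cards if c.closed_at is not None]
    mean_close = (sum((c.closed_at - c.detected_at).total_seconds() for c in closed)
                  / len(closed)) if closed else None
    return {
        "total": len(cards),
        "auto_closed": len(closed),
        "escalated": sum(c.verdict == "escalated" for c in cards),
        "needs_analyst": sum(c.verdict == "needs-analyst" for c in cards),
        "mean_seconds_to_close": mean_close,
    }


def sample_run(base: datetime = datetime(2024, 1, 1, 9, 0, 0)):
    """Constructed cards (assumption) pushed through the playbook five minutes after detection."""
    cards = [
        IncidentCard("INC-1", "scan", "10.0.9.9", "10.0.1.5", base),
        IncidentCard("INC-2", "malware", "198.51.100.23", "10.0.1.5", base),
        IncidentCard("INC-3", "brute-force", "203.0.113.7", "10.0.2.17", base),
        IncidentCard("INC-4", "malware", "203.0.113.8", "10.0.2.17", base),
    ]
    now = base + timedelta(minutes=5)
    return [run_playbook(c, now) for c in cards]


if __name__ == "__main__":
    results = sample_run()
    for c in results:
        print(c.incident_id, c.verdict, c.evidence["confidence"])
    print(metrics(results))
```

Running it shows INC-1 closed as a false positive, INC-2 escalated, and both INC-3 and INC-4 handed to an analyst: INC-3 because the rule that would have closed it is below the threshold, INC-4 because no rule matched. The metrics dictionary is the kind of figure (share auto-handled, time to close) that the article suggests tracking as the scenarios are refined.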