It’s hard to read the news these days without learning about yet another security breach.
It is no longer a surprise when a business or government agency reveals that a breach has compromised data related to their customers, employees, partners — or all of the above.
We know that attacks routinely target critical networks and that they are as likely to target multiple organisations in a single or related industry as they are to focus on a single target.
What is surprising is the length of time it takes organisations to detect and resolve security events.
We know that attacks can unfold in the blink of an eye but can take months — even years — to be properly identified and eradicated from an organisation’s systems.
According to a newly released CSG Invotas cyber security survey, more than one-third of cyber-attacks take hours to detect.
Equally alarming, resolving breaches takes days, weeks and, in some cases, even months.
No matter how accustomed we may be to hearing about the increasing number of attacks, this state of affairs should catch the attention of the C-suite in organisations around the globe.
Consider the figures: according to the U.K. government, 93% of large corporations and 87% of small businesses reported a cyber breach in the past year.
In fact, affected companies in the U.K. experienced almost 50% more attacks on average than they did a year ago: dramatic increases which reflect the dynamics of a digital economy.
Technology is constantly changing and evolving, which means cyber attacks are constantly changing and evolving too.
Attacks that come in looking like one piece of software code quickly mutate and adapt to the target environment, multiplying the number and types of attacks and proliferating at machine speed to expose weaknesses.
The result? New vulnerabilities and attack vectors are continually discovered — and security teams are continually playing catch-up.
Advanced cyber attacks pose a serious risk to commercial and government concerns. To counter these threats, many organisations have established security operations centres (SOCs) that leverage advanced tools embedded in their standard operating procedures.
Typical SOC analysts will be trained to utilise multiple tools but will still spend a large portion of their time on the manual components of each tool.
Simple tasks such as updating helpdesk tickets, performing manual content enrichment (e.g., testing hyperlink safety and uploading malware protections) and gathering information from infected machines require a significant amount of analyst time.
When the time to complete all of these tasks is compared against the actual analysis of the incident, organisations frequently find that their highly trained analysts spend more time on repeatable processes than on using their extensive analytical skills.
What’s more, traditional cyber defence tools don’t provide adequate protection from attack.
If CIOs consider the time analysts spend performing the same manual tasks over and over, the inadequacy of legacy technology, the shortage of security workers in the industry, and the personnel-intensive integration of all of these tools to thwart cyber attacks, they are likely to agree that a more streamlined approach to cyber security is required.
Enter the cyber playbook. Given that specific incident or threat types determine the workflow, tools and processes analysts choose to respond with, a cyber playbook can become the repository for all such “plays” that can be orchestrated on the fly and combined for specific threat-response scenarios.
The playbook can — and should — contain all probable combinations of workflows, tools and processes to ensure that responses can change and adapt in real time to mirror and ultimately thwart attacks.
Similar to a rugby playbook of tactics, a comprehensive cyber security playbook will represent tested and successful routines that can be quickly repeated with minimal customisation or manual intervention.
The successful playbook is developed and honed through network analysis. By tapping into workflows and data directly from security information and event management (SIEM) tools and other enterprise-wide devices, security specialists can determine which tasks are being performed manually and routinely.
That data forms the basis of the playbook, which grows to incorporate all simple and repeatable courses of action that can be synchronised at speed and scale; such “plays” must be tested and pre-approved for repeated use.
For instance, the cyber playbook for malware remediation might contain email templates, a list of recommended resources for collecting web-address reputation scores, steps for collecting data packets, and instructions on how to add firewall rules, among other tasks.
Don’t recreate: automate
By capturing critical institutional knowledge, security analysts can determine which workflows should become part of the cyber playbook and which are likely candidates for automation.
As a result, pre-defined measures can be executed at sub-second speed without manual intervention wherever and whenever such automation makes sense.
By adopting a cyber playbook that capitalises on automated and semi-automated courses of action synchronised across a complex enterprise, security professionals can effectively counter cyber attacks with coordinated and comprehensive defensive strategies — strategies that can be evaluated and repeated on the fly to continually improve response actions.
By automating or semi-automating existing workflows, agencies can reallocate resources to other, more urgent areas. Security analysts perform a critical function, but their non-critical tasks can be performed more effectively with automation solutions that enable them to focus on what’s important: continuously secure enterprise operations.
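The playbook described above (plays keyed by incident type, each made of pre-approved steps that are either fully automated or held for analyst approval, producing an audit trail) can be sketched as a small engine. The following is an added illustration, not CSG Invotas code; the incident, the domain reputation table, the step names and the firewall-rule format are all constructed for the example, and the malware play mirrors the tasks listed earlier (notification template, reputation lookup, packet-capture instructions, firewall rule).

```python
"""Minimal cyber-playbook engine: pre-approved plays, automated vs analyst-gated steps, audit log.
Added example; every identifier and value here is constructed and hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed table standing in for an external web-address reputation service (0 = worst, 100 = best).
REPUTATION = {"example-bad.test": 10, "example-good.test": 95}


@dataclass
class Step:
    name: str
    action: Callable[[dict], str]   # takes the incident record, returns a short result string
    automated: bool = True          # False -> an analyst must approve this step at run time


@dataclass
class Play:
    incident_type: str
    steps: List[Step]
    approved: bool = False          # plays must be tested and pre-approved before repeated use


class Playbook:
    def __init__(self) -> None:
        self.plays: Dict[str, Play] = {}

    def register(self, play: Play) -> None:
        self.plays[play.incident_type] = play

    def run(self, incident: dict, approve: Callable[[Step], bool]) -> List[dict]:
        """Execute the play for this incident type; `approve` is the analyst decision for gated steps."""
        play = self.plays.get(incident["type"])
        if play is None:
            raise KeyError(f"no play for incident type {incident['type']!r}")
        if not play.approved:
            raise PermissionError(f"play for {play.incident_type!r} is not approved for use")
        audit: List[dict] = []
        for step in play.steps:
            if not step.automated and not approve(step):
                # Semi-automated step: record it and leave it for the analyst rather than acting.
                audit.append({"step": step.name, "status": "awaiting_analyst"})
                continue
            audit.append({"step": step.name, "status": "done", "result": step.action(incident)})
        return audit


# --- Steps of a constructed malware-remediation play -------------------------------------
def draft_notification(incident: dict) -> str:
    return f"To {incident['user']}: host {incident['host']} is being remediated for malware."


def url_reputation(incident: dict) -> str:
    scores = {d: REPUTATION.get(d, "unknown") for d in incident["domains"]}
    return ";".join(f"{d}={s}" for d, s in scores.items())


def capture_instructions(incident: dict) -> str:
    return f"capture 5 min of traffic from {incident['host']} before reimaging"


def firewall_rule(incident: dict) -> str:
    # Hypothetical rule syntax; blocking is gated because it changes production network state.
    return f"deny ip any host {incident['c2_ip']}"


def build_malware_play() -> Play:
    return Play("malware", [
        Step("notify-user", draft_notification),
        Step("reputation-lookup", url_reputation),
        Step("packet-capture", capture_instructions),
        Step("block-c2", firewall_rule, automated=False),
    ], approved=True)


# Constructed sample incident record.
SAMPLE_INCIDENT = {
    "type": "malware", "user": "jdoe", "host": "ws-17",
    "domains": ["example-bad.test", "example-good.test"], "c2_ip": "198.51.100.7",
}


def run_sample(analyst_approves: bool) -> List[dict]:
    book = Playbook()
    book.register(build_malware_play())
    return book.run(SAMPLE_INCIDENT, lambda step: analyst_approves)


if __name__ == "__main__":
    for entry in run_sample(analyst_approves=False):
        print(entry)
```

Running it shows the three routine steps completing without intervention while the firewall change waits for an analyst; flipping the approval executes it and the audit entries record exactly what was done. The `approved` flag on the play is the "tested and pre-approved" requirement from the text: the engine refuses to run a play that has not been signed off.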
New automation and orchestration technologies make such an approach both possible and practical.
We know the gap between detection and response grows wider every day, and we know the speed, versatility, and frequency of attacks have reduced the effectiveness of traditional threat responses.
Security automation can markedly reduce the current widespread dependence on manual intervention and passive defensive tools by allowing key resources to focus on threat analysis and containment, which are essential to keep complex large-scale systems and networks online.
One organisation that recently tested automation tools uncovered scenarios for increased efficiencies as part of the remediation of compromised VPN users.
During the test, the time to support VPN helpdesk tickets dropped from an average of 40 minutes to fewer than two, which in a production environment could allow the organisation to allocate its limited security resources to more strategic tasks.
Given the current size of most security staff, the growing demands on that staff, and the shortage of available skilled workers, using automation tools strategically to augment security personnel delivers benefits beyond the immediate bottom-line boost.
As an added benefit, automating basic processes to simple drag-and-drop actions makes the attraction and retention of security staff more strategic and cost-effective. The cyber security skilled worker shortage is a major issue industry-wide – Cisco’s 2014 Annual Security Report points to a worldwide shortage of nearly one million skilled security professionals.
By utilising security automation, key hires can then be cultivated for more complicated security scenarios, allowing organisations to benefit from the ability to tap the right mix of skills for the right tasks at hand.
A sound cyber security playbook will become an analyst’s best friend. It combines the best personnel, processes, tools, and workflows an organisation possesses into a dynamic and flexible real-time security response engine.
A winning coach would never show up to the big game without a proven playbook in hand; it’s time security professionals adopted the same practice.
Sourced from Paul Nguyen, President of Global Security Solutions, CSG Invotas