With an ever-growing attack surface, security teams are being bombarded by skyrocketing numbers of alerts and false positives, making automation in security operations more critical today than it has ever been.
The success of your security operations automation strategy depends on having all of the necessary data readily available so that threats can be prioritised and rapidly resolved, but establishing a centralised source of enterprise visibility is no small order.
We invited a group of security directors, enterprise architects, and heads of security risk to discuss how their organisations are managing risk, covering:
- The challenges around enterprise visibility
- Quickly determining the scope of cyber threats
- Enriching alert systems with valuable data points
Rela8 Group’s Technology Leaders Club roundtables are held under the Chatham House Rule. Names, organisations and some anecdotes have been withheld to protect privacy.
About Infoblox
Infoblox delivers modern, cloud-first networking security experiences that are simple, automated, scalable, and reliable. With over 12,000 customers worldwide, including over 70% of the Fortune 500, Infoblox empowers organisations to leverage the advantages of on-premises and cloud-first architecture securely. Through a combination of NIOS, BloxOne DDI, BloxOne Threat Defence and threat intelligence services, Infoblox provides a robust foundation for connecting and securing the modern enterprise.
Growing pains
As modern organisations grow, it becomes increasingly difficult for network and security staff to keep track of everything. As the old saying goes, you can’t protect what you can’t see, and without visibility of their systems, organisations run the risk of exposing themselves to attack. Visibility is therefore critical to understanding and managing an organisation’s cyber risk. Conversely, the more awareness you have, the more focused and intentional your security efforts have to be. Knowing where everything is and trying to protect it all is a sure-fire way to flood your SOC with alerts. Balancing visibility and intent is the key to success.
Accounting for your assets
System visibility is no mean feat, but it is one that has been on the radar of security and network experts for some time. Our panel of experts were all confident in the tools and processes they had in place to establish visibility – at least within their own systems. By segmenting their environments, effectively classifying their assets, and reinforcing monitoring efforts with processes and education, internal visibility could be quickly established. However, internal visibility is one thing; managing asset inventory in the Cloud poses another challenge.
The vast majority of organisations today leverage the Cloud in some way or another and most organisations are spread across multiple hybrid Cloud environments. Maintaining visibility outside of your own network requires consistent monitoring as well as effective communication with your Cloud service providers. Agents in the Cloud need to be trained and equipped with the knowledge to understand the organisation’s classification system to ensure that regular asset monitoring remains effective.
As monitoring these environments is an ever-growing task, our experts had seen success reinforcing visibility with automation and machine learning. Once an organisation has defined and understood what assets should be where, who should have access to what, and how assets should be classified, it can use automation and machine learning to monitor its environments continuously and flag deviations from that expected state. Unfortunately, if not carefully tuned, automated systems can quickly lead to an avalanche of alerts and false positives, all of which have an impact on your security team. Providing the SOC with the means to quickly determine the risk of potential cyber threats is vital.
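The "defined expected state, then flag deviations" step above is easiest to see in code. The following is an added example, not code from the roundtable or from Infoblox: it reconciles a declared asset inventory (expected segment and classification per host) against what is actually observed, for instance from DHCP leases or a cloud instance listing, and reports unknown hosts, hosts nobody classified, hosts that have drifted into the wrong segment, and declared hosts that are no longer seen. Every hostname, subnet and address below is constructed sample data.

```python
"""Reconcile a declared asset inventory against observed hosts.

Added example (not the roundtable's or Infoblox's code). The inventory
and the observation list are constructed sample data.
"""
import ipaddress

# Constructed declared inventory: hostname -> expected segment and classification.
DECLARED = {
    "payroll-db-01": {"segment": "10.1.10.0/24", "class": "restricted"},
    "ci-runner-07": {"segment": "10.1.20.0/24", "class": "internal"},
    "lobby-kiosk-02": {"segment": "10.1.30.0/24", "class": None},  # never classified
}

# Constructed observations (hostname, IP), e.g. from DHCP leases or a cloud listing.
OBSERVED = [
    ("payroll-db-01", "10.1.10.5"),
    ("ci-runner-07", "10.1.30.41"),   # drifted into the kiosk segment
    ("lobby-kiosk-02", "10.1.30.8"),
    ("test-vm-temp", "10.1.20.200"),  # nobody declared this host
]


def reconcile(declared, observed):
    """Compare observed hosts with the declared inventory.

    Returns a dict of findings:
      unknown       - observed hosts with no inventory entry (visibility gap)
      unclassified  - declared hosts whose classification was never set
      wrong_segment - (host, ip, expected_segment) where the IP is outside
                      the segment the inventory says the host belongs in
      missing       - declared hosts that were not observed at all
                      (decommissioned, or a monitoring blind spot)
    """
    findings = {"unknown": [], "unclassified": [], "wrong_segment": [], "missing": []}
    seen = set()
    for host, ip in observed:
        seen.add(host)
        entry = declared.get(host)
        if entry is None:
            findings["unknown"].append(host)
            continue
        if entry["class"] is None:
            findings["unclassified"].append(host)
        # ipaddress handles both IPv4 and IPv6 and rejects malformed input loudly.
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(entry["segment"]):
            findings["wrong_segment"].append((host, ip, entry["segment"]))
    findings["missing"] = sorted(set(declared) - seen)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(DECLARED, OBSERVED).items():
        print(f"{kind}: {items}")
```

Each finding category maps to a different owner: unknown hosts go back to whoever provisions systems, unclassified hosts to the data owner, segment drift to the network team, and missing hosts to asset management. Running this on a schedule against a live lease table or cloud API is the automation the panel describes; the rules stay simple because the hard part is keeping the declared inventory honest.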
Is it actionable?
Context will always be vital when it comes to determining the risk of a security alert. It is this context that allows security teams to determine whether or not a threat is actionable, or if it is simply noise that can be filtered out. Technology today is great at understanding issues at a static level, but it isn’t quite ready to bear the responsibility of providing the whole picture, meaning that people will continue to play an important role for the foreseeable future.
Getting this context quickly and efficiently is often the problem faced by security teams, but if people are the problem, then they can be the solution. To prevent needless back and forth between the security and network teams, greater engagement and knowledge sharing between the two is required. Our panel recommended bringing network specialists to work inside the SOC and vice versa for the NOC. By bringing the two teams together like this, our experts had seen the communication issues between them vanish as they started functioning more like one team than two.
Enriching your alert data
While providing context behind alerts is invaluable, ensuring the right context is being provided is the next challenge. There are key technological fingerprints that will go a long way to helping your security teams quickly establish the risk level of alerts. For example, IP addresses are not that useful for security teams, but when connected to a MAC address, they become more valuable. In turn, if that MAC address can be connected to a DHCP fingerprint and then to a user, all of a sudden, the context provided becomes much more useful. Another valuable point of data is DNS mapping. By looking at DNS information to understand what is talking to what on your network, you can map DNS activity to identify aberrant behaviours.
Filtering important information into one pane of glass through a Security Orchestration, Automation and Response (SOAR) or a Security Information and Event Management (SIEM) capability will prove to be invaluable when it comes to centralising all the most critical information and streamlining the process.
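The enrichment chain described above (IP to MAC to DHCP fingerprint to user, plus DNS activity compared with what a host normally resolves) can be expressed as a small lookup pipeline. The following is an added example, not code from the roundtable or from Infoblox; the lease table, identity mapping, DNS log and baseline are all constructed sample data standing in for what a SIEM or SOAR would pull from DHCP, NAC and DNS logging.

```python
"""Enrich IP-only alerts with MAC, DHCP fingerprint, user and DNS context.

Added example (not the roundtable's or Infoblox's code). All tables and
log lines are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed DHCP lease table: IP -> (MAC, DHCP fingerprint / device class).
DHCP_LEASES = {
    "10.1.20.15": ("00:1a:2b:3c:4d:5e", "Windows 10 workstation"),
    "10.1.20.33": ("00:1a:2b:3c:4d:77", "Linux build agent"),
    "10.1.30.8": ("00:1a:2b:3c:4d:99", "IP camera"),
}

# Constructed NAC / identity mapping: MAC -> owning user or service account.
MAC_OWNERS = {
    "00:1a:2b:3c:4d:5e": "alice",
    "00:1a:2b:3c:4d:77": "svc-ci",
}

# Constructed DNS query log: (client IP, queried name).
DNS_LOG = [
    ("10.1.20.15", "intranet.example.internal"),
    ("10.1.20.15", "updates.vendor.example"),
    ("10.1.20.15", "intranet.example.internal"),
    ("10.1.30.8", "ntp.example.internal"),
    ("10.1.30.8", "xk7q.example-unknown.test"),
]

# Constructed baseline: names each host is normally seen resolving.
DNS_BASELINE = {
    "10.1.20.15": {"intranet.example.internal", "updates.vendor.example"},
    "10.1.30.8": {"ntp.example.internal"},
}


@dataclass
class EnrichedAlert:
    ip: str
    mac: Optional[str] = None
    fingerprint: Optional[str] = None
    user: Optional[str] = None
    dns_names: Set[str] = field(default_factory=set)
    dns_outliers: Set[str] = field(default_factory=set)


def dns_by_client(log):
    """Group queried names by the client that asked for them."""
    seen = defaultdict(set)
    for client_ip, name in log:
        seen[client_ip].add(name)
    return seen


def enrich(ip, leases=DHCP_LEASES, owners=MAC_OWNERS,
           dns_log=DNS_LOG, baseline=DNS_BASELINE):
    """Walk IP -> MAC -> fingerprint -> user, then attach DNS context.

    Every hop is optional: a statically addressed host has no lease, and a
    camera has no human owner. The alert still gets whatever context exists
    instead of the lookup failing outright.
    """
    alert = EnrichedAlert(ip=ip)
    lease = leases.get(ip)
    if lease:
        alert.mac, alert.fingerprint = lease
        alert.user = owners.get(alert.mac)
    alert.dns_names = dns_by_client(dns_log).get(ip, set())
    # Names this host has never been seen resolving before are the
    # "aberrant behaviour" worth an analyst's attention.
    alert.dns_outliers = alert.dns_names - baseline.get(ip, set())
    return alert


if __name__ == "__main__":
    for ip in ("10.1.20.15", "10.1.30.8", "10.1.50.1"):
        print(enrich(ip))
```

The analyst now sees "alice's Windows workstation, nothing unusual in DNS" versus "an IP camera resolving a name it has never resolved before" rather than two bare addresses, which is exactly the difference between a ticket that can be closed and one that deserves a look.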
Filtering out the noise
As more and more alerts come in, facilitated by automation, mitigating alert fatigue is essential to ensuring your security teams don’t burn out and let something through the net. By prioritising alerts around critical assets, businesses can reduce the noise coming in around everything else. Machine learning and automation can be effectively leveraged to filter out the alerts that can be safely ignored, or even removed altogether. When organising and prioritising alerts, security teams need to ask themselves: if the response to an alert will always be to ignore it, can it be removed altogether? And if something can be done in response to an alert, can that response be automated?
Ultimately, if it isn’t already, it will soon be impossible for organisations to stay on top of the level of alerts coming in without some capability to automate the security alerts and filter out the noise.
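The two questions the panel poses, "will this always be ignored?" and "can the response be automated?", together with prioritising around critical assets, make a concrete triage policy. The following is an added example, not code from the roundtable or from Infoblox: it derives always-ignored rules from analyst disposition history, routes routine alerts to an automated response, and keeps a human in the loop for crown-jewel assets even when a response could be automated. The asset tiers, disposition history, automation map and alerts are constructed sample data.

```python
"""Alert triage: prioritise around critical assets, suppress rules that are
always ignored, hand routine responses to automation.

Added example (not the roundtable's or Infoblox's code). Every table and
alert below is constructed sample data.
"""
from collections import Counter

# Constructed asset inventory: host -> criticality tier.
ASSET_TIER = {
    "payroll-db-01": "crown-jewel",
    "ci-runner-07": "standard",
    "lobby-kiosk-02": "low",
}

# Constructed analyst history: (rule, disposition an analyst chose).
DISPOSITION_HISTORY = [
    ("printer-snmp-scan", "ignored"),
    ("printer-snmp-scan", "ignored"),
    ("printer-snmp-scan", "ignored"),
    ("printer-snmp-scan", "ignored"),
    ("printer-snmp-scan", "ignored"),
    ("malware-signature-hit", "contained"),
    ("malware-signature-hit", "ignored"),
    ("impossible-travel", "escalated"),
]

# Constructed map of rules whose response is routine enough to automate.
AUTOMATABLE = {
    "malware-signature-hit": "quarantine-host",
    "brute-force-lockout": "reset-password-and-notify",
}

# Constructed incoming alerts.
ALERTS = [
    {"rule": "printer-snmp-scan", "host": "lobby-kiosk-02"},
    {"rule": "malware-signature-hit", "host": "ci-runner-07"},
    {"rule": "malware-signature-hit", "host": "payroll-db-01"},
    {"rule": "impossible-travel", "host": "unknown-host"},
]

# Tier -> priority. An asset missing from inventory is itself a visibility
# gap, so it is ranked above ordinary assets rather than below them.
PRIORITY_BY_TIER = {"crown-jewel": "P1", "unknown": "P2", "standard": "P3", "low": "P4"}


def always_ignored_rules(history, min_samples=5):
    """Rules analysts ignored every single time, over enough samples to trust.

    The min_samples floor stops a rule that fired twice and was ignored twice
    from being silenced on that evidence alone.
    """
    totals, ignored = Counter(), Counter()
    for rule, disposition in history:
        totals[rule] += 1
        if disposition == "ignored":
            ignored[rule] += 1
    return {r for r in totals if totals[r] >= min_samples and ignored[r] == totals[r]}


def priority(host, tiers=ASSET_TIER):
    return PRIORITY_BY_TIER[tiers.get(host, "unknown")]


def triage(alerts, history=DISPOSITION_HISTORY, automatable=AUTOMATABLE):
    """Attach an action (and priority) to each alert."""
    suppressed = always_ignored_rules(history)
    decisions = []
    for alert in alerts:
        rule, host = alert["rule"], alert["host"]
        if rule in suppressed:
            decisions.append({**alert, "action": "suppress"})
            continue
        pri = priority(host)
        if rule in automatable and pri != "P1":
            action = "automate:" + automatable[rule]
        else:
            # Crown-jewel hosts never get an unattended containment action;
            # quarantining a payroll database automatically is its own outage.
            action = "investigate"
        decisions.append({**alert, "action": action, "priority": pri})
    return decisions


if __name__ == "__main__":
    for decision in triage(ALERTS):
        print(decision)
```

The suppression list is derived from what analysts actually did rather than hand-maintained, which keeps the "can it be removed altogether?" question answered with data; the min_samples floor and the P1 exception are the two places where the policy deliberately errs towards a human looking.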
Visibility, enrichment, and automation
With IT environments spilling over into the cloud and beyond, we have made it harder than ever for our security teams to effectively manage risk. What are the crown jewels of your organisation? If you don’t know what it is you are trying to protect, how are you supposed to be able to secure it? Establishing visibility around the organisation’s assets is critical to identifying where risk lies, and a central asset inventory will go a long way to improving your security team’s ability to respond to threats.
Automation is an invaluable tool for quickly identifying threats, but will never replace a human’s ability to understand business context and think critically. As such, investing in your staff is a key piece of the puzzle. Foster an environment of collaboration and knowledge sharing that removes the ‘us and them’ divide between security and the wider business. The better the business becomes at identifying and flagging risks, the more efficient your security team will become.