IT environments are becoming increasingly large and complex. The growing BYOD trend means that employees are accessing their corporate network using a multitude of different devices, from potentially unsecured locations. Likewise, an increasing number of organizations are utilizing cloud services and virtualization technologies.
SIEM solutions aggregate event logs from DLP, IDPS, UBA and anti-virus solutions, which security teams must sift through in order to identify correlations that may be indicative of a security incident.
The threats posed by the evolution of complex and distributed environments are compounded by a serious shortage of cyber-security professionals. As a result, companies across the globe are beginning to understand the importance of security automation, which is great; however, few companies really understand what it is they should be automating.
Below are 4 tips to help enterprises maximize the benefits that automation can bring.
Tip #1. SIEM Automation
SIEM solutions serve as the backbone of many organisations’ security architecture. They aggregate and correlate event logs from multiple sources, and generate alerts and reports based on a set of pre-defined conditions.
One of the drawbacks of most traditional SIEM solutions is that they generate large volumes of noise, which can overwhelm security teams and interrupt their workflow. SOAR (Security Orchestration, Automation and Response) solutions can filter, correlate and respond to the vast number of alerts produced by SIEM solutions, whilst leveraging AI and threat intelligence services to identify events and patterns of behaviour that correlate with known security threats.
Tip #2. Reputation and Risk Scoring
SOAR solutions are able to use advanced threat intelligence to identify suspicious events or entities, and assign a score to them, based on the severity of the threat. Security teams can use this score to prioritize tasks and improve their workflow. For example, a SOAR solution can automatically scan emails for URLs, look up the owner and location of a given website, and cross-reference the domain against a database of known malicious domains. As you can imagine, doing this manually would be an inefficient use of resources.
Tip #3. Threshold Alerting
Most sophisticated DCAP (Data-Centric Audit & Protection) solutions provide a feature known as “threshold alerting”. If a series of events matches a pre-defined threshold condition, a custom script can be executed, which can stop a specific process, disable a user account, change the firewall settings, shut down the server, or anything else that can minimize the chance of a security incident. Threshold alerting could be used to prevent the spread of ransomware, or to identify and respond to multiple failed login attempts.
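The failed-login case above, as an added example (not code from any DCAP product): a sliding-window counter that runs a response callback once a user crosses the threshold. The class name, the 5-failures-in-60-seconds threshold, the cooldown and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class ThresholdAlert:
    """Run `respond` when `limit` events for one key occur within `window`."""

    def __init__(self, limit, window, respond, cooldown=timedelta(minutes=15)):
        self.limit = limit
        self.window = window
        self.respond = respond      # stands in for the "custom script"
        self.cooldown = cooldown    # suppress repeat responses for the same key
        self._events = defaultdict(deque)
        self._last_fired = {}

    def observe(self, key, ts):
        """Record one event; return True if the response was executed."""
        q = self._events[key]
        q.append(ts)
        # Drop events that have aged out of the sliding window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) < self.limit:
            return False
        last = self._last_fired.get(key)
        if last is not None and ts - last < self.cooldown:
            return False            # already responded recently; avoid re-firing
        self._last_fired[key] = ts
        self.respond(key, len(q), ts)
        return True

def run_sample():
    """Replay constructed failed-logon events; return the responses triggered."""
    actions = []
    def disable_account(user, count, ts):
        # Assumption: a real deployment would call a directory or firewall API here.
        actions.append((user, count, ts.isoformat()))

    alert = ThresholdAlert(limit=5, window=timedelta(seconds=60),
                           respond=disable_account)
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    # Constructed sample: (seconds after t0, user). bob fails 6 times in 25 s;
    # alice fails 5 times spread over more than 13 minutes.
    sample = [(0, "alice"), (5, "bob"), (10, "bob"), (15, "bob"), (20, "bob"),
              (25, "bob"), (30, "bob"), (200, "alice"), (400, "alice"),
              (600, "alice"), (800, "alice")]
    for offset, user in sample:
        alert.observe(user, t0 + timedelta(seconds=offset))
    return actions
```

The cooldown matters in practice: without it, every further failure inside the window would re-run the response script against an account that is already disabled.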
Tip #4. Password Expiration Reminders
Automation doesn’t only help to detect and respond to cyber-attacks, but can also help to manage regular security operations, such as reminding users to reset their passwords. It is good practice to regularly reset passwords as doing so can limit the opportunity for an attacker to establish persistent access to the network.
Additionally, it can reduce the chance of an employee using the same credentials on multiple accounts and minimize the chance of an attacker gaining access to the network via credentials saved on a lost or stolen device. Again, most DCAP solutions provide built-in tools that can automate the process of reminding users to reset their passwords.
SOAR solutions can significantly reduce the need for human intervention, freeing up both the time and resources required to respond to potential/actual security incidents and eliminate false positives. Advanced DCAP solutions, such as LepideAuditor, can automatically detect, alert, report and respond to a wide range of events and scenarios. These may include unauthorised changes to user account privileges, suspicious file and folder activity, unauthorised mailbox access, unmanaged inactive user accounts, anomalous login failures, and a lot more.