Most security vendors these days, including Lockheed Martin, are touting new capabilities for automatically detecting advanced threats through the use of data analytics and automation. In business, “automation” is often synonymous with downsizing. In this case, however, we would argue that implementing automation tools is not about downsizing staff but rather about empowering cyber analysts to do more good work. While automating some of the more mundane and menial tasks of an analyst may free up cycles, it is not a cure-all that eliminates the need for human intelligence.
This post outlines three reasons automation alone won’t solve all of your network defense concerns. That said, a balanced approach to automation and analytics, coupled with a mature security intelligence team, can lead to an effective security posture with a healthy return on investment.
1. Automation tools can flag anomalies but not always imposters.
No matter how fast your shiny new automated malware analysis system claims it can process data, we are still faced with an ever-growing threat landscape in which attackers adapt to new forms of detection and analysis as fast as we can implement them. Even an extremely well-designed machine learning framework is not going to detect everything, no matter how many threat intelligence feed subscriptions you have. In fact, false positives and incorrectly detected “anomalies” often just add more noise that an analyst must sift through to find the real threats.
By using a tool that automates the task of identifying anomalies, your analysts will have more time to spend collecting intelligence around those anomalies. When follow-on investigations lead to the identification of actual incidents, the intelligence gained in the process will speed remediation and mitigation, keeping your analysts ahead of future attacks.
2. Automation tools can aggregate data but cannot create new intelligence or identify contextual gaps.
Consider a scenario where your security intelligence analysts are not spending time querying every indicator reputation tool but instead have this information presented at their fingertips. Instead of writing complex queries against all of your log files that can take hours to produce results, a well-architected data analytics solution can turn those searches into well-formatted data returned within seconds. This data is then enhanced by your threat intelligence providers, your own intelligence database, and the reputation tools you have at your disposal. The end result is a clear picture presented to your analyst, with all of the data in one place, to make a determination on the severity of the threat. That determination is what lets them generate intelligence about the incident and the adversary.
This is another example of analysts spending their time on the more meaningful tasks of incident response. Instead of trying to cope with a myriad of tools, the analysts make the tools work for them by presenting the appropriate context in a human-readable form that they can interpret into something meaningful. Over time, this process leads to a well-oiled machine in which analysts identify true adversary activity more quickly and pivot effectively across their intelligence knowledge base to identify the threat and prevent it from inflicting further damage.
Threat context is essential for a proactive cybersecurity posture. Such context cannot be achieved without skilled analysts in the loop. Automation technologies can speed otherwise manual functions but cannot take the place of discernment. This leads to the final point.
3. Automation tools can inform context but not mitigation plans.
One can argue that if you are already providing a rich data set to the analyst to make a determination on the threat, why not build a decision system that automatically does the same thing? In theory, an automated solution should be able to make those decisions more objectively and orders of magnitude faster. However, that locks you back into a systematic and formulaic decision system that does not account for the gray areas. For example, how would the system handle a compromised domain that does not have a bad reputation, or how would it classify a signed executable that appears benign but is surreptitiously side-loading a modified DLL?
The point is that if there is a formula for determining whether something is bad, adversaries will learn and work around that formula. It is imperative to keep the human analyst in the loop in order to understand the full context of the threat and the true scope of the adversary activity.
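To make the enrichment pipeline of section 2 and the gray areas of section 3 concrete, here is an added example, not code from Lockheed Martin, Leidos or any product named on this page. It assumes three constructed intelligence sources (a threat feed, an internal intelligence database and a reputation score) plus a constructed known-good DLL manifest, enriches each event with all of them, and then applies an automated verdict that deliberately hands the undecidable cases (a good-reputation domain never seen on the network before, a signed binary loading a DLL whose hash does not match the known-good one) to an analyst instead of closing them.

```python
"""Enrichment plus triage pipeline: an illustrative example, not vendor code.
Every feed, score, hash and event below is constructed sample data standing in
for real threat-intel providers, an internal intel database and reputation tools."""
from dataclasses import dataclass, field

# --- Constructed intelligence sources (stand-ins for real feeds) ---------------
THREAT_FEED = {"evil-updates.example": "known C2 (constructed feed entry)"}
INTERNAL_INTEL = {"supplier-portal.example": "seen in incident IR-0001 (constructed)"}
REPUTATION = {"cdn.example": 95, "evil-updates.example": 2}   # 0 = worst, 100 = best
# Known-good DLLs per signed image; hashes are constructed placeholders.
KNOWN_GOOD_DLL = {"updater.exe": {"libhelper.dll": "sha256:aaaa"}}


@dataclass
class Event:
    kind: str                                     # "dns" or "process"
    domain: str = ""                              # dns events
    first_seen_on_network: bool = False           # never resolved here before
    image: str = ""                               # process events
    signed: bool = False
    loaded_dlls: dict = field(default_factory=dict)   # dll name -> hash


def enrich(event: Event) -> dict:
    """Attach every available source to the event so the analyst sees one picture
    instead of querying each tool by hand."""
    ctx = {"event": event, "feed": None, "internal": None,
           "reputation": None, "dll_mismatch": []}
    if event.domain:
        ctx["feed"] = THREAT_FEED.get(event.domain)
        ctx["internal"] = INTERNAL_INTEL.get(event.domain)
        ctx["reputation"] = REPUTATION.get(event.domain)
    if event.kind == "process":
        expected = KNOWN_GOOD_DLL.get(event.image, {})
        for name, digest in event.loaded_dlls.items():
            # Same DLL name as the known-good manifest but a different hash:
            # exactly the side-loading case a reputation lookup cannot settle.
            if name in expected and expected[name] != digest:
                ctx["dll_mismatch"].append(name)
    return ctx


def triage(ctx: dict) -> str:
    """Automated verdict: 'malicious', 'benign' or 'analyst_review'.
    The rules only close cases they can justify; everything else is escalated."""
    ev = ctx["event"]
    if ctx["feed"] or ctx["internal"]:
        return "malicious"            # matched intelligence we already trust
    if ctx["dll_mismatch"]:
        return "analyst_review"       # signed image, unexpected DLL: gray area
    if ev.kind == "process" and not ev.signed:
        return "analyst_review"
    if ev.domain:
        rep = ctx["reputation"]
        if rep is None:
            return "analyst_review"   # no reputation either way
        if rep < 20:
            return "malicious"
        if rep >= 80 and not ev.first_seen_on_network:
            return "benign"
        # Good reputation but new to this network: a compromised domain would
        # look exactly like this, so do not let the formula auto-close it.
        return "analyst_review"
    return "benign"                   # signed process, DLLs match known-good


def process_event(event: Event) -> str:
    """Convenience wrapper: enrich, then triage."""
    return triage(enrich(event))


if __name__ == "__main__":
    samples = [
        Event("dns", domain="evil-updates.example"),
        Event("dns", domain="cdn.example"),
        Event("dns", domain="cdn.example", first_seen_on_network=True),
        Event("process", image="updater.exe", signed=True,
              loaded_dlls={"libhelper.dll": "sha256:bbbb"}),
    ]
    for s in samples:
        print(s.domain or s.image, "->", process_event(s))
```

The design choice worth noting is that the verdict function never returns "benign" for a case it cannot positively justify: the good-reputation domain is only auto-closed when it is also already familiar to the network, and a signed binary is only auto-closed when its loaded DLLs match the manifest. Everything else lands in the analyst's queue with the full enrichment context attached, which is the division of labor the post argues for.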
This approach of automating data retrieval and enrichment will leave your analysts with more time to spend separating the wheat from the chaff and working up appropriate mitigation plans, both tactical and strategic. An efficiently deployed defense-in-depth solution will result in a more mature security posture and, over time, lead to a measurable return on investment. Once you have the mitigations and analyst framework in place, scoring your team and your defenses becomes an easy way to understand where your investments are bringing back positive returns.
Automate the mundane and manual tasks to help present a clear picture that enables analyst-driven mitigation plans. A balanced automation approach means applying the right tools: tools that work for the analyst and that make your analysts better.
Leverage intelligence and automation to empower your analysts and thwart cyber-threats.
There have been a number of advancements in this space recently, including interesting developments around user behavior analytics (UBA) and machine-learning-based endpoint detection and response capabilities. Our team has been spending time in our labs integrating these tools into our methodology, both for our own enterprise defense and for our clients. One such example of this integration is our endpoint detection and response offering, the Leidos EDR solution powered by Cybereason, which:
- Eliminates false positives in endpoint anomaly detection
- Creates a clear and contextual picture of activity
- Empowers your team to effectively develop and execute an endpoint mitigation plan