Closing the security loop with automated incident response

Organizations need to automate low-complexity, high-volume tasks that are eating up so much of their experts' time

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Organizations have poured billions of dollars into cyber security detection solutions, and while they are exceptional at uncovering potential anomalies and threats, none of these products can guarantee against a breach. Consequently, the next logical step is to pair robust detection and prevention technology with equally efficient and effective operations solutions, including incident response.


Detection solutions are now generating an average of 10,000 alerts per day, according to a recent survey by Damballa--far too many for companies to inspect and manage. Yet security professionals are still attempting to manually separate false alarms from real threats; decide what action, if any, to take; and then perform repetitive actions like gathering data, conducting basic analysis, and generating notifications and tickets.

Forced to complete each of these tasks manually, many expert security professionals are spending the majority of their days completing what are, essentially, administrative tasks.

Automation as a Solution

Up until now, the way most organizations dealt with an escalating number of events was to add staff. Many CIOs and CISOs still think about security in terms of an alerts-to-employee ratio; that is, they determine the size of their security operations center (SOC) staff based strictly on the volume of alerts they receive from detection solutions. But with the number of alerts rising so rapidly, that strategy is quickly becoming unsustainable.

To progress into a new era for information security, organizations are going to have to automate some of the low-complexity, high-volume tasks that are eating up so much of their experts' time, just like they've done with detection. When an organization has the ability to remove mundane tasks from their experts' plates, they free them up to tackle the more-complex issues.

Process automation, at its core, is about understanding what an analyst does to protect the enterprise: the specific steps the analyst takes to deal with an alert based on its source, attack type, severity and similar factors. So when you are considering automation, the first step is to break down existing SOC operations until you have an almost minute-by-minute understanding of them.

For instance, thinking about how analysts respond to particular types of alerts may involve asking them granular questions like, "What are the sources of your alerts?" This seems obvious, but alerts can come from detection technology, be reported by the Service Desk, arrive via email or be called in by a user. Other lines of inquiry:

  • "What applications do they use to investigate alerts?" Do they look up users in Active Directory, an ERP solution or a corporate address book?
  • "Where do they get their investigation information?" Does it come from other detection technology, external threat intelligence or an internal configuration management database (CMDB)?
  • "How do they make decisions about response based on the information they have available?" Is it based on severity, affected system, affected users or a particular application?

That kind of granular thinking should not be limited to simply security alerts, either. Leaders should make a concerted effort to understand how staffers currently work through particular functions like creating shift turnover reports, generating metrics for management, or assigning tasks to various team members.

Once you have gathered as much information as possible about existing processes, you can work backward to determine which operations, if automated, would free up the most time for the experts on staff. Some of the repetitive tasks a solution should automate include:

  • Alert classification
  • False positive identification
  • Gathering of additional contextual information
  • Initial investigation and triage
  • Ticket generation
  • Email notification
  • Report generation
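As an added example, not code from the article or from Swimlane's product, the Python below wires the steps in the list above into one small triage routine: it enriches each alert with a directory and CMDB lookup, suppresses a known false positive, scores priority from vendor severity plus context, and emits the ticket payloads and notification lists an ITSM or mail integration would receive. The reference data, alert fields, rule thresholds and addresses are all constructed assumptions, and the decision rules are illustrative rather than any vendor's logic.

```python
"""Toy SOC triage playbook: enrich, classify, suppress false positives, route."""
from dataclasses import dataclass, field

# Constructed reference data (hypothetical; stands in for AD / CMDB lookups).
DIRECTORY = {  # user -> attributes an analyst would look up in Active Directory
    "jsmith": {"dept": "finance", "privileged": False, "email": "jsmith@example.com"},
    "admin.ops": {"dept": "it", "privileged": True, "email": "ops@example.com"},
}
CMDB = {  # host -> owner, business criticality, environment
    "fin-db-01": {"owner": "dba@example.com", "criticality": "high", "env": "prod"},
    "dev-ws-17": {"owner": "dev@example.com", "criticality": "low", "env": "dev"},
    "web-01": {"owner": "web@example.com", "criticality": "medium", "env": "prod"},
}
# Authorized vulnerability scanners: their port scans are expected, not attacks.
AUTHORIZED_SCANNERS = {"10.0.0.5"}
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Decision:
    alert_id: str
    action: str            # "suppress", "ticket" or "escalate"
    priority: str          # P4 (lowest) .. P1 (highest)
    reasons: list = field(default_factory=list)
    notify: list = field(default_factory=list)


def enrich(alert):
    """Attach directory, CMDB and scanner context to a raw alert (returns a copy)."""
    ctx = dict(alert)
    ctx["user_info"] = DIRECTORY.get(alert.get("user"), {})
    ctx["host_info"] = CMDB.get(alert.get("host"), {})
    ctx["src_is_scanner"] = alert.get("src_ip") in AUTHORIZED_SCANNERS
    return ctx


def false_positive_reason(ctx):
    """Return why the alert is a known false positive, or None if it is not."""
    if ctx.get("type") == "port_scan" and ctx["src_is_scanner"]:
        return "port scan from authorized scanner"
    if ctx.get("type") == "malware" and ctx["host_info"].get("env") == "sandbox":
        return "detonation in analysis sandbox"
    return None


def decide(alert):
    """Classify one alert and say what to do with it."""
    ctx = enrich(alert)
    fp = false_positive_reason(ctx)
    if fp:
        return Decision(alert["id"], "suppress", "P4", [fp])

    severity = ctx.get("severity", "low")
    score = SEVERITY_SCORE.get(severity, 1)
    reasons = [f"vendor severity {severity}"]
    # Context raises priority: critical asset, production host, privileged account.
    bumps = [
        (ctx["host_info"].get("criticality") == "high", "high-criticality asset"),
        (ctx["host_info"].get("env") == "prod", "production host"),
        (ctx["user_info"].get("privileged", False), "privileged account"),
    ]
    for hit, why in bumps:
        if hit:
            score += 1
            reasons.append(why)
    # Alerts reported by people carry no vendor score; do not underrate them.
    if ctx.get("source") in ("service_desk", "email") and score < 2:
        score = 2
        reasons.append("human-reported, floored at medium")

    if score >= 5:
        priority = "P1"
    elif score == 4:
        priority = "P2"
    elif score >= 2:
        priority = "P3"
    else:
        priority = "P4"
    action = "escalate" if priority in ("P1", "P2") else "ticket"
    notify = [ctx["host_info"]["owner"]] if ctx["host_info"].get("owner") else []
    if action == "escalate":
        notify.append("soc-oncall@example.com")
    return Decision(alert["id"], action, priority, reasons, notify)


def run_playbook(alerts):
    """Triage a batch; return decisions plus the ticket payloads an ITSM tool would get."""
    decisions = [decide(a) for a in alerts]
    tickets = [
        {"title": f"[{d.priority}] {a['type']} on {a.get('host', '?')}",
         "assignee": "soc-tier2" if d.action == "escalate" else "soc-tier1",
         "cc": d.notify, "reasons": d.reasons}
        for a, d in zip(alerts, decisions) if d.action != "suppress"
    ]
    return decisions, tickets


# Constructed sample alerts (not real detections).
SAMPLE_ALERTS = [
    {"id": "a1", "source": "ids", "type": "port_scan", "src_ip": "10.0.0.5", "host": "web-01", "severity": "medium"},
    {"id": "a2", "source": "ids", "type": "port_scan", "src_ip": "203.0.113.9", "host": "web-01", "severity": "medium"},
    {"id": "a3", "source": "edr", "type": "credential_dump", "user": "admin.ops", "host": "fin-db-01", "severity": "high"},
    {"id": "a4", "source": "service_desk", "type": "phishing_report", "user": "jsmith", "host": "dev-ws-17", "severity": "low"},
]

if __name__ == "__main__":
    decisions, tickets = run_playbook(SAMPLE_ALERTS)
    for d in decisions:
        print(d)
    for t in tickets:
        print(t)
```

Every suppression and priority bump is recorded in `reasons`, which is the part an analyst reviewing the automation's output actually needs: a rule that silently drops alerts is as dangerous as an analyst who never looks at them.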

Knowing what functions to automate is a great first step toward transforming information security operations. The next step is to identify and ultimately onboard a tool that allows the organization to execute that process automation.

First and foremost, a solution must be able to solve the issues of an organization's specific use case. That may sound obvious, but for organizations with complex, proprietary processes, it is not a simple requirement. The tool has to be flexible enough to meet those use cases, as well as the processes that don't have a name--the ad hoc processes that are unique to that organization.

It is also important to determine what level of automation is provided out of the box. One of the cumbersome obstacles that organizations want to avoid is being forced to go back to their vendors every time they want to add a process, report or mitigation. A true enablement tool allows companies to implement new processes, reports, notification and mitigations themselves.

There is some value in pre-canned solutions but, ultimately, an organization needs a tool that can go beyond offering the automations a vendor thinks the organization will need, to enabling the specific operations it actually requires.

Imagining a Better Future

What automation tools can't do is replace human expertise. They won't be able to perform all the functions of an expert security analyst's job. But what they can do is free up time for such experts by eliminating the repetitive tasks that consume their days. That is critical, because attacks are changing and continuing to become more complex. And the most effective means we have of identifying the anomalous behaviors that signal these new kinds of attacks is to let analysts be creative and spend some of their time hunting for new attacks, rather than completing repetitive, low-value tasks.

Once these experts figure out how to identify and thwart these new types of attacks, they may be able to recreate the process and automate it--but only if they have the time to search for anomalies in the first place.

An incredible 71 percent of organizations surveyed admitted to having been the victims of a successful cyberattack in 2014. To begin to reduce this number, organizations in all sectors are going to have to do more than adopt new solutions; they are going to have to change the way they think about cyber security. Specifically, companies must begin to see detection--regardless of how advanced it might be--as only one-half of the entire cyber security picture.

The information security industry has arrived at a critical moment in time, faced with a threat landscape that is continuously growing larger and more complex. At this crossroads, a greater focus on automated incident response is the best way forward.

Swimlane is a developer of cyber security automation solutions that centralize an organization's security operations activities, automate incident resolution and integrate with threat intelligence.


By Cody Cornell, founder and CEO, Swimlane