How incident response automation benefits security programs

06/08/2020

Despite the increase in security breaches and incidents in today's headlines, many incident response teams are understaffed or struggle to find the right skill set to do the job.

As such, many corporate incident response teams are actively looking for opportunities to automate processes that consume too much of their highly skilled analysts' time.

These processes often require a lot of repetition and provide little value in investigations. Common activities that many teams consider automating include:

  • Identify and correlate alerts:
    Many analysts spend excessive amounts of time going through repetitive alerts and alarms from many log sources and events, and then spend time putting together correlation strategies for similar events.

    While this is valuable for the later stages of investigations, it can also be highly repetitive and can be automated to a certain extent.

  • Identify and suppress false positives:
    Identifying and suppressing false positives is tedious work on a good day and overwhelming on a bad day. It can be simplified or automated using modern event management and incident response automation tools.

  • Initial investigation and threat hunting:
    Analysts need to quickly find evidence of a compromised system or unusual activity, and usually need to do so at scale.

  • Opening and updating tickets / incident cases:
    Thanks to improved integration with ticketing systems, the event management and monitoring tools used by response teams can open tickets, assign them to the right team members and update them as evidence comes in.

  • Produce reports and metrics:
    Once evidence has been collected and cases are underway or resolved, generating reports and metrics can take a lot of time for analysts.

Incident response automation use cases

Automating incident response can enable companies to respond quickly and mitigate security threats. Consider implementing one or more of the following use cases to improve incident response:

  • Automated DNS lookups of never-before-seen domain names observed in proxy and DNS logs.

  • Automated searches for detected indicators of compromise.

  • Automated forensic imaging of a suspicious system's disk and memory, triggered by alerts from network and host-based anti-malware platforms and tools.

  • Network access controls that automatically block the outgoing command and control channels of a suspicious system.

Incident response automation can also help with forensic evidence gathering, threat hunting and even automated quarantine or remediation activities on suspect systems.
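A minimal version of the first two use cases above (flagging never-before-seen domains in DNS and proxy logs, suppressing allowlisted domains as false positives, and matching known indicators of compromise), written as an added example for this article and not code from Conversys or Aruba; the log line format, the baseline of previously seen domains, the allowlist and the indicator domains are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines: timestamp, source host, log type, domain (not from a real environment).
LOG_LINES = [
    "2020-06-08T09:00:01Z ws-101 dns mail.example.com",
    "2020-06-08T09:00:05Z ws-101 proxy cdn.example.net",
    "2020-06-08T09:01:10Z ws-102 dns updates.example-vendor.test",
    "2020-06-08T09:02:33Z ws-103 proxy x7k2.example-bad.test",
    "2020-06-08T09:02:40Z ws-101 dns x7k2.example-bad.test",
    "2020-06-08T09:03:00Z ws-104 dns x7k2.example-bad.test",
    "2020-06-08T09:04:00Z ws-105 dns fresh.example-new.test",
    "malformed line that should be skipped",
]
BASELINE = {"mail.example.com", "cdn.example.net"}   # domains already seen before today (constructed)
ALLOWLIST = {"example-vendor.test"}                   # trusted suffixes, suppressed as false positives
IOC_DOMAINS = {"x7k2.example-bad.test"}               # constructed indicator-of-compromise list

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|proxy) (?P<domain>[\w.-]+)$")

def parse_line(line):
    """Return the parsed fields of one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_allowlisted(domain, allowlist):
    """True if the domain equals, or is a subdomain of, any trusted suffix."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in allowlist)

def triage(lines, baseline, allowlist, iocs, min_hosts=2):
    """Correlate log lines per domain, then flag first-seen domains and IOC hits; open a ticket
    candidate when a first-seen domain matches an IOC or is contacted by several hosts."""
    hosts_by_domain = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            hosts_by_domain[rec["domain"].lower()].add(rec["host"])
    result = {"first_seen": {}, "suppressed": [], "ioc_hits": {}, "tickets": []}
    for domain, hosts in hosts_by_domain.items():
        if domain in iocs:
            result["ioc_hits"][domain] = sorted(hosts)
        if domain in baseline:
            continue                                  # already known, nothing new to look up
        if is_allowlisted(domain, allowlist):
            result["suppressed"].append(domain)       # false positive, suppressed automatically
            continue
        result["first_seen"][domain] = sorted(hosts)
    for domain, hosts in result["first_seen"].items():
        if domain in iocs or len(hosts) >= min_hosts:
            reason = "ioc match" if domain in iocs else "first-seen domain on multiple hosts"
            result["tickets"].append({"domain": domain, "hosts": hosts, "reason": reason})
    return result
```

The first-seen domains in the result are the ones an automated DNS or reputation lookup would be run against; the ticket candidates are what would be handed to the ticketing system.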

Deciding which triggers to implement and which actions to take is the most time-consuming aspect of creating an automated or semi-automated response structure.

Do you focus on the user's actions? On specific events generated by instances or storage objects? On failure events?

Spending time learning about the behaviors of the environment and working to better understand normal usage patterns can have great operational value.

None of these tools or methods will replace skilled and knowledgeable security analysts who understand the environment and how to react appropriately during an incident scenario. However, unless security professionals start detecting and responding more quickly, it will be impossible to stay ahead of today's and tomorrow's attackers.

Conversys can help your company reduce the risks and impacts of this global crisis. Contact our experts now and find out about Aruba Networks' security, network management and connectivity solutions. We are on hand to help you overcome this challenge.

About Conversys

Conversys IT Solutions is a provider of Information and Communication Technology services and solutions operating throughout Brazil. 

With a highly qualified technical and commercial team and a network of partners that includes the main global technology manufacturers, Conversys IT Solutions is able to deliver customized IT and Telecom Infrastructure solutions to clients. 

We invest in our employees and partners and strive for a long-lasting relationship with our clients, because we believe that this is how we gain the skills and knowledge we need to innovate and generate value for the businesses in which we operate.

About Aruba

ARUBA, a Hewlett Packard Enterprise company, is redefining the intelligent edge with mobility and IoT solutions for organizations of all sizes globally.

Aruba offers IT solutions that empower organizations to serve the Mobile Generation - mobile-savvy users who rely on cloud-based applications for all aspects of their work and personal lives - and to harness the power of insights to transform business processes.

With infrastructure services offered as private or public cloud software, Aruba offers secure connectivity for mobility and IoT, allowing IT professionals to create networks that keep pace with change.
