By Sarah Radin, Product Marketing Manager
In our previous post, “Automation, the Key to the Cybersecurity Skills Shortage” we discussed CISA’s Ukraine alert, the challenges organizations face hiring and retaining security talent, and how automation, specifically Securonix Autonomous Threat Sweeper (ATS), can help. Let’s take a closer look at what it actually takes to detect and respond to threats and incidents rapidly, and the thorny issues that have to be addressed before you can actually have an effective cyber rapid response.
It’s a 24 x 7 Job
The first challenge is the time and resources it takes to monitor the constant stream of threat information from multiple sources, including research blogs, CISA warnings, threat intelligence feeds, and more. Ideally, monitoring should be a 24 x 7 effort, though obviously many firms don’t have the resources to meet such a challenge. Why 24 x 7? Threat actors know to strike organizations during weekends and holidays when the staff is away from their desks. For example, the recent Log4J threat, which we discuss in this blog, hit right before the weekend.
But monitoring the firehose of real-time threat information isn’t enough. Your security staff must have the experience and smarts to know which threats are relevant and critical and, most importantly, when swift action is needed.
Assuming you get those things right, you must determine if you’ve been exposed, which involves pulling together and analyzing information on indicators of compromise (IOC), and tactics, techniques, and procedures (TTP) for each relevant threat. This is not easy, because this information usually trickles in and morphs over several days, during which threat actors may change their tactics and IOCs can become obsolete in a constant game of Whac-A-Mole.
This information is then used in queries that scan your environment for TTPs and indicators. But there is a catch that trips up a lot of organizations. As you probably know, a lot of threats can lie dormant on your network for weeks or months before they’re discovered. In fact, according to IBM’s 2021 Cost of a Data Breach Report, it can take organizations an average of 287 days to identify and contain a data breach. Many organizations make the mistake of querying only recent event data to catch a threat in the act, when they really should look at their historical data to find signs of previous attacks that are now dormant on their network. Along with conducting post-hoc detection, analysts must also stay ahead of the threats of tomorrow by understanding how threat actors’ tactics are changing.
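To make the lookback point concrete, here is an added example (not Securonix code) of a retrospective IOC sweep over a constructed set of network events: the same indicator list is run with a short window and a 90-day window, and only the longer one surfaces the dormant contact. The event records, IOC values and hostnames are all made up for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): one old outbound contact
# to a flagged address, followed by months of benign-looking traffic.
EVENTS = [
    {"ts": "2021-12-03T22:14:00", "host": "ws-017", "dest": "203.0.113.45", "proc": "java.exe"},
    {"ts": "2022-02-20T09:00:00", "host": "ws-017", "dest": "198.51.100.7", "proc": "chrome.exe"},
    {"ts": "2022-03-01T11:30:00", "host": "srv-db1", "dest": "192.0.2.10", "proc": "sqlservr.exe"},
]

# Hypothetical indicator set, as it might be extracted from an advisory.
IOCS = {"203.0.113.45", "198.51.100.250"}


def sweep(events, iocs, now, lookback_days):
    """Return events inside the lookback window whose destination is a known IOC."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for event in events:
        seen_at = datetime.fromisoformat(event["ts"])
        if seen_at >= cutoff and event["dest"] in iocs:
            hits.append(event)
    return hits


def compare_windows(events, iocs, now, windows=(1, 7, 90)):
    """Count hits per lookback window to show what a short window misses."""
    return {days: len(sweep(events, iocs, now, days)) for days in windows}


# Fixed 'now' so the example is reproducible; the dormant hit is 89 days old.
NOW = datetime.fromisoformat("2022-03-02T00:00:00")

if __name__ == "__main__":
    for days, count in compare_windows(EVENTS, IOCS, NOW).items():
        print(f"lookback {days:>3} days: {count} IOC hit(s)")
    for hit in sweep(EVENTS, IOCS, NOW, 90):
        print("dormant contact:", hit["host"], "->", hit["dest"], "via", hit["proc"])
```

The 1-day and 7-day sweeps return nothing, while the 90-day sweep returns the December contact from ws-017; in a real deployment the lookback should cover the dwell time you are prepared to tolerate, not just the last day of data.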
If you find the critical threat, it’s time to alert stakeholders and figure out how to address it fast.
According to a survey run on IR and SOC teams, analysts are required to keep track of an average of 6.8 threat intelligence feeds and handle an excessive number of alerts manually: the average security operations team receives over 11,000 alerts per day. Securonix Threat Labs has found that this manual process can take up to 80 hours of a single analyst’s time per month in a typical mid-sized organization. According to Dark Reading, there were 50% more attack attempts per week on corporate networks globally in calendar year 2021 compared with 2020, resulting in the number of cyberattacks jumping to an all-time high of 925 per week per organization, partly thanks to Log4J.
The Wonder of Automation
Now imagine you have an automated tool that can do most of that work for you and cut that 80 hours a month in half or more. Imagine what that would do not only for your threat detection and mitigation capabilities but for your beleaguered staff struggling to swim against the relentless threat stream.
That’s exactly where the Securonix Autonomous Threat Sweeper (ATS) service comes in. As we mentioned in the last blog post, ATS acts as your own automated cyber response team, tracking and analyzing the streams of new threat information, determining which threats are relevant and critical, extracting IOCs and TTPs, querying event data, and creating threat reports, incidents, and suggestions for mitigation when threats are found. ATS runs the queries for you and goes back weeks or months in time to ensure the threat isn’t dormant on your network. Best of all, it addresses the three critical threat questions: when to act, how to know if you’re exposed, and how to address new threats today and tomorrow.
For more information on how ATS works and addresses just these three questions, check out our new white paper, “Address New Threats Today, Tomorrow, and Yesterday with Securonix Autonomous Threat Sweeper”. It goes into a lot more depth on the issues discussed in these blogs and exactly how ATS can help.