Automation Answers Security Skills Shortage

Published: 22/11/2024   Category: security




The often-discussed cybersecurity skills shortage may find a solution in security automation.



Hackers and analysts do battle with tools and techniques that are constantly evolving. Cybersecurity is an arms race, but it's not a fair one: the attackers get endless do-overs during an attack, yet a single InfoSec mistake can invite a breach. This burden of consistency is probably why the defenders are losing. However, something new is coming over the horizon that could even the score.
If there was ever a day when software automatically stopped breaches, that era is gone. Attackers continually alter malware, so complete certainty in threat detection is only possible for simple attacks. Advanced detection technologies are far more sensitive, but that sensitivity comes at a price: they can quickly flag something for an analyst, yet a human still has to take a look.
These human practitioners examining alerts represent a weakness. Outlier Security Founder and CTO Greg Hoglund compares them to weary-eyed night watchmen. "Analysts are tired of doing the same repetitious task," he explains. "They have too much data bombarding them. It doesn't mean you can remove the human from the loop, but it does mean you can make the humans you have more productive."
Today, nearly everyone uses Security Information and Event Management (SIEM) technology to consolidate alerts from their detection products into a single prioritized list of things to act on. Yet no aggregation technology has arisen to organize the response to those alerts. Response activities make up most of the work within a SOC and employ myriad products, including antivirus, sandboxes, and forensic tools like Volatility and EnCase.
Introducing Security Orchestration, Automation and Response (SOAR)
SOAR solutions represent the first real effort to act as a quarterback, guiding response activities across many products. Orchestration and automation vendors accomplish this by building connectors against each security product's APIs. Take Phantom, for example. The SOAR vendor boasts third-party apps covering over 670 APIs across more than 135 security technologies, according to Chris Simmons, the company's director of product marketing.
SOAR orchestrates your many products inside a platform that encompasses:
Alert Ingestion & Management
-- SOAR products ship with connectors to ingest all the SIEM alerts requiring response. Case management dashboards track ongoing activities and the alerts that have become real incidents. Analysts can view daily dashboards to see what they're supposed to prioritize and work on.
Automating Tasks in Playbooks
-- Displayed within these platforms are an organization's arsenal of owned security products and the tasks that can be performed through those products' API calls. These tasks can be dragged into visual playbooks to orchestrate and automate response: for instance, cross-checking alert information against threat intelligence feeds, using endpoint response products to collect telemetry, sandboxing files, or preserving forensic evidence.
Collaboration and Learning
-- Most of InfoSec personnel's work is in chasing down alerts. SOAR products enable multiple incident responders -- threat hunters or people from the IT help desk -- to coordinate their logistics.
On this final point, Rishi Bhargava, CEO of Demisto, describes his company's product as a collaboration platform for enhanced learning among analysts. The vision is to capture what your most skilled practitioners do and walk junior analysts through those proven playbooks. Some take it a step beyond humans working together: Bhargava adds that Demisto's machine learning enables analysts to escalate their knowledge levels.
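To make the ingest, enrich, decide and respond flow described above concrete, here is a minimal playbook runner in Python. It is an added illustration, not code from Phantom, Demisto or any other vendor named on this page. The SIEM alert lines, the threat-intel feed, the hostnames and TEST-NET addresses, and the connector names such as edr.isolate_host are all constructed for the example; a real platform would replace them with its own API connectors.

```python
"""Minimal SOAR-style playbook: ingest -> enrich -> decide -> respond (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed sample SIEM output as JSON lines (hostnames, rule names and
# TEST-NET addresses are made up for this example). A-1004 repeats A-1001.
SIEM_ALERTS = """\
{"id": "A-1001", "rule": "outbound-to-rare-ip", "host": "ws-042", "dst_ip": "203.0.113.7", "sha256": null}
{"id": "A-1002", "rule": "suspicious-download", "host": "ws-017", "dst_ip": "198.51.100.9", "sha256": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"}
{"id": "A-1003", "rule": "outbound-to-rare-ip", "host": "ws-088", "dst_ip": "192.0.2.55", "sha256": null}
{"id": "A-1004", "rule": "outbound-to-rare-ip", "host": "ws-042", "dst_ip": "203.0.113.7", "sha256": null}
"""

# Constructed threat-intel feed, standing in for a TI connector's API.
THREAT_INTEL = {
    "ip": {"203.0.113.7": "known-c2"},
    "sha256": {"b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9": "commodity-stealer"},
}


@dataclass
class Case:
    alert: dict
    indicators: dict = field(default_factory=dict)  # IOC value -> TI label
    verdict: str = "unknown"
    actions: list = field(default_factory=list)     # connector calls the playbook issued


def ingest(raw: str) -> list[dict]:
    """Parse JSON-lines alerts and collapse repeats of (rule, host, dst_ip)
    so the same event does not open two cases for the analyst."""
    seen, alerts = set(), []
    for line in raw.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        key = (alert["rule"], alert["host"], alert.get("dst_ip"))
        if key not in seen:
            seen.add(key)
            alerts.append(alert)
    return alerts


def enrich(case: Case, ctx: dict) -> Case:
    """Cross-check alert fields against the threat-intel feed in ctx."""
    for alert_field, ioc_kind in (("dst_ip", "ip"), ("sha256", "sha256")):
        value = case.alert.get(alert_field)
        label = ctx["ti"][ioc_kind].get(value) if value else None
        if label:
            case.indicators[value] = label
    return case


def decide(case: Case, ctx: dict) -> Case:
    """Automate only the confident call; everything else goes to a human."""
    case.verdict = "malicious" if case.indicators else "needs-review"
    return case


def respond(case: Case, ctx: dict) -> Case:
    """Record the connector calls (EDR, forensics, case management) instead of
    executing them, so the example runs offline. Names are hypothetical."""
    host, alert_id = case.alert["host"], case.alert["id"]
    if case.verdict == "malicious":
        case.actions += [("edr.isolate_host", host),
                         ("edr.collect_telemetry", host),
                         ("forensics.preserve_evidence", host),
                         ("case.open", alert_id)]
    else:
        case.actions.append(("case.assign_analyst", alert_id))
    return case


# The "visual playbook": an ordered list of connector-backed steps.
PLAYBOOK = [enrich, decide, respond]


def run_playbook(raw_alerts: str, ti: dict, steps=PLAYBOOK) -> list[Case]:
    """Run every deduplicated alert through the playbook and return the cases."""
    ctx = {"ti": ti}
    cases = []
    for alert in ingest(raw_alerts):
        case = Case(alert=alert)
        for step in steps:
            case = step(case, ctx)
        cases.append(case)
    return cases


if __name__ == "__main__":
    for c in run_playbook(SIEM_ALERTS, THREAT_INTEL):
        print(c.alert["id"], c.verdict, [a[0] for a in c.actions])
```

The point of the structure is that `decide` only automates the call it can make with confidence (an indicator matched a feed); anything else is routed to a person via the case-management connector, which is the "human still in the loop" that Hoglund describes. The deduplication in `ingest` is what keeps a repeated SIEM alert from paging the same analyst twice.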
SOAR market growth expected
Big industry players are banking on SOAR being a big deal, with few naysayers. Gartner predicts that "a large percentage of the security budget will shift to SOAR." FireEye, Rapid7 and IBM have all purchased SOAR products. Mega IT ticketing company ServiceNow has released an orchestration and automation offering. SIEM giant Splunk has also stepped into the arena. Across the industry, momentum is swelling.
Meet the new players
Innovation usually arrives at the hands of startups, which often operate better autonomously than when pushing against an acquiring company's inertia. Despite the entry of large vendors, history shows that at least one independent brand typically survives in the category it founded. These four US-based startups focus exclusively on SOAR, and most of them date back to the birth of the category in 2014 or 2015:
Demisto
was founded by former McAfee execs and has major venture capital (VC) backing. The company delivers more than the typical SOAR features; CEO Rishi Bhargava describes it as "a social platform to collaborate." Demisto was also among the first to ship a solution with machine learning capabilities.
Phantom
also has an impressive list of VCs backing it. In addition to numerous connectors, Phantom's solution boasts an AI capability dubbed Phantom Mission Guidance. It's designed to support analysts, Chris Simmons says, "by suggesting possible steps to investigate, contain, eradicate, and recover."
Swimlane
focuses on a complete platform, going beyond response, compliance and automation to add "the ability to bring these capabilities together where security teams are first-class citizens," according to Founder and CEO Cody Cornell. Cornell believes automation will become a cornerstone capability of the SOC in the not-too-distant future.
CyberSponse
is building its future with open technologies and a traditional business model. Founder and CEO Joe Loomis says CyberSponse is "the only platform with open source playbooks." He's also thinking outside the box on funding: "We are not VC based, and happy customers are more important than revenue."
How much will automation impact the SOC?
SIEMs have been the main product that SOCs keep on the big screen to monitor overall security health; they get more of InfoSec's eyeball time than any other product. Yet in the end they only produce a to-do list, and responding to the items on it makes up most of the SOC's activity. This raises the question: could SOAR be the first product category to steal the SIEM's eyeball time?
Bhargava believes so. "That is absolutely happening," he argues. "The real investigation work is starting to happen in the automation platforms, and I absolutely agree that we will get more." Not everyone is optimistic about slaying the Goliaths, and acquisition is certainly in store for some of SOAR's founding startups. Loomis comments: "I think the future is that SIEMs will acquire a SOAR capability or build such an offering within five years."
No matter who brings automation to the people, it will fundamentally change the way SOCs operate.

Paul Shomo is the Sr. Technical Manager, 3rd Party Technologies at OpenText.
