For years the cyber security market has been dominated by vendors selling you their Terminator. These Terminators are purpose-built security controls with a singular, dedicated function. They are the killing machines (malware or threat killing to be specific) of the security world, and because they are so effective, they are often products everyone has because everyone needs. These traditional security prevention controls constitute the majority of the cyber security market, and they largely replace what would have been a manual human function.
These traditional, Terminator-style products are plentiful, and chances are you spend a lot of money on them today. It is the firewall performing network traffic filtering. It is the email filter getting rid of spam and trying its best to get rid of phishing emails. It is the endpoint anti-virus solution detecting malicious signatures as they arrive on your end users’ laptops or desktops. These are all Terminators. They solve a specific issue by replacing what would have been a manual task. Terminators are better and faster than humans at this type of task, and have reduced manual performance of these tasks to a vanishingly small amount. No one is manually filtering through network traffic, email traffic, or endpoint activity. The controls in place provide highly tuned alerts with ever-decreasing false positive rates today.
These controls have been extremely successful in protecting organizations. If I don’t have to allocate resources to a manually intensive function and can outright reallocate that resource to another function, I am one happy CISO. Obviously, there is still care and maintenance that requires time allocation, but this is far less time than a human would require for the same outcome.
However, there is a growing trend that really seemed to solidify itself in the first half of 2017. I have seen more Iron Man style security products coming out of stealth and becoming commercially available than ever before. Let me explain my analogy first. Tony Stark is just a man. A billionaire genius, but just a man nonetheless. He essentially uses a tool to augment his own capabilities. His mechanical suit enables him to do the impossible and save the day, but the human is still in the driver’s seat. Terminators are here to replace humans, while Iron Man products keep humans in the driver’s seat, but augment their capabilities to superhuman levels.
Importantly, there are many tasks that cannot be fully automated by a Terminator-style tool – tasks where human intervention is mandatory. While full automation has long been a focus, these human-centric areas have been stagnant until recently. The development of Iron Man-style tools presents a huge opportunity for security practitioners to expand their capabilities further than ever before.
There are more and more security vendors out there today whose sole objective is to add value by supporting humans in completing their tasks more effectively and efficiently than they otherwise would have been able to do. One of the most mature categories of augmentation tools (because calling them Iron Man tools sounds too cool) available today is incident response orchestration and automation. These tools have been around for a little while now, and their main purpose is to take incident response, which was conventionally a manual process carried out by humans, and manage that function in a more efficient platform. Humans are still carrying out the actual incident response. But they can augment their capabilities with a platform to track their activities, aggregate information, push out alerts or notifications, and a multitude of other tasks. This tool does not replace the security professional at the heart of incident response. Rather, this tool augments the professional’s ability to respond. More and more tools are genuinely looking to make the security professional’s life easier.
There are a few common factors that make an Iron Man type product very attractive. In small to moderate-sized organizations, IT departments often wear so many hats that some critical security responsibilities inevitably fall far down their list of priorities. There are too many tasks that cannot be fully automated, but also cannot be done manually, and there are too many resource constraints to meet every need. This type of situation is very common, and Iron Man products are at their most effective here. The two main areas where we see this happening are incident response and threat intelligence. Traditionally, incident response and threat intelligence were areas that required dedicated staff or at least niche areas of expertise and experience. It makes sense then to provide tools to support the normal security professional in these more peripheral duties and allow focused attention to be directed to higher priority tasks. Another area is digital risk monitoring, which augments a relatively new set of responsibilities. Let’s explore all three in more detail.
Most incident response functions at organizations today are relatively archaic when compared to many other security or IT functions. It is a highly manual effort requiring paper forms on clipboards, spreadsheets, and enormous threads of unstructured emails, and often includes some technology-focused security professional who struggles to interact with business stakeholders. The way technology has supported incident response (IR) has historically been haphazard or repurposed. Many incident response teams will use major ticketing systems such as BMC Remedy, ServiceNow ITSM, or the like to track their response actions. These tools were designed for IT operations and service desk functions, not for incident response orchestration. Many organizations have taken the extra step to develop some custom scripts connected to certain applications or databases in an attempt to make their IR more efficient. This can be very hard in itself, and if the person who wrote the script ever leaves, it can become useless.
Hence, the entrance of the incident response orchestration and automation tools. The main goal is to ensure your security staff can respond to an incident in the best way. The tools cover two primary areas: orchestration and automation.
Incident orchestration is the collection, aggregation, and documentation of relevant information to support the incident responder. It does the heavy lifting when it comes to things like gathering and enriching security data, investigating phishing emails, or looking for activity related to indicators of compromise (IoCs) – all manual steps that require a lot of time. Most popular today is leveraging orchestration for relatively simple tasks such as information gathering.
Automation is the less popular function being leveraged today, and with good cause. Automation is always a concern for security, since simple blocking of ports or blacklisted IP addresses across all security filters can result in major business disruptions and potential self-inflicted denial of service. Most popular today is the automation of low-level remediation tasks like blocking known malicious command and control IP addresses or isolating a host with a known ransomware signature.
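The self-inflicted denial of service risk above is usually handled by putting a guardrail between the platform's "block this" decision and the firewalls. The following is an added example, not code from the article or from any orchestration product; the protected address ranges, the allowlist, and the indicator records it evaluates are all constructed.

```python
"""Guardrail for automated IP blocking: decide whether a proposed block
may run unattended, needs an analyst's approval, or must be rejected.
Added example, not from the article; all addresses below are constructed."""
import ipaddress

# Constructed: address space the organization itself depends on. Pushing a
# block for any of these to every security filter is how self-inflicted
# denial of service happens.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "203.0.113.0/24",   # constructed: the org's own public range
)]
BUSINESS_CRITICAL = {"198.51.100.10"}  # constructed: e.g. a payment partner

def decide_block(indicator):
    """Return (action, reason) for a proposed block of indicator['value'].
    action is 'auto_block', 'needs_approval' or 'reject'."""
    try:
        target = ipaddress.ip_network(indicator["value"], strict=False)
    except ValueError:
        return "reject", "not an IP address or CIDR"
    if target.num_addresses > 1:
        # A range block can take out far more than the offending host.
        return "needs_approval", "range blocks are never automated"
    addr = target.network_address
    if any(addr in net for net in PROTECTED_NETWORKS):
        return "reject", "address is inside protected address space"
    if str(addr) in BUSINESS_CRITICAL:
        return "reject", "address is on the business-critical allowlist"
    # Only the low-level remediation the text describes is automated:
    # high-confidence command and control. Everything else waits for a human.
    if indicator.get("type") != "c2" or indicator.get("confidence", 0) < 90:
        return "needs_approval", "only high-confidence C2 is auto-blocked"
    return "auto_block", "high-confidence C2 indicator"
```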
IR orchestration and automation is becoming more and more proactive due to increased maturity of other security controls and opportunities for integration. As proactive network monitoring (Arbor Networks, Cisco Lancope, ExtraHop, RSA) and endpoint monitoring tools (Carbon Black, Cylance, Cybereason) mature and become more common, IR tools can become near proactive in their response time.
At Info-Tech, we define threat intelligence as the production of actionable intelligence facilitated through various collection, analysis, and collaboration activities. I know – sounds time consuming. That’s because it is. Threat intelligence includes collecting and aggregating IoCs, identifying threat actors (IP address, domain names, network traffic content, email addresses, user names, file hashes, etc.), identifying attack methods (phishing, USB, DDoS, etc.), and then acting on the relevant data to improve incident response times, patching efforts, and enabling preparation for future attacks. Not to mention, to do all of this you need to develop a clear program with supporting processes and then allocate and manage responsibilities among various staff.
Conventionally, if you heard about the latest and greatest attack, or had just restored a system after an attack and were doing an in-depth post-mortem, you would be doing a lot of searching and filtering of threat data into practical intelligence that you can use. This means checking various online databases for signatures you may have encountered, looking at the various open-source feeds you may have, and iteratively reading and narrowing your search.
Threat intelligence platforms provide the value of funnelling and analyzing your various threat data (whether or not you are taking advantage of open-source feeds today) and generating threat intelligence that is particular to your organization. Think of this simplistic example: a new POS malware scraper has emerged in Eastern Europe, but I’m a bio-medical company in Boston – I don’t really care, so don’t mention it. Right now you probably get that email or alert anyway, and have to take the time and effort to make a decision on it. This kind of white noise can make it difficult to find the needle in the haystack that will protect you against the next attack – the task of finding needles is made much easier if a machine can remove 99% of the hay before you ever see it.
Many organizations today use SIEM solutions to aggregate their environmental data and analyze it for potential security incidents. SIEM data requires a lot of collection, aggregation, and normalization, and just pointing threat data feeds at a SIEM may not work and could result in a spike in false positives (or just higher SIEM storage costs). Threat intelligence platforms put a layer in front of the SIEM to aggregate threat data, correlate it, distil it down, and then feed it into your conventional security technologies. Threat intelligence platforms save security analysts time spent on general threat research as well as time spent parsing through data feeds.
In the future, these platforms will have the ability to generate a threat score for your organization. Similar to how governance, risk, and compliance (GRC) tools generate a risk view, threat intelligence platforms can generate a threat score. This would be the general threat your organization is under given things such as your industry, physical locations, number of end users, software and hardware being used, etc. You would then be able to answer questions about who you are under threat from, what attack types would be used, and how much you should care.
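The "remove the hay before the analyst sees it" layer from the two paragraphs above, as an added example that is not the article's or any vendor's code: an organization profile (the Boston bio-medical company from the text) is matched against each feed record's victimology tags, low-confidence and irrelevant records are dropped, and duplicates across feeds are collapsed before anything is handed to the SIEM. The profile, the feed records and the tag vocabulary are constructed.

```python
"""Relevance filter for threat-feed indicators before they reach a SIEM.
Added example, not the article's or any vendor's code; the organization
profile, feed records and tag names below are constructed."""

ORG_PROFILE = {  # constructed: the Boston bio-medical company from the text
    "industries": {"biomedical", "healthcare"},
    "regions": {"north_america"},
    "platforms": {"windows", "office365", "linux"},
}

def _tags(industries=(), regions=(), platforms=()):
    return {"industries": set(industries), "regions": set(regions),
            "platforms": set(platforms)}

FEED = [  # constructed feed records; 'targets' is the vendor's victimology tag
    {"value": "scraper.example", "type": "domain", "confidence": 85,
     "targets": _tags(["retail"], ["eastern_europe"], ["pos_terminal"])},
    {"value": "c2.example.net", "type": "domain", "confidence": 90,
     "targets": _tags(["healthcare"], ["north_america"], ["windows"])},
    {"value": "198.51.100.200", "type": "ipv4", "confidence": 75,
     "targets": _tags()},                        # untagged: generic indicator
    {"value": "c2.example.net", "type": "domain", "confidence": 70,
     "targets": _tags(["healthcare"])},          # duplicate from a second feed
]

def relevance(record, profile):
    """0..3: number of profile dimensions the indicator's targeting overlaps.
    Untagged indicators count as 1 (generic) rather than as irrelevant."""
    targets = record["targets"]
    if not any(targets.values()):
        return 1
    return sum(1 for dim in profile if profile[dim] & targets[dim])

def triage(feed, profile, min_conf=60, min_relevance=1):
    """Return SIEM-ready records: low-confidence or irrelevant ones dropped,
    duplicates collapsed on (type, value) keeping the highest confidence."""
    best = {}
    for rec in feed:
        if rec["confidence"] < min_conf or relevance(rec, profile) < min_relevance:
            continue
        key = (rec["type"], rec["value"])
        if key not in best or rec["confidence"] > best[key]["confidence"]:
            best[key] = rec
    return [{"type": t, "value": v, "confidence": r["confidence"],
             "relevance": relevance(r, profile)} for (t, v), r in best.items()]

def hay_removed(feed, profile):
    """Fraction of raw feed records that never reach the analyst or the SIEM."""
    return 1 - len(triage(feed, profile)) / len(feed)
```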
One type of tool today will aggregate and correlate data feeds (based on what the vendors choose) and generate custom alerts for your organization. The real value add here is time saving. Other types will provide the platform to aggregate data, correlate it, and then automatically push this information into your conventional security technologies (firewalls, SIEM, etc.). Most threat intelligence platforms are cloud based and sold on a subscription basis. Most will have additional managed service options.
Digital risk monitoring tools look to provide visibility into your organization’s digital risk across various dispersed channels and environments to give you greater situational understanding as a security professional. These are not the traditional risks of specific threats or vulnerabilities, but more peripheral risk. These are risks associated with brand damage, IP misuse, corporate defamation, terror acts, geopolitical events, supply chain disruptions, protests, and social unrest to name a few. I believe that information security at its core is a function of risk management. We have traditionally focused on mitigating cyber risk in the form of exploitable vulnerabilities or preventing cyberattacks, but digital risk monitoring tools attempt to expand our scope of risk management. Companies face cyber risk as well as brand and physical risk, and the latter two are increasingly moving to the purview of the security professional.
These tools attempt to aggregate as much information as possible, often with their own unique value-add methodology, to provide a larger digital risk score for your organization. This means monitoring, aggregating, and analyzing disparate touchpoints, mentions, affiliations, and instances that relate to your company. This comes in the forms of social (social networks, blogs, review sites, and code and file sharing sites), mobile (mobile apps, app stores, mobile device data, and mobile-designed sites), web (websites, domains, registry operators, search engines, digital ads, and deep unindexed web), and dark web (darknets, internet relay chat, and P2P). This information is highly valuable to risk management functions, and it has never before been so easily monitored, aggregated, and analyzed with a single tool.
Although we always want Terminator-style security controls that can outright complete a security function, many times a human will be required, and thus we must look for tools to augment our own capabilities to become more effective and efficient. These tools will by nature have a higher level of intimacy with security professionals (even if they are used infrequently), and thus our ability to actually use them and just plain like them is paramount. Assess your security program staff today and ask: where can a tool make us better that warrants investment?