One of the key benefits of a Security Automation and Orchestration (SA&O) platform is its ability to strengthen your defenses and in turn reduce your organization’s security risk exposure. With new sources of risk constantly being added to your environment’s attack surface, leveraging SA&O allows you to reduce that risk in a number of powerful ways. This reduction in risk can be attributed to several factors, including capacity, speed, and consistency.
Most security teams would agree that one of the largest security risks comes from their limited capacity to investigate and respond to the security alerts they receive. In fact, the Cisco 2017 Annual Cybersecurity Report reported that an average of 44 percent of alerts are simply ignored due to resource challenges. An unknown amount of risk lies in these uninvestigated alerts. Making matters worse, the Cisco report also indicates that only 54 percent of investigated and confirmed threats get remediated. These two statistics combine to create a sobering fact: resource constraints and unresolved threats create serious risk for an organization. The impact of a successful attack can be significant; customers may be lost, revenue may be impacted, and the organization could experience immeasurable brand damage.
SA&O platforms act as a force multiplier for resource-constrained security teams. They allow teams to automate time-consuming investigations and even automatically remediate well-known threats where the team has an established Standard Operating Procedure (SOP). This allows the team to dramatically scale their capacity and reduce the amount of uninvestigated and unresolved alerts, thereby reducing the organization’s security risk exposure in the process.
Adversaries introduced automation into their attack suites long ago. From Distributed Denial-of-Service (DDoS) attacks to automated port scanning and beyond, the bad guys know that they need automation to intensify and quicken their assault. Once a threat actor is inside a network, the longer their dwell time, the greater the damage they can cause. Therefore, security teams should measure dwell time and actively work to reduce it. Demonstrating shorter dwell times directly correlates to less risk exposure.
Automation can help with this critical metric. It’s not uncommon for threat investigations to execute in seconds when automated versus hours or more if performed manually. SA&O platforms can also reduce the time to containment and remediation. Whether the platform is operating without an analyst approving security actions (e.g. on-the-loop or out-of-the-loop supervision) or with analysts reviewing security actions before they are performed (e.g. in-the-loop supervision), speed is gained in all cases—resulting in reduced risk. SA&O platforms can also quantify and report on an organization’s dwell time. This allows security teams to demonstrate the reduction in risk that results from implementing an SA&O platform.
A key factor in an organization’s operational maturity is its ability to act with consistency. It’s easy to understand that a lack of consistency increases risk. In a manual mode of operation, newer analysts are not as familiar with SOPs and are prone to making more mistakes. More experienced analysts know the processes well, but may be tempted to cut corners to save time (likely driven by the capacity issue discussed earlier). Both of these scenarios can increase risk and also create problems with auditors. In contrast, an SA&O platform processes alerts and cases consistently, following codified SOPs with precision—the same way every time. While processes should always be reviewed and iterated upon to improve efficacy, organizations gain significant ground in the reduction of risk through the use of automation.
If you haven’t already, download the Phantom Community Edition and give the platform a test drive. Learn how Phantom can help you increase your capacity, speed, and consistency, while driving measurable reductions in your organization’s risk exposure in the process.
Reference: Cisco 2017 Annual Cybersecurity Report http://www.cisco.com/c/m/en_au/products/security/offers/cybersecurity-reports.html