Improved threat-detection capabilities have led to the unintended consequence of “alert overload.” Whether due to detecting an abundance of real threats or generating an excess of false-positive alerts, security analysts have become overloaded with alerts from their cybersecurity controls. Most cybersecurity teams today do not have enough bandwidth to properly address every alert. Additionally, smaller cybersecurity teams often lack the expertise necessary to properly address even high-risk alerts.
Most threat-detection platforms, such as EDR (endpoint detection and response) and NDR (network detection and response) solutions, include some level of automated response capabilities to help understaffed security teams address detected threats. As the need for automated response becomes more urgent, it seems every threat detection and response (TDR) vendor is claiming some type of response automation capability. But what do vendors mean when they offer “response automation?” How can the average security person make sense of everything the vendors are saying?
In this article, we offer the five levels of response automation most often deployed by cybersecurity professionals and ranked by progressively higher levels of protection. Industry information for this edition of eWEEK Data Points is supplied by Eyal Gruner, Co-Founder and CEO at Cynet.
Data Point No. 1: Basic automated remediation on a single endpoint
The ability to auto-remediate a threat provides several benefits, such as the ability to respond to a threat before it spreads further into the environment or exfiltrates sensitive data. It also provides the ability to respond quickly to dangerous threats when security analysts are otherwise unavailable. This level of response automation is available in virtually all NGAV (Next-Gen Anti-Virus), EDR (Endpoint Detection & Response), XDR (Extended Detection & Response) and SOAR (Security Orchestration, Automation and Response) solutions.
Data Point No. 2: Basic automated remediation on multiple endpoints
The ability to expand remediation beyond a single device significantly reduces the time required to take the necessary remediation actions on multiple machines and fully remediate an identified threat. Multi-endpoint remediation includes the ability to search for and identify a threat on one or many endpoints across an environment, then take the appropriate remediation actions.
This capability is especially critical for large and remote workforces so broader remediation actions can be accomplished without physical access to devices. It also provides a base level of threat hunting as newly discovered threats and IOCs can be found and remediated efficiently across endpoints. This level of response automation is available in most EDR and virtually in all XDR and SOAR solutions.
Data Point No. 3: Extended automated remediation across environment
Beyond identifying and remediating endpoint-specific threats, additional remediation actions are often necessary to fully eradicate all components of an attack. Many organizations are forced to move between multiple security applications to perform non-endpoint specific remediation actions, such as disabling a user account or blocking certain network traffic.
The ability to perform multiple types of remediation (i.e., file, host, network and user remediation actions) from a single pane of glass not only provides significant time savings, but it also better positions the organization to address all components of a threat before damage can be done. This level of response automation is available in most XDR and SOAR solutions.
Data Point No. 4: Extended remediation playbooks across the environment
Building upon the ability to perform multiple remediation actions across the environment, playbooks automate a predefined sequence of remediation actions in response to specific threats. Remediation playbooks can be executed automatically in response to a detected threat for immediate response, or they can be triggered manually to provide more oversight and control.
An example of a remediation playbook could be one that responds to a detected ransomware threat. In response to detected ransomware, most responders would likely kill the malicious process on the endpoint and isolate the machine from the network. But, this is not enough to ensure the ransomware threat is fully addressed. Additional actions could involve disabling the user involved in case credentials have been compromised and perhaps blocking certain network traffic. This level of response automation is available in many XDR and most SOAR solutions.
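The ransomware playbook described above, written out as a small SOAR-style runner. This is an added illustration, not Cynet's or any product's code; the `Environment` and `Alert` types, the action names and the `auto`/`approved` switches are all assumptions standing in for real EDR, directory and firewall APIs.

```python
from dataclasses import dataclass, field

# Constructed in-memory stand-in for the EDR, directory and firewall APIs.
@dataclass
class Environment:
    running: dict = field(default_factory=dict)        # host -> {pid, ...}
    isolated_hosts: set = field(default_factory=set)
    disabled_users: set = field(default_factory=set)
    blocked_dests: set = field(default_factory=set)

@dataclass
class Alert:
    threat_type: str
    host: str
    pid: int
    user: str
    c2_dest: str

# Each action changes the environment and returns an audit-log line.
def kill_process(env, a):
    env.running.setdefault(a.host, set()).discard(a.pid)
    return f"killed pid {a.pid} on {a.host}"

def isolate_host(env, a):
    env.isolated_hosts.add(a.host)
    return f"isolated {a.host}"

def disable_user(env, a):
    env.disabled_users.add(a.user)
    return f"disabled user {a.user}"

def block_traffic(env, a):
    env.blocked_dests.add(a.c2_dest)
    return f"blocked traffic to {a.c2_dest}"

# Endpoint steps first, then the user and network steps the text calls for.
PLAYBOOKS = {"ransomware": [kill_process, isolate_host, disable_user, block_traffic]}

def run_playbook(env, alert, auto=True, approved=False):
    """Automatic trigger runs every step at once; a manual trigger only
    queues the steps until an analyst sets approved=True."""
    steps = PLAYBOOKS.get(alert.threat_type, [])
    if not auto and not approved:
        return {"status": "pending", "steps": [s.__name__ for s in steps]}
    return {"status": "executed", "log": [s(env, alert) for s in steps]}
```

The returned log gives the audit trail an analyst reviews afterwards; with `auto=False` the same call only lists what would run, which is the oversight mode the text describes.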
Data Point No. 5: Automated investigation with extended remediation across the environment
While the ability to automate a gamut of remediation actions across the environment provides tremendous value, this next stage of response automation adds threat investigation.
Automated threat investigation moves beyond responding to the single threat at hand to helping determine if the detected threat is only one part of a larger attack, and if so, uncovering and remediating related attack components.
When a threat is detected, an automated investigation is launched to first uncover the root cause of the threat: how did the threat come to be in the environment? Was it downloaded from a specific site, embedded in a document, attached to an email? Was it spawned by an as-yet-undetected malicious process or planted over an RDP connection? Automated root cause analysis peels back the layers to ensure all elements of the attack are exposed, and ultimately uncovers the so-called “patient 0,” the origin of the attack.
Once additional components of a threat are uncovered, automated investigation can search the environment to expose the full scope of the attack. This includes taking appropriate remediation actions across the environment to eradicate all attack components. Until the attack is fully rooted out, the organization cannot be assured of safety.
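The root-cause walk and the scope search described in the two paragraphs above, as an added example over constructed process-creation telemetry (not Cynet's implementation). The `Event` record, its `origin` tag and the sample hosts, pids and hash labels are all assumptions; a real EDR would supply the parent/child links and origin tags from its own sensor data.

```python
from collections import namedtuple

# One process-creation event. 'origin' is a tag the telemetry source attached
# when it knows how the process got there (email attachment, download, RDP).
Event = namedtuple("Event", "host pid ppid image sha256 origin")

# Constructed telemetry. The detected process is enc.exe (pid 415) on ws-01;
# ws-02 runs an identical binary that nothing has flagged yet.
EVENTS = [
    Event("ws-01", 100, 1,   "outlook.exe",    "h-outlook", None),
    Event("ws-01", 220, 100, "winword.exe",    "h-word",    "email_attachment"),
    Event("ws-01", 310, 220, "powershell.exe", "h-ps",      None),
    Event("ws-01", 415, 310, "enc.exe",        "h-bad",     None),
    Event("ws-02", 512, 1,   "explorer.exe",   "h-expl",    None),
    Event("ws-02", 640, 512, "enc.exe",        "h-bad",     None),
]

def root_cause(events, host, pid):
    """Walk parent links from the detected process until an event carries
    an origin tag (patient 0) or the chain leaves the telemetry.
    Returns (chain from detected process upward, origin tag or None)."""
    by_key = {(e.host, e.pid): e for e in events}
    chain, origin, key = [], None, (host, pid)
    while key in by_key:
        ev = by_key[key]
        chain.append(ev)
        if ev.origin:
            origin = ev.origin
            break
        key = (host, ev.ppid)
    return chain, origin

def scope(events, iocs):
    """Search every host for processes matching the IOC hashes taken from
    the investigation; these are the extra components to remediate."""
    return sorted((e.host, e.pid) for e in events if e.sha256 in iocs)

def investigate(events, host, pid):
    """Tie the two steps together: root cause first, then environment-wide
    scope using the detected binary's hash as the IOC."""
    chain, origin = root_cause(events, host, pid)
    detected_hash = chain[0].sha256 if chain else None
    return {"origin": origin,
            "chain": [e.image for e in chain],
            "remediate": scope(events, {detected_hash})}
```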
Manually performing these investigative steps takes time, effort and the right skills. It means that behind every alert is a healthy volume of work. Unfortunately, many security teams do not have the bandwidth, and many smaller security teams do not have the skills, to perform the necessary investigative steps. Automating this workflow provides security teams with, at a minimum, a considerable head start on incident response, and in many cases it eliminates the need for manual intervention. This type of response automation is available in a limited number of XDR and SOAR solutions.
Increasing response automation capabilities from Level 1 through Level 5 compounds the benefits realized in the areas of security and efficiency.