- Cyber Security Automation and Orchestration
- Posts
- Chasing the News or Chasing the Hunts
Chasing the News or Chasing the Hunts
Responding to Cyber Threats with Flexible Roadmaps
Being up-to-date with the latest news, the latest breaches and the newest techniques is absolutely paramount to creating an efficient security program. You can follow through all the standards and set up the best roadmaps, but if you are not up-to-date with the ever-changing landscape of the security industry your plans will become irrelevant in an instant. If history has taught us anything is that planning can be a double-edged sword.
SANS IR Planning
Why should you plan?
Few things can make seem an organisation as unprofessional as much as it not having a plan for itself for at least three years. There are multiple reasons for that:
Security is a long-term commitment: Effective, enduring changes cannot be implemented overnight.
Expect resistance: Changes made for security reasons often face backlash, requiring a gradual approach—one small step at a time.
Stakeholder engagement is key: Implementing a security program will likely require convincing and reconvincing several sponsors, navigating fluctuating budgets, and managing various perceptions of risk, influenced by the company’s financial status, board members' industry views, and personal experiences. All of these factors demand significant time and resources.
I encourage you to share additional reasons based on your experiences in the comments below
The point is that if you do want to make a change to the organisation’s security posture, you will need a plan and time. Definitely you need to check what are the crown jewels for the company, what are the major risks and what can be accomplished now and what needs three years of work with several resources from other departments.
When should you go against your plan?
It’s odd how one incident can help you exemplify perfectly an idea and I think everybody working in the industry will understand it without even thinking about it. You should go against your plan when log4j happens. There is little chance that there were people working in the industry reading about the vulnerability and going - no, we must fulfil our objectives for this quarter, this can wait another month. At least we hope that this is the case.
This incident serves as a benchmark for when to pause your existing activities and prioritise checking for a specific vulnerability across ALL systems. Here are some checklist items to help determine your response:
Are we using this affected software/library/vendor?
What is the potential impact of this threat?
What is the likelihood and timeframe of potential impact?
How easy is it for someone to exploit this vulnerability against us?
What details are currently available to evaluate the risk?
Are we reacting out of fear, or is there a genuine risk?
What's our threshold for action?
What’s my threshold?
Determining the threshold for initiating an investigation into a potential security threat can indeed seem like a million-dollar question. The answer, while straightforward, is highly context-dependent: it varies. The threshold should be individually tailored by each organisation based on several key factors such as risk appetite and the specific criteria discussed earlier. Consider the initial questions we've outlined—how would you answer them? Is it possible to quantify these answers into a matrix that sums up to a specific threshold triggering an internal investigation?
Example Scenario: Evaluating Software, Library, or Vendor Usage
Case 1: If our software inventory confirms we are not using the implicated software/library/vendor, we might conclude the investigation at this point.
Case 2: However, what if the software inventory is clear but part of the network is under-monitored due to its "unique" features used for specific business operations? In such cases, a deeper dive might be necessary to ensure nothing is overlooked.
Case 3: Suppose we do not currently use the software in question, but the vulnerability is so critical—akin to the Log4j incident—that it's expected to be globally exploited within the next 24 hours. We should then assess our exposure through third parties like vendors, possibly extending our investigation to evaluate the risk of indirect impact.
Resource Allocation and Decision Making
Determining how many resources you can allocate to potential threats is crucial. If your team is already stretched thin meeting set objectives, can you afford to allocate extra resources for a risk that's three steps removed? For organisations lucky enough to have a mature, fully functional Threat Hunting team, consider dividing their focus. Some team members could rotate to manage response to the news cycle weekly, allowing the rest to continue with ongoing security objectives.
This structure helps in securing buy-in for additional resources. When a high-risk issue arises, you’ll want to ensure that your response doesn’t disrupt the entire team’s focus. Can you structure your team so that routine checks and initial threat assessments are handled without pulling too much focus from other critical tasks?
Setting a responsive yet reasonable threshold for action, and allocating resources judiciously, helps maintain the balance between preparedness and overreaction. By establishing a clear framework for these decisions, your team can respond to potential threats more efficiently, minimising the disruption caused by the relentless news cycle while still protecting your organisation’s assets effectively.
How much can I automate?
This is the second million-dollar question. And it has the same million-dollar answer - it depends.
Automation in cybersecurity is not a one-size-fits-all solution—it's highly situational. The scope and effectiveness of automation depend on several key factors within your organisation.
Assessing Your Automation Capability
Dedicated Resources: Do you have team members solely focused on automation, or are they juggling multiple responsibilities? Dedicated resources can develop more sophisticated, tailored automation solutions.
Skill Level: The expertise of your personnel in automation technologies is crucial. More skilled teams can implement complex solutions that leverage advanced features and functionalities.
Existing Frameworks: Referencing the matrix developed for threat response, have you established standardised processes and procedures that can be automated? Structured workflows are easier to automate effectively.
Technology Utilisation: Are AI and ML part of your current automation strategy? These technologies can significantly enhance the ability to identify patterns, predict threats, and respond dynamically.
Budgetary Constraints: The financial resources allocated to automation will affect its scale and sophistication. More funding can enable the purchase of advanced tools and the hiring of specialized personnel.
Resource Availability: Consider the current workload and capacity of your automation tools and team. Overburdened systems and personnel are less likely to implement and maintain effective automations.
Platform Integration: Does your organization use a platform that seamlessly integrates various cybersecurity tools? A unified platform can simplify and enhance automation efforts by providing a centralized control point.
Implementing Effective Automation
Once you've assessed your capability, the next step is to translate potential into practice. Start by automating routine tasks to free up resources for more complex challenges. For example:
Automated Alerts and Responses: Implement systems that automatically alert teams to potential threats and, where possible, initiate basic mitigation steps.
Incident Analysis Automation: Use AI-driven tools to analyze incidents and scale responses based on threat severity and type.
And dedicated for our topic Automated News Ingestion, where you can use GenAI to crosscheck the overlap between the information presented in a feed/article and your corporate environment, making that piece of news into an actionable Hunt.
Measuring the Impact of Automation
To understand the true value of your automations, establish clear metrics:
Complexity Reduction: How has automation simplified processes? Measure this through the decrease in steps required to respond to incidents.
Response Times: Track improvements in time from threat detection to response.
Resource Allocation: Assess how automation affects the distribution and usage of personnel and technological resources.
Investigation Efficacy: Are automated systems accurately identifying non-threats, thereby reducing unnecessary investigations?
Strategic Automation
Think of automation not just as a tool to reduce workload, but as a strategic asset. It should evolve with your cybersecurity needs, capable of adapting to new threats and integrating new technologies. This strategic approach allows your team to stay agile and responsive, particularly when facing unexpected cybersecurity challenges prompted by emerging threats in the news cycle.
By starting with essential automations and gradually expanding as you refine your processes and measure outcomes, you can scale up your automation efforts intelligently. This makes it possible to handle more complex scenarios that may initially seem beyond your reach.
Conclusion
Instead of conclusion, we would rather say closing notes. This article does not intend to create a one-step solution for this critical problem affecting several organizations worldwide, but rather to create the discussion starting point and the steps needed to initiate the processes and procedures to handle this “conflict” in the best way possible.
Reply