Moving our Security Event Automation Library to Open Source

We have written extensively about the rapidly growing threat environment faced by mid-sized enterprises. The volume of security events that need to be carefully evaluated is increasing daily.

On one hand, the mid-sized enterprise, with its unique IT solutions and extensive integration with third parties, requires the same customized security solutions used by multi-billion-dollar companies.

On the other hand, it is not quite large enough to have a dedicated security operations center (SOC) to implement the 24/7 monitoring and incident response required to protect itself.

Free Security Event Automation Playbook

Check out our GitHub repo to access the new Security Event Automation Playbook library!

Legacy solutions like Managed Detection and Response (MDR) are simply not targeted enough to effectively prioritize and respond to the deluge of alerts. So, what is an organization to do?

Security Event Automation

A prominent solution that we are using extensively with our mid-sized customers is Security Event Automation. Using a Security Orchestration, Automation and Response (SOAR) platform such as Microsoft Sentinel or Splunk SOAR, we can automate:

  • Responses to alerts to include orchestration in adjacent systems.
  • Routing of playbook tasks to analysts.
  • Sending of notifications to management.

For example, an abnormal login to a critical business application could trigger an alert that automatically locks the account in Active Directory, sends investigation tasks to analysts, and notifies the employee’s manager of the event.

The benefit of Security Event Automation is that it operates 24 hours a day, seven days a week. It does not sleep, get sick, or go on vacation. When it executes a playbook, it follows its instructions to a “T.”

For a mid-sized enterprise operating a security program on a tight budget, this represents an enormous opportunity for rapid incident response without the cost or human inconsistencies associated with a 24/7 Security Operations Center.

Of course, the devil is in the details. Taking our example of an automated account lockout above, there are several factors we might want to consider before disabling an employee account, like:

  • Does the account belong to an executive?
  • Is the owner of the account traveling abroad?
  • Is the IP address of the offending logon coming from outside of the US?

To make automated response triggers smarter and to adjust workflows for analysts and managers, we have built a library of scripts that enrich our alerts with additional data, which then drives conditional branches in our automation playbooks.

For example, a known malicious IP might tip the scales in favor of an immediate account lockout vs. simply investigating. Today, our alerts are largely driven by linear logic, but the application of machine learning promises to add even deeper analytical insight that can be used in real-time modification and execution of Security Event Automation.
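As an added illustration (not code from Accord's library), the enrichment-driven branching described above, in Python. The executive list, travel notices, GeoIP country and malicious-IP ranges are constructed sample data standing in for the HR, travel-notice and threat-intelligence lookups a real playbook would query:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed enrichment sources (hypothetical stand-ins for real lookups).
EXECUTIVES = {"cfo@example.com"}
TRAVEL_NOTICES = {"jdoe@example.com": "FR"}            # user -> country on file
KNOWN_MALICIOUS = [ip_network("203.0.113.0/24")]      # TEST-NET-3, constructed


@dataclass
class Alert:
    """Abnormal-logon alert as it arrives from the SIEM (fields constructed)."""
    user: str
    source_ip: str
    country: str  # GeoIP country of the logon, e.g. "US"


def enrich(alert: Alert) -> dict:
    """Answer the questions a playbook asks before disabling an account."""
    ip = ip_address(alert.source_ip)
    return {
        "is_executive": alert.user in EXECUTIVES,
        "traveling_to": TRAVEL_NOTICES.get(alert.user),
        "foreign_ip": alert.country != "US",
        "malicious_ip": any(ip in net for net in KNOWN_MALICIOUS),
    }


def decide(alert: Alert) -> list:
    """Return the ordered playbook actions for this alert."""
    ctx = enrich(alert)
    actions = ["create_analyst_task"]  # every abnormal logon is investigated
    if ctx["malicious_ip"]:
        # A known-bad source tips the scales toward immediate containment.
        actions += ["lock_account", "notify_manager"]
    elif ctx["foreign_ip"] and ctx["traveling_to"] == alert.country:
        # A travel notice explains the foreign logon: investigate only.
        pass
    elif ctx["foreign_ip"]:
        if ctx["is_executive"]:
            # Do not auto-lock an executive; hand the decision to a human.
            actions += ["escalate_to_soc_lead", "notify_manager"]
        else:
            actions += ["lock_account", "notify_manager"]
    return actions
```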

Continuing with the abnormal logon example, a machine learning process could analyze all authentications across the enterprise to make better decisions regarding what constitutes an “abnormal” logon event. Microsoft, with their Security Copilot offering, seems to be first out of the gate with this, but other vendors will surely follow.

Accord has spent considerable time and effort developing a library of automated alerts and playbooks to guide security response and orchestrate countermeasures. With such an exciting opportunity to improve incident management in mid-sized enterprises and with the Security Event Automation community in such an early stage, it is in our collective best interest to share this “know-how” with our peers. Our top reasons for doing this are as follows.

We are excited to share our ideas.

Security Event Automation is a relatively new discipline focused on a combination of computational and human processes. It’s exciting to be on the ground floor of something that’s going to be big.

We seek to help build the community supporting this and then become active participants in that community. The more we share, the quicker this happens.

There is plenty of room for improvement.

We aren’t always the smartest guys in the room. This is new and there are lots of great use cases and countermeasures to be developed.

With the proliferation of SOAR platforms and options for AI integration increasing by the day, we believe that collaboration is the key to expanding the use of Security Event Automation into the mainstream.

Common knowledge leads to easy adoption.

Organizations and their critical data differ significantly. For now, Security Event Automation often requires some level of customization encompassing several rare disciplines including software development, process engineering, and threat intelligence.

For this reason, mainstream enterprises are often reluctant to get started with it and are, therefore, slow to receive the benefits of this technology.

It makes business sense.

We are passionate about automating incident response for lots of enterprises. That won’t happen if we are the only ones who understand how our technology can be used to solve real-world security automation problems.

Making our alert library available free of charge gives community members an incentive to understand how the technology can be used to meet their unique needs. Please take a look and feel free to reach out. We are always happy to receive peer input and to answer questions. Please contact us at info@accordinfosec.com.