Security incidents, attempted breaches and similar problems are a risk that every company has to deal with. Most companies have introduced automated systems that can detect, investigate, and prevent such problems by themselves. However, mitigation and incident response for endpoint devices and networks are a bigger problem, and they cannot be automated as easily.
Attacks can start at any time, and making such processes automatic would mean instantly isolating devices from corporate networks, re-imaging endpoint devices, and shutting down some network processes. Joseph Blankenship, an analyst at Forrester Research, has said that there is a lot of potential but the technology is still in a period of discovery.
Companies will simply need more experience with security automation tools, and it is estimated that it will take 3 to 5 years before this becomes widespread. For now, there are attempts to develop a machine learning system that will be able to deal with the problems on its own, while the analysts are free to focus on the more complex situations.
Some believe that automation is possible without a machine learning system. However, this only works if there is a well-developed incident response playbook. That way, even partial automation is effective enough. For example, if there is a malware incident and the playbook offers fifty steps for dealing with it, hours can be saved if some of those steps are already automated.
Ariel Tseitlin, a partner at the California-based firm Scale Venture Partners, thinks that the most important factor in whether automatic incident response technology can be applied is whether the company in question is ready for it. He says that not all companies are at the same stage of security maturity and that thinking about automation before thinking about the process itself is premature.
Clean-up of Endpoint Devices
Automation has many uses, and one of the earliest is removing malware from endpoint devices before it has a chance to do any damage. No PC is set up without some sort of antivirus software, and companies mostly use more advanced, behavior-based software for malware detection.
Malware works quickly, and a device can be damaged in no time. Of course, there is always the possibility of it using the network to spread to other machines. A manual response would be useless here because it is simply too slow, which is why malware-hunting software is necessary.
Then there is the question of what happens if the malware is able to slip past the defenses and start damaging the computer.
The most common way of dealing with this is to copy the device image so that it can be analyzed later, then wipe the entire machine and restore it from a clean image. Files are also restored from backup, and the user receives anti-phishing training.
Security consultant Rob Clyde, who also serves as a member of ISACA's board of directors, has said that some companies go through the automation process more easily than others: some use virtual desktops, while others have cloud-based platforms and store their documents there. Using this method reduces the risk of losing files in case of a malware attack.
Isolation of the threat
Infected machines can also be quarantined to prevent further infection. The machine is not wiped, but the infection is kept under control. This still requires network access controls, which are the first step in keeping a device operational while containing the infection.
Clyde says products capable of this are often deployed but never actually configured and enforced. Nobody checks whether the network access controls are really in place, and that is something that must be checked.
Some large companies face an additional barrier when setting up these kinds of systems, because the people responsible for endpoint devices are not the same people responsible for the networks. Good cooperation between the two teams is needed in these cases.
There is also the question of the number of quarantined devices: the bigger that number is, the more complex the entire process gets.
The use of smart networks is becoming more and more frequent, which is very useful. Many different tools can be used to detect suspicious activity and then contain it. Of course, this does not always work, and some attacks are getting quite sophisticated. The vendors are doing their best, but attack methods evolve at a fast pace.
Network security companies often boast about automatic attack detection and even about taking action when an attack is detected; however, many believe that this is not a good idea. If no human is involved and the process gets the wrong idea, a lot of damage can be done. Many would rather see a human team dealing with the problem themselves.
Still, the hardest part is detecting the threat, and the tools manage to do so most of the time. Attackers keep everyone on their toes, especially with the range of innovative attacks that have been happening lately. However, detection and response have also advanced, and so far companies are usually capable of defending themselves as long as they employ proper security methods.
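The partial-automation idea from the playbook discussion above, combined with the point that a human should stay in the loop before containment actions fire, can be sketched as a small playbook runner. This is an added illustration, not code from the article or from any vendor it mentions; the step names, the host name and the approval model are assumptions.

```python
"""Added example: a minimal incident-response playbook runner that automates the
safe evidence-collection steps and holds destructive steps (quarantine, re-image)
until an analyst approves them. Step names and the sample incident are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

@dataclass
class Step:
    name: str
    action: Callable[[dict], str]
    needs_approval: bool = False   # destructive steps wait for an analyst

@dataclass
class Playbook:
    steps: List[Step]
    approvals: Set[str] = field(default_factory=set)  # step names an analyst has approved

    def run(self, incident: dict) -> Dict[str, list]:
        """Run steps in order; report what ran automatically and what is pending."""
        result: Dict[str, list] = {"done": [], "pending": []}
        for step in self.steps:
            if step.needs_approval and step.name not in self.approvals:
                result["pending"].append(step.name)   # held for human decision
                continue
            result["done"].append((step.name, step.action(incident)))
        return result

# Constructed actions: a real deployment would call EDR, NAC and backup APIs here.
def snapshot_image(inc: dict) -> str:
    return f"image of {inc['host']} captured for later analysis"

def collect_hashes(inc: dict) -> str:
    return f"hashes of {len(inc['files'])} suspicious files sent to the analyst"

def quarantine(inc: dict) -> str:
    return f"{inc['host']} moved to quarantine VLAN"

def reimage(inc: dict) -> str:
    return f"{inc['host']} wiped and restored from clean image"

MALWARE_PLAYBOOK = [
    Step("snapshot_image", snapshot_image),
    Step("collect_hashes", collect_hashes),
    Step("quarantine", quarantine, needs_approval=True),
    Step("reimage", reimage, needs_approval=True),
]

def respond(incident: dict, approved: Tuple[str, ...] = ()) -> Dict[str, list]:
    """Run the malware playbook with the given analyst approvals."""
    return Playbook(MALWARE_PLAYBOOK, set(approved)).run(incident)

if __name__ == "__main__":
    inc = {"host": "ws-1042", "files": ["a.exe", "b.dll"]}   # constructed sample incident
    print(respond(inc))                               # quarantine and reimage pending
    print(respond(inc, approved=("quarantine",)))     # quarantine runs, reimage still pending
```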