Automation, along with terms like artificial intelligence, machine learning and threat intelligence, is a common buzzword that you will hear or read about when you are following industry trends. When it comes to security, we don’t typically lump automation in with these other terms. But, in fact, automation can help you respond to threats and improve your security posture.
Automation is nothing new, and you see it all around you. Whether it is the stoplight at the corner taking the place of a traffic cop, the home assistant device that can be programmed to turn on lights or adjust thermostats, or the advanced automated industrial robots that make almost everything you use, automation takes tasks that are time-consuming and repetitive and puts them on autopilot so you can focus on more productive projects.
Using Automation in Investigation
Automation will not make you a better threat hunter or provide your team with skills it doesn’t already have. It is a tool that can free up cycles for your analysts. It can be the glue that links disparate systems, can correlate information, automatically take action and provide your teams with intelligent information at the beginning of an investigation.
Imagine that you have a suspicious email come through that triggers an investigation. With automation you can quickly and automatically do the following:
- Check the file’s reputation with your threat intelligence service
- Detonate the file in a sandbox and retrieve the results
- Use your endpoint management solution to look for the file throughout your organization
- Check if the email was sent to anyone else in your organization
- Check the domain and URL reputation
- Load the URL in a sandbox and record the point-in-time results (crucial for evolving attacks)
- Geolocate and check the IP reputation
- Query logs for similar URL or domain access from your systems
- Run whois on the domain and IP to look for other potentially malicious domains registered by the same registrant
Using Automation in Remediation
With the collected data, a help desk ticket could be opened automatically and an analyst could quickly review the results to make an informed decision, or investigate further if needed. But why stop there? With remediation actions, you could automate tasks that scale across multiple security solutions to:
- Trigger a quarantine of affected hosts with NAC
- Quarantine or clean up the device with an endpoint security solution
- Update your domain and IP blacklists
- Update your malicious file list
- Schedule a reimage of affected devices
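The two lists above describe one playbook: enrich the indicators from a suspicious email, then turn confirmed findings into remediation actions. The following Python example is added here to show that flow end to end; it is not code from the original post or from any of the products it names. Every external system (threat intelligence, sandbox verdicts, endpoint and mail search, proxy logs, NAC and blocklists) is replaced by a constructed in-memory table, and the sample email, hosts, addresses and log lines are all made up, so it runs offline. In a real deployment each table would be an API call to the corresponding tool.

```python
"""Offline playbook for the suspicious-email scenario: every external system the
article names (threat intel, sandbox, endpoint management, mail index, proxy logs,
NAC, blocklists) is replaced by a constructed in-memory table, so it runs offline."""
import base64
import hashlib
import re
from email import message_from_string

# Constructed sample email; the attachment is a constructed PE-like header, not malware.
ATTACHMENT_B64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SUSPICIOUS_EMAIL = f"""\
Received: from mail.example-sender.test ([203.0.113.45]) by mx.corp.example
From: billing@example-sender.test
To: alice@corp.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review your invoice at http://invoice-portal.example-sender.test/view?id=77
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Transfer-Encoding: base64

{ATTACHMENT_B64}
--b1--
"""

# Constructed stand-ins for the external services (all verdicts are made up).
FILE_REPUTATION = {hashlib.sha256(base64.b64decode(ATTACHMENT_B64)).hexdigest(): "malicious"}
DOMAIN_REPUTATION = {"example-sender.test": "malicious", "corp.example": "benign"}
IP_REPUTATION = {"203.0.113.45": "malicious"}
MAILBOX_INDEX = {"billing@example-sender.test": ["alice@corp.example", "bob@corp.example"]}
PROXY_LOGS = [  # constructed "timestamp host url" records
    "2024-05-01T09:01:02Z ws-alice http://invoice-portal.example-sender.test/view?id=77",
    "2024-05-01T09:05:10Z ws-carol https://intranet.corp.example/home",
    "2024-05-01T09:07:44Z ws-bob http://invoice-portal.example-sender.test/view?id=78",
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(url):
    """Host part of a URL without scheme, port or path."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]


def domain_verdict(domain):
    """Look up the domain or any parent domain in the reputation feed."""
    for known, verdict in DOMAIN_REPUTATION.items():
        if domain == known or domain.endswith("." + known):
            return verdict
    return "unknown"


def extract_indicators(raw_email):
    """Hash attachments and pull URLs, domains, sender and source IP from the message."""
    msg = message_from_string(raw_email)
    attachments, urls = {}, set()
    for part in msg.walk():
        payload = part.get_payload(decode=True) or b""  # None for multipart containers
        if part.get_filename():
            attachments[part.get_filename()] = hashlib.sha256(payload).hexdigest()
        elif part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(payload.decode(errors="replace")))
    ip_match = RECEIVED_IP_RE.search(msg.get("Received", ""))
    return {"sender": msg.get("From", ""), "recipient": msg.get("To", ""),
            "source_ip": ip_match.group(1) if ip_match else None,
            "attachments": attachments, "urls": sorted(urls),
            "domains": sorted({domain_of(u) for u in urls})}


def enrich(ind):
    """The investigation steps: reputation checks, other recipients, proxy-log search."""
    bad_domains = {d for d in ind["domains"] if domain_verdict(d) == "malicious"}
    hosts = {rec.split()[1] for rec in PROXY_LOGS if domain_of(rec.split()[2]) in bad_domains}
    return {"file_verdicts": {n: FILE_REPUTATION.get(h, "unknown") for n, h in ind["attachments"].items()},
            "bad_domains": bad_domains,
            "ip_verdict": IP_REPUTATION.get(ind["source_ip"], "unknown"),
            "other_recipients": [r for r in MAILBOX_INDEX.get(ind["sender"], []) if r != ind["recipient"]],
            "hosts_that_visited": hosts}


def plan_remediation(ind, findings):
    """Map confirmed-malicious findings onto the remediation actions the article lists."""
    confirmed = ("malicious" in findings["file_verdicts"].values()
                 or bool(findings["bad_domains"]) or findings["ip_verdict"] == "malicious")
    if not confirmed:  # nothing confirmed: ticket for analyst review, no automatic action
        return {"decision": "analyst_review"}
    return {"decision": "remediate",
            "nac_quarantine": set(findings["hosts_that_visited"]),
            "reimage": set(findings["hosts_that_visited"]),
            "block_domains": set(findings["bad_domains"]),
            "block_ips": {ind["source_ip"]} if findings["ip_verdict"] == "malicious" else set(),
            "block_hashes": {h for n, h in ind["attachments"].items()
                             if findings["file_verdicts"][n] == "malicious"},
            "notify_recipients": list(findings["other_recipients"])}


def run_playbook(raw_email):
    """End to end: extract indicators, enrich them, decide and plan remediation."""
    ind = extract_indicators(raw_email)
    return plan_remediation(ind, enrich(ind))


if __name__ == "__main__":
    print(run_playbook(SUSPICIOUS_EMAIL))
```

The `confirmed` gate in `plan_remediation` is the point where a team decides how much autonomy to grant: with the gate as written, an email whose indicators all come back "unknown" only produces an analyst-review ticket, while any single malicious verdict triggers the full set of containment actions, so tune that condition to your own tolerance for false positives before letting it quarantine hosts.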
This kind of automation is not easy to set up and it will take a good understanding of your environment, tools and processes to make it work, but solutions like Phantom, ServiceNow and ThreatConnect (to name a few) can help.
As you can imagine, the possibilities are virtually endless and can be crafted to fit most companies’ needs. Be cautious not to mistake automation for a strong security operations team. These tools do not replace skilled security professionals, but they can free up analysts’ time so they can be more effective, and they offer a repeatable process to follow while investigating and responding to threats.