After years of shunning automation and information sharing efforts, the security industry is now embracing them. Every vendor conference I attended this fall talked about the need to automate some security functions in order to increase security teams' efficiency and ability to quickly detect and respond to incidents. The vendors also focused on the need to break down the silos and share information across the security and IT organizations, between vendors, and throughout the security community.
Why the change? The pace of attacks along with the continued stress of resource-constrained organizations are forcing security leaders to find new solutions.
Automating some security processes helps to fill the infamous cybersecurity skills gap and provides faster threat response. Most of the automation comes in the form of orchestrating processes which support threat investigation and hunting. Automated mitigation functions like process stopping, user quarantining, IP blocking, etc. are also possible through integrations between security analytics solutions and security controls.
The willingness to share information is arising from necessity. Managed security service providers (MSSPs) often talk about the “neighborhood watch” benefit of their services. The idea is that, if they observe malware or malicious behavior in one customer, the MSSP can develop detection and protection for all of their customers to block the threat. Similarly, threat intelligence sharing provides greater visibility into the threats that individual companies are seeing. Vendors are also opening up their platforms for bi-directional data sharing via APIs, reducing the amount of “swivel-chairing” analysts have to do, and making it faster for security pros to take action.
Breaking down the silos between security and IT will become more important as we seek to orchestrate processes and automate remediation. For any of this to work, security and IT pros have to understand each other’s processes and gain agreement on how automation can work. IT pros may have an increased understanding of orchestration and automation thanks to their experience orchestrating cloud applications and virtual infrastructure. Security and IT pros also have to establish rules of engagement for automation. Read more about this in the Forrester report, “Rules Of Engagement: A Call To Action To Automate Breach Response.”
What does this mean for you? It means that you should start thinking about how you can take advantage of automation and any APIs available to better integrate your security technologies. Reach out to your account rep or support organization to learn what they’re doing to support automation or leverage threat intelligence sharing. Since this is the time of year you’re being contacted about renewals, take the opportunity to ask questions about current capabilities and roadmap, so you can negotiate new capabilities into your agreements.