Automation is becoming increasingly popular in today’s day and age and rightfully so. Particularly in incident handling and response, automation can save money, reduce resource workload, monitor and correlate events in real-time and ultimately lead to quicker identification, containment, eradication, recovery and documentation. In a study performed by the Ponemon Institute in 2019, “60 percent of respondents say their organizations’ leaders recognize that investments in automation, machine learning, artificial intelligence and orchestration strengthen their cyber resilience.” Automation has numerous benefits but is yet to be widely adopted in the community for reasons like trust concerns, fear of changes, or simply because companies may not know where to start. This paper will aim to review the requirements of incident handling and discuss some opportunities where automation can help, then examine concerns, limitations, standards and current trends. In closing, the goal is to have highlighted the landscape, opportunities and other important aspects of adopting automation in incident handling.
Before diving into opportunities and considerations of an automated approach, it is important to understand the structure and requirements of the incident handling process as a whole. Depending on the organization, the naming conventions and number of steps may differ but ultimately there are six steps or phases in the incident handling process: preparation, identification, containment, eradication, recovery and follow-up. In the preparation step, policies are established, emergency communications are planned, management support is developed for incident handling capability and other incident handling personnel are identified. Additionally, it is important to develop interfaces with the necessary law enforcement and other incident response teams. The next step is all about assigning personnel responsibilities, identifying or detecting when an event occurs and determining if it is indeed a valid threat before proceeding. If it is a real threat, the appropriate officials should be notified, and containment should then be the focus.
NIST considers the next three steps (containment, eradication, recovery) to be combined, and the goal of these steps, as you can deduce from their names, is to contain the breach, eliminate the threat, and recover any data loss or system failures that may have occurred during the event. From there, the last step is to develop a follow-up report. The report should be as descriptive as possible, highlight any lessons learned and recommended changes, and include some sort of executive summary. Additionally, interwoven into each of these steps, it is extremely important that legal requirements also be taken into consideration. For instance, healthcare providers are bound to specific rules such as the HIPAA Breach Notification Rule, which gives a strict definition of what qualifies as a breach and mandates the necessary communications for those who may have been affected. Within these six steps, there are numerous opportunities for automation.
The six steps explained previously can also be closely mapped to the Cyber Defense Matrix. This matrix consists of five steps: identify, protect, detect, respond and recover in which each step has its own degree of dependency involving people, process and technology. The reason this is relevant is because when leveraging automation in incident handling, it is important to have a good balance of people, process and technology and this matrix helps as a framework. Starting with identification, technology is heavily utilized while the recover phase is mainly people oriented. So, in relation to incident handling, after preparation and in moving to identification, there is a heavy focus on technology and automation can be leveraged to carry out much of this step.
Automation can help particularly in identifying events and notifying staff. For instance, automation can be used to ingest data into an intrusion detection system (IDS), which could help identify an event by using behavioral analytics, immediately notify the powers that be and even disseminate new threat identification information. “Organizations should attempt to automate as much of the information sharing process as possible to make cross-organizational coordination efficient and cost effective. In reality, it will not be possible to fully automate the sharing of all incident information, nor will it be desirable due to security and trust considerations.” (NIST, 2012). So again, this stresses the importance of finding a delicate balance that works for the organization's people, policy and technology.
After identification, automation can also be leveraged to contain the threat. An example of this could be an automated update to the firewall rules in order to block malicious traffic, or an automated update to a switch or host to quarantine a device. Additionally, some tools and processes combine the containment and eradication of a threat. For instance, if a host-based IDS or antivirus software identified a security event, it could automatically attempt to contain the threat from spreading as well as eradicate the threat from the device. From there, a majority of the dependency switches back to people and process, as the recovery and follow-up steps are not as easily automated. That is not to say there is no automation in these steps, just that they rely more on manual intervention. In the recovery phase there can still be automation in the data backup and data/image recovery, for instance on a PC or server. Then lastly, automation can be leveraged in consolidating and formatting some of the data, facts and logs related to a particular incident through a Security Information and Event Management (SIEM) or other tool.
Concerns & Limitations
While it is clear that automation can bring numerous benefits to the incident handling process, that is not to say that it is perfect, and it shows because while it is gaining popularity, it is still not widely adopted. The Ponemon Institute’s 2019 Study on the Cyber Resilient Organization stated 23% of respondents self-reported their organizations use automation extensively whereas the other 77% said they use automation moderately, insignificantly or not at all. As mentioned previously, there may be a few different reasons for this. Some companies may become overwhelmed in implementing automation and it could cause more issues than what they had previously or they may not even know where to start at all. Automation is an investment; it takes time to adopt and implement automation into previously established or even new processes. Also, there is typically a large investment needed into the IT infrastructure to have the ability to leverage the automation technology as well as an investment into training or hiring qualified and skilled staff to build, operate and maintain the new environment in the (likely, yet unfortunate) event the existing team is not skilled in these technologies.
For some companies, security concerns or even compliance regulations limit what can be done with automation. Or there may not be restrictions on using automation itself, but rather limitations on sharing information, which may ultimately defeat the purpose of automation. If there is no threat data to compare or analyze, then automation is far less valuable. For instance, some government agencies have disconnected networks as a security measure and this prevents or limits them from obtaining new threat intelligence such as malicious hash values, known bad domains or IPs, etc. Generally, these are some of the main issues organizations face with automating incident handling today. And although these concerns and limitations should be taken into consideration, organizations are ultimately seeing the value of automation and admit that it is important to start adopting it. It is also noteworthy that high performing organizations “are more likely to value automation in achieving a high level of cyber resilience” as well as “more likely to have streamlined their IT infrastructure and reduced complexity” (Ponemon Institute, 2019).
In regard to industry standards in automating incident handling, there are numerous standards established today. For example, some assist in the identification of threats/events and some are for information exchange. The NIST Computer Security Incident Handling Guide lists multiple standards in Appendix E - Data Exchange Specifications Applicable to Incident Handling. This section could take up an entire page, so for the sake of brevity only a few will be named here. Two common standards around vulnerabilities today are Common Vulnerabilities and Exposures (CVE), which lists an ID and description of known vulnerabilities, and the Common Vulnerability Scoring System (CVSS), which is an open framework that describes characteristics and assigns severity levels to known vulnerabilities. There are various standards around information sharing as well. “For example, a group of partner organizations may decide to exchange incident information using a Representational State Transfer (REST) architecture to exchange IODEF/Real-Time Inter-Network Defense (RID) data over Hypertext Transfer Protocol Secure (HTTPS)” (NIST, 2012). Some others include RFC 5901 (Extensions to the IODEF for Reporting Phishing) and the Security Content Automation Protocol (SCAP). Of these standards, some have become very prevalent in organizations and incident handling, and in time, some trends have been identified.
Some of the trends seen today in regard to automation in incident handling revolve around threat intelligence and sharing, event correlation and defense in depth, to name a few. “Threat integration platforms consume, integrate and drive action on threat data through other products that are in these categories” (Yu, 2019). An example of a threat integration platform would be something like ThreatQ, and these types of platforms are one of the most valuable ways to implement automation in incident handling. They can help identify, contain, eradicate and even follow up on an event. Another trend that has been growing is the use of a Security Information and Event Management (SIEM) system like Splunk. Tools like this can ingest data from multiple different sources, then correlate and organize the data into multiple customized dashboards with the ability to do flexible searches, which can assist in incident handling reporting or even threat hunting. It can also perform behavior-based analytics and automated response actions. Lastly (though many other market trends exist) is the idea of defense in depth. This is the implementation of multiple layers of security in the organization's environment, and ideally, not only do they defend but they can also share intelligence between each other so as to identify or contain a threat, or even give insight into the scope of a breach, which can help with eradication and recovery as well.
In conclusion, after summarizing the requirements and steps of incident handling, it is apparent that there are numerous opportunities to benefit from implementing automation into the incident handling process. In doing so, it can help organizations save money, reduce resource workload, monitor and correlate events in real-time and ultimately lead to quicker identification, containment, eradication, recovery and documentation. The trend is growing, and 75% of respondents in Ponemon Institute’s 2019 Study on the Cyber Resilient Organization “say they place a high value on automation.” It is important to note, though, that individual research should be done to consider any organizational concerns and limitations, like legal compliance and information sharing, before implementing.
Equally apparent is that the adoption of automation is an investment, and the process can be a little intimidating with the different standards and tools available, so if an organization is struggling to implement automation or even get started: “Instead of trying to ‘boil the ocean’ by completely automating the process from end-to-end, selectively automating just a subset of repetitive tasks makes building automations considerably easier” (Resolve Staffer, 2018).