I remember sitting in a boardroom on a Monday morning with the CISO of a bioengineering firm along with several members of his security and legal staff. He had recently contacted me requesting incident response (IR) assistance following a call from the FBI: his organisation had been breached, a fact that had surfaced during another ongoing cybercriminal investigation.
After an initial IR triage, we informed the CISO that our investigators discovered evidence of an active ongoing attack that had started 18 months ago.
The necessary “indicators of compromise” were actually present, but unfortunately they weren’t seen. They were buried amongst a mountain of other alert traffic. Like so many security teams today, they were suffering from what the industry refers to as “alert fatigue”: too many alerts for an already thinly stretched security staff.
Security automation is the personnel and technology force multiplier that security teams need to battle the challenges of accurately and quickly identifying and responding to security incidents and breaches.
The intent of security automation is not to remove the human factor from the security equation. Rather, the goal is to empower the security analyst with a way to automatically manage the large volume of traditional manual tasks in the background. Automation frees the security analyst to focus on genuine problems and proactive hunting tasks that allow their security teams to get ahead of the problem rather than wait for the alarms to go off.
An effective security automation solution needs to carry out four main tasks:
1) Alert ingestion
2) Add context
3) Verify alerts by conducting a forensics pull from the endpoint
4) Respond and take remediation action(s)
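As an added illustration of the four tasks above (this is example code written for this page, not Proofpoint's product or anything the original post contains), the following Python pipeline ingests constructed alert records, collapses duplicates so the analyst sees one alert per host and rule rather than one per event, enriches each with asset context, verifies it against a constructed "forensics pull" of running processes on the endpoint, and only then picks a response action. The alert lines, the asset inventory and the per-endpoint process lists are all constructed sample data, and the action names (`isolate_host`, `open_ticket`, `monitor`) are hypothetical labels chosen for the example.

```python
"""
Added example: a minimal four-task security automation pipeline on constructed data.
Nothing here is real telemetry or a real product API.
"""
import json

# Constructed sample alerts (not real telemetry). Note the duplicate for ws-042
# and the malformed final line, both of which a real feed will contain.
RAW_ALERTS = [
    '{"id": 1, "host": "ws-042", "rule": "suspicious_powershell", "severity": "medium", "proc": "powershell.exe"}',
    '{"id": 2, "host": "ws-042", "rule": "suspicious_powershell", "severity": "medium", "proc": "powershell.exe"}',
    '{"id": 3, "host": "srv-db-01", "rule": "new_scheduled_task", "severity": "low", "proc": "schtasks.exe"}',
    '{"id": 4, "host": "ws-017", "rule": "suspicious_powershell", "severity": "medium", "proc": "powershell.exe"}',
    'not json at all',
]

# Constructed asset inventory used for context (task 2). ws-017 is deliberately absent.
ASSET_CONTEXT = {
    "ws-042": {"owner": "finance", "criticality": "high"},
    "srv-db-01": {"owner": "dba", "criticality": "critical"},
}

# Constructed result of a "forensics pull": processes currently running per endpoint (task 3).
ENDPOINT_PROCESSES = {
    "ws-042": ["explorer.exe", "powershell.exe"],
    "srv-db-01": ["sqlservr.exe"],  # schtasks.exe has already exited, so it cannot be confirmed
    "ws-017": ["explorer.exe", "powershell.exe"],
}


def ingest(lines):
    """Task 1: parse alert lines, drop malformed records, collapse duplicates by (host, rule)."""
    seen = {}
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed input must not stop the pipeline
        key = (alert["host"], alert["rule"])
        if key in seen:
            seen[key]["count"] += 1
        else:
            seen[key] = dict(alert, count=1)
    return list(seen.values())


def add_context(alert, inventory=ASSET_CONTEXT):
    """Task 2: attach asset owner/criticality and raise priority for high-value hosts."""
    ctx = inventory.get(alert["host"], {"owner": "unknown", "criticality": "unknown"})
    enriched = dict(alert, **ctx)
    enriched["priority"] = "high" if ctx["criticality"] in ("high", "critical") else alert["severity"]
    return enriched


def verify(alert, forensics=ENDPOINT_PROCESSES):
    """Task 3: confirm the alert against endpoint evidence (here, the constructed process list)."""
    running = forensics.get(alert["host"], [])
    return dict(alert, verified=alert["proc"] in running)


def respond(alert):
    """Task 4: choose a remediation action from priority and verification status."""
    if alert["verified"] and alert["priority"] == "high":
        return "isolate_host"
    if alert["verified"]:
        return "open_ticket"
    return "monitor"  # unverified: do not take disruptive action on the raw alert alone


def run_pipeline(lines):
    """Run all four tasks; return ({"host:rule": action}, number of unique alerts)."""
    alerts = ingest(lines)
    actions = {}
    for alert in alerts:
        alert = verify(add_context(alert))
        actions[f"{alert['host']}:{alert['rule']}"] = respond(alert)
    return actions, len(alerts)


if __name__ == "__main__":
    actions, unique = run_pipeline(RAW_ALERTS)
    print(f"{len(RAW_ALERTS)} raw lines -> {unique} unique alerts")
    for key, action in actions.items():
        print(f"{key} -> {action}")
```

The ordering matters for the alert-fatigue problem described above: deduplication and context come before any human or automated action, so the analyst queue shrinks from five raw lines to three, and the high-priority host is only isolated after the endpoint evidence confirms the alert, while the unconfirmed one is kept under monitoring rather than acted on.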
For additional details on security orchestration and how Proofpoint can help security response teams, please visit https://www.proofpoint.com/us/products/threat-response.