Cyberattacks today are heavily automated. An organization that tries to defend against them manually is fighting man versus machine, with highly unfavorable odds. To protect against automated attacks it is essential to fight fire with fire, or in this case machine against machine, by building automation into cybersecurity efforts. Automation levels the playing field, reduces the volume of threats that reach human analysts, and allows new and previously unknown threats to be prevented faster.
Many security vendors look at automation as a way to become more efficient and a means to save in manpower or headcount. However, automation is a tool that can, and should, be used to better predict behaviors and execute protections faster. If implemented appropriately and with the right tools, automation can prevent successful cyberattacks. The following are four ways automation should be used:
1. Correlating Data
Many security vendors collect substantial amounts of threat data. However, data provides little value unless it is turned into actionable next steps. First, organizations need to collect threat data across all attack vectors and security technologies within their own infrastructure, as well as global threat intelligence. Within that large body of data they need to identify groups of threats that behave the same way and predict the attacker's next step; combined with dynamic threat analysis, this is the only way to accurately detect sophisticated, never-before-seen threats. When it comes to sequencing, the more data the better: a behaviour group supported by only a handful of samples may be coincidence or an anomaly rather than a campaign, so the data set must be large enough, and the analysis must have enough compute to scale with it. This cannot be done manually; organizations that try learn that it takes significant time and resources and cannot scale to today's threat volume. With machine learning and automation, data sequencing becomes faster and produces more accurate threat analysis results.
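The grouping and sequencing described above, as an added illustration that is not Palo Alto Networks code: telemetry from several reporting sources is merged into one stage sequence per threat sample, samples with identical sequences form a behaviour group, and the most common successor of each stage is used to predict the next step. Groups and predictions backed by fewer samples than a minimum support threshold are discarded, which is the "small amounts of data might be an anomaly" caveat in code. The sample IDs, source names, stage names and the threshold are all constructed for illustration.

```python
"""Group threat samples by shared behaviour and predict the next stage.

Added example, not Palo Alto Networks code. The sample IDs, reporting
sources, stage names and support threshold are constructed telemetry.
"""
from collections import Counter, defaultdict

# Constructed records: (sample_id, reporting_source, observed_stage), in order seen.
# Each sample is one observed threat; the source is the security technology
# (sandbox, endpoint agent, firewall, cloud log) that reported the stage.
EVENTS = [
    ("s1", "sandbox",  "macro_exec"),
    ("s1", "endpoint", "powershell_download"),
    ("s1", "firewall", "c2_beacon"),
    ("s2", "sandbox",  "macro_exec"),
    ("s2", "endpoint", "powershell_download"),
    ("s2", "firewall", "c2_beacon"),
    ("s3", "endpoint", "macro_exec"),
    ("s3", "endpoint", "powershell_download"),
    ("s3", "firewall", "c2_beacon"),
    ("s4", "sandbox",  "exploit_pdf"),
    ("s4", "endpoint", "dropper_write"),
    ("s5", "endpoint", "exploit_pdf"),
    ("s5", "cloud",    "credential_use"),
]

MIN_SUPPORT = 2   # constructed threshold: fewer samples than this is treated as noise


def sequences(events):
    """Ordered stage sequence per sample, merged across every reporting source."""
    seqs = defaultdict(list)
    for sample, _source, stage in events:
        seqs[sample].append(stage)
    return dict(seqs)


def sources_per_sample(events):
    """Which technologies contributed to each sample's picture (coverage check)."""
    srcs = defaultdict(set)
    for sample, source, _stage in events:
        srcs[sample].add(source)
    return dict(srcs)


def behaviour_groups(seqs, min_support=MIN_SUPPORT):
    """Samples whose complete stage sequence is identical form one group.

    Groups seen fewer than min_support times are dropped as possible anomalies.
    """
    groups = defaultdict(list)
    for sample, seq in seqs.items():
        groups[tuple(seq)].append(sample)
    return {sig: members for sig, members in groups.items() if len(members) >= min_support}


def transition_counts(seqs):
    """How often stage A was directly followed by stage B across all samples."""
    counts = defaultdict(Counter)
    for seq in seqs.values():
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return counts


def predict_next(stage, counts, min_support=MIN_SUPPORT):
    """Most frequent successor of `stage`, or None if the evidence is too thin."""
    if stage not in counts:
        return None
    successor, n = counts[stage].most_common(1)[0]
    return successor if n >= min_support else None


if __name__ == "__main__":
    seqs = sequences(EVENTS)
    print("groups:", behaviour_groups(seqs))
    counts = transition_counts(seqs)
    for stage in ("macro_exec", "powershell_download", "exploit_pdf"):
        print(stage, "->", predict_next(stage, counts))
```

With this input the three macro-document samples form one group and `macro_exec` predicts `powershell_download`, while `exploit_pdf` yields no prediction because its two successors were each seen only once. Real pipelines cluster on feature vectors rather than exact sequence matches, but the support threshold plays the same role.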
2. Generating Protections Faster Than Attacks Can Spread
Once a threat is identified, protections need to be created and distributed faster than the attack can spread through the organization's networks, endpoints or cloud. Because the analysis itself costs time, the best place to stop a newly discovered attack is usually not the location where it was discovered but the attack's predicted next step. Manually creating a full set of protections for the different security technologies and enforcement points, able to counter the attack's future behaviours as well as its current ones, is a slow process, and it becomes extremely difficult when the protections must be coordinated across several security vendors in the environment without the right control and resources. Automation expedites the creation of protections without straining resources, while keeping pace with the attack.
3. Implementing Protections Faster Than Attacks Can Progress
Once protections are created, they need to be implemented to prevent the attack from progressing further through its lifecycle. Protections should be enforced not only in the location the threat was identified but also across all technologies within the organization in order to provide consistent protection against the attack’s current and future behaviors. Utilizing automation in the distribution of protections is the only way to move faster than an automated and well-coordinated attack, and stop it.
With automated attack sequencing over large data sets, and automated generation and distribution of protections, you can predict the next step of an unknown attack more accurately and move fast enough to prevent it.
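The generate-then-distribute procedure of sections 2 and 3, as an added example that is not Palo Alto Networks code: the indicators extracted from an analysed threat are turned into one rule per enforcement point that can act on that indicator type, the points covering the predicted next stage are pushed first, and a coverage check reports any enforcement point left without a rule and any attack stage that no enforcement point covers. The threat name, indicator values (TEST-NET addresses and an example domain), enforcement point inventory and rule format are all constructed for illustration.

```python
"""Generate protections for a new threat and distribute them to every enforcement point.

Added example, not Palo Alto Networks code. Threat indicators, the enforcement
point inventory and the rule format are constructed for illustration.
"""
import hashlib

# Constructed indicators extracted from the analysed threat.  The predicted next
# stage comes from the sequencing step; here it is simply given.
THREAT = {
    "name": "maldoc-campaign-42",
    "stages": ["macro_exec", "powershell_download", "c2_beacon"],
    "predicted_next": "c2_beacon",
    "indicators": {
        "sha256": hashlib.sha256(b"constructed dropper bytes").hexdigest(),
        "url": "http://198.51.100.23/stage2.ps1",   # TEST-NET-2 address
        "domain": "update-cdn.example",
        "ip": "203.0.113.9",                         # TEST-NET-3 address
    },
}

# Constructed inventory: which attack stage each enforcement point would see,
# and which indicator types it can enforce.
ENFORCEMENT_POINTS = {
    "endpoint":     {"stages": {"macro_exec", "powershell_download"}, "accepts": {"sha256"}},
    "firewall":     {"stages": {"c2_beacon"},                         "accepts": {"ip", "domain"}},
    "web_proxy":    {"stages": {"powershell_download"},               "accepts": {"url", "domain"}},
    "dns_sinkhole": {"stages": {"c2_beacon"},                         "accepts": {"domain"}},
}


def generate_protections(threat, points=ENFORCEMENT_POINTS):
    """One block rule per (enforcement point, indicator type that point can enforce)."""
    rules = []
    for point, spec in points.items():
        for kind, value in threat["indicators"].items():
            if kind in spec["accepts"]:
                rules.append({"point": point, "kind": kind, "value": value,
                              "action": "block", "threat": threat["name"]})
    return rules


def distribution_order(threat, points=ENFORCEMENT_POINTS):
    """Push to the points covering the predicted next stage first, then everywhere else,
    so protection is consistent across all technologies rather than only where the
    threat was first seen."""
    nxt = threat["predicted_next"]
    first = [p for p, spec in points.items() if nxt in spec["stages"]]
    rest = [p for p in points if p not in first]
    return first + rest


def distribute(rules, order):
    """Simulated push: returns the rules that landed on each point, in push order."""
    deployed = {p: [] for p in order}
    for point in order:
        deployed[point] = [r for r in rules if r["point"] == point]
    return deployed


def uncovered_points(deployed):
    """Enforcement points that received no rule for this threat."""
    return [p for p, rs in deployed.items() if not rs]


def unprotected_stages(threat, points=ENFORCEMENT_POINTS):
    """Attack stages that no enforcement point in the inventory can see."""
    covered = set().union(*(spec["stages"] for spec in points.values()))
    return [s for s in threat["stages"] if s not in covered]


if __name__ == "__main__":
    rules = generate_protections(THREAT)
    order = distribution_order(THREAT)
    deployed = distribute(rules, order)
    for point in order:
        print(point, [(r["kind"], r["value"]) for r in deployed[point]])
    print("uncovered points:", uncovered_points(deployed))
    print("unprotected stages:", unprotected_stages(THREAT))
```

In a real deployment the rule dictionaries would be rendered into each product's native format and pushed through its management API; the point of the example is that generation is driven by what each enforcement point can consume, and distribution order is driven by where the attack is expected to go next.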
4. Detecting Infections Already in Your Network
The moment a threat enters the network, a timer starts counting down until it becomes a breach. To stop an attack before data leaves the network, you have to move faster than the attack itself. Identifying an infected host or suspicious behaviour requires analyzing data from your environment both backward and forward in time, looking for the combination of behaviours that indicates a host has been compromised. As with analyzing unknown threats attempting to enter the network, manually correlating and analyzing data across your network, endpoints and cloud environments is difficult to scale. Automation allows faster analysis and, should a host on your network be compromised, faster detection and intervention.
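A concrete version of the "backward and forward in time" analysis above, as an added example that is not Palo Alto Networks code. Over constructed host telemetry it looks forward from each DNS lookup of a never-before-seen domain for two follow-on behaviours within a window, regular beaconing to one destination and a large outbound transfer, and flags a host only when the combination is present. A second function looks backward: given intelligence that a domain is malicious, it returns the hosts that resolved it before that intelligence arrived. The log lines, baseline domain set, window, byte threshold and beacon tolerance are all constructed for illustration.

```python
"""Timeline analysis of host telemetry for an infection behaviour combination.

Added example, not Palo Alto Networks code. The log lines, baseline domains,
thresholds and field names are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed key=value telemetry.  ws-17 shows the combination we hunt for:
# new domain lookup, regular beaconing, then a large outbound transfer.
LOG_LINES = """\
2024-03-04T09:00:00Z host=ws-17 type=dns qname=update-cdn.example
2024-03-04T09:00:05Z host=ws-17 type=conn dst=203.0.113.9 dport=443 bytes_out=1200
2024-03-04T09:01:05Z host=ws-17 type=conn dst=203.0.113.9 dport=443 bytes_out=1180
2024-03-04T09:02:05Z host=ws-17 type=conn dst=203.0.113.9 dport=443 bytes_out=1210
2024-03-04T09:03:05Z host=ws-17 type=conn dst=203.0.113.9 dport=443 bytes_out=1190
2024-03-04T09:10:00Z host=ws-17 type=conn dst=203.0.113.9 dport=443 bytes_out=52000000
2024-03-04T09:00:10Z host=ws-22 type=dns qname=mail.example
2024-03-04T09:00:12Z host=ws-22 type=conn dst=192.0.2.10 dport=443 bytes_out=3400
2024-03-04T09:47:00Z host=ws-22 type=conn dst=192.0.2.10 dport=443 bytes_out=2100
2024-03-04T09:55:00Z host=ws-22 type=conn dst=192.0.2.10 dport=443 bytes_out=800
""".splitlines()

BASELINE_DOMAINS = {"mail.example", "intranet.example"}  # constructed "seen before" set
WINDOW = timedelta(hours=1)       # how far forward to look after a new-domain lookup
EGRESS_BYTES = 10_000_000         # constructed threshold for a large outbound transfer
BEACON_MIN_INTERVALS = 3          # need at least this many gaps to call it beaconing
BEACON_TOLERANCE = 0.10           # gaps within +/-10% of the median count as regular
BEACON_MIN_RATIO = 0.6            # fraction of regular gaps required

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse(lines):
    """Parse 'ts key=value ...' lines into dicts, sorted by timestamp."""
    events = []
    for line in lines:
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts, TS_FORMAT)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def by_host(events):
    hosts = defaultdict(list)
    for ev in events:
        hosts[ev["host"]].append(ev)
    return dict(hosts)


def beacon_ratio(conn_times):
    """Fraction of inter-connection gaps close to the median gap (1.0 = perfectly regular).
    The median is used so one later, unrelated connection does not mask the pattern."""
    gaps = [(b - a).total_seconds() for a, b in zip(conn_times, conn_times[1:])]
    if len(gaps) < BEACON_MIN_INTERVALS:
        return 0.0
    m = median(gaps)
    regular = sum(1 for g in gaps if abs(g - m) <= BEACON_TOLERANCE * m)
    return regular / len(gaps)


def assess_host(host_events, baseline=BASELINE_DOMAINS, window=WINDOW):
    """Forward in time: from each never-seen domain lookup, look for beaconing plus egress."""
    findings = []
    for ev in host_events:
        if ev["type"] != "dns" or ev["qname"] in baseline:
            continue
        later = [e for e in host_events
                 if e["type"] == "conn" and ev["ts"] <= e["ts"] <= ev["ts"] + window]
        per_dst = defaultdict(list)
        for e in later:
            per_dst[e["dst"]].append(e["ts"])
        beacon_dst = [d for d, ts in per_dst.items() if beacon_ratio(ts) >= BEACON_MIN_RATIO]
        egress = any(int(e["bytes_out"]) >= EGRESS_BYTES for e in later)
        if beacon_dst and egress:
            findings.append({"new_domain": ev["qname"], "beacon_to": beacon_dst,
                             "large_egress": True, "first_seen": ev["ts"].strftime(TS_FORMAT)})
    return findings


def infected_hosts(lines):
    """Hosts showing the full combination, with the evidence for each."""
    result = {}
    for host, evs in by_host(parse(lines)).items():
        findings = assess_host(evs)
        if findings:
            result[host] = findings
    return result


def retro_hunt(lines, domain, intel_time):
    """Backward in time: hosts that resolved `domain` before intelligence about it arrived."""
    cutoff = datetime.strptime(intel_time, TS_FORMAT)
    return sorted({e["host"] for e in parse(lines)
                   if e["type"] == "dns" and e["qname"] == domain and e["ts"] < cutoff})


if __name__ == "__main__":
    print(infected_hosts(LOG_LINES))
    print(retro_hunt(LOG_LINES, "update-cdn.example", "2024-03-04T12:00:00Z"))
```

Any one of the three behaviours on its own is common on a healthy network (new domains are looked up constantly, and software updaters beacon), which is why the detection keys on the combination inside a time window rather than on a single indicator. The retro hunt is the part that normally never happens without automation: when new intelligence arrives, every host's past telemetry is rechecked against it rather than only future traffic.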
Attackers use automation to move faster and constantly deploy new threats. The only way to keep up and defend against these threats is to employ automation as part of your cybersecurity efforts. Integrating automation provides significantly stronger security and has the added benefit of using your manpower more effectively. A next-generation security platform automatically and rapidly analyzes data and turns unknown threats into known threats, creates an attack DNA, and automatically creates and enforces a full set of protections throughout the organization to stop an attack from successfully progressing through its lifecycle.
[Palo Alto Networks Research Center]