Maksim Kabakou - Fotolia
Security Think Tank: Take care of security basics before automating
How can organisations evolve their security operations teams to do more automation of basic tasks and cope with dynamic IT environments?
The pace of cyber security is daunting. IT and security teams are flooded with tickets, patches, vulnerabilities and incidents. Automation may be a solution for cyber security overload, but organisations need to take care of the basics before they can properly take advantage automation.
Automation reduces the amount of time spent on basic tasks, allowing more time to be spent on addressing unique needs of dynamic IT environments. By aligning with information-sharing organisations, organisations become stronger as part of a trusted community that works to keep information safe and protected.
What does this all mean? Cyber security impacts organisations of all sizes, and automation can expand the capabilities of smaller teams. Many solution providers offer resources to help security teams automate certain security functions. There are a lot of resources out there to help teams move some security tasks off their plates.
My recommendation: Automation can only do so much if an organisation is not properly prepared for implementation. Before implementing any new security and automation systems from a third-party supplier, it is always crucial for organisations to take the time to do an internal audit of their current architecture and applications.
If systems are broken or out of date, businesses will be able to take full advantage of all new and evolving technologies have to offer. You have to start with basic cyber hygiene and asset inventory before you can step up to automation.
When it comes to automation, we use open standards like the Integrated Adaptive Cyber Defense (IACD) framework, structured threat information expression (Stix) trusted automated exchange of indicator information (Taxii) and Open Command and Control (OpenC2).
With these standards, organisations are able to derive threat data from multiple sources, allowing organisations to tailor to their specific threat landscape.
Recently FS-ISAC partnered with the Johns Hopkins University Applied Physics Labs to promote adoption of the IACD framework in the financial sector. Through the IACD framework, organisations can better understand commercially available automation solutions and how to integrate them into their current security systems.
Stix and Taxii
Stix is a structured language for expressing cyber threat intelligence and Taxii is a mechanism for communicating Stix content. Together, they provide a foundation for organisations to communicate, collect, correlate and enrich threat data from a variety of sources. This allows for faster detection of threats and provides a more cohesive view into the threat for analysts and incident response teams.
OpenC2 is an open standard command language currently under development by the OASIS OpenC2 Technical Committee, designed for programmatically issuing commands to security applications like firewalls, intrusion detection systems and endpoint security applications, sometimes referred to as security orchestration. It provides a foundation for organisations to specify and communicate security controls with internal security systems using an open language that communicates at wire speed.
Read more about security automation
By integrating OpenC2 into Stix, threat intelligence providers and sharing communities can provide recommended courses of action that can be applied to any environment without the need to understand the specific technologies used.
With the ever-evolving cyber risks, organisations need to continue to find creative ways to use the existing and emerging technology and standards to stay ahead.