Banks and other financial institutions are leaning on automation for the ingesting of voluminous data and identification of potential threat activity, but many are still shying away from automating actual network responses to these events — instead relying on analysts to make those key decisions.
However, they are at least expressing interest in experimenting with automated incident response, while also further bolstering their adaptive defenses using deception technology, according to Mastercard Principal Security Researcher Donnie Wendt, speaking this week at (ISC)2 Security Congress.
Drawing from both a recent dissertation of his at Colorado Tech, as well as his own professional experience, Wendt shared with the virtual audience his take on automation’s benefits for the financial services vertical, its current and possible future use cases, and how to ensure one’s automation and active defense strategies are successful. Wendt’s research was informed through in-depth responses from 10 security professionals working in finance.
“The lessons learned from this research can be applied to increase security posture of both in institutions and the industry as a whole,” said Wendt, who is also an adjunct cybersecurity professor at Utica College. “The results hopefully can also assist cybersecurity leaders to justify further investments in security automation and adaptive Defense to improve overall adoption.”
The benefits of automation
There are many justifications for pursuing more automation within your SOC. But cost savings is not one of them. “You’re probably in for a rude awakening if that’s why you’re doing this,” said Wendt. In fact, “a couple of the [research] participants felt that the perception that automation is a cost-savings tool actually impeded their successful implementation.”
On the other hand, automation does help compensate for a shortage of talent within your organization, and it does also introduce substantial time savings.
“The current human-centered cyber defense practice … simply cannot keep pace with all the threats targeting us,” said Wendt. To keep up with the rising tide of alerts, “we have to drastically increase the speed of detection and response.”
Through automation, however, organizations can establish higher thresholds for ingesting, analyzing and flagging anomalous events, allowing a solution to perform the mundane work at a far faster pace, saving human analysts for the potential threats deemed most relevant and highest priority.
“This leads of course to the ability to free security analysts for that more advanced work such as threat hunting and improving automation, which further increases the visibility. So it's not just that we're better able to get through more events faster; we're able to see a lot of events that we weren't seeing before, and that's where the real benefit [is],” said Wendt.
Additionally, security automation can also ensure better consistency and standardization of process when responding to alerts, as well as facilitate the integration of disparate security systems, he continued.
In an ideal world, Wendt posited, companies would see even more gains by combining automated incident response with organized threat intelligence sharing, as well as active defense and deception technologies that make an attacker’s job more difficult and time-consuming.
“The underlying goal … is to be faster than the enemy. But to achieve that goal, the cyber defender not only has to streamline his command and control; he must also interfere with the attackers’ command and control.” Wendt explained.
“The intelligence sharing and automated response they work together to reduce the defenders cost and time. We know that collective action fostered by effective sharing of intelligence can act as an immune system for the collaborating organizations, while automation is increasing the speed of response to an attack, and the speed of proactively responding.” he continued. “While it's same time though, we can use advanced defense methods, such as active defense and deception to raise the cost to an attacker and slow the attack. Deception confuses and slows the attacker and makes him expand his resources, and also reveal his capabilities and tech techniques.”
Automation use cases
According to Wendt, right now the most frequently cited automation use cases are related to event enrichment and correlation — allowing the user organization to collect large amounts of internal and external data from sources (e.g. event management systems, firewalls and reputation scores) in order to build more meaningful context and situational awareness around cyber alerts. “So the analyst can make an informed decision,” Wendt explained.
Wendt has also encountered financial institutions that use automated tools for the “ingestion and processing of indicators of compromise … from intelligence feeds — because the volume of those IOCs inundating financial institutions … requires automation,” he said.
On the prevention detection and prevention front, common malicious activities that financial institutions use automation to watch out for include phishing campaigns and leakage of sensitive data. Some banks have even been engaging in automated threat response to certain flagged events. But such responses are generally restricted to the automatic blocking or quarantining of users/hosts, as well as malware remediation with the help of tools like firewalls, intrusion prevention systems and web filtering solutions.
However, based on Wendt’s observations, financial institutions are currently less inclined to automate more drastic threat response actions, instead relying on human judgment and hard evidence on such occasions to avoid shutting down operations on account of false positives.
Still, “there is a desire to move toward more automated response methods as organizations develop that trust and confidence,” said Wendt. “The main reluctance to automate responses is the concern over causing business impact. So that's why companies have to consider how to counter or undo incorrect actions taken by automation. Just like hopefully you've already considered how to correct or counter incorrect actions done by your security analyst."
Wendt also hasn’t seen much adoption of deception technology (e.g. honeypots) among banks yet. while some have “expressed a very strong interest" in such possibilities, "most of the participants had not fully implemented them,” he said. “There were a lot of concerns with the use of deception, including, of course, the risk of inviting attackers into [one’s] network, or allowing them to move freely within the network.” Additionally, “there was also a lot of doubts about the usefulness of data collected via deception.”
Even so, “All the [surveyed] companies that were raising these concerns were also saying that they're planning to do more with it.”
Cyber intelligence sharing, meanwhile, is quite strong in the financial sector, via peer-to-peer and arrangements and through organizations such as FS-ISAC. Here automation plays a notable role, said Wendt — particularly in the context of ingestion and enrichment of data, but not dissemination.
Ensuring automation success
Automation doesn’t guarantee automatic success. With that in mind, Wendt offered (ISC)2 attendees several recommendations for ensuring a fruitful automation implementation. Key among them is forming a team that’s specifically focused on security automation, featuring roles such as managers, engineers, SOC analysts and developers.
“You really have to understand the resources necessary. I’ve seen too many teams trying to do this as a side gig, and it's not,” said Wendt.
Wendt also emphasized the importance of earning trust, support and buy-in throughout your organization, ideally by finding low-risk use cases for automation that are mutually beneficial for both security and your various business departments, and/or can produce demonstrable “quick wins.”
