By Eyal Benishti, founder & CEO, IRONSCALES
As email attacks grow more frequent and more complex, organizations are scrambling for new ways to reduce risk and to detect and remediate threats faster. Many SOC and IT security teams are buried under so many alerts that manual email forensic analysis and remediation can no longer keep pace. Meanwhile, the techniques attackers use make it increasingly difficult for end users to recognize fraudulent emails.
Security Orchestration, Automation and Response (SOAR) solutions offer an end-to-end means to identify and remediate threats while continuously learning to better improve processes. Putting SOAR in the inbox can reduce remediation time, improve efficiency for SOC teams, and significantly reduce the risk of phishing across an entire organization.
Faster Detection and Remediation Needed for Sophisticated Threats
Phishing remains the primary attack vector, and malicious emails have become sophisticated enough to regularly fool employees, security professionals and executives. Attackers are doubling down on phishing precisely because it continues to work. According to the 2018 Verizon Data Breach Investigations Report, phishing and pretexting figure in 93 percent of the breaches that involved social engineering.
Today, phishing is often the opening move in a business email compromise (BEC) attack. BEC reached record levels in 2017 and, according to recent FBI data, has accounted for more than $12 billion in reported losses since 2015. Because these attacks are designed to cause direct financial loss, they are now a primary focus of security teams: a single well-targeted BEC email can expose an entire organization to financial and reputational harm.
However, most organizations struggle to mitigate BEC and other advanced phishing threats with legacy email security tools, and SOC teams can no longer keep pace by manually working through the hundreds of suspicious emails flagged every day by people or by technology. The lack of integration and orchestration with the rest of the security stack adds further workload and response time. Finally, end users often have no easy way to report a suspicious email to the SOC, and without that feedback loop it is difficult to predict, prevent, detect and respond automatically.
Security Orchestration, Automation and Response in Email
Gartner recommended in a recent report that organizations implement Security Orchestration, Automation and Response (SOAR) to improve security operations and incident response. The analyst firm expects rapid adoption of SOAR between now and 2020 as organizations turn to orchestration and automated response to cope with the growing volume of alerts.
Applied to the inbox, Email Security Orchestration, Automation and Response (E-SOAR) can be a game-changer, streamlining phishing incident response and reducing manual email analysis. Specifically, E-SOAR can help SOC and security teams to:
- Improve efficiency – Automation and orchestration together improve the efficiency of SOC and IT security teams by providing a framework for flagging, analyzing and classifying reported emails in real time. Filtering out false positives based on known attack signatures and learned sender behavior also reduces the number of investigations SOC teams must handle by hand.
- Protect against zero-days – Orchestration lets SOC and security teams chain in third-party multi-engine antivirus, sandbox and content disarm and reconstruction (CDR) services, adding a further layer of real-time intelligence and protection against zero-day malware and newly registered phishing sites.
- Expedite remediation – Automated response can reduce phishing risk by more than 70 percent, according to Aberdeen, and frees the time and skills that SOC and IT teams would otherwise spend on manual analysis, investigation and remediation. E-SOAR streamlines the response to a phishing incident, shortening the time a phishing email lies idle in employee mailboxes before it is removed.
Perhaps the greatest benefit of E-SOAR is that it can be combined with machine learning to improve continuously. It collects intelligence from end-user reports and from analyst decisions, reviews open incidents, and automatically orchestrates a full forensic examination of each suspicious email without an analyst having to write a playbook by hand. If an email is judged malicious, every copy of it can then be removed from all affected mailboxes without human intervention.
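The following is an added, self-contained example of the E-SOAR flow described in the list above and in the preceding paragraph (report, indicator extraction, orchestrated analysis, verdict, campaign-wide removal). It is illustrative code written for this page, not IRONSCALES code, and uses the Python standard library only. The organisation domain `acme-corp.com`, the trusted-sender list, the scoring threshold, the in-memory mailbox store and both sample messages are constructed assumptions; the local analyzers stand in for the third-party AV, sandbox and URL services a real deployment would call.

```python
"""E-SOAR style phishing playbook: user-reported email -> indicators -> analyzers
-> verdict -> remove every copy of the campaign from all mailboxes.
Added example, not vendor code; every constant and sample below is assumed."""
import difflib
import email
import email.utils
import hashlib
import re
from email import policy
from urllib.parse import urlparse

ORG_DOMAIN = "acme-corp.com"                           # assumed protected organisation
TRUSTED_DOMAINS = {ORG_DOMAIN, "saas-vendor.example"}  # assumed learned-benign senders
EXEC_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta")
MALICIOUS_THRESHOLD = 2                                # assumed: two independent signals

# Constructed sample: what an employee's "report phishing" button hands to the SOC.
REPORTED_EML = b"""From: "Acme Payroll" <payroll@acme-corp.co>
Reply-To: finance.update@mail-relay.example
To: alice@acme-corp.com
Subject: Urgent: updated wire instructions
Message-ID: <campaign-1@mail-relay.example>
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please verify the new account at http://acme-corp.co.login-verify.example/pay
--B
Content-Type: application/octet-stream; name="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--B--
"""

# Constructed sample of ordinary internal mail, used to show the false-positive filter.
BENIGN_EML = b"""From: hr@acme-corp.com
To: carol@acme-corp.com
Subject: Holiday schedule
Message-ID: <hr-42@acme-corp.com>
Content-Type: text/plain

Reminder: the office is closed on Friday. See https://intranet.acme-corp.com/holidays
"""

# Constructed mailbox store: the reported copy, a second copy of the same campaign
# sent to bob under a different Message-ID, and the benign message for bob and carol.
MAILBOXES = {
    "alice@acme-corp.com": [REPORTED_EML],
    "bob@acme-corp.com": [REPORTED_EML.replace(b"campaign-1", b"campaign-2")
                                      .replace(b"alice@", b"bob@"), BENIGN_EML],
    "carol@acme-corp.com": [BENIGN_EML],
}


def _domain(header_value):
    addr = email.utils.parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_indicators(raw):
    """Parse a raw RFC 5322 message into the indicators the analyzers score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_filename():                        # attachment by disposition or name
            data = part.get_payload(decode=True) or b""
            attachments.append({"name": part.get_filename().lower(),
                                "sha256": hashlib.sha256(data).hexdigest(),
                                "is_pe": data.startswith(b"MZ")})   # PE magic bytes
        elif part.get_content_type() == "text/plain":
            urls += re.findall(r'https?://[^\s<>"]+', part.get_content())
    return {"message_id": str(msg.get("Message-ID", "")).strip(),
            "from_domain": _domain(msg.get("From")),
            "reply_to_domain": _domain(msg.get("Reply-To")),
            "urls": urls, "attachments": attachments}


def analyze(ind):
    """Local stand-ins for the orchestrated AV / sandbox / URL checks. Each analyzer
    adds one named signal; the verdict counts independent signals."""
    signals, fd = [], ind["from_domain"]
    if fd != ORG_DOMAIN and difflib.SequenceMatcher(None, fd, ORG_DOMAIN).ratio() >= 0.8:
        signals.append("lookalike sender domain: " + fd)
    if ind["reply_to_domain"] and ind["reply_to_domain"] != fd:
        signals.append("Reply-To domain differs from From domain")    # classic BEC tell
    for url in ind["urls"]:
        host = (urlparse(url).hostname or "").lower()
        in_org = host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)
        if not in_org and ORG_DOMAIN.split(".")[0] in host:
            signals.append("org name embedded in foreign host: " + host)
    for att in ind["attachments"]:
        if att["is_pe"] or att["name"].endswith(EXEC_EXTENSIONS):
            signals.append("executable attachment: " + att["name"])
    if len(signals) >= MALICIOUS_THRESHOLD:
        verdict = "malicious"
    elif signals:
        verdict = "suspicious"              # one signal: leave for an analyst
    else:
        verdict = "benign"
    # False-positive filter: a trusted sender with no content signals is auto-closed.
    return {"verdict": verdict, "signals": signals,
            "auto_closed": verdict == "benign" and fd in TRUSTED_DOMAINS}


def remediate_campaign(ind, mailboxes):
    """Remove every copy of the campaign from all mailboxes. A copy matches on the same
    Message-ID, a shared attachment hash or a shared URL, since sender and Message-ID
    are trivially varied per recipient while payload and lure URL usually are not."""
    hashes, urls, removed = {a["sha256"] for a in ind["attachments"]}, set(ind["urls"]), {}
    for mailbox, messages in mailboxes.items():
        keep = []
        for raw in messages:
            other = extract_indicators(raw)
            same = ((ind["message_id"] and other["message_id"] == ind["message_id"])
                    or hashes & {a["sha256"] for a in other["attachments"]}
                    or urls & set(other["urls"]))
            if same:
                removed[mailbox] = removed.get(mailbox, 0) + 1
            else:
                keep.append(raw)
        mailboxes[mailbox] = keep
    return removed


def run_playbook(raw, mailboxes):
    """End-to-end flow: report -> indicators -> analyzers -> verdict -> remediation."""
    ind = extract_indicators(raw)
    result = analyze(ind)
    result["removed"] = (remediate_campaign(ind, mailboxes)
                         if result["verdict"] == "malicious" else {})
    return result


if __name__ == "__main__":
    store = {k: list(v) for k, v in MAILBOXES.items()}
    print(run_playbook(REPORTED_EML, store))
    print({k: len(v) for k, v in store.items()})
```

Run as-is, the reported message collects four independent signals (lookalike sender domain, mismatched Reply-To, the organisation's name embedded in a foreign host, and a PE attachment), is classified malicious, and both copies of the campaign are removed, including bob's copy whose Message-ID differs. The internal HR message produces no signals and is auto-closed because its sender is on the trusted list, which is the false-positive filtering the list above refers to. In a real deployment the analyzers in `analyze` would be replaced by calls to the orchestrated AV, sandbox and URL services, and the mailbox store by the mail platform's search-and-purge API.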
At a time when SOC and IT security teams need all the help they can get, marrying SOAR with email security may be the missing link for hardening mailboxes and reducing the risk from sophisticated attacks that use email as their vector of infiltration.