Alleviating the cyberskills shortage with automation
By Gavin Wilson, Managing Director, Forescout ANZ
Wednesday, 02 November, 2022
There is a shortfall of tech skills and talent across the board, with cybersecurity skills among the hardest to find. Couple this with a growing reliance on IoT and OT, and organisations face an even higher risk across an already rapidly expanding attack surface for ransomware.
Recent data from KPMG shows 78% of organisations have employed more than 50 security tools to protect their networks across this expanding threat landscape. However, managing them effectively places a huge burden on already overstretched and under-resourced teams.
Fortunately, many of the security products and devices handled by SOC teams can be translated into automated actions that drive policy enforcement and accelerate response systems. Automating these tools can free up the limited cybersecurity talent to focus on areas where human effort is needed.
Response teams are at a tipping point
Businesses today exist in a constantly fluctuating and fast-evolving digital environment, with a proliferation of new devices joining networks every day: Internet of Things (IoT), operational technology (OT), cloud and, in the healthcare sector, Internet of Medical Things (IoMT). Connected devices are now used across many different industries, some of which manage highly confidential and valuable information. This makes these organisations attractive targets not just for cybercrime gangs, but also for nation-state actors.
Furthermore, recent research from Forescout uncovered how critical vulnerabilities are inherent in OT, because these devices were never built with security in mind, and many organisations lack visibility of where such devices are located in their networks. Dubbed OT:ICEFALL, this set of 56 vulnerabilities affects popular devices from 10 OT vendors and allows for credential theft, remote code execution and firmware or logic manipulation. OT was traditionally air-gapped, so security was a low priority. But as external connectivity increases, so does the threat landscape, and these vulnerabilities highlight the mountain security teams need to climb.
Even security-mature organisations are now becoming overwhelmed by dozens of IT and security solutions that have remained on their networks for long periods of time and no longer possess any meaningful integration. They may lack insight into device context or be unable to respond to new threats. Multiple security solutions also tend to have conflicting data and overload incident response teams and security operations with more alerts than they can process. Many of these alerts are false positives or risks that have been mitigated by other means, such as network segmentation.
Likewise, many alerts are unactionable. Talk to almost any incident response team and you will hear the complaint that “we can detect threats but can’t respond to them in time” or “our controls send alerts but can’t automatically remediate them”. This is ultimately why incident response is such a reactive process — it has become a cumbersome manual task just to prioritise alerts.
Accelerate response actions with automation
The cybersecurity challenges faced by businesses today can no longer be solved entirely through the deployment of more and more products. The cyber risks of device security complexity and manual overheads can be addressed by optimising security automation:
Device context — Automation enables organisations to maintain up-to-date information about all their cyber assets as soon as they join or leave the network. Network context is key to understanding what the device is, where the device is connected, and from where it is connecting. This context enables tech teams to understand the difference between a Windows 7 PC vs a Windows 7 laptop that is operating a pill-dispensing cart on a hospital floor. This information can be easily integrated into other security tools.
Orchestrated workflows — Automated workflows can enforce policies and trigger a response, from finding vulnerable devices to isolating them until they can be remediated. Automatically triggering remediation, such as executing a script, fixing a missing agent or triggering a patch, is key to staying ahead of threats.
Accelerated response — Multifactor risk scoring and advanced threat detection can prioritise alerts to the risks and threats that matter most. Ideally, responses should include actions at the network level, as host-based controls are often disabled during a malware attack. Cyber attacks have become increasingly automated as well, so responding to incidents at machine speed is critical to preventing, mitigating and recovering from a breach.
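To make the three capabilities above concrete, here is an added illustration (not Forescout's code or product logic) of how device context can feed a multifactor risk score that prioritises alerts and selects a network-level or host-level response. The weights, device roles and sample devices are constructed for the example; the two Windows 7 machines show how the same OS on a general workstation and on a pill-dispensing cart lead to different actions.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    os: str
    role: str               # e.g. "workstation", "medical-cart", "plc"
    segment: str            # network segment where the device was seen
    vulns: int = 0          # open critical vulnerabilities (from a scanner)
    agent_ok: bool = True   # endpoint agent present and healthy
    external: bool = False  # reachable from outside its own segment

# Constructed weights: end-of-life OSes and high-impact roles score higher.
EOL_OS = {"windows 7", "windows xp"}
ROLE_WEIGHT = {"workstation": 1, "medical-cart": 4, "plc": 4}

def risk_score(d: Device) -> int:
    """Multifactor score combining OS age, exposure, role and agent state."""
    score = 3 if d.os.lower() in EOL_OS else 0
    score += min(d.vulns, 5) * 2          # cap so one noisy scanner can't dominate
    score += ROLE_WEIGHT.get(d.role, 2)   # unknown roles get a middling weight
    if not d.agent_ok:
        score += 2                        # host controls may already be gone
    if d.external:
        score += 3                        # reachable from outside its segment
    return score

def response_action(d: Device, isolate_at: int = 10) -> str:
    """Map the score to an orchestrated action; isolation happens at network level."""
    if risk_score(d) >= isolate_at:
        return "isolate"          # quarantine at the network until remediated
    if not d.agent_ok:
        return "reinstall-agent"  # fix the missing/broken host control first
    if d.vulns:
        return "patch"
    return "monitor"

def triage(devices: list) -> list:
    """Return device names ordered by risk, highest first, for the SOC queue."""
    return [d.name for d in sorted(devices, key=risk_score, reverse=True)]

if __name__ == "__main__":
    pc = Device("fin-pc-01", "Windows 7", "workstation", "corp-users", vulns=1)
    cart = Device("pill-cart-7", "Windows 7", "medical-cart", "ward-3", vulns=1, agent_ok=False)
    plc = Device("plc-02", "VxWorks", "plc", "ot-cell", vulns=3, external=True)
    for d in (pc, cart, plc):
        print(d.name, risk_score(d), response_action(d))
    print(triage([pc, cart, plc]))
```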
The power of the long game
Organisations may be slow to implement automation because they are concerned about disruptions to their operations and potentially facing setbacks in an already mission-critical process. However, those that invest the time to set up automation capabilities will become far more efficient in the long run.
The key to setting up automation is to leverage in-depth data sourced from your own networks, so that the information driving policies is accurate and reflects how the environment actually operates. Visibility and monitoring solutions can provide rich information on the depth and breadth of a network so that organisations can eliminate their blind spots. Fully integrated platforms enable organisations to employ multiple capabilities, moving beyond visibility and into automated action. In doing so, organisations can tackle the cybersecurity skills shortage and allow their human workers to focus on higher-skilled tasks.