We live in a world where everything is being automated – from the “smart” gadgets in your home to, eventually, the self-driving car that takes you to work. Now and in the future, it will be difficult to find something that is not suited to automation.
If we move the conversation to business, automation is even more commonplace. From business processes and software-as-a-service (SaaS) applications to more complex network and cloud automation, it’s all part of digital business already. So why does it sometimes feel as though cybersecurity is still playing catch up?
Cyber criminals are leveraging automation to launch effective malware and phishing campaigns, as it provides them with scale, speed and repeatability. As a result, we’re seeing these types of sophisticated attacks occur more frequently. This creates a challenge for security operations teams because they become overwhelmed with repetitive processes and tedious investigations into false positives. Put simply, there are not enough resources or time to keep up.
Security automation can help. The technology reduces the number of monotonous tasks that take up an engineer’s valuable time, yet ensures they are always completed accurately, regardless of frequency and quantity. This frees up the engineer’s time and skills to focus on other, more strategic business tasks while maintaining network health and safety.
Automation Is the Answer
In our recent webinar, we discussed the importance of using security automation to combat today’s complex and persistent attacks, including malware that camouflages itself to remain in stealth mode until it arrives at the intended target. IBM was able to demonstrate this with its DeepLocker concept that was embedded into video conferencing software and only triggered when the targeted individual was seen on camera.
Security automation can help here, too – from monitoring unusual network behavior or data movement to creating rules for the network, the possibilities are endless. Here are a few key areas to keep in mind when you are considering deploying this technology:
- Every day, analysts receive hundreds of alerts, most of which are benign. However, they still must watch for threats that may be serious. Automating this task reduces the number of alerts that must be looked at in detail, increasing analyst efficiency and reducing the risk of missing an important alert.
- Analyst fatigue can be aggravated by performing repetitive actions. Any alert ends up in one of three states: good, bad or unknown. Deciding which leads to an analyst performing the same actions over and over again, increasing the possibility of error. Automation can use rules based on previous experience to determine if action is needed, so that only alerts that require further investigation are flagged to an analyst.
- When an alert is deemed to be bad, an analyst must manually investigate and understand what has happened and what remediation actions are required. Even the most complex alert will require common and repetitive actions to establish remediation. This may include quarantining devices infected with malware or deleting phishing attachments from emails. Although security automation cannot yet be used to detect these attacks, it can be used to perform the repetitive actions and allow the analyst to move on to the next task that requires attention.
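The three bullets above describe one workflow: sort incoming alerts into good, bad or unknown using rules distilled from earlier investigations, auto-close the benign ones, queue the repetitive remediation steps for the known-bad ones, and hand only the unknowns to an analyst. The following is an added example of that triage loop, written for this article; it is not Juniper or JSA code. The allowlisted sources, the indicator values, the playbook and the sample alerts are all constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# "Previous experience" encoded as rules. All values are constructed placeholders.
KNOWN_BENIGN_SOURCES = {
    "10.0.0.5": "authorised vulnerability scanner",
    "10.0.0.9": "nightly backup job",
}
KNOWN_BAD_HASHES = {"0123456789abcdef0123456789abcdef"}   # placeholder, not a real IoC
KNOWN_BAD_DOMAINS = {"bad-sender.invalid"}                # placeholder, not a real IoC

# Repetitive remediation steps per alert type, applied only when the state is "bad".
# Each entry names the action and which alert field supplies its parameter.
PLAYBOOK: Dict[str, List[Tuple[str, str]]] = {
    "malware": [("quarantine_device", "host")],
    "phishing": [("delete_attachment", "message_id"), ("block_sender", "sender")],
}

@dataclass
class Alert:
    alert_id: str
    kind: str                                  # e.g. "malware", "phishing", "scan"
    host: str                                  # host the alert was raised on
    indicators: Dict[str, str] = field(default_factory=dict)

@dataclass
class Verdict:
    state: str                                 # "good", "bad" or "unknown"
    reason: str
    actions: List[Tuple[str, str]] = field(default_factory=list)

def triage(alert: Alert) -> Verdict:
    """Classify one alert and, for known-bad ones, list the playbook actions."""
    # Rule 1: alerts raised by sources already confirmed benign are auto-closed.
    if alert.host in KNOWN_BENIGN_SOURCES:
        return Verdict("good", f"known benign source: {KNOWN_BENIGN_SOURCES[alert.host]}")
    # Rule 2: indicators confirmed malicious in earlier investigations -> bad.
    ind = alert.indicators
    if ind.get("file_hash") in KNOWN_BAD_HASHES or ind.get("domain") in KNOWN_BAD_DOMAINS:
        actions = []
        for action, param in PLAYBOOK.get(alert.kind, []):
            value = alert.host if param == "host" else ind.get(param, "")
            actions.append((action, value))
        return Verdict("bad", "matched previously confirmed indicator", actions)
    # Rule 3: nothing matched, so an analyst has to look.
    return Verdict("unknown", "no rule matched; needs analyst review")

def triage_batch(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Split a day's alerts into the three queues; only 'unknown' reaches an analyst."""
    queues: Dict[str, List[str]] = {"good": [], "bad": [], "unknown": []}
    for alert in alerts:
        queues[triage(alert).state].append(alert.alert_id)
    return queues

# Constructed sample alerts standing in for a SIEM feed.
SAMPLE_ALERTS = [
    Alert("A1", "scan", "10.0.0.5"),
    Alert("A2", "malware", "10.1.2.3", {"file_hash": "0123456789abcdef0123456789abcdef"}),
    Alert("A3", "phishing", "10.1.2.4", {"domain": "bad-sender.invalid",
                                         "message_id": "msg-42",
                                         "sender": "mallory@bad-sender.invalid"}),
    Alert("A4", "malware", "10.1.2.5", {"file_hash": "fedcba9876543210fedcba9876543210"}),
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        verdict = triage(alert)
        print(f"{alert.alert_id}: {verdict.state:7} {verdict.reason} {verdict.actions}")
    print(triage_batch(SAMPLE_ALERTS))
```

The point of the structure is that the playbook only ever fires on the "bad" branch, which is reached solely through indicators an analyst has already confirmed; anything the rules cannot place stays in the "unknown" queue rather than being silently closed, so the automation cuts the alert volume without widening the blind spot the first bullet warns about.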
Now that we’ve established security automation can significantly reduce the workload of the SOC team, where do the two big technology buzzwords of today – machine learning and artificial intelligence (AI) – come into play?
We’re still in early days, but machine learning and AI are going to be big – in fact, many experts predict these technologies will dominate cybersecurity in the future. There is an obvious need to improve the capability of automated security to provide clearer analysis, recognize behavior and patterns and help solve problems for analysts. Together, machine learning and AI could be key enablers, helping to reduce human effort and make cybersecurity faster, more consistent and accurate.
Juniper Secure Analytics (JSA)
JSA embeds the ability to look up threats in the IBM Watson Cloud, which is effectively AI applied to the challenge of cybersecurity, trained on billions of pieces of threat information coming from both structured and, crucially, unstructured sources.
Over time, Watson refines its ability to understand and process unstructured data in the same way a human does. This means that when JSA detects a threat on the network by correlation of ingested data, it can immediately give the security analyst the available context for the threat that would normally consume a large part of their subsequent response time – e.g. information about the exploit, how it propagates, where it originated, the protocols and applications affected, identified malicious file hashes, who else has run the malicious file and, finally, the availability of a patch for the exploit.
Machine learning can also be leveraged to train JSA on data sets and produce behavioral models. This is used in two ways – the first is to assess user behavior on the network to provide risk prediction and, hence, an associated threat score; the second is to understand ‘normal’ DNS usage to detect threats or manipulations of DNS, such as domain generation algorithms.
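To make the second use concrete, here is an added example of learning what ‘normal’ DNS names look like and flagging queries that deviate, which is the pattern a domain generation algorithm produces. It is written for this article and is not Juniper or JSA code, and it is far simpler than a trained behavioral model: the "model" is just the set of character bigrams seen in a constructed baseline of second-level labels, the `FLAG_THRESHOLD` cut-off is an assumed value, and the DNS log lines and their `<time> <client> <qtype> <qname>` layout are constructed for the example.

```python
import math
from typing import Dict, List, Set

# Constructed baseline: second-level labels seen in a site's normal DNS traffic.
NORMAL_LABELS = [
    "google", "juniper", "microsoft", "github", "wikipedia", "example", "office",
    "slack", "cloudflare", "amazon", "netflix", "apple", "twitter", "linkedin",
    "dropbox", "salesforce", "adobe", "mozilla", "ubuntu", "debian", "python",
    "docker", "stackoverflow", "reddit", "youtube", "facebook", "instagram",
    "spotify", "zoom", "atlassian",
]

FLAG_THRESHOLD = 0.5  # assumed cut-off: flag labels with fewer familiar bigrams than this

def second_level_label(domain: str) -> str:
    """Return the label left of the TLD (no public-suffix handling, so 'x.co.uk' -> 'co')."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def bigrams(label: str) -> List[str]:
    return [label[i:i + 2] for i in range(len(label) - 1)]

def build_baseline(labels: List[str]) -> Set[str]:
    """The 'normal' model: every character bigram seen in the baseline labels."""
    seen: Set[str] = set()
    for label in labels:
        seen.update(bigrams(label))
    return seen

def familiarity(label: str, baseline: Set[str]) -> float:
    """Fraction of the label's bigrams that the baseline has seen (1.0 = fully familiar)."""
    grams = bigrams(label)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g in baseline) / len(grams)

def shannon_entropy(label: str) -> float:
    """Bits per character; reported as a secondary feature, not used for the decision."""
    if not label:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_domain(domain: str, baseline: Set[str]) -> Dict[str, object]:
    label = second_level_label(domain)
    fam = familiarity(label, baseline)
    return {
        "domain": domain,
        "label": label,
        "familiarity": round(fam, 2),
        "entropy": round(shannon_entropy(label), 2),
        "flagged": fam < FLAG_THRESHOLD,
    }

def scan_queries(log_lines: List[str], baseline: Set[str]) -> List[Dict[str, object]]:
    """Score each query line ('<time> <client> <qtype> <qname>') and return the flagged ones."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue                       # skip malformed lines rather than crash
        result = score_domain(parts[3], baseline)
        if result["flagged"]:
            result["client"] = parts[1]    # keep the querying host for the analyst
            flagged.append(result)
    return flagged

# Constructed DNS query log lines (not real traffic).
SAMPLE_QUERIES = [
    "2024-01-15T09:00:01Z 10.1.2.3 A mail.outlook.com",
    "2024-01-15T09:00:02Z 10.1.2.3 A www.google.com",
    "2024-01-15T09:00:03Z 10.1.2.9 A xq7zk3vwp9.net",
    "2024-01-15T09:00:04Z 10.1.2.9 A kwjdhfgxzqp.org",
    "2024-01-15T09:00:05Z 10.1.2.9 A teams.microsoft.com",
]

if __name__ == "__main__":
    base = build_baseline(NORMAL_LABELS)
    for hit in scan_queries(SAMPLE_QUERIES, base):
        print(hit)
```

Two design points carry over to a real deployment. The baseline must be learned from the site's own traffic rather than a fixed list, because what is "normal" differs per network, and a label the baseline has never seen but that reads like natural language (`outlook` above) still scores as familiar, so the check does not simply punish every new domain. Entropy alone is a weak discriminator (long legitimate names score nearly as high as random ones), which is why it is reported here only as supporting context for the analyst.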
This is a great example of using machine learning for threat detection – but what about threat response?
Traditional cybersecurity uses data from security solutions to create a strong posture, while machine learning builds on data to understand where a threat may be attempting to breach the network. By extending this to leverage not only security data, but also data from switches and routers, the security posture is improved further. With security integrated from the edge of the network and throughout network infrastructure, threats to valuable data and endpoints are significantly mitigated.
The full capabilities of both AI and machine learning as they relate to cybersecurity are untapped today, but that does not mean you should not be taking a close look now to see how they can make the security team more effective and improve your overall data posture.
For more information on how Juniper Networks can support your strategy for security automation and data protection, please visit juniper.net/data-protection.