In a recent post, we noted that the emergence of automated cyberattacks presents IT security organizations with extraordinary challenges. Automation is allowing malicious actors to launch attacks with breathtaking scale and frequency. According to figures from the AV-TEST Institute, more than 350,000 new malicious programs are identified every day, and total annual malware volumes have increased by an astonishing 1,500 percent over the past 10 years.
Adding more security tools isn’t the answer. The typical company already deploys nearly 50 different security solutions that generate thousands of security alerts on a daily basis. The manual effort required to track, investigate and resolve all these alerts is more than most security teams can reasonably be expected to handle.
Instead, organizations must incorporate artificial intelligence (AI) and machine learning (ML) into their cybersecurity frameworks. By automating repetitive tasks and minimizing human intervention, AI and ML capabilities help security teams keep pace with escalating attacks.
A New Playbook
One way to incorporate automation is with Security Orchestration, Automation and Response (SOAR), which creates a framework for automating workflows and orchestrating multiple security technologies using software connectors. What’s more, this unified framework can ingest and correlate vast amounts of threat intelligence from the network, subscription services and other sources in order to “learn” the difference between normal and suspicious activity.
A key to this strategy is the use of gathered intelligence to create “adversary playbooks” that document the behaviors and methodologies used in cyberattacks. Once information about an attack’s unique tactics, techniques and procedures (TTPs) is fed into AI-powered systems, they can detect patterns and interrupt attacks by anticipating and shutting down the next step in the attack sequence.
Over time, ML-trained systems will become increasingly familiar with threat characteristics and won’t have to wait until the network is under attack to respond effectively. Remote learning nodes placed at the edges of the network act as reconnaissance sensors, identifying threat attributes as part of an early warning system that enables proactive intervention.
For example, Fortinet developed a playbook that organizations have been able to use to thwart Emotet, a notorious banking trojan that evolved into one of the world’s largest email spamming botnets. Emotet has been particularly active since the onset of the pandemic, infecting more than 1.6 million computers and causing hundreds of millions of dollars in damage since April 2020.
The Fortinet playbook described the Emotet infection process and its behavior after it infected a targeted device. Once that information was fed into AI-powered security fabrics, the system could automatically launch a variety of protective measures, such as blocking email attachments or IP addresses commonly associated with malware.
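As an added illustration of how an adversary playbook drives automated response (this is constructed example code, not Fortinet's playbook or product code), the small engine below encodes a hypothetical TTP chain, tracks each host's progress through it, and fires containment actions as soon as enough of the chain has been observed to predict the next step. The stage names, hosts and action names are constructed for the example.

```python
# Constructed adversary playbook (an illustration, not Fortinet's Emotet playbook):
# an ordered TTP chain plus the point at which enough of it has been seen to
# predict, and pre-empt, the next stage (here, the outbound C2 connection).
PLAYBOOK = {
    "stages": ["attachment_opened", "office_spawns_child", "outbound_c2"],
    "respond_after": 2,                 # act once two stages are seen in order
    "actions": ["quarantine_host", "block_destination"],
}

class PlaybookEngine:
    """Tracks each host's progress through the playbook's TTP chain."""

    def __init__(self, playbook):
        self.playbook = playbook
        self.progress = {}              # host -> index of next expected stage
        self.contained = set()          # hosts already acted on

    def ingest(self, event):
        """Consume one normalized event; return the response actions it triggers."""
        host, stages = event["host"], self.playbook["stages"]
        nxt = self.progress.get(host, 0)
        if host in self.contained or nxt >= len(stages):
            return []
        if event["ttp"] != stages[nxt]:
            # Unrelated or out-of-order activity does not advance the chain.
            return []
        self.progress[host] = nxt + 1
        if nxt + 1 >= self.playbook["respond_after"]:
            self.contained.add(host)
            return [(host, action) for action in self.playbook["actions"]]
        return []

def run(events, playbook=PLAYBOOK):
    """Replay an event stream through the engine and collect fired actions."""
    engine = PlaybookEngine(playbook)
    fired = []
    for event in events:
        fired.extend(engine.ingest(event))
    return fired

# Constructed event stream: host A walks the chain, host B only opens an attachment.
SAMPLE_EVENTS = [
    {"host": "A", "ttp": "attachment_opened"},
    {"host": "B", "ttp": "attachment_opened"},
    {"host": "A", "ttp": "user_login"},             # unrelated, ignored
    {"host": "A", "ttp": "office_spawns_child"},    # second stage: respond now
]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))   # [('A', 'quarantine_host'), ('A', 'block_destination')]
```

In a real SOAR deployment the returned action tuples would be dispatched through software connectors to the mail gateway, firewall or EDR agent, and the playbook would be loaded from threat intelligence rather than hard-coded.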
On the Hunt
The use of playbooks and security automation enables a fundamental shift in cybersecurity practices. For years, security has been a reactive process designed to minimize the damage from attacks after they’ve occurred. Increased automation enables organizations to actively hunt for threats, using threat intelligence to find and disrupt threats in advance of an attack.
A proactive approach to threat detection will only become more valuable as organizations continue to blur the network perimeter. Cybercriminals are increasingly targeting edge networks, remote workers, cloud applications, IoT devices and other resources that lack the robust security of core networks. Automated security solutions can regularly query these dispersed resources to identify potential threats as well as any configuration, patching or upgrade requirements.
Conventional security measures requiring human interaction to respond to attacks after the fact are no longer practical. The scale, frequency and sophistication of modern threats call for increased use of automation. Give us a call to learn more about building a smarter cybersecurity environment for your organization.