Automating threat detection and response is a top priority for most enterprises – but the rapid shift to remote work models has forced many organizations to accelerate their adoption of automation. Faced with new challenges of reestablishing baselines and a growing number of endpoints, how can security teams leverage automation to maintain visibility and secure their remote workforce?
In the fourth webinar in our series on securing remote workforces, ReliaQuest VP of Product Management, Jason Pfeiffer, moderates a panel of security experts who provide practical guidance on leveraging automation for faster response. The panel, consisting of Joe Partlow, ReliaQuest CTO, and Chris McFarland, VP, CISO at Abercrombie & Fitch Co., offers the following advice:
1. Update your automation playbooks to reflect your new baselines.
As organizations switch to remote operations, baselines around insider threat and user behavior analytics must be reevaluated to reflect your new normal environment conditions. Look at use cases around geo-tracking and login times, as users are now working from different locations and at times of day they likely didn’t work before.
As your security team establishes what the new normal looks like at your organization, update your automation playbooks to reflect corresponding anomalies to decrease false alarms and allow faster response.
2. Take a risk-based approach, prioritizing automation that enables business continuity and consistency.
As the economy has also shifted to a largely online dependency over the past weeks, enterprises across varying industries must reevaluate their security priorities to align with new strategies to generate revenue. Those in retail, for instance, have been forced to quickly switch over to an almost exclusively digital business model. Security professionals must make critical decisions to balance security and confidentiality while keeping their digital business available at all times.
To decide where to focus your automation efforts, start by working with executive peers and stakeholders to detail how your business priorities have changed, as well as changes to where your sensitive data lives. From there, you can determine the greatest risks to the evolved business. For many security professionals, this results in shifting focus to redoubling endpoint protection. Automation can then be used to push out patches and updates on your endpoints, saving time and energy from doing these processes manually and improving consistency.
3. Think of creative ways to leverage automation, including among your operational teams to streamline processes.
As IT and security operations teams get pulled into multiple directions, enterprises should look for ways to automate mundane tasks to free up time for these teams to focus on higher business priorities. This means looking at automation creatively, beyond just running scripts.
For example, you can leverage automation when determining what insider events are malicious or merely a result of users adjusting to a new remote lifestyle. One creative way to do this is to send automated surveys to users, in which you can request specific feedback on ways they’ve adjusted to working from home. By automating these feedback loops, you can identify where your greatest user risks are, and address these by tuning alerts or providing user awareness training.
During this time, it is essential for businesses to take advantage of any opportunities for improving efficiencies. By establishing new baselines and leveraging automation in creative ways, enterprises can work towards faster and more consistent response, all while enabling business continuity and decreasing risk.
ReliaQuest believes security is a team sport, so we are sharing use cases, automation plays, and threat intel research powering our GreyMatter platform to help protect your organization. Sign-up for our Rapid Response Resources Series to receive specific use case queries to optimize in your SIEM, attack overviews, and recommended automation plays.