Can the race between security solutions and cybercriminals ever be won? Probably not, and certainly not by relying solely on software tools. Modern security systems are helpful, of course: they enable optimized and automated detection and response processes.
In this way, they recognize cyber attacks at lightning speed and greatly limit the damage.
But automation is not the solution to every security problem, because such problems often affect highly sensitive areas of the company. Without human know-how, the consequences of some decisions simply cannot (yet) be assessed. A combination of automated processes and expert decisions is the royal road to cybersecurity.
This comment by Wolfgang Kurz, Managing Director of indevis, describes why this is the case and what it looks like in practice.
Cybersecurity is one of the absolute top issues for IT managers every year. And rightly so! Security incidents cost more than just money: They can damage reputation and ruin a company.
The large corporations have therefore long been operating their own Security Operations Centers (SOCs). Here, employees focus on how they can protect their data and processes from external manipulation. Medium-sized companies would like to keep up here. But even if they raise the financial means to do so, the empty skilled labor market and the very resource-intensive construction of an SOC usually thwarts their plans.
Too good to be true
Systems and methods for security orchestration, automation and response, or SOAR for short, are state of the art on the cybersecurity market. They offer tools for analyzing cyber threats and support in actively combating security incidents. In addition, as the letter R for “response” indicates, they enable automated countermeasures.
That sounds too good to be true. It suggests that in the event of a security incident, automatically and dynamically applied rules take effect and stop the attack faster than a human specialist could ever react. Lightning-fast automated countermeasures supposedly keep the attacker in check, and the shortage of IT security experts is supposedly of little consequence. But if something sounds too good to be true, it usually isn’t true, at least not unreservedly. In practice, it is usually not advisable to rely solely on automatic reactions.
Here’s an example: A SOAR solution is indeed able to derive an adjustment to the firewall rules from the results of threat detection (“detection”) and to implement it automatically. But that amounts to open-heart surgery: massive interference in network operations would occur during ongoing business. It can easily happen that important services are suddenly no longer available or that an entire production site is shut down without warning. The damage caused in this way may be greater than that caused by the cyber attack.
Smaller companies are at a disadvantage
The idea of automated countermeasures in a detection and response solution is certainly not wrong. But the conditions under which they are triggered and the measures used must be carefully considered. The hope of completely replacing human expertise with automated processes will sooner or later be disappointed. Experienced experts are still needed who can assess dangerous situations with all their consequences, propose suitable (re)actions and involve company management. In most cases, top management then decides whether a system should be taken offline.
Anyone who operates a SOC will sooner or later deal with a SOAR solution and integrate it into SOC operations. Ultimately, attempts will also be made to implement automatic countermeasures. In the vast majority of cases, function will take precedence over security. With current technology, the SOC team can be relieved but not replaced.
Combining the best of both worlds
However, medium-sized companies can also benefit from such a solution. More and more companies are using the services of a Managed Security Services Provider (MSSP), which provides a virtual SOC and offers Managed Detection and Response, MDR for short. The MSSP takes over the operation of the SOAR environment and links it to the customer-specific log sources. It also provides the necessary IT security experts and develops the playbooks that serve as the basis for automated countermeasures.
Because an MSSP serves many customers, it usually has a good overview of the current threat landscape and, in an emergency, can quickly decide whether and in what form it makes sense to intervene. It knows how to use the optimized automation processes, but does not rely on them alone; when the time comes, it consults specialists such as IT forensic experts. Above all, however, it coordinates all measures with the customer. In the interplay of automation and human know-how, it provides the best of both worlds.