Why automation has become essential for SIEM

Jakub Szkandera
Chief Technology Officer
Jakub Szkandera
Chief Technology Officer

Data has value, and businesses have realised that making decisions based on data gives them a distinct competitive advantage. We shouldn’t be surprised anymore at the rate of growth in data capture and storage, but Statista are predicting the total amount of data created, captured, copied, and consumed in the world would increase rapidly to reach 149 zettabytes in 2024 .

We continue to capture and store more data. We are deploying more applications and new tools to get more telemetry out of more endpoints. We are doing what it takes to get more coverage, more security, more visibility, and more controls.

You have to protect your valuable business data.

The first step is increasing your visibility into information technology security which generates more data. This data is used to make decisions on controls to deploy, which, when deployed generate even more data.

Soon this will be taken to the next level through increasing pressure to ensure continuous compliance, where the effectiveness of controls is constantly measured – seemingly endless cycles of data!

SIEM has come to the fore as a solution for where to put this endless ocean of data and telemetry. But the continued influx of data requires more effort to maintain and manage resulting in SIEM showing signs of drowning under the weight of all this data.

SIEM needs a partner.

Enter SOAR.

Riding the data wave

Data lakes collect telemetry not only from a single source, but aggregate data from multiple sources. Analysis of this data are not only allowing us to see what is happening at an enterprise level, but across enterprises, nations or even globally. This enables us to link potential incidents on a micro level to understand the presence of an attack across multiple entities.

The triage capabilities of SIEM makes sifting through all that event data more manageable by using machine learning and AI to remove unimportant alerts, giving us a set of usable data. However, more data, more applications and larger attack surfaces invariably means more security incidents.

This leads to an interesting tipping point where SIEM is no longer able to effectively reduce the number of alerts to a reasonable level without compromising security, putting an unreasonable load on IT teams.

This reliance on human intervention is:

  • Resource intensive
  • Inefficient
  • Slow for emergency response
  • Open to interpretation and error
  • Unscalable.

When teams don’t have enough time and resources to meaningfully analyse, use and react to the data that SIEM provides, they stop responding to every incident. That, of course, defeats the purpose of using SIEM and is not an outcome any business should be living with.

That’s why SOAR (Security, Orchestration, Automation, Response) with SIEM is becoming essential to keep atop our data security in this growing wave of data. However, there is resistance.

Automation of data security scares us

Organisations do not want to lose the human involvement in their data security as they feel the automated alternative can’t be as effective. However, we automate more and more operations in businesses today across other disciplines including marketing, sales, and telephony platforms. So why not data security?

In our experience, organisations have been reluctant to take on SOAR because they feel there are still too many risks involved. They like the comfort of maintaining a human presence because they feel it provides a degree of safety, but this isn’t new. There has always been reluctance and a level of uncertainty with the first introduction of any automation over the years. The first automated elevator was in action in 1900, but funnily enough people were not comfortable using them until the 1950s!

Driverless cars are on the verge of being used on roads around the world, and China commenced using driverless highspeed trains in January 2020 in preparation for Beijing’s Winter Olympics in 2022. Automation is becoming more and more effective and entering so many areas of the enterprise, it makes sense to start reviewing how it can be used in response to data security incidents.

Step towards automation

Patterning your SIEM with SOAR does not mean automating your entire security incident and emergency management operation all at once. You need to understand the scope and the nature of what you are automating first.

There are subsets of incidents that you can automate and feel comfortable doing right now. These are where the remediation is consistent, or the incident is of low impact. For example, if there is a DDoS attack emanating from a single port, you can identify and automate the shutdown of that single user account.

It’s relatively simple to start with a process of automating low impact incidents. Once this has been tried and is successful, then start to look at how you can move forward and progress to higher impact active responses. Try, test, refine and repeat.

Effective data security uses both human and automated response

In the end, security responses can and should involve both machines and humans. It does not have to be one or the other. Implementing SOAR to work with your SIEM platform allows you to effectively harness your SIEM data so you can focus your resources on the subtler, more insidious threats that automation still isn’t ready to handle.

[1]Statista. 2020. Volume of data/informationworldwide from 2010 to 2024 [online] Available at: https://www.statista.com/statistics/871513/worldwide-data-created/#:~:text=The%20total%20amount%20of%20data,reaching%2059%20zettabytes%20in%202020 [Accessed 13 November 2020]

Why automation has become essential for SIEM

Jakub Szkandera
Chief Technology Officer
Jakub Szkandera
Chief Technology Officer

Data has value, and businesses have realised that making decisions based on data gives them a distinct competitive advantage. We shouldn’t be surprised anymore at the rate of growth in data capture and storage, but Statista are predicting the total amount of data created, captured, copied, and consumed in the world would increase rapidly to reach 149 zettabytes in 2024 .

We continue to capture and store more data. We are deploying more applications and new tools to get more telemetry out of more endpoints. We are doing what it takes to get more coverage, more security, more visibility, and more controls.

You have to protect your valuable business data.

The first step is increasing your visibility into information technology security which generates more data. This data is used to make decisions on controls to deploy, which, when deployed generate even more data.

Soon this will be taken to the next level through increasing pressure to ensure continuous compliance, where the effectiveness of controls is constantly measured – seemingly endless cycles of data!

SIEM has come to the fore as a solution for where to put this endless ocean of data and telemetry. But the continued influx of data requires more effort to maintain and manage resulting in SIEM showing signs of drowning under the weight of all this data.

SIEM needs a partner.

Enter SOAR.

Riding the data wave

Data lakes collect telemetry not only from a single source, but aggregate data from multiple sources. Analysis of this data are not only allowing us to see what is happening at an enterprise level, but across enterprises, nations or even globally. This enables us to link potential incidents on a micro level to understand the presence of an attack across multiple entities.

The triage capabilities of SIEM makes sifting through all that event data more manageable by using machine learning and AI to remove unimportant alerts, giving us a set of usable data. However, more data, more applications and larger attack surfaces invariably means more security incidents.

This leads to an interesting tipping point where SIEM is no longer able to effectively reduce the number of alerts to a reasonable level without compromising security, putting an unreasonable load on IT teams.

This reliance on human intervention is:

  • Resource intensive
  • Inefficient
  • Slow for emergency response
  • Open to interpretation and error
  • Unscalable.

When teams don’t have enough time and resources to meaningfully analyse, use and react to the data that SIEM provides, they stop responding to every incident. That, of course, defeats the purpose of using SIEM and is not an outcome any business should be living with.

That’s why SOAR (Security, Orchestration, Automation, Response) with SIEM is becoming essential to keep atop our data security in this growing wave of data. However, there is resistance.

Automation of data security scares us

Organisations do not want to lose the human involvement in their data security as they feel the automated alternative can’t be as effective. However, we automate more and more operations in businesses today across other disciplines including marketing, sales, and telephony platforms. So why not data security?

In our experience, organisations have been reluctant to take on SOAR because they feel there are still too many risks involved. They like the comfort of maintaining a human presence because they feel it provides a degree of safety, but this isn’t new. There has always been reluctance and a level of uncertainty with the first introduction of any automation over the years. The first automated elevator was in action in 1900, but funnily enough people were not comfortable using them until the 1950s!

Driverless cars are on the verge of being used on roads around the world, and China commenced using driverless highspeed trains in January 2020 in preparation for Beijing’s Winter Olympics in 2022. Automation is becoming more and more effective and entering so many areas of the enterprise, it makes sense to start reviewing how it can be used in response to data security incidents.

Step towards automation

Patterning your SIEM with SOAR does not mean automating your entire security incident and emergency management operation all at once. You need to understand the scope and the nature of what you are automating first.

There are subsets of incidents that you can automate and feel comfortable doing right now. These are where the remediation is consistent, or the incident is of low impact. For example, if there is a DDoS attack emanating from a single port, you can identify and automate the shutdown of that single user account.

It’s relatively simple to start with a process of automating low impact incidents. Once this has been tried and is successful, then start to look at how you can move forward and progress to higher impact active responses. Try, test, refine and repeat.

Effective data security uses both human and automated response

In the end, security responses can and should involve both machines and humans. It does not have to be one or the other. Implementing SOAR to work with your SIEM platform allows you to effectively harness your SIEM data so you can focus your resources on the subtler, more insidious threats that automation still isn’t ready to handle.

[1]Statista. 2020. Volume of data/informationworldwide from 2010 to 2024 [online] Available at: https://www.statista.com/statistics/871513/worldwide-data-created/#:~:text=The%20total%20amount%20of%20data,reaching%2059%20zettabytes%20in%202020 [Accessed 13 November 2020]

Get this document
Interested to learn more? You can download this document as a PDF file here.
Thank you!
You can download the document as a PDF file here.
Download
Oops! Something went wrong while submitting the form.