Read 11 401 - jserpa-p/lisbon-ops-301n1_Reading GitHub Wiki

Cybersecurity Automation

In cybersecurity, specifically in the automation area, we can observe management products that can be configured to automatically detect and scan devices on an enterprise network. When discussing new automation practices, industry experts are generally referring to tools such as security orchestration, automation and response (SOAR) products, robotic process automation (RPA), and custom-developed software and code that automate processes and perform analysis.

Why Cybersecurity Automation?

  • Engineering and Architecture: automation allows the cybersecurity team to focus on designing and implementing cybersecurity strategies.
  • Remediation Activities: the deficiencies identified by your automation efforts give your technical and mission teams more repeatable and actionable insight into the enterprise environment, leading to fewer vulnerabilities.
  • Automation Development and Engineering: automation becomes an important part of the cybersecurity program, requiring its own resources for ongoing and iterative automation design and implementation.

What comes next?

  • Cybersecurity teams have to become smarter when it comes to code and development practices.
  • Embed development capabilities in your cybersecurity team. In this way, developers report directly to cyber leadership.
  • Partner cybersecurity with organizational development teams. This allows cybersecurity to leverage the capabilities of organizational development experts.
  • Adopt a hybrid approach. Use an internal team for tactical development work and organizational development capabilities for complex integration tasks.

Automated Incident Response

Automated incident response is a method of using technology and pre-defined procedures to quickly detect and respond to cybersecurity incidents. It involves using software and hardware tools to monitor network traffic and detect security incidents in real time. Once an incident is detected, an automated response plan is triggered, which may include isolating affected systems, blocking network traffic, collecting forensic data, and alerting security personnel. The benefits of automated incident response include faster incident response times, reduced incident resolution times, and improved incident management processes. However, human expertise is still needed to review and verify automated actions and to adjust response plans as necessary.

Questions

  • How would a security team benefit from implementing a SOAR solution?

By implementing a Security Orchestration, Automation, and Response (SOAR) solution, a security team can benefit in several ways. It can help automate tasks that are routine and time-consuming, thereby increasing efficiency and productivity. Faster response times can be achieved as the solution can rapidly identify, triage, and contain security incidents. The team can make better decisions as the solution can provide a comprehensive view of security incidents and related data. Standardization of incident response procedures can be implemented to improve consistency and effectiveness. Additionally, SOAR solutions can help security teams scale their incident response capabilities to meet the challenges of increasing security incidents. Overall, a SOAR solution can help security teams respond more effectively to a larger number of incidents, reduce the time and resources required to respond to incidents, and better protect the organization from cyber threats.

  • Explain how a SOAR solution fits into the Incident Response process.

A Security Orchestration, Automation, and Response (SOAR) solution is an important tool for managing security incidents. It helps organizations to quickly detect and respond to potential security threats using a combination of automation and human analysis. When a security incident is detected, the SOAR solution will prioritize and analyze the incident to determine the appropriate response plan. It can then automate many of the steps required to contain, remediate, and recover from the incident. The SOAR solution generates detailed reports of the incident response process, which can be used for auditing and analysis purposes. By automating data collection, correlation, and analysis, SOAR solutions can help organizations to identify patterns and trends in security incidents, leading to improved incident response processes. Overall, a SOAR solution helps organizations to respond more quickly and effectively to security incidents, while also providing valuable data for future analysis and improvement.
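To make the response flow described in the Automated Incident Response section and in the two SOAR answers above concrete, here is a small playbook runner written for this page; it is an added illustration, not code from the wiki or from any SOAR product. It parses constructed sample alerts, triages them (rule severity raised for critical assets and high volume), automates the low-impact, reversible steps (forensic collection, blocking the external source), and gates the disruptive step (host isolation) behind either a clear high-severity threshold or an explicit human approval callback, then builds an audit report. The alert format, the `CRITICAL_HOSTS` inventory, the `RULE_SEVERITY` values and the action names are all assumptions made for the example.

```python
"""Minimal SOAR-style playbook runner (added illustration, not a real product)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Constructed sample alerts, one JSON object per line, as a detection tool might emit them.
SAMPLE_ALERTS = """
{"ts": "2024-03-01T10:00:00Z", "rule": "brute_force_ssh", "src_ip": "203.0.113.45", "host": "web-01", "count": 250}
{"ts": "2024-03-01T10:02:10Z", "rule": "malware_beacon", "src_ip": "198.51.100.9", "host": "finance-db-01", "count": 3}
{"ts": "2024-03-01T10:05:00Z", "rule": "port_scan", "src_ip": "192.0.2.77", "host": "web-02", "count": 40}
""".strip()

# Assumed asset inventory: hosts the playbook treats as business critical.
CRITICAL_HOSTS = {"finance-db-01"}

# Assumed base severity per detection rule.
RULE_SEVERITY = {"brute_force_ssh": 3, "malware_beacon": 5, "port_scan": 1}


@dataclass
class Alert:
    ts: str
    rule: str
    src_ip: str
    host: str
    count: int


@dataclass
class Incident:
    alert: Alert
    severity: int
    automated_actions: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)
    notified: bool = False


def parse_alerts(text):
    """Parse newline-delimited JSON alerts into Alert objects, skipping malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            alerts.append(Alert(rec["ts"], rec["rule"], rec["src_ip"], rec["host"], int(rec["count"])))
        except (ValueError, KeyError):
            continue  # malformed input must not crash the pipeline
    return alerts


def triage(alert):
    """Score an alert 0-10: rule severity, raised for critical assets and high event volume."""
    score = RULE_SEVERITY.get(alert.rule, 2)
    if alert.host in CRITICAL_HOSTS:
        score += 3
    if alert.count >= 100:
        score += 1
    return min(score, 10)


def run_playbook(alerts, approve):
    """Apply the response plan. `approve(incident, action)` is the human gate for
    high-impact actions and returns True only when an analyst has signed off."""
    incidents = []
    for alert in alerts:
        inc = Incident(alert, triage(alert))
        # Step 1: always collect forensic data and block the external source (low impact, reversible).
        inc.automated_actions.append(f"collect_forensics:{alert.host}")
        inc.automated_actions.append(f"firewall_block:{alert.src_ip}")
        # Step 2: isolating a host disrupts business, so automate it only for clear
        # high-severity cases; for medium severity, ask a human before acting.
        action = f"isolate_host:{alert.host}"
        if inc.severity >= 8:
            inc.automated_actions.append(action)
        elif inc.severity >= 4:
            if approve(inc, action):
                inc.automated_actions.append(action)
            else:
                inc.pending_approval.append(action)
        # Step 3: notify security personnel for anything above the noise floor.
        inc.notified = inc.severity >= 2
        incidents.append(inc)
    return incidents


def build_report(incidents):
    """Summarise the run for audit: what was automated and what still awaits a human."""
    return {
        "generated": datetime.now(timezone.utc).isoformat(),
        "incidents": len(incidents),
        "by_host": {i.alert.host: {"severity": i.severity,
                                   "automated": i.automated_actions,
                                   "pending": i.pending_approval,
                                   "notified": i.notified} for i in incidents},
    }


if __name__ == "__main__":
    # No analyst present: every medium-severity isolation stays queued for review.
    report = build_report(run_playbook(parse_alerts(SAMPLE_ALERTS), approve=lambda inc, action: False))
    print(json.dumps(report, indent=2))
```

With the sample data, the beacon on the critical database host scores 8 and is isolated automatically, the SSH brute force on `web-01` scores 4 and is queued for analyst approval, and the port scan scores 1 and only gets the reversible actions without paging anyone. The `approve` callback is where the "human expertise is still needed" point lands: swapping in a callback that returns `True` models an analyst approving the queued action, and the report records which path each incident took.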