Last month, at the Gartner IT Security and Risk Management Summit in a session about automation and threat defenses, a Gartner analyst talked about the rapid growth in the adoption of endpoint security automation and playbooks. There are several reasons driving the adoption of these capabilities.
The Impact of Complex, Fast-Moving and Stealthy Threats on Managed Incident Response
Today’s threat landscape includes a range of advanced, unknown and persistent threats such as fileless or memory-based attacks and polymorphic malware. These attacks move fast, often in seconds rather than minutes or hours, yet attackers can dwell in networks for weeks and months before detection. Managed security providers (MSPs) have to analyze more threats, and those threats are increasingly complex and capable of evading detection by traditional endpoint security tools. But human-driven analysis consumes precious time during which attackers retain access to your systems and data. Analysis is a manual process of painstakingly reviewing atypical compromise indicators and determining the appropriate response. For example, how many indicators of compromise do you have? How many do you need to warrant investigation? Threats are simply moving too quickly to tolerate the delays inherent in manual response.
Compounding this problem is the fact that incident response (IR) teams are often overloaded and unable to process all incidents fully. Every incident initiates a chain of events that spirals across a breadth of operations: classification, notification, investigation, remediation and more. Several types of malware detected in 2018 reveal methods used by attackers to evade detection and strike faster than IR teams can respond. Research by enSilo demonstrated how fileless malware attacks, which use advanced techniques to execute in memory, can bypass traditional user-mode endpoint protection platforms, successfully execute ransomware and encrypt a workstation in less than thirty seconds. These increasingly complex attacks lead to more incidents, which generate more costs by escalating the burden of human-intensive response operations.
Automation Strengthens Security and Enhances Service Delivery
Attackers are increasingly employing automation to target multiple endpoints in a single attack; it’s time to fight fire with fire. Automation technologies enable MSPs to deliver greater value by detecting and responding to threats in real time, and ultimately preventing data breaches. Orchestrating automated response actions across multiple types of endpoints and operating systems dramatically improves efficiency, enabling a single operator to manage IR across several thousand devices or more. For example, establishing incident response playbooks composed of automated actions, which include isolating endpoints, automatically opening tickets, and remediating endpoints by terminating processes and removing persistent data and settings, allows an MSP to contain and remediate a threat while still being able to focus on more complex systems.
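The playbook described above, as an added example that is not enSilo's code: indicator counts drive the classification, and the actions run in a fixed order (isolate first, then ticket, then clean up) with a fail-stop so a half-remediated endpoint is never reported clean. The Endpoint class, the two thresholds and the sample indicators are constructed stand-ins for a real EDR and ticketing API.

```python
# Added illustration of an automated IR playbook runner; not enSilo's code.
# Endpoint is a constructed in-memory stand-in for a real EDR/ticketing API.
from dataclasses import dataclass, field

INVESTIGATE_AT = 2  # IOC count that warrants an analyst ticket (assumed threshold)
CONTAIN_AT = 4      # IOC count that triggers full automated containment (assumed threshold)

@dataclass
class Endpoint:
    name: str
    processes: set = field(default_factory=set)
    persistence: set = field(default_factory=set)  # run keys, scheduled tasks, services
    protected: set = field(default_factory=set)    # processes the agent cannot terminate
    isolated: bool = False
    tickets: list = field(default_factory=list)

def classify(iocs):
    """Map the number of (type, value) indicators to a classification."""
    if len(iocs) >= CONTAIN_AT:
        return "malicious"
    return "suspicious" if len(iocs) >= INVESTIGATE_AT else "benign"

def isolate(ep, iocs):
    ep.isolated = True  # cut network access first so the attacker cannot react

def open_ticket(ep, iocs):
    ep.tickets.append(f"{ep.name}: {classify(iocs)}, {len(iocs)} indicators")

def terminate_processes(ep, iocs):
    for proc in {v for t, v in iocs if t == "process"} & ep.processes:
        if proc in ep.protected:
            raise RuntimeError(f"cannot terminate {proc}")
        ep.processes.discard(proc)

def remove_persistence(ep, iocs):
    ep.persistence -= {v for t, v in iocs if t == "persistence"}

# Ordered actions per classification; a failure stops the run, leaving the
# endpoint isolated and ticketed for an analyst rather than silently "clean".
PLAYBOOKS = {
    "suspicious": [open_ticket],
    "malicious": [isolate, open_ticket, terminate_processes, remove_persistence],
}

def run_playbook(ep, iocs):
    """Return the names of completed actions, ending with a FAILED marker if one stopped the run."""
    done = []
    for action in PLAYBOOKS.get(classify(iocs), []):
        try:
            action(ep, iocs)
        except RuntimeError as err:
            return done + [f"FAILED:{action.__name__}:{err}"]
        done.append(action.__name__)
    return done
```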
Automation can virtually eliminate the painstaking discovery and clean-up steps involved in remediation, which can be among the most time-consuming and costly aspects of incident response. Finally, automation can enhance service delivery by enabling skilled analysts to focus on more critical threats.
Andy Singer is VP of product marketing at enSilo, an MSSP-friendly and channel-centric provider of real-time automated endpoint security and orchestrated incident response.