Everything you need to know about automated incident response
Picture this: It’s 2AM on Saturday and you’re startled awake by an alert on your phone. Indicators of a new variant of WannaCry ransomware have been detected in your network. But your home network provider is having an outage (again!) and you can’t remote in. You get dressed and race to office, maybe breezing through a few stop lights on the way, all while new alerts arrive on your phone indicating more systems have been compromised. As you arrive and start investigating the alarms and logs, the attack continues to spread rapidly . Desperate to stop it, you run to the server room and rip all the cables out of the routers and servers. In the stillness of your dead network, you sigh. You head to the break room to brew a pot of coffee and settle in for a long weekend.
Now imagine how vastly different that experience would be with automated incident response capabilities. As soon as the ransomware is detected and an alarm is raised, your system automatically responds by isolating the infected machines, and you hit the snooze button.
With the right automated incident response tools, IT security teams can stay in control of their incident response (IR) activities and respond to threats and intrusions swiftly and effectively, with less manual work—no wire-ripping required.
This is Part Two of a three-part blog series that examines how incident response automation and orchestration can make life easier for security teams. The blog series covers the following topics:
- Part 1: Incident Response Orchestration: What Is It and How Can It Help?
- Part 2: Automated Incident Response in Action: 7 Killer Use Cases
- Part 3: Incident Response Automation and Orchestration in USM Anywhere
In Part One, we looked at what incident response orchestration is and how the right automation tools can help security teams respond to intrusions more quickly. While automation can’t replace human security analysts, it can help analysts conserve time for higher priorities and make the incident response processes run as swiftly as possible.
In this installment, we’ll take a look at examples of incident response automation in action, comparing them to what it would take to handle them manually. As you read through these examples, consider what kinds of automated IR capabilities would have the greatest impact on your own organization’s incident response processes and timelines.
1. One of your users interacts with a malicious IP address. You need to update your firewall to block the IP.
Firewalls help protect you from bad actors by filtering network traffic. Still, they have limits. Most firewalls aren’t connected to your other security tools and their rules are infrequently updated, meaning they may not be current to address the latest threats. Addressing this situation might entail detecting the problem using other security software, prioritizing the event, and manually updating a firewall with a new rule to block the malicious IP. At some organizations, you might even need to open a ticket to have another team or team member take action, further slowing down the response process.
With automated incident response, you can automatically update your firewall to block malicious IPs as they are detected. For example, USM Anywhere detects traffic to and from an external IP address that, through its integrated threat intelligence, it knows is malicious. USM Anywhere can instruct your Palo Alto Networks next-generation firewalls to block or isolate the IP address, using an automatic or manual incident response action.
2. One of your systems has been infected with malware. You need to limit the damage and find out how many systems are vulnerable before it spreads.
Relying on manual processes to contain and investigate a malware intrusion means you’re faced with a long to-do list of tedious tasks: identifying all the infected systems, researching the threat, gathering event logs from different locations to investigate, and more. Just as importantly, if your security solution bombards you with noisy alarms, you might not realize you have something significant on your hands until the damage has progressed.
Automated incident response tools can shorten your to-do list. With orchestration and automation tools like the ones in USM Anywhere, you can automate actions like fetching additional forensics data, disabling networking on an infected system, running automated vulnerability scans to identify other at-risk systems, and isolating those as well until you have a chance to patch or otherwise address them. By automating the incident response activities that do not impact or disrupt business operations, you can work faster and more efficiently.
3. You’ve contained a breach, but what was the scope of the damage? Whether for compliance purposes or just to understand what happened, you need to investigate.
Understanding the scope of a breach provides critical information about what happened and how it affects your organization. If sensitive customer data has been exposed or corrupted, you need to know right away. However, getting the information you need often means engaging in repetitive, manual actions like going into each system to review its events and logs to try to piece together how the breach took place and what was compromised.
As a starting point, having a solution with log management capabilities would allow you to search for relevant alarms and events instead of combing through them manually. For example, USM Anywhere aggregates events and logs from across all your systems and networks, so you can get the information you need right away using powerful search and filtering capabilities. You can search for events or alarms based on criteria like event type, source name, username, and asset group, and you can examine detailed information on each event including the original log entries and network packet payloads. If there’s a specific system you want to get additional forensic data from, you can do that directly from within USM Anywhere using the Forensics and Response App in just a few clicks.
4. One of your systems interacts with a Command & Control server for a remote administration tool (RAT). You need to block any further communication with the malicious domain.
If your IDS tool detects traffic to or from a known malicious domain, such as a C2 server, you need to take a range of actions to contain the situation and investigate the scope of the potential intrusion. One of those actions is to block the known malicious domain to prevent further communication. To do so, just jot down the domain from your IDS on a Post-It note, then open Cisco Umbrella to copy the domain into your blocked list. Or…
With automation capabilities, you can move immediately from detection to response by blocking the domain automatically when your intrusion detection system detects the threat. For example, if USM Anywhere detects communication with a known malicious host, you can send the IP or domain information of that malicious host to Cisco Umbrella using an automated incident response action or a manual action, so it can block communications with that domain not just from the infected system, but from any employees or other systems that may try to communicate with that domain.
5. Breaking news: New ransomware has emerged that exploits a vulnerability in a common Operating System. You need to know if your systems are vulnerable and, if so, take action.
When your security plan relies on a lot of manual work, learning about new ransomware variants and how to protect your assets can inspire headaches – or even panic. Not only do you need to make sure your organization stays secure, you may also have to reassure other stakeholders who might not put cybersecurity at top of mind. If you don’t have visibility of the state of security across your infrastructure, these challenges can be significant.
In this case, automation can help you before an incident even occurs. A product that builds actionable threat intelligence updates into your security plan can ensure you’re up-to-date to detect new vulnerabilities and threats without needing to do your own research and setting up your own threat detection rules. With automated vulnerability scans scheduled to run at regular intervals, you can stay aware of at-risk systems across your infrastructure as new vulnerabilities emerge, allowing you to either patch them or limit their exposure to the rest of your network. (Note that built-in asset discovery and vulnerability assessment capabilities like the ones in USM Anywhere help ensure that you’re continually discovering and scanning all of your assets. )
By the time you hear about new malware in the news, you can feel confident that you know your organization’s level of risk exposure.
6. A breach occurs in one of your environments. You have a team of people handling the investigation, but you (and they) need to keep track of the incident response activities they’re taking on.
Even with automation tools, the incident response can involve a lot of different actions for a team of security analysts (or for one person wearing a lot of hats). With threat information in one set of products and ticketing in another—or with no workflow ticketing whatsoever—keeping track of the tasks on each person’s plate poses a challenge. Without a way to track IR activities, it’s easy to lose track of key priorities or focus on the wrong tasks. For example, two team members might find out belatedly that they’ve been working on the same issue, wasting time a resource-strapped team can’t afford to lose.
Luckily, some solutions include tools to help you keep track of your team’s IR efforts. To track activity within USM Anywhere, you can apply a label directly inside an alarm to identify whether a task is open or closed, or which analyst is working on it. You can also open a ticket in ServiceNow without leaving the USM Anywhere interface or use email alerts to generate a ticket within other systems, saving you time and reducing wasted effort.
7. You detect ransomware activity on a server storing critical customer data – and the alarm occurs in the middle of the night.
Each organization has its own unique infrastructure needs and priorities, making one-size-fits-all security automation impractical and potentially disruptive. You wouldn’t want to shut down business-critical systems every time a false-positive alarm popped up in one of your environments. For certain situations, however, an immediate response can prevent you from waking up in the middle of the night to do damage control, or finding out in the morning that customer information has been corrupted or exposed for the past eight hours or more.
With the right automated incident response tools, you can tailor automated responses to protect your most critical data. For example, if evidence of ransomware appears on a particular server, USM Anywhere enables you to set up a rule to automatically disable networking to contain the intrusion and protect your data, whether or not you’re awake to trigger the action. For a business-critical server that can’t be shut down, in contrast, you could send an automated notification via email or SMS to your cell phone. You retain control of when and how to apply these rules based on your organization’s specific security needs.
Security Orchestration: Finding the Right Solution for Your Organization’s Needs
Relying on manual IR processes means repeating many of the same set of tasks every time an incident occurs. Given the kind of damage an attacker can inflict within a matter of minutes or hours, security professionals don’t have that kind of time to waste.
As you’ve seen in the examples above, the right automated incident response capabilities can accelerate your incident response processes and reduce headaches across your organization. Most importantly, it can help you limit the potential damage an incident can cause to your organization and customers.
USM Anywhere makes the entire incident response process faster and more efficient by consolidating your IR activities within the same solution as your other security monitoring and compliance management needs. Out-of-the-box, USM Anywhere delivers essential capabilities like asset discovery, vulnerability scanning, intrusion detection, behavioral monitoring, SIEM, and log management. From the same pane of glass, you can manage IR activities within the other technologies you use, including Cisco Umbrella, Palo Alto Networks next-generation firewalls, ServiceNow, Carbon Black, and more.
Get immediate access to USM Anywhere’s latest security automation and orchestration capabilities by exploring our online demo now – no setup required.
In Part Three, we’ll examine how USM Anywhere supports faster, more efficient incident response through security automation and orchestration.