Incident Response Automation Challenges (and How USM Anywhere Can Help)

July 10, 2017  |  Julia Kisielius

According to the SANS 2017 Incident Response Capabilities Survey, 47% of organizations reported taking more than 24 hours to move from detecting an incident to containing it. Given that every minute between compromise and containment represents potential data exposure and damage, these results reveal a serious need to shorten incident response times.

At the same time, security teams face significant obstacles to swift incident response. The threat landscape changes constantly, bombarding analysts with new threats to contend with every day. Detecting and responding to these threats often requires a wide variety of different security products, adding the workload of buying, maintaining, and managing a set of tools that aren’t typically designed to interact or work together. With disconnected tools, incident response activities can include a lot of time-consuming, manual tasks that take away from more strategic response efforts and slow down the incident response process.

To cut down the time between detection and response, organizations should consider how orchestration and automation can help. With a solution like USM Anywhere, security teams can eliminate their biggest incident response challenges and dramatically reduce their time to response.

This is Part Three of a three-part blog series that examines how incident response automation and orchestration can make life easier for security teams. In Part One, we covered what security orchestration is and how it can help you speed up your incident response (IR) processes. In Part Two, we looked at examples of incident response automation in action to give you a taste of what’s possible for your organization.

In this installment, we’ll examine how USM Anywhere addresses the most pressing IR automation challenges facing security teams.

Unlike solutions built to solve one security problem at a time, USM Anywhere provides a unified platform for security monitoring and compliance on-premises and in the cloud. The platform integrates asset discovery, vulnerability assessment, intrusion detection (IDS), behavioral monitoring, SIEM, and log management—all within a single pane of glass.

With advanced security orchestration capabilities built directly into this unified platform, USM Anywhere is uniquely equipped to help resource-constrained teams save time and money by easing and automating these common IR challenges.

Problem: With Siloed Security Products, Emerging Threats May Go Unnoticed

Solution: Accelerate Time to Detection with Unified Security Essentials

Rapid detection is key to effective incident response. The longer it takes to detect an intrusion, the more time a malicious actor has to steal data and cause damage. However, when your security plan involves managing information from a variety of point solutions that weren’t built to work together, it’s challenging to form a complete picture of what’s happening in your environments. Threats can easily slip through the cracks.

AlienVault’s unified approach to security monitoring helps you detect threats swiftly by giving you complete visibility of your security posture from a single pane of glass. With the essential security and compliance monitoring capabilities you need integrated into a single solution, it’s easy to identify the critical assets within your environments, determine whether they have vulnerabilities and whether those vulnerabilities are being exploited, and spot other intrusions affecting your on-premises and cloud infrastructure.

By layering incident response automation capabilities on top of this foundation, security teams can ensure that they have all the contextual threat information they need at their fingertips to investigate incidents in their environments.

Continuous threat intelligence updates from the AlienVault Labs Security Research Team ensure your USM deployment is prepared to detect the latest attacks, prioritize alarms, and provide remediation guidance. After you have orchestrated your response to an alarm to mitigate the threat, you’ll also want to investigate whether anything else in your environments has been affected or is at risk. With an asset inventory already in place, along with powerful vulnerability assessment to identify systems at risk of attack, you can be assured that you have the tools and information on hand ready to defend your organization against a continuously evolving threat landscape.

Problem: Manual IR Tasks Slow Down Response Times, Putting Your Organization at Risk

Solution: Integrate Automation into Your IR Plan for Faster, More Effective Response

USM Anywhere helps you shorten your incident response time through a suite of incident response automation and orchestration capabilities that include prioritized alarms, email or Amazon SNS notifications, automated response actions (in-product and within other applications), and remediation guidance. Because these capabilities are integrated into a unified solution, you can respond swiftly and effectively to new threats.

For example, imagine newly released malware has affected one of your assets. USM Anywhere detects the malware, provides a prioritized alert, and enables you to take automated incident response actions to speed up investigation and remediation. If you think a server has been compromised, you can quickly gather more information by orchestrating the collection of additional data from that server to see what connections have been set up, who has logged on recently, or what processes and services are running.

For more hands-on examples of USM Anywhere’s response capabilities, see Part Two of this blog series.

Problem: Working Across Disparate Security Products Slows Down Incident Response

Solution: Orchestrate IR Activities from a Single Console while Avoiding the Complexity of Integrating Multiple Security Products

For resource-strapped IT security teams, having to manage a slew of security point solutions that weren’t designed to seamlessly work together can be expensive, cumbersome, and ultimately slow down your incident response time.

USM Anywhere responds to this challenge with AlienApps—modular components that extend the threat detection and security orchestration capabilities of the USM Anywhere platform to other security tools that your IT team uses, including security tools from leading third-party vendors like Cisco, Palo Alto Networks, Carbon Black, and more.

AlienApps are available out-of-the-box within USM Anywhere to help you consolidate more of your IT and security activities within one console. Instead of using expensive integrations or consultants to stitch together different products, AlienApps can help you start orchestrating IR activities from a central location starting on Day One. They also reduce the need for siloed point solutions to monitor applications like Office 365 and G Suite.

AlienApps build on the incident response automation and orchestration capabilities within USM Anywhere with features like bidirectional defense. For example, the AlienApp for Cisco Umbrella analyzes log data from Cisco Umbrella to detect threats based on the internet activity at your organization. When USM Anywhere detects a malicious domain—say, a ‘Command & Control’ server communicating with malware on one of your systems—it sends the malicious IP addresses to Cisco Umbrella so that access to that malicious IP or domain is blocked for both employees and corporate assets. (Learn more about how our ever-growing suite of AlienApps can serve your organization’s goals.)
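The detection-to-enforcement loop described here, together with the prioritized alarms, host data collection and automated response actions described under the previous problem, can be sketched as a small playbook. The Python below is an added example and is not USM Anywhere or AlienApp code: the `Alarm` shape, the `HostCollector` agent, the `Blocklist` enforcement point and the severity scale are hypothetical stand-ins (the real Cisco Umbrella integration is not modelled), and every alarm and host snapshot in it is constructed.

```python
"""Added example: a minimal IR orchestration playbook.

Flow: take prioritized alarms, auto-respond only above a severity bar,
validate the indicator, pull triage context from the affected host, push
the indicator to an enforcement point, and keep an audit trail of every
decision. All classes and data are hypothetical stand-ins, not vendor APIs.
"""
from dataclasses import dataclass
import ipaddress

# Constructed severity scale used to order work: highest first.
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Alarm:
    """A prioritized alarm as the playbook receives it (constructed shape)."""
    alarm_id: str
    severity: str
    asset: str
    indicator: str  # destination the asset talked to (domain or IP)
    kind: str       # "domain" or "ip"


class HostCollector:
    """Hypothetical stand-in for an agent that gathers live triage data
    (connections, recent logons, running processes) from an asset."""

    def __init__(self, snapshots):
        self._snapshots = snapshots  # asset name -> pre-captured facts

    def collect(self, asset):
        return self._snapshots.get(
            asset, {"connections": [], "logons": [], "processes": []})


class Blocklist:
    """Hypothetical stand-in for a DNS/IP enforcement point."""

    def __init__(self):
        self.entries = {}  # indicator -> reason it was blocked

    def block(self, indicator, reason):
        """Return True if newly blocked, False if it was already present."""
        if indicator in self.entries:
            return False
        self.entries[indicator] = reason
        return True


def normalize_indicator(alarm):
    """Validate and canonicalize the indicator before any automated block.
    Refuses internal addresses so a bad alarm cannot block your own hosts."""
    if alarm.kind == "ip":
        ip = ipaddress.ip_address(alarm.indicator)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            raise ValueError(f"refusing to block internal address {ip}")
        return str(ip)
    if alarm.kind == "domain":
        domain = alarm.indicator.strip().lower().rstrip(".")
        if not domain or " " in domain or "/" in domain:
            raise ValueError(f"malformed domain {alarm.indicator!r}")
        return domain
    raise ValueError(f"unknown indicator kind {alarm.kind!r}")


def run_playbook(alarms, collector, blocklist, min_severity="high"):
    """Process alarms highest-severity first; return an audit trail of actions."""
    threshold = SEVERITY_ORDER[min_severity]
    actions = []
    for alarm in sorted(alarms, key=lambda a: SEVERITY_ORDER[a.severity],
                        reverse=True):
        if SEVERITY_ORDER[alarm.severity] < threshold:
            # Below the auto-response bar: notify an analyst, take no action.
            actions.append({"alarm": alarm.alarm_id, "action": "notify_only"})
            continue
        try:
            indicator = normalize_indicator(alarm)
        except ValueError as err:
            actions.append({"alarm": alarm.alarm_id, "action": "skipped",
                            "reason": str(err)})
            continue
        # Gather host context so the record shows what the block was based on.
        context = collector.collect(alarm.asset)
        matching = [c for c in context["connections"] if c["remote"] == indicator]
        newly_blocked = blocklist.block(indicator, f"alarm {alarm.alarm_id}")
        actions.append({
            "alarm": alarm.alarm_id,
            "action": "blocked" if newly_blocked else "already_blocked",
            "indicator": indicator,
            "matching_connections": len(matching),
            "recent_logons": context["logons"],
        })
    return actions


def run_demo():
    """Run the playbook over constructed alarms and host snapshots."""
    alarms = [
        Alarm("A1", "critical", "web-01", "evil.example", "domain"),
        Alarm("A2", "high", "web-01", "evil.example", "domain"),  # duplicate
        Alarm("A3", "medium", "db-02", "198.51.100.7", "ip"),     # below bar
        Alarm("A4", "high", "db-02", "10.0.0.5", "ip"),           # internal
    ]
    snapshots = {  # constructed triage data, as an agent might return it
        "web-01": {
            "connections": [
                {"remote": "evil.example", "port": 443, "process": "svchost.exe"},
                {"remote": "updates.vendor.example", "port": 443, "process": "msiexec.exe"},
            ],
            "logons": ["svc_backup", "jdoe"],
            "processes": ["svchost.exe", "msiexec.exe"],
        },
    }
    return run_playbook(alarms, HostCollector(snapshots), Blocklist())


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

Two design choices carry over to any real orchestration: the severity bar keeps low-confidence alarms on the notify-only path so automation does not act on noise, and the indicator check refuses to push internal addresses to the enforcement point, because an automated block on the wrong indicator is itself an outage. The returned audit trail is what an analyst reviews afterwards to confirm the playbook did what the alarm justified.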

Problem: New Threats Emerge Daily, Making Security Research a Constant Need

Solution: AlienVault Labs Security Researchers Do the Heavy Lifting for You

Malicious actors spin out new threats daily, often changing existing threats just enough to slip past security software with as little effort as possible. With low barriers to entry and plenty of potential reward for causing damage, attackers can evolve their TTPs faster than most organizations can defend against them.

Most IT security teams have limited time, budget, and resources available to research and respond to a constantly evolving threat landscape. Without a dedicated team of in-house security researchers and analysts, most organizations just can’t keep up, leaving them vulnerable to emerging threats. Even when a threat does get detected, it takes more research to assess the threat, prioritize the alarm, and decide how best to respond. All of this adds to the time it takes to contain a threat.

That’s why the AlienVault Labs Security Research Team works on your behalf to scour the global threat landscape for emerging threats, delivering continuous threat intelligence updates directly to your USM deployment. These actionable updates come in the form of correlation rules, IDS signatures, vulnerability signatures, remediation guides, and more. In addition to helping you detect and prioritize new threats as they emerge, threat context built into in-product alarms helps kick-start your IR efforts immediately.

Because the Security Research Team draws insights from the AlienVault Open Threat Exchange (OTX), your security plan reflects lessons learned from in-the-wild attacks from all over the world. The OTX community includes 53,000 global participants from a broad range of countries, company sizes, and industries who contribute more than 10 million indicators of compromise each day. With the Security Research Team’s help, you stay prepared to detect and respond to the latest threats as they emerge without needing to spend time or resources researching global threat trends on your own.

Interested in learning more about USM Anywhere? Check it out now in our online demo environment, with prepopulated data to help you explore the product immediately with no download.
