Automated incident response is a rising trend as security teams battle with Big Data sets.
Speaking at 44CON in London, Phil Huggins, vice president at Stroz Friedberg, said that there is a rising trend with data enabled investigations, particularly when it does not take three weeks to process data and tools allow the opportunity to manipulate the data, and this reduces the time to investigate.
“This is a Hunter type investigation and it is driving investment, but it is not just about downloading Hadoop or getting someone to understand analytics, there are a whole set of capabilities and whole challenges with tools,” he said.
Huggins said that the challenges are mainly around: tools; people; process; data sources; intelligence; and knowledge, and getting to know where change is happening, which takes effort and starts with firing into the SIEM technology.
He said: “Intelligence is about understanding both external sources and internal, how it is changing and who is changing it and what is happening. We need to be prepared for it in analytics with internal and external intelligence.”
Looking at situational awareness, Huggins said that there is an understanding of what it is and where it is going, but the “problem is only going to get worse and we can train more but demand is moving ahead”.
He said that automation is the answer, but users need to make decisions and make things happen with human in just a small part of the loop.
Looking at beyond cyber, Huggins said it is about “data driven security management” and about actually making decisions based on what has happened. Also it was about understanding how metrics work, and rather than trying to find secure metrics for the world, using it for the need for your business.
He said: “I am seeing automated security response more and more, and if 80 per cent is checked and 95 per cent is assumed to be safe and if it is and above that, take action. This is coming in new products and that is a Big Data security opportunity on the horizon. You can have a whole team managing it and mitigating it. It is about experimenting, automating and changing it.
“Some skills you need – you need to understand how to form hypothesis and convince senior people to be more risky to be more effective and make a change happen by making it work in the first place. There is a benefit if we do it and change security, and not measuring by the percentage of the IT budget, but the effectiveness of what we perform.
“There are no silver bullets and this will not solve problems, we have problems and should deal with them. A good place to be a better place to be, a good place to invest in. Security is changing from a subjective art to a data and automation discipline.”