Every company should have a general incident response plan that establishes an incident response team, designates the members, and outlines their strategy for reacting to any cybersecurity incident.
To consistently act on that strategy companies need playbooks - tactical guides that walk responders through investigation, analysis, containment, eradication, and recovery for attacks such as ransomware, a malware outbreak, or business email compromise.
Organizations that do not follow a playbook for security will frequently suffer more serious incidents, says John Hollenberger, senior security consultant with Fortinet's Proactive Services group.
In nearly 40% of the global incidents Fortinet handles, the lack of adequate playbooks was a contributing factor that led to the intrusion in the first place.
Even with playbooks, he says, analysts still have complex decisions to make based on the details of the compromise.
Unsurprisingly, companies and researchers are increasingly trying to apply machine learning and artificial intelligence to playbooks - such as getting recommendations on what steps to take while investigating and responding to an incident.
A deep neural network can be trained to outperform current heuristic-based schemes, recommending next steps automatically based on the features of an incident and playbooks represented as a series of steps in a graph, according to a paper published in early November by a group of researchers from Ben-Gurion University of the Negev and technology giant NEC. The BGU and NEC researchers argue that manually managing playbooks can be untenable in the long run.
Automating the detection, investigation, and response to events is the domain of security orchestration, automation, and response systems, which - among other roles - have become the repositories of playbooks to use in the variety of circumstances firms face during a cybersecurity event.
SOAR systems are becoming increasingly automated, as their name suggests, and adopting AI/ML models to add intelligence to the systems is a natural next step, according to experts.
Managed detection and response firm Red Canary, for example, currently uses AI to identify patterns and trends that are useful in detecting and responding to threats and reducing the cognitive load on analysts to make them more efficient and effective.
Generative AI systems can make it easier to communicate both a summary and the technical details of incidents to customers, says Keith McCammon, chief security officer and co-founder of Red Canary.
Eventually, playbooks may be fully automated through deep learning neural networks, the BGU and NEC researchers wrote.
Giving AI/ML models the ability to manage and update playbooks should be done with care, especially in sensitive or regulated industries, says Andrea Fumagalli, senior director of orchestration and automation for Sumo Logic.
The cloud-based security management company uses AI/ML-driven models in its platform and for finding and highlighting threat signals in the data.
Automation needs to be fully transparent, and one way to do that is by showing all the queries and data to the security analysts.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 05 Dec 2023 01:20:04 +0000