Written by Sukhbir Sandhu, Managing Director, Area VP (ASEAN), Forescout
Though the shortfall of tech skills and talent across the board has become a growing issue worldwide, the shortage within the cybersecurity sector is at a critical level. In Singapore, the digital hub of Southeast Asia, the Cyber Security Agency of Singapore (CSA) estimated a shortage of up to 3,400 cybersecurity professionals. This suggests that Southeast Asia’s security industry has its work cut out for it, especially with the region increasingly becoming a hot spot for cyber attacks, due to its rapid pace of digital transformation.
Today, with organisations hosting a combination of interconnected IoT and OT devices, attack surfaces have not only massively increased, but also present the challenge of higher risks of ransomware attacks. KPMG reports that 78% of organisations use more than 50 discrete cybersecurity tools to protect and address their security issues. However, with no end in sight to overcoming the cybersecurity skills gap, effectively managing these networks has become increasingly tough for the over-stretched and under-resourced security teams.
Automation and machine learning are well placed to help soften the blow and improve an organisation’s overall cybersecurity posture. Many routine Security Operations Centre (SOC) tasks can be translated into automated policies that drive response, which lets organisations focus their hiring on the areas where human effort is genuinely needed. Automating these roles not only frees up scarce cybersecurity talent, but also helps keep an organisation protected against ransomware, intrusions, and other network threats.
Response teams are at a tipping point
Modern businesses exist in a constantly fluctuating and fast-evolving digital environment. With countless physical devices around the world connected to the internet, new devices join networks every day: Internet of Things (IoT), Operational Technology (OT), cloud and, in the healthcare sector, Internet of Medical Things (IoMT). This is happening across many different industries, some of which manage and store highly valued, confidential, and vulnerable information – further tempting and attracting cybercriminals and nation-state actors alike.
A recent research study conducted by Forescout Technologies showed just how critical the vulnerabilities inherent in OT are, because these devices are “insecure by design”, and how little visibility organisations have into where such devices sit on their networks. Referred to as OT:ICEFALL, this set of 56 vulnerabilities affects popular devices from 10 OT vendors and permits credential theft, remote code execution and firmware or logic manipulation. Because OT was traditionally designed to function in isolation from IT networks, security was viewed as a low priority. However, as IT-OT convergence becomes increasingly commonplace, so will the ever-changing threat landscape and the vulnerabilities that highlight the sheer scale of the challenge security teams need to overcome.
Security risks are everywhere in today’s connected world, and even organisations with the most mature security postures are becoming overwhelmed by the number of IT and security solutions that sit on their networks without any meaningful integration. This in turn causes a lack of insight into device context and produces conflicting data, which overloads incident response teams and security operations with more alerts than they can process. Many of these alerts are false positives, or relate to risks that have already been mitigated by other means, such as network segmentation.
Likewise, many alerts are unactionable. All too often, SOC managers share feedback that “we can detect threats but can’t mitigate them in time” or “our tools send alerts but don’t automatically fix the incidents.” Incident response remains a highly reactive process and battling alert fatigue only to perform rote, menial tasks can easily wear down even the most dedicated staff – even if it’s just prioritising alerts.
Accelerate response actions with automation
With sophisticated cyberthreats and challenges on the rise, businesses today need to constantly evolve, reassess, and improve by using novel strategies and technology. The cyber risks of device security complexity and manual overheads can be addressed by optimising security automation:
1. Device Context – Automation helps organisations keep track of, and maintain up-to-date information on, their cyber assets, which is essential to understanding what a device is, what it is connected to, and from where it is connecting. This in turn lets organisations distinguish between devices that look alike, such as a Windows 7 PC versus a Windows 7 laptop that operates a pill-dispensing cart on a hospital floor. This information can easily be integrated into other tools and allows teams to use them more effectively.
2. Orchestrated Workflows – When security products share the same device context, their actions can be orchestrated to automate system-wide policy enforcement and accelerate response. Automated workflows can check for devices that are potentially vulnerable, trigger a response, and then allow the appropriate action to be taken. To keep devices protected, remediation itself can be automated: by running a script, fixing a missing agent, or triggering a patch, organisations can stay ahead of threats.
3. Accelerated Response – With many alerts to handle, multifactor risk scoring and advanced threat detection can help prioritise alerts so that the risks and threats that matter most are dealt with first. In the event of a malware attack, responses should include actions at the network level, as host-based controls are often disabled. With cyberattacks becoming increasingly automated, responding to incidents at machine speed is essential to preventing, mitigating, and recovering from a breach.
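The three points above describe one pipeline: device context feeds an orchestrated workflow, which produces a prioritised, partly automated response. The script below is an added illustration of that pipeline and is not Forescout code or product logic. The inventory, alerts, segment names, criticality weights and CVE-style identifiers (`CVE-EXAMPLE-nnnn`) are all constructed for the example. It shows two things the paragraphs only state: how the same tool severity yields very different risk scores once device context (function, exposure, agent presence) is applied, and how alerts that are false positives or already mitigated by segmentation are suppressed before they reach an analyst. Malware responses always include a network-level action, since the host agent may be absent or disabled.

```python
"""Added example: context-aware alert triage with multifactor risk scoring.

All data below is constructed; scoring weights are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    device_id: str
    os: str
    function: str            # workstation, server, medical_cart, plc
    segment: str             # network segment the device sits in
    internet_exposed: bool
    agent_present: bool      # host-based control (e.g. EDR agent) installed
    known_cves: List[str] = field(default_factory=list)


@dataclass
class Alert:
    alert_id: str
    device_id: str
    category: str            # "malware" or "vuln_scan"
    severity: int            # 1..5 as reported by the originating tool
    cve: Optional[str] = None


@dataclass
class TriageItem:
    score: float
    alert_id: str
    device_id: str
    actions: List[str]


# Constructed inventory: two Windows 7 devices with the same CVE but different roles.
INVENTORY: Dict[str, Device] = {
    "ws-01":   Device("ws-01", "Windows 7", "workstation", "corp", False, True, ["CVE-EXAMPLE-0001"]),
    "cart-07": Device("cart-07", "Windows 7", "medical_cart", "clinical", False, False, ["CVE-EXAMPLE-0001"]),
    "plc-03":  Device("plc-03", "vendor-rtos", "plc", "ot-isolated", False, False, ["CVE-EXAMPLE-0002"]),
    "srv-02":  Device("srv-02", "Linux", "server", "dmz", True, True, []),
}

# Segments already isolated by network segmentation (assumption): vulnerability
# alerts for devices here are treated as mitigated rather than queued.
ISOLATED_SEGMENTS = {"ot-isolated"}

# Business criticality by device function (assumed weights).
CRITICALITY = {"plc": 3.0, "medical_cart": 3.0, "server": 2.0, "workstation": 1.0}
UNKNOWN_DEVICE_SCORE = 10.0   # unclassified devices are escalated for investigation


def risk_score(alert: Alert, device: Device) -> float:
    """Combine the tool's severity with device context into a single score."""
    score = alert.severity * CRITICALITY.get(device.function, 1.0)
    if device.internet_exposed:
        score *= 1.5          # reachable from outside the network
    if not device.agent_present:
        score *= 1.25         # no host-based control can act on it
    return round(score, 2)


def is_mitigated(alert: Alert, device: Device) -> bool:
    """Suppress vulnerability alerts that are false positives or already contained."""
    if alert.category != "vuln_scan":
        return False
    if device.segment in ISOLATED_SEGMENTS:
        return True                                   # mitigated by segmentation
    return bool(alert.cve) and alert.cve not in device.known_cves   # false positive


def plan_response(alert: Alert, device: Device) -> List[str]:
    """Choose automated actions; malware always gets a network-level action."""
    actions: List[str] = []
    if alert.category == "malware":
        actions.append(f"quarantine {device.device_id} at network level (segment {device.segment})")
        if device.agent_present:
            actions.append("isolate host via agent")
    elif alert.category == "vuln_scan" and alert.cve:
        actions.append(f"trigger patch job for {alert.cve} on {device.device_id}")
    if not device.agent_present and device.function in {"workstation", "server"}:
        actions.append("deploy missing agent")
    return actions


def triage(alerts: List[Alert], inventory: Dict[str, Device]) -> Tuple[List[TriageItem], List[str]]:
    """Return (prioritised queue, suppressed alert ids)."""
    queue: List[TriageItem] = []
    suppressed: List[str] = []
    for alert in alerts:
        device = inventory.get(alert.device_id)
        if device is None:
            queue.append(TriageItem(UNKNOWN_DEVICE_SCORE, alert.alert_id, alert.device_id,
                                    ["investigate unclassified device"]))
            continue
        if is_mitigated(alert, device):
            suppressed.append(alert.alert_id)
            continue
        queue.append(TriageItem(risk_score(alert, device), alert.alert_id,
                                device.device_id, plan_response(alert, device)))
    queue.sort(key=lambda item: item.score, reverse=True)
    return queue, suppressed


# Constructed alert batch: note the PLC alert has the highest raw severity.
SAMPLE_ALERTS = [
    Alert("A1", "ws-01", "vuln_scan", 4, "CVE-EXAMPLE-0001"),
    Alert("A2", "cart-07", "vuln_scan", 5, "CVE-EXAMPLE-0001"),
    Alert("A3", "plc-03", "vuln_scan", 5, "CVE-EXAMPLE-0002"),
    Alert("A4", "srv-02", "vuln_scan", 3, "CVE-EXAMPLE-0003"),
    Alert("A5", "srv-02", "malware", 5),
    Alert("A6", "unknown-99", "malware", 2),
]


def triage_demo() -> Tuple[List[TriageItem], List[str]]:
    return triage(SAMPLE_ALERTS, INVENTORY)


if __name__ == "__main__":
    queue, suppressed = triage_demo()
    for item in queue:
        print(f"{item.score:6.2f}  {item.alert_id}  {item.device_id}  {item.actions}")
    print("suppressed:", suppressed)
```

Run as-is, the medical cart's alert (A2) outranks the same CVE on the office workstation (A1) by a wide margin, the PLC alert (A3) is dropped because its segment is already isolated, and the server's scanner hit for a CVE it does not carry (A4) is dropped as a false positive. The weights are the part a real deployment would tune from its own asset data; the structure (context lookup, suppression, scoring, action planning) is what the three points above describe.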
The power of the long game
With concerns about possible operational disruptions and facing setbacks in an already mission-critical process, some organisations may still be hesitant to introduce and implement automation into their systems. However, organisations that are willing to invest the time to do so will be able to achieve greater efficiency in the long run.
Amid the cybersecurity skills gap, the exploding number and variety of connected devices, and an ever-evolving threat landscape, embracing security automation is essential – and the key to doing it effectively is to leverage comprehensive data from your networks, so that all the information used is accurate and aligned with how things work operationally. This can be done with visibility and monitoring solutions, which provide significant insight into the depth and breadth of a network, allow organisations to eliminate blind spots by seeing everything that is happening on the network at once, and then act on it.
Fully integrated platforms enable organisations not only to use multiple capabilities at once, but also to focus on what cannot be automated and to deploy human workers on higher-skilled tasks, while working to close the growing cybersecurity skills gap.