Methods for Security Automation and Improving MTTR

As companies shift and expand their operations, the risk of malware and advanced threats expands too. To keep up with demand, security teams must adapt operational processes to detect and respond to threats. But how do security companies expand their reach and scope without over-expanding that all-important budget?

By shifting certain aspects of their operations to automated systems, security teams can grossly improve their mean time to respond (MTTR). If your security team is stretched thin, automation may be the key to keeping your team happy and effective. There are a number of options to consider when looking into automation, and we will explore the pros and cons of several, beginning with device containment.

Device Containment Approaches

Over the last decade, different solutions have explored a wide variety of asset containment approaches. Below is an assessment of common asset containment approaches and their pros and cons:

EDR-based containment:

EDR-based containment works by installing a network filter driver controlled by the EDR agent. The driver blocks all network communication to and from the device with specific exceptions for the EDR agent and SecOps toolkits traffic.

Pros:

• Containment is built into EDR as an industry-standard technology
• Minimal configuration and overhead as the agents are centrally managed from the EDR console
• Allows for real-time surgical responses to threats
• Automatic containment rules work regardless of user location

Cons:

• EDR agents cannot instrument every asset in an environment (IoT, BYOD, VoIP, printers, etc.)
• Coverage gaps from uninventoried and unsupported assets leave areas for attackers to hide.

Port isolation:

Port isolation works by isolating an endpoint in a private VLAN, ensuring that devices are unable to communicate with peer devices or servers. This allows intranet-based traffic to be routed through additional detection layers, and is often combined with validating assets (using posture assessment) before allowing them access to sensitive subnets.

Pros:

• Potential for improved forensics of traffic and malware behavior
• Flexible response options allow users access to resources based on posture or threat detections
• Responses can be as granular as necessary

Cons:

• Limited to physical network infrastructure
• Expensive, requires compatible hardware and software stack
• Management and maintenance of the various ACLs (Access Control Lists) is time-consuming and error-prone

TCP reset flooding:

TCP reset flooding is basically a denial of service (DOS) attack. This is accomplished by flooding a device's network connection with TCP reset packets, preventing the target device from communicating with other devices.

Pros:

• A network-based approach can target all network assets (Endpoints, IoT, BYOD, etc.)
• No agent deployments

Cons:

• Flooding endpoints with TCP reset packets may block TCP-based traffic but won't prevent malicious UDP-based communication
• TCP reset floods may saturate switches, slowing or blocking access to network resources (DOS)
• Network segment hosting business-critical systems can become saturated, resulting in disruptions to normal business operations
• This technique is typically associated with malicious actors, so it's difficult to assess the validity of the actions
• May trigger alerts or other automated responses, resulting in difficulty assessing the scope and scale of the actual threat

Coordinating Automation:

Modern network security doctrine emphasizes a layered defensive approach. As organizations mature their security capabilities, the overlap in many security products necessitates the coordination of distinct security layers. Vendors have addressed this need by creating robust APIs to allow various tools to integrate both response coordination and data sharing.

For example, when Reveal(x) detects command-and-control traffic originating from a specific endpoint it can leverage the CrowdStrike Falcon agent to isolate the endpoint from the network. Reveal(x) and CrowdStrike then bundle relevant forensic data, helping to accelerate the investigative process. Similarly, when the CrowdStrike Falcon agent detects malware active on an endpoint, the EDR agent can reach out to a policy management system, such as Cisco ISE, trigger a port isolation for that specific endpoint, and disable the associated user account.

This type of automation ensures a rapid response while also limiting the scope of impact to the device and associated user account. Additionally, security teams have the control to define which actions are permitted for a given device in a specific scenario, ensuring that even if a problem is detected in critical infrastructure, no action taken will impact core business functionality.

Automated Response Comes With Tradeoffs, But Grows More Viable in Mature Security Programs

As organizations grow and networks become more distributed, the need for security automation and cross-product integrations becomes essential to addressing the rapid changes in the threat landscape. Stopping advanced threats requires swift response and coordinated action. Maturing security operations requires organizations to understand the automation options available; identifying the tools and capabilities that address current needs and future expansion is central to any organization's ability to mature its security posture without compromising its budget. It's best to start small by developing strong processes and procedures that ensure trust in the security teams capabilities, and the identification of mature products and automated response technologies will ensure that security teams have the tools they need to address current and future threats.