To keep pace with the growing number of cyberattacks, government can’t rely on its cyber workforce to do all the legwork. Automation is a critical component of effective monitoring and incident response.
“When you look at the latest attacks and the sophistication that the adversaries are using, you can't be successful without implementing some sort of automation,” said Rob Thorne, CISO for U.S. Immigration and Customs Enforcement (ICE), at GovCIO Media & Research’s CyberScape: Data & Automation Security event Thursday. “There's such a large amount of event log data that we're collecting, and to have to go through that without automation — you're just not going to be able to stay ahead of the adversary.”
ICE reviews its cybersecurity tasks, from patch management to routine scanning, for processes that are simple, time-consuming and repetitive, since those are the strongest candidates for automation. Automating them can help cyber teams identify threats more accurately, understand relative risk and ultimately respond faster.
“The goal is to reduce the load that we have on our already burdened staff,” Thorne said. “We want to make certain that they can focus on those risky events that we really want them to focus on.”
Thorne said ICE benefited from implementing a Security Orchestration, Automation and Response (SOAR) capability. SOAR is a collection of software solutions and tools that allows organizations to streamline three key areas: threat and vulnerability management, security incident response and security operations automation.
In particular, Thorne found SOAR to be instrumental in reducing alert fatigue. There are massive amounts of data for analysts to parse through, but automation can help pinpoint the highest-risk alerts.
“Fatigue is a reality, and we have to deal with that going forward,” Thorne said.
Most critically, SOAR has helped ICE integrate its security capabilities, including scanning results, EDR activity and SIEM data. This integration is what initially prompted ICE to adopt SOAR. Automation can drive powerful tools, but those tools ultimately have to enable the people operating them.
“About five years ago, I went out to the West Coast and I sat down with an analyst,” Thorne said. “He was walking me through a potential incident that he was working, and he had to cut and paste and log into different systems and move things around and pull data to create a story. And I said, ‘Oh my goodness, I can’t believe you guys are doing that.’ So that’s when we started our journey to implement a SOAR product. And it paid off in dividends.”
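The integration Thorne describes, a SOAR playbook that pulls scan results, EDR activity and SIEM alerts together so the analyst no longer builds the "story" by hand across several consoles, looks roughly like the toy enrichment playbook below. This is an added example, not ICE's or any vendor's code; the alert, EDR and scan records are constructed inline, and the field names, scoring weights, 15-minute correlation window and disposition thresholds are assumptions chosen for illustration.

```python
"""Toy SOAR-style enrichment playbook (added example; not ICE's or a vendor's code).

A SIEM alert on its own says little. For each alert the playbook pulls the
endpoint (EDR) activity and the latest vulnerability-scan findings for the
alert's host, scores the combined picture, and emits one case record with a
timeline, which is the story an analyst otherwise assembles by hand.
"""
from datetime import datetime, timedelta

# --- constructed sample data (not real telemetry) ---------------------------
SIEM_ALERTS = [
    {"id": "A-1", "host": "ws-017", "user": "jdoe", "rule": "brute-force-success",
     "severity": "medium", "ts": "2024-05-02T13:02:00"},
    {"id": "A-2", "host": "srv-db-03", "user": "svc_backup", "rule": "new-admin-account",
     "severity": "high", "ts": "2024-05-02T13:05:00"},
    {"id": "A-3", "host": "ws-221", "user": "asmith", "rule": "brute-force-success",
     "severity": "medium", "ts": "2024-05-02T13:06:00"},
]

EDR_EVENTS = {  # host -> process events reported by the endpoint agent
    "ws-017": [
        {"ts": "2024-05-02T13:03:10", "proc": "powershell.exe", "tag": "encoded-command"},
        {"ts": "2024-05-02T13:04:40", "proc": "rundll32.exe", "tag": "lolbin"},
    ],
    "srv-db-03": [
        {"ts": "2024-05-02T13:05:30", "proc": "net.exe", "tag": "account-manipulation"},
    ],
    # stale activity hours before the alert; it must not inflate the score
    "ws-221": [
        {"ts": "2024-05-02T10:00:00", "proc": "rundll32.exe", "tag": "lolbin"},
    ],
}

SCAN_RESULTS = {  # host -> open findings from the last vulnerability scan
    "ws-017": [{"id": "F-101", "cvss": 7.5, "exploit_available": True},
               {"id": "F-102", "cvss": 5.0, "exploit_available": False}],
    "srv-db-03": [{"id": "F-201", "cvss": 9.8, "exploit_available": False}],
    "ws-221": [],
}

# --- assumed scoring model ---------------------------------------------------
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 9}
EDR_TAG_WEIGHT = {"encoded-command": 3, "lolbin": 2, "account-manipulation": 4}
CORRELATION_WINDOW = timedelta(minutes=15)


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def enrich_alert(alert, edr_events, scan_results):
    """Build one case record for a SIEM alert from the EDR and scan data for its host."""
    host = alert["host"]
    t0 = _parse(alert["ts"])
    # Only EDR events close in time to the alert corroborate it.
    edr = [e for e in edr_events.get(host, [])
           if abs(_parse(e["ts"]) - t0) <= CORRELATION_WINDOW]
    edr_score = sum(EDR_TAG_WEIGHT.get(e["tag"], 1) for e in edr)
    # A finding with a public exploit counts at full CVSS, others at half.
    findings = scan_results.get(host, [])
    vuln_score = max((f["cvss"] if f["exploit_available"] else f["cvss"] / 2
                      for f in findings), default=0.0)
    score = round(SEVERITY_WEIGHT[alert["severity"]] + edr_score + vuln_score, 1)
    timeline = sorted(
        [(alert["ts"], "siem", f'{alert["rule"]} by {alert["user"]}')]
        + [(e["ts"], "edr", f'{e["proc"]} ({e["tag"]})') for e in edr]
    )
    return {
        "alert_id": alert["id"],
        "host": host,
        "score": score,
        "disposition": "escalate" if score >= 12 else "review" if score >= 6 else "low-priority",
        "timeline": timeline,
        "exploitable_findings": [f["id"] for f in findings if f["exploit_available"]],
    }


def triage(alerts, edr_events, scan_results):
    """Enrich every alert and return the cases highest-risk first."""
    cases = [enrich_alert(a, edr_events, scan_results) for a in alerts]
    return sorted(cases, key=lambda c: c["score"], reverse=True)


if __name__ == "__main__":
    for case in triage(SIEM_ALERTS, EDR_EVENTS, SCAN_RESULTS):
        print(case["alert_id"], case["host"], case["score"], case["disposition"])
        for ts, src, what in case["timeline"]:
            print("   ", ts, src, what)
```

Run on the constructed data, the medium-severity SIEM alert A-1 outranks the high-severity A-2 because the EDR activity and an exploitable finding on the same host corroborate it, while A-3, whose only EDR event falls outside the correlation window, drops to low priority. That re-ranking is the point of the integration: the signal the SIEM rule alone cannot see is what tells the analyst where to look first.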