Security Automation for Account Misuse - PowerPoint PPT Presentation
1
Security Automation for Account Misuse
2
Introduction
  • This is the fourth and final installment of this blog
    series on use cases that can benefit most from
    security automation. In case you've missed the
    prior posts, we have already covered automating
    the investigation of and response to phishing,
    malware and DLP alerts.

3
Automating the triage and incident response for
account misuse alerts
4
Security Automation
  • Today we wrap up this series by talking about how
    security automation can be applied to account
    misuse alerts. These are the types of alerts that
    usually come in the form of failed logins,
    account logouts, domain groups added, and so on.

5
Why Account Misuse
  • Alerts related to account misuse are ripe for
    automation because they meet three of our four
    criteria.
  • Account misuse alerts require fast response,
    particularly when they are actually caused by a
    malicious act and involve privileged accounts.
    Without quick action, you're at risk of
    unauthorized access and, in turn, fraudulent
    activities or a real data breach.

6
Account Misuse Alerts
  • It's important to note that account misuse
    alerts can often be false positives. Yes, a
    failed login alert could be an indicator of a
    brute force attack, but it could also just be the
    result of a user forgetting or fat-fingering
    their password. Thus, it's important to reach a
    conclusive diagnosis as soon as possible.
    Security automation can be a big help in that
    regard.
  • So, without further ado, let's go over a typical
    account misuse alert process flow or playbook and
    see which areas can be improved through security
    automation.

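The deck's point that a failed-login alert may be a typo or a brute force attempt is the first thing an automated triage step has to settle. The following is an added example (not from the original presentation): a Python pass over constructed, syslog-style authentication lines that separates a user who fumbled a password and then succeeded from a single account being hammered and from one source trying many accounts. The log format, field names, thresholds and window size are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical line format assumed for this example:
#   2024-05-01T08:00:01Z auth FAIL user=alice src=10.0.0.5
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """Parse one auth line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def max_in_window(timestamps, window):
    """Largest number of (sorted) timestamps inside any interval of length `window`."""
    best, start = 0, 0
    for end in range(len(timestamps)):
        while timestamps[end] - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(lines, window=timedelta(minutes=5), fail_threshold=10, spray_threshold=5):
    """Return per-account verdicts plus the sources that look like password spraying."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])

    fails_by_user = defaultdict(list)  # account -> timestamps of its failures
    users_by_src = defaultdict(set)    # source -> distinct accounts it failed against
    succeeded_after = set()            # accounts that logged in after failing

    for e in events:
        if e["result"] == "FAIL":
            fails_by_user[e["user"]].append(e["ts"])
            users_by_src[e["src"]].add(e["user"])
        elif e["user"] in fails_by_user:
            succeeded_after.add(e["user"])

    accounts = {}
    for user, ts_list in fails_by_user.items():
        peak = max_in_window(ts_list, window)
        if peak >= fail_threshold:
            accounts[user] = "brute_force"          # many failures on one account
        elif user in succeeded_after:
            accounts[user] = "user_error"           # a few misses, then success
        else:
            accounts[user] = "needs_review"         # not enough signal either way

    spray_sources = {src for src, users in users_by_src.items() if len(users) >= spray_threshold}
    for src in spray_sources:
        for user in users_by_src[src]:
            accounts[user] = "password_spray"       # one source, many accounts
    return {"accounts": accounts, "spray_sources": spray_sources}


def build_sample_log():
    """Constructed sample events (not real telemetry) covering the three patterns."""
    base = datetime(2024, 5, 1, 8, 0, 0)
    lines = [f"{fmt(base + timedelta(seconds=s))} auth FAIL user=alice src=10.0.0.5" for s in (1, 9)]
    lines.append(f"{fmt(base + timedelta(seconds=20))} auth OK   user=alice src=10.0.0.5")
    # thirty failures against one service account in two minutes
    lines += [f"{fmt(base + timedelta(seconds=300 + 4 * i))} auth FAIL user=svc_backup src=203.0.113.9"
              for i in range(30)]
    # one source failing once against each of eight accounts
    lines += [f"{fmt(base + timedelta(seconds=600 + 10 * i))} auth FAIL user=user{i:02d} src=203.0.113.44"
              for i in range(8)]
    return lines


if __name__ == "__main__":
    for user, verdict in sorted(triage(build_sample_log())["accounts"].items()):
        print(f"{user:12s} {verdict}")
```

The verdict is a first-level determination for the analyst queue, not a final call: "needs_review" is deliberately left for a human, and the thresholds should be tuned to the environment's normal failure rate.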
7
Data Gathering / Enrichment
  • As in any type of investigation, this stage
    entails gathering data from various sources to
    get better context of the situation. For account
    misuse alerts, you would typically gather
    information about the user account and
    host/endpoint involved in the alert. It would
    also help to gather historical data of those
    entities for even greater context. All this can
    be quickly gathered through automation.

8
Automated Analysis and First-Level Determination
  • In the previous use case examples, the security
    analyst would typically retrieve information such
    as hashes, URLs, IPs, etc., from different
    security solutions as well as threat intelligence
    sources, and then make decisions off of the
    collected information. With account misuse
    alerts, the process usually entails a greater
    degree of user involvement.

9
Deeper Investigation
  • When security analysts conduct a deeper
    investigation on potential account misuse alerts,
    their usual tasks involve looking into the
    activities of the user as well as the activities
    of the host and network. What they'll be looking
    for are signs indicating either normal or
    irregular user/host/network behavior. If they
    find anomalies indicative of malicious activity,
    they could proceed to escalation and response.

10
Escalation/Response Path
  • The analyst would then move on and carry out the
    appropriate response activities, such as:
  • Notifying the user of the impending
    restrictions/suspensions
  • Notifying the user's manager as well as the
    user himself/herself of any impending
    investigation
  • If the account misuse is deemed to be already in
    an advanced/high-risk stage, escalating the case
    to an incident response process.

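The four slides above (data gathering/enrichment, automated analysis, deeper investigation, escalation/response) are steps of one playbook. The block below is an added example, not code from the original presentation: a minimal Python playbook that enriches an alert with user, host and 30-day history context, records each anomaly it finds so the analyst sees the reasoning, and maps the result onto the deck's response paths. The directory, inventory and history data are constructed in-memory stand-ins for the identity provider, CMDB and SIEM an analyst would actually query, and the anomaly rules, score thresholds and action names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the systems an enrichment step would query.
USER_DIRECTORY = {
    "alice": {"manager": "bob", "groups": ["staff"], "enabled": True},
    "svc_backup": {"manager": "ops-lead", "groups": ["Domain Admins", "Backup Operators"], "enabled": True},
}
HOST_INVENTORY = {
    "WS-0451": {"owner": "alice", "criticality": "low"},
    "DC-01": {"owner": "it-ops", "criticality": "high"},
}
# 30-day history per account: source addresses and hours of day previously seen.
HISTORY = {
    "alice": {"sources": {"10.0.0.5"}, "hours": set(range(8, 19))},
    "svc_backup": {"sources": {"10.0.0.20"}, "hours": {2, 3}},
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}


@dataclass
class Alert:
    kind: str                 # e.g. "failed_login", "logout", "group_added"
    user: str
    host: str
    src: str
    hour: int                 # hour of day the event occurred (0-23)
    details: dict = field(default_factory=dict)


def enrich(alert):
    """Data gathering: pull user, host and historical context for the alert's entities."""
    return {
        "user": USER_DIRECTORY.get(alert.user, {}),
        "host": HOST_INVENTORY.get(alert.host, {}),
        "history": HISTORY.get(alert.user, {"sources": set(), "hours": set()}),
    }


def analyze(alert, ctx):
    """Automated analysis: return (score, reasons), one reason per anomaly found."""
    reasons = []
    if set(ctx["user"].get("groups", [])) & PRIVILEGED_GROUPS:
        reasons.append("privileged account")
    if alert.src not in ctx["history"]["sources"]:
        reasons.append(f"never-before-seen source {alert.src}")
    if alert.hour not in ctx["history"]["hours"]:
        reasons.append(f"outside usual hours (hour {alert.hour})")
    if ctx["host"].get("criticality") == "high":
        reasons.append(f"high-criticality host {alert.host}")
    if alert.kind == "group_added" and alert.details.get("group") in PRIVILEGED_GROUPS:
        reasons.append(f"added to privileged group {alert.details['group']}")
    return len(reasons), reasons


def route(score):
    """Escalation path: map the anomaly count onto the deck's response options."""
    if score >= 3:
        return "escalate_to_incident_response"
    if score >= 1:
        return "notify_user_and_manager"
    return "low_risk_queue"            # still reviewed by an analyst, just not first


def run_playbook(alert):
    ctx = enrich(alert)
    score, reasons = analyze(alert, ctx)
    return {
        "action": route(score),
        "score": score,
        "reasons": reasons,
        "contacts": [alert.user, ctx["user"].get("manager")],
    }


if __name__ == "__main__":
    sample = Alert("group_added", "svc_backup", "DC-01", "203.0.113.9", 14, {"group": "Domain Admins"})
    result = run_playbook(sample)
    print(result["action"], result["score"])
    for reason in result["reasons"]:
        print(" -", reason)
```

The reasons list is the part worth keeping however the scoring is tuned: it is what makes the first-level determination explainable, so the analyst who picks up the case can check the automation's reasoning rather than trust a bare number.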
11
Remediation/Policy Updates
  • To minimize the risk of such incidents
    happening again, the analyst would then update
    any relevant security policies.
  • We've said it before and it can't be stated
    enough: security automation doesn't replace the
    need for critical thinking by security analysts.
    What it offers is faster, better decision making
    by ensuring the right information is readily
    available in its most logical, usable form.

12
Conclusion
  • The increasing sophistication and frequency of
    cyber attacks, paired with the shortage of
    skilled security talent, makes it imperative for
    you to maximize your existing threat
    investigation and response capabilities. Security
    automation can be a powerful tool in your
    security operations arsenal to drive greater
    process efficiency and effectiveness so your
    organization stays a step ahead of cyberthreats.