As any seasoned security professional will likely tell you, detecting a threat is only part of the battle. The steps you take after a threat has been identified are just as important as discovering the threat in the first place. This process of investigation and remediation, known as “response,” is oftentimes the difference between a serious breach and a minor security incident. Many organizations seek to improve their response times and lower their mean time to remediate (MTTR). Naturally, organizations are beginning to look towards automation to accomplish this task.
In an attempt to improve response times for defenders, many Network Detection and Response (NDR) vendors have started improving their response capabilities. One would think organizations would eagerly adopt these new automated response features, however the reality outlined in the “2024 Gartner® Market Guide for Network Detection and Response” tells a different story.
In this series, we have been unpacking the “2024 Gartner® Market Guide for Network Detection and Response”. Today we will be exploring why it is that while many organizations recognize the growing importance of automated response capabilities, widespread adoption remains limited. We will seek to understand and address the challenges associated with automated response and demonstrate how we believe the Stamus Security Platform (SSP) supports Gartner recommendations for deploying automated response using a phased approach.
Please visit the Stamus Networks Blog to read the first entry to this series, “Unpacking the 2024 Gartner® NDR Market Guide: The Return of IDS.”
Gartner Insights on Automated Response and NDR:
We believe the “2024 Gartner® Market Guide for Network Detection and Response” emphasizes the growing importance of automated response capabilities within NDR solutions. As the report states,
"Most organizations value the response capabilities during their NDR provider evaluations, but only deploy very narrowly automated responses past the pilot phase."
We feel this highlights an opportunity for NDR vendors to deliver solutions that more-effectively bridge the gap between detection and response. This observation also begs the question why organizations are not deploying automated response capabilities beyond an initial evaluation or “pilot phase.”
Gartner provides some recommendations to safely adopt automated response. They emphasize the importance of a phased approach, stating,
"Roll out automated response progressively, based on your existing incident response SLA for the type of incident and on the false positive rate of the detection engines."
By focusing on high impact use cases, being mindful of their service level agreement (SLA), and minimizing false positives, organizations can build confidence in automated response capabilities.
Gartner goes on to share some of these high-impact use cases where automated response can be progressively deployed, writing,
"In many cases, the acceptable use cases for network-based automated response are related north-south traffic patterns (C2 communication, data exfiltration) or ransomware lateral movement. More noticeable improvements are visible through integration with other security controls, on the monitoring dashboards and on incident response workflow automation."
Based on our own observations of how our customers use the Stamus Security Platform (SSP), we agree with Gartner both in their observations and recommendations. We believe that many organizations are underutilizing automated response capabilities due to the inherent risk often associated with automation, particularly the fear of unintended consequences. When using unmediated automation, there is always a risk that an automated system could take a network or critical device offline or otherwise harm business continuity. However, automated response doesn’t necessarily mean full autonomy. We believe Gartner highlights the importance of a phased approach, which could begin with limited, trusted automated actions like triggering workflows with an incident response (IR) system or sending notifications to the security team via email or a messaging platform.
The successful implementation of automated actions requires careful planning, testing, and integration with existing security infrastructure and processes. This is why the automated response capabilities available in SSP were designed with a phased approach in mind. For example, the recent release of Stamus Security Platform U40 includes conditional response functionality, allowing the user to customize their response based on fully custom conditional webhooks. We believe that with the inclusion of several options for automated response, SSP addresses many of these challenges and empowers organizations to safely and effectively use automated response to its best potential.
The Stamus Security Platform and Automated Response
One of the simplest uses of automated response is integration with an IR system. The Stamus Security Platform integrates with IR systems to enable incident response workflow automation by automatically opening and populating an incident response ticket. This initial automation gives the security team more control, allowing them to manage the response without the concern of an inadvertent disruption..
Security Orchestration, Automation, and Response (SOAR) platforms are another way many organizations are using automated response. SSP seamlessly integrates with leading SOAR platforms, allowing organizations to build complex workflows using SSP’s detections and network-based evidence. For example, upon identifying a high-risk threat, SSP can automatically initiate an investigation and response playbook in the SOAR platform, including tasks like threat enrichment, endpoint quarantine, and user account lockout. This orchestration of responses across different security systems ensures a comprehensive and coordinated incident response.
The Stamus Security Platform’s most powerful automated response capabilities are based on its Declaration of Compromise™ (DoC) and Declaration of Policy Violation™ (DoPV) features. DoCs are the highest-confidence security events generated by SSP to signal a serious and imminent threat on an asset. Similarly, DoPVs assert the same level of confidence to signal an internal violation of set policies, such as clear text passwords, outdated TLS version, insecure cypher suites, and TOR browser usage. SSP includes hundreds of known threats covered by DoCs and many common policy violations covered by DoPVs. Additionally, users can create their own custom DoCs or DoPVs based on their own threat intelligence or internal policies.
When SSP generates a DoC or DoPV, it goes beyond a simple alert or notification. It creates a comprehensive data record containing detailed information about the detected threat or violation, including an attack timeline showing all activity associated with the asset under attack and information about the attacker activity. In addition, the DoC record includes associated detection methods, protocol transaction and flow records, associated files, and even a packet capture (PCAP) file.
This rich context from DoCs and DoPVs empowers organizations to configure automated responses based on the severity and nature of the threat or violation. For example, upon detecting a DoC indicative of a ransomware attack, SSP can automatically use a webhook to trigger a predefined workflow in the SOAR platform or call the APIs of other security products to perform actions like network segmentation, file encryption halt commands, and notification of security teams.
Furthermore, SSP's commitment to minimizing false positives plays a crucial role in promoting confidence in automation. By leveraging threat intelligence and curating the most effective detection methods with the lowest rate of false positives, SSP significantly reduces the occurrence of false alarms. This helps ensure automated actions, when enabled, are triggered only on legitimate threats, minimizing the risk of disruption and wasted security resources.
Ultimately, the power is in the hands of the user. It is up to each organization to decide how they want to integrate automated response and to what degree they feel comfortable letting automations run without direct human intervention.
Potential Benefits for Security Teams
By leveraging the Stamus Security Platform’s automated response capabilities, we believe that security teams can significantly enhance their efficiency and effectiveness in responding to threats. This leads to four main benefits:
- Accelerated Incident Response: Automated actions triggered by SSP can drastically reduce the time it takes to contain and mitigate threats. This allows security teams to focus on higher-value, more resource-intensive tasks, such as threat hunting and incident investigation.
- Reduced Mean Time to Remediate (MTTR): SSP's ability to automate routine tasks with DoC and DoPV integrations, such as isolating compromised systems or blocking malicious IP addresses, directly contributes to a reduced MTTR.
- Improved Incident Handling: By automating repetitive actions, security teams can handle a larger volume of incidents without compromising response quality. This ensures consistent and effective incident management.
- Enhanced Security Posture: Through the proactive implementation of automated response measures, organizations can strengthen their overall security posture and reduce the risk of successful attacks.
The Stamus Security Platform empowers security teams to shift from reactive to proactive threat management, enabling them to focus on strategic initiatives that drive long-term security improvements.
Download the 2024 Market Guide for Network Detection and Response
We believe the “2024 Gartner® Market Guide for Network Detection and Response” makes it clear that automated response holds a critical role in enhancing both the efficiency and effectiveness of NDR systems. The benefits of automated response make it a worthy goal for any organization, but we cannot change the hesitancy those same organizations have about trusting automated response capabilities. However, we do hope that the automated features available in SSP at least enable our customers to begin experiencing some of the potential benefits. In time, we believe that a progressive approach to deploying these functionalities will ultimately build trust in the efficacy of automated response, ultimately leading our customers to getting maximum value out of the Stamus Security Platform.
Normally, Gartner reports are only available to Gartner clients. However, this year Stamus Networks is offering a complimentary copy of the “2024 Gartner® Market Guide for Network Detection and Response” to equip defenders with strategic insights on the NDR market. To download your copy, please visit our website here >>.
To stay updated with new blog posts from Stamus Networks, also make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.
To stay updated with new blog posts from Stamus Networks, also make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.
Attributions and Disclaimers
Gartner, Market Guide for Network Detection and Response, Jeremy D'Hoinne, Thomas Lintemuth, Nahim Fazal, Charanpal Bhogal, 29 March 2024
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the
U.S. and internationally and is used herein with permission. All rights reserved.
