Cobot Uprising: Smart Automation for Blue Teams with Mark Orlando - SANS Blue Team Summit 2020

Video Link: https://www.youtube.com/watch?v=jp-PuLnd9EQ

Duration: 30:00


Despite using more automation than ever before in detection and response operations, organizations continue to be challenged by relatively unsophisticated attacks. Reliable detection requires time-consuming analysis and a level of data aggregation and correlation that is at best an art, and at worst cost-prohibitive. Meanwhile, attackers remain agile and inventive, continually (and rapidly) changing their infrastructure and approach with minimal costs and maximum benefit.

While there are some tasks that computers do far better than humans – such as rote and repetitive tasks and complex calculations – we will always be masters of analysis given our ability for complex thought, decision-making, and visual learning. With the introduction of security automation and orchestration to the defensive tool set, blue teams can now automate some of their investigative playbooks and save precious time. Unfortunately, this capability often drives automation for its own sake and expands tool sets that are already monolithic, rather than actually empowering our humans. Simply doing analysis faster is only a small part of the solution, and not all "improvements" are created equal!

How can we reframe this challenge to alter the calculus of attack and defense? Automation for its own sake is a common trap that can actually degrade our capabilities and waste defensive cycles. However, applying automation in a controlled, strategic manner can be a game-changer for defenders. With proper planning and an incremental, product-neutral approach to automation, we can measurably improve our defenses and start leveling the playing field.

Mark Orlando @markaorlando, Co-Founder & CEO @bionic_sec; Instructor, @SANSInstitute
