Responsive automation makes it possible to shorten time to detection and accelerate response by automating processes that typically require a skilled security analyst. For my money, there are few better examples of the value of responsive automation than the threat of cryptojacking malware.
Cryptojacking malware infects a system with the goal of generating Bitcoins using the victim’s machines. Once the infection takes hold, the malware saps compute resources and bogs down critical servers, using an average of 25% of an endpoint’s processing power. What’s more, generating a single Bitcoin can cost the victim nearly $10,000 in energy costs alone. While an increased power bill and slowed machines might set off alarm bells, many organizations would struggle to identify and remediate the threat on that information alone.
In fact, it takes an average of 206 days1 for a business to detect a breach, a credit to the skilled nature of attackers able to hide their attack in plain sight. This means a successful infection that occurred on January 1st, wouldn’t be discovered until mid-July! For smaller organizations, the problem is even worse, with average time to detection taking nearly 800 days.2 It should come as no surprise that only 39% of businesses feel they are highly effective at detecting threats. Sadly, in the case of midsize businesses most infections aren’t detected by the victim at all, but by a 3rd party who discovers the fallout through other means.
Even once detected, responding and recovering from the threat poses another challenge. The average attack takes 73 days to be fully repaired.1 Responding to threats in a timely fashion can be the difference between a quick fix and a major security incident.
Without the right security expertise, many midsize businesses will be powerless to effectively manage the threat. Responsive automation makes it possible for these organizations to respond faster and stay up to date with the latest threat intelligence with minimal effort on the part of their IT teams.
How Responsive Automation can detect and kill cryptojacking malware:
- Advanced detection techniques. Behavioral and statistical modeling makes it possible to detect ongoing attacks by correlating security event information from different parts of your environment. Automation makes it possible to keep the models behind these approaches up to date on the latest threats, without IT teams needing to act.
- Correlated threat scoring. Correlated threat scoring to take the guesswork out of the process. Assigning each indicator a score based on severity, and aggregating related indicators into a global incident score makes it possible to uncover threats that would be nearly impossible to detect in isolation. In the case of cryptojacking malware, the first signs of CPU usage spikes could be cross referenced with attempts to connect to malicious servers outside of the network. In tandem, these indicators would provide strong evidence of a threat.
- AI-Powered triage. Even with the guidance a threat score provides, IT teams can be left dealing with a host of threats labeled as suspicious. The process of investigating each can claim a disproportionate amount of your team’s time, with the average business spending over 286 hours a week on indicators that turn out to be false positives.3 Artificial intelligence trained to identify patterns humans may miss can provide tremendous value here and allow you to automate the process of triaging suspicious threats.
- Automated response. With an effective threat scoring model in place, responding to threats can be highly automated, allowing you to dictate the actions the system takes when a threat receives a certain score. Machine infected? Automation makes it possible to immediately isolate infected endpoints from the broader network until they can be returned to good order. From there malicious files can be quarantined, processes killed, and malicious registry keys destroyed without you needing to lift a finger.
Want to learn more about how WatchGuard can help accelerate breach detection? Download our eBook The WatchGuard Automation Core: Building an Intelligent, Autonomous, and Extensible Perimeter or try our Security Automation ROI Calculator
1 https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
3 https://www.exabeam.com/wp-content/uploads/2019/07/Exabeam-SIEM-Productivity-Study.pdf
Leave a Reply