How the Evolution of Email Incident Response Mirrors Progression of Vehicle Transmissions

Noa Kroll |
Apr 11, 2019
Spear-phishing, email incident response

In the days of Henry Ford, automobiles were all 5-speed manual transmissions that required drivers to push clutches and switch gears by band. Automatic transmissions then automated that part of driving. In recent years, lane departure warnings, collision avoidance and self-parking capabilities have enhanced autonomy. And sometime soon we’ll be driving autonomous vehicles that require little or no human involvement.

The evolution of email incident response has been strikingly similar. While the early years were comprised of burdensome manual actions, present-day solutions are trending towards machine-driven autonomy (some more so than others).

Here’s a quick history of how email incident response has evolved:

Manual Investigation & Response

This slow option typically takes 30 mins or more to respond to a suspicious message depending on the size of the company and number of affected mailboxes. In a truly manual system, analysts must physically look at every single email, its messaging and its metadata before determining the proper remediation course of action.

Rules-Based Investigation & Response

This defense usually involves tools with some investigative capabilities but requires skilled security analysts to oversee. These tools also rely on playbooks and YARA rules that require constant tweaking. As such, rules-based investigation and response cannot adapt to attackers' changes, creating a false sense of protection for businesses. What’s worse: such technology does not reduce the time from detection to response significantly.

ML + AI-Driven Investigation & Response

Technology driven by artificial intelligence and machine learning can automatically streamline investigation and response in real-time or at the click of one button by an analyst. This is because AI and ML can predict the legitimacy of any suspicious email, significantly reducing the decision-making processes of busy analysts. AI and ML is not only more effective, but the technology continually learns from itself. With the right self-learning models in place, machines can take a more proactive role in automating decisions of analysts with very high accuracy.

As cyberthreats have grown more sophisticated and complex in recent years, many email security companies have attempted to respond by introducing greater levels of automation. In fact, one might argue that the security industry is moving towards an era of autonomous threat detection and remediation in which machines may soon be able to address the majority of email security issues on their own. But just how far away we are from reaching email security autonomy is a debate for another day.

Security companies all-in on the automation highway, or are they?

 “Automation” has become a catchall marketing term for many email security companies touting fast threat detection, yet in reality, most solutions lack automation for what’s equally, if not most important, incident response.

As we’ve written about before, the majority of self-proclaimed “automated” solutions are misrepresenting YARA rules, scripts and playbooks as capable of facilitating an automated response. When in truth, most pseudo-automated email security and anti-phishing solutions all require various degrees of time-consuming human involvement to prompt remediation.

Truly automated email security aids productivity and eliminates resource constraints by:

  • Incident investigation/email forensics (content, meta data and sender reputation analysis) to streamline and triage the most imminent reported or detected threats
  • Remediating malicious emails from all affected mailboxes company-wide automatically or with1-click

Not to mention - in a truly-automated solution - the more data that is fed into the decision-making matrix, the smarter the solution becomes. As such, an automated solution can remediate most threats without human involvement, removing the threat across the entire organization.

Driving towards the future of full email security automation

As machines grow smarter and make AI decision making more precise than rules-based approaches, we are clearly on a path to fully-autonomous SOC operations with minimal oversight from security analysts. In fact, the future is so clear that the only question about autonomy is which industry is will impact at scale first - vehicle or security.

Themis, IRONSCALES virtual security analyst, uses AI as a tool to predict the legitimacy of any suspicious email with a high degree of confidence. This reduces the decision-making process of security analysts, expedites remediation and decreases risk while minimizing human intervention.

Themis is built on our community of top security teams (Federation) which continually learns from the tens of millions of emails it is exposed to on a weekly basis. It is powered by unique machine learning algorithms and is constantly fed input from hundreds of thousands of verdicts conducted by human security experts from around the world using IRONSCALES. Themis logs attack details then checks it against Federations’ previous verdicts, taking dozens of decisions and criteria into consideration. It then applies its own verdict, based on what it believes other human analysts would do with such an incident.

Themis can also be operated in both suggestive and response modes with built-in confidence levels and company policy. If that confidence level is high enough, Themis can automatically make and implement its decisions without human intervention.

Want to begin your journey to a fully or mostly autonomous SOC? Talk to us today.

SUBSCRIBE TO OUR BLOG

X
Free Trial