CMMC Requirement RA.L3-3.11.3E – Advanced Risk Identification: Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components.
Links to Publicly Available Resources – Coming Soon
This NIST Special Publication provides guidance for conducting risk assessments.
A properly resourced Security Operations Center (SOC) or Computer Incident Response Team (CIRT) may be overwhelmed by the volume of information generated by the proliferation of security tools and appliances unless it employs advanced automation and analytics to analyze the data. Advanced automation and predictive analytics capabilities are typically supported by artificial intelligence concepts and machine learning. Examples include Automated Workflow Operations, Automated Threat Discovery and Response (which includes broad-based collection, context-based analysis, and adaptive response capabilities), and machine-assisted decision tools.
[NIST SP 800-30] provides guidance on risk assessments and risk analyses.
Further Discussion
Advanced automation includes tools to correlate and reduce the cyber data overload created by defensive tools, making the data understandable to the analyst. Automation also allows the defensive mechanisms to respond rapidly when adversary events are identified. Examples of such capabilities are Security Information and Event Management (SIEM); Security Orchestration, Automation, and Response (SOAR); and Extended Detection and Response (XDR) tools. An example of an automated rapid response action is a security alert being pushed to the SIEM while the organization’s SOAR solution instructs the network firewall to block communications to the remote system identified in the security alert.
SIEM is primarily a log collection tool intended to support data storage and analysis. It collects events and sends alerts to security personnel for further investigation. SOAR is a software stack that enables an organization to collect data about security threats and respond to security events without human assistance in order to improve security operations. Orchestration connects and integrates disparate internal and external tools. Automation, fed by the data and alerts collected through security orchestration, ingests and analyzes data and carries out repeatable, automated responses. SOAR incorporates these capabilities based on the SIEM data and enables disparate security tools to coordinate with one another. If such tools are employed, SOAR can use artificial intelligence to predict and respond to similar future threats.
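A toy SOAR-style playbook for the alert-to-firewall-block flow described above, added here as an illustration rather than code from the CMMC guidance or from any SOAR product; the sample alerts, severity policy, internal address ranges, and firewall rule syntax are all constructed assumptions. It correlates SIEM alerts per source, auto-blocks only when the policy threshold is met, and routes internal hosts and low-confidence cases to an analyst queue instead.

```python
from dataclasses import dataclass
import ipaddress
# Constructed sample alerts in the shape a SIEM might forward; not real data.
SAMPLE_ALERTS = [
    {"id": "a1", "rule": "ssh-bruteforce", "src": "203.0.113.7", "severity": "high"},
    {"id": "a2", "rule": "ssh-bruteforce", "src": "203.0.113.7", "severity": "high"},
    {"id": "a3", "rule": "port-scan", "src": "198.51.100.9", "severity": "medium"},
    {"id": "a4", "rule": "malware-beacon", "src": "10.0.0.5", "severity": "high"},
    {"id": "a5", "rule": "malware-beacon", "src": "192.0.2.44", "severity": "critical"},
]
# Hypothetical policy: auto-block on "critical", or on "high" once at least
# `threshold` correlated alerts name the same source; internal hosts are never
# blocked automatically but queued for an analyst (keeps a human in the loop).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

@dataclass(frozen=True)
class Action:
    kind: str    # "block" (push firewall rule) or "review" (analyst queue)
    src: str
    reason: str

def correlate(alerts):
    """Reduce raw alerts to one record per source: count, max severity, rules hit."""
    by_src = {}
    for a in alerts:
        rec = by_src.setdefault(a["src"], {"count": 0, "max": 0, "rules": set()})
        rec["count"] += 1
        rec["max"] = max(rec["max"], SEVERITY_RANK[a["severity"]])
        rec["rules"].add(a["rule"])
    return by_src

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def playbook(alerts, threshold=2):
    """Decide per correlated source: block at the firewall or defer to an analyst."""
    actions = []
    for src, rec in correlate(alerts).items():
        reason = f"{rec['count']} alert(s): {', '.join(sorted(rec['rules']))}"
        critical = rec["max"] >= SEVERITY_RANK["critical"]
        repeated_high = rec["max"] >= SEVERITY_RANK["high"] and rec["count"] >= threshold
        kind = "review" if is_internal(src) or not (critical or repeated_high) else "block"
        actions.append(Action(kind, src, reason))
    return actions

def firewall_rules(actions):
    """Render block actions as hypothetical firewall CLI lines the orchestrator would push."""
    return [f"deny ip from {a.src} to any  # {a.reason}" for a in actions if a.kind == "block"]
```

In a real deployment the `firewall_rules` output would be sent through the firewall's API or management interface, and every action (blocked or queued) would be written back to the SIEM so the analyst can see what the automation did and why.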
XDR streamlines security data ingestion, analysis, prevention, and remediation workflows across an organization’s entire security stack, providing a single console to view and act on threat data. However, the presence of these tools by themselves does not necessarily provide an advanced capability. It is essential that the security team employ critical thinking in support of the intrusion detection and threat hunting processes.