By Joe Partlow, CTO at ReliaQuest
Amid an enterprise attack surface that is more complex than ever, many security teams have turned to automation to boost threat detection and response. When implemented correctly, security automation can help increase visibility and control over an ever-expanding environment and across the entire security lifecycle.
One of automation's major benefits is that it saves time and energy by replacing manual, repetitive, low-value work. For example, it can reliably execute operational tasks such as process or service restarts, or speed up routine steps in incident response.
However, some enterprise leaders have unrealistic expectations for automation and treat it as a cure-all that can replace analysts and other team members. Without the right combination of people, processes and technology, enterprises can end up spending more on the promised efficiencies than they get back. There are a few strategies and guidelines security teams should keep in mind before making such an investment.
Use Automation to Elevate, Not Replace, Human Experience
While automation can streamline workflows and help execute security tasks at scale, it cannot replace a security team. In fact, getting the full value of automation depends on having mature processes and teams in place. Every organization's environment is different, so no two organizations will automate the same things in the same way. Only a seasoned security team that understands the specific environment can implement automation and keep playbooks current as the environment and the threats change. There is no “set it and forget it” strategy.
Focus on Automation That Enables Business Continuity
A risk-based approach is often most effective when investing in automation. Enterprises can work with peers and stakeholders to think through how business priorities have changed over the last few months amid shifting workplace processes. Evaluate key priorities, like the rising importance of securing cloud and SaaS applications, as well as any changes to the roles or responsibilities of employees accessing sensitive data and from what location. From there, enterprises can determine the biggest risks to the business and redouble efforts where it will have the biggest impact.
Apply Automation to What You Know
Automation is best applied to specific processes that a security team knows and trusts, rather than to every source in the environment. Automation requires not only intimate knowledge of incident response processes but also insight into, and access to, the systems being integrated. For example, if you want to trigger a vulnerability scan on a target host, even the apparently innocuous preliminary steps, such as gathering contextual information about the host, become challenging without a deep understanding of the process you are automating, your organization's policies, and the system you are integrating with.
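To make the vulnerability-scan example concrete, here is the kind of pre-flight check a playbook should run before it touches a host. This is an added example written for this edit, not code from ReliaQuest or the author; the asset inventory, the tags, the scan windows and the "blocking tags" policy are all constructed assumptions standing in for whatever your CMDB and change policy actually say. The point it illustrates is that the scan itself is the easy part; knowing whether you are allowed to scan this host, right now, is where the process and policy knowledge lives.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed asset inventory for this example (assumption, not real data).
# maintenance_utc lists (start_hour, end_hour) windows in which active
# scanning is approved without a human in the loop.
INVENTORY = {
    "10.0.4.17": {"hostname": "web-01", "owner": "platform",
                  "tags": {"prod", "web"}, "maintenance_utc": [(2, 6)]},
    "10.0.9.3":  {"hostname": "plc-gw-01", "owner": "ot-eng",
                  "tags": {"ot", "no-active-scan"}, "maintenance_utc": []},
    "10.0.5.22": {"hostname": "dev-04", "owner": "appdev",
                  "tags": {"dev"}, "maintenance_utc": [(0, 24)]},
}

# Hypothetical policy: any of these tags means an active scan needs
# explicit human approval (OT gear and fragile hosts, for instance).
BLOCKING_TAGS = {"no-active-scan", "ot"}


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # why the playbook decided this
    context: dict = field(default_factory=dict)   # enrichment handed to the analyst


def utc_at(hour: int) -> datetime:
    """Build a timestamp on a fixed example day; only the hour matters here."""
    return datetime(2021, 1, 14, hour, 0, tzinfo=timezone.utc)


def in_window(now: datetime, windows) -> bool:
    return any(start <= now.hour < end for start, end in windows)


def preflight_scan(target: str, now: datetime, inventory=INVENTORY) -> Decision:
    """Decide whether an unattended vulnerability scan of `target` may proceed.

    Every refusal carries a reason, so the playbook can hand the analyst
    a decision they can act on rather than a silent no-op.
    """
    d = Decision(allowed=False)
    asset = inventory.get(target)
    if asset is None:
        # An unknown host is exactly the case where automation should stop:
        # we have no owner to notify and no policy to apply.
        d.reasons.append("target not in asset inventory; refusing to scan an unknown host")
        return d

    d.context = {"hostname": asset["hostname"], "owner": asset["owner"],
                 "tags": sorted(asset["tags"])}

    blocked = BLOCKING_TAGS & asset["tags"]
    if blocked:
        d.reasons.append(f"tags {sorted(blocked)} require human approval before an active scan")
    if not in_window(now, asset["maintenance_utc"]):
        d.reasons.append("outside the approved scan window for this host")

    if not d.reasons:
        d.allowed = True
        d.reasons.append("all pre-checks passed")
    return d


if __name__ == "__main__":
    for target in ("10.0.4.17", "10.0.9.3", "10.0.1.1"):
        dec = preflight_scan(target, utc_at(3))
        print(target, "ALLOW" if dec.allowed else "HOLD", "|", "; ".join(dec.reasons))
```

The shape matters more than the specific checks: the playbook refuses by default, only proceeds when every check passes, and records both the reasons and the enrichment it gathered. That record is what lets a human review or override the decision, which is the "elevate, not replace" principle from the section above applied to a single automated step.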
Get Creative to Streamline Processes
With IT and security teams stretched increasingly thin, automation is often most effective when used to complete routine tasks to free up time for teams to focus on more important business priorities. Try looking at automation and its potential uses creatively, beyond just running scripts.
For example, automation can help differentiate suspicious insider events from harmless ones. One way to do this is to use automation to continuously simulate common red team or adversary tactics, which quickly shows which risks are present and where security coverage has gaps. By automating these tests, enterprises can identify where the greatest user-related risks lie and address them by tuning alerts or providing employee training.
Use Automation to Add Context to Data
Data overload is a persistent problem for security teams, who often rely on disparate tools that collect and store data in many different locations. Some teams try to solve this by funneling all of their data into a single, searchable repository, but that approach can involve a great deal of manual, time-consuming processing that defeats the goal of greater efficiency.
Instead of manually sifting through and parsing data, security teams can deploy automation to correlate data from multiple sources and separate relevant alerts from irrelevant data and false positives. This helps security teams make better decisions and removes the blind spots that hinder decision-making. By using automation to organize data, teams gain context around their workflows and the background needed to choose which plays to run against which events.
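The following is an added example of that correlation step, written for this edit and not taken from ReliaQuest or the author. It takes three constructed sources, EDR alerts, a VPN authentication log and a CMDB with approved change tickets, and joins them so that each alert arrives with an owner, a criticality, and a verdict. The event formats, the scoring weights and the "home geo" table are assumptions; the technique is the thing to take away: an alert that coincides with an approved change window on the same host and user is downgraded, while one preceded by a VPN login from an unexpected country is escalated.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption, not real data).
EDR_ALERTS = [
    '{"ts":"2021-01-14T03:12:09Z","host":"web-01","user":"svc-deploy","proc":"psexec.exe","rule":"remote-exec"}',
    '{"ts":"2021-01-14T11:47:30Z","host":"fin-wks-07","user":"jdoe","proc":"powershell.exe","rule":"encoded-command"}',
    '{"ts":"2021-01-14T11:50:02Z","host":"dev-04","user":"mlee","proc":"nmap.exe","rule":"port-scan"}',
]
VPN_LOG = [
    "2021-01-14T11:40:12Z user=jdoe src=203.0.113.9 geo=RO result=success",
    "2021-01-14T09:05:44Z user=mlee src=198.51.100.4 geo=US result=success",
]
CMDB = {
    "web-01": {"owner": "platform", "criticality": "high"},
    "fin-wks-07": {"owner": "finance", "criticality": "high"},
    "dev-04": {"owner": "appdev", "criticality": "low"},
}
# Approved change tickets: expected activity by a given user on a given host.
CHANGE_TICKETS = [
    {"host": "web-01", "user": "svc-deploy",
     "start": "2021-01-14T03:00:00Z", "end": "2021-01-14T04:00:00Z"},
]
HOME_GEO = {"jdoe": "US", "mlee": "US"}   # assumed normal login country per user


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn(line: str) -> dict:
    """'<ts> k=v k=v ...' -> dict with a parsed timestamp."""
    ts, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["ts"] = parse_ts(ts)
    return rec


VPN_EVENTS = [parse_vpn(line) for line in VPN_LOG]


def covered_by_change(alert: dict):
    """Return the change ticket that explains this alert, if any."""
    for t in CHANGE_TICKETS:
        if (t["host"] == alert["host"] and t["user"] == alert["user"]
                and parse_ts(t["start"]) <= alert["ts"] <= parse_ts(t["end"])):
            return t
    return None


def recent_foreign_login(alert: dict, lookback=timedelta(minutes=60)):
    """Successful VPN login by the same user, shortly before, from a non-home geo."""
    for ev in VPN_EVENTS:
        if (ev["user"] == alert["user"] and ev["result"] == "success"
                and alert["ts"] - lookback <= ev["ts"] <= alert["ts"]
                and ev["geo"] != HOME_GEO.get(ev["user"])):
            return ev
    return None


def triage(alert_line: str) -> dict:
    """Enrich one EDR alert with CMDB, change and VPN context and score it."""
    alert = json.loads(alert_line)
    alert["ts"] = parse_ts(alert["ts"])
    score, reasons = 1, [f"EDR rule {alert['rule']} fired"]

    asset = CMDB.get(alert["host"], {"owner": "unknown", "criticality": "unknown"})
    if asset["criticality"] == "high":
        score += 2
        reasons.append("host is high criticality")
    if covered_by_change(alert):
        score -= 3
        reasons.append("activity falls inside an approved change window for this user and host")
    login = recent_foreign_login(alert)
    if login:
        score += 3
        reasons.append(f"VPN login from {login['geo']} ({login['src']}) shortly before the alert")

    # Assumed thresholds: <=0 suppress, 1-3 investigate, >=4 escalate.
    verdict = "suppress" if score <= 0 else "investigate" if score <= 3 else "escalate"
    return {"host": alert["host"], "owner": asset["owner"], "score": score,
            "verdict": verdict, "reasons": reasons}


def triage_all(lines=EDR_ALERTS) -> list:
    return [triage(line) for line in lines]


if __name__ == "__main__":
    for r in triage_all():
        print(f"{r['host']:<11} {r['verdict']:<11} owner={r['owner']:<9} | " + "; ".join(r["reasons"]))
```

Each verdict carries the reasons that produced it, so an analyst can see at a glance why the psexec alert on web-01 was suppressed (an approved deployment window) and why the PowerShell alert on the finance workstation was escalated (a login from an unexpected country minutes earlier). That is the context the section describes: the automation does not decide the incident, it assembles what the analyst needs to choose the next play.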
Final Thoughts
Many automation and orchestration solutions are not designed for companies just starting down the automation path. They require customers to develop and maintain code to create plays and playbooks, rather than letting them focus on which playbooks to run, and when. Furthermore, they tend to focus on automating response rather than looking holistically at the security lifecycle, from detection and investigation through remediation and even threat hunting.
It is important for businesses to explore any opportunities to improve efficiencies, particularly as security budgets decrease going into 2021 to account for economic uncertainty. By thinking both broadly and practically about the role of automation, enterprises can make their team’s efforts to keep their environment secure both more efficient and effective.
About the Author
Joe Partlow is the CTO of ReliaQuest, a leader in enterprise cybersecurity, where he oversees all new research and development efforts and new product initiatives. Joe has been involved with infosec in some role for over 20 years; mostly on the defensive side, but always impressed by offensive tactics. Current projects and interests include data analytics at scale, forensics, threats, security metrics & automation, red/purple teaming and artificial intelligence.