A Match Made in Technology Heaven: When Machine Meets Human
May 27, 2019How SOAR Platforms Empower SOC and IR Teams
May 30, 2019Taking Things to the Next
Level with Security Automation
Automation is getting a lot of attention in the security industry right now.
And that’s hardly surprising. What security team wouldn’t want to have their most time consuming manual processes completed automatically?
But is automation really all it’s cracked up to be? Let’s take a closer look.
What is Security Automation?
Quite simply, security automation is the use of technology (usually via a SOAR or IR platform) to complete security processes without input from a human analyst.
In the past, only very simple processes like performing lookups or extracting data could be performed automatically. Now, however, it’s common for security teams to automate much more complex tasks. More on this later.
The Benefits of Security Automation
Automation has one of the highest value propositions of any security technology: Get more done in less time.
But the true value of security automation go way beyond this. Here are the top five benefits security teams see from automation:
1) Alleviates pressure caused by the cyber security skills gap
Many security teams are understaffed purely due to the severe shortage of skilled cyber security professionals. Automating security processes helps limit the stress placed on security teams by reducing the burden of time consuming and repetitive processes.
2) Helps reduce alert fatigue
Many alerts are simple to process, but waste a lot of time — for example, adding new rules to a firewall, or blocking malicious IP addresses. Such processes are simple to automate, which means these incidents can be processed without any input from human analysts.
3) Improves median time to resolution (MTTR)
Automation can drastically reduce the time needed to remediate common security incidents, often by as much as 50-90%. This is a huge advantage in a world where an attacker’s time to compromise (TTC) can be measured in minutes.
4) Reduces operational inefficiencies
Again, time consuming processes are a major issue for SOC and IR teams. Not only do they waste a huge amount of time, they also drastically reduce analysts’ potential to add value in other areas. Reducing operational inefficiencies through automation can dramatically improve security outcomes by freeing up analysts to focus on higher value security tasks.
5) Limits potential for human error
One of the biggest issues with repetitive, manual processes is the increased potential for human error. When implemented properly, automation removes the risk of human error from common security processes.
Not bad, right?
Of course, these benefits assume that automation is implemented properly. When security automation is implemented badly, it’s a different story altogether.
When Security Automation Goes Wrong
Here’s the problem. When a security analyst is forced to complete a manual process over and over, there is always the potential for human error. Occasionally they’ll miss something or make a mistake, and serious consequences may arise.
But when the same process is automated, there are two possible outcomes:
- The automated process is good, so outcomes are also consistently good.
- The automated process is not good — i.e., it contains errors — so mistakes are made every single time the process is completed.
This is the dark side of security automation. When things are working well everything is great. But when things aren’t working well the results can be catastrophic. Worst of all, because automated processes happen “in the background” they are quickly forgotten, and receive minimal oversight. As a result, errors often go unchecked. Over time, bad automated processes can add up to a huge security risk.
In the last post, we explained why security orchestration always comes before automation. In short, you need to make sure your processes are watertight before you even consider automating them.
What do we mean by watertight? Your processes — which should be clearly documented — must represent the knowledge and practices of your most experienced security professionals on their very best day. Processes should be checked, tested, and agreed by multiple analysts before they are automated.
Even once a process has been automated, it should regularly audited to ensure it remains an accurate, efficient, and (above all) safe way to process a security incident.
Bringing Everything Together
Over the last few posts we’ve looked at three important topics:
- The top challenges faced by security teams
- How security orchestration helps alleviate those challenges
- How automation can act as a force multiplier for security teams
In the next post, we’ll take things a stage further. We’ll look at how security teams can combine the value of security orchestration and automation to tackle their top challenges, and drastically improve security outcomes.
How? By using SOAR — Security orchestration, automation, and response.
See you there.
