Automation is getting a lot of attention in the security industry right now.
And that’s hardly surprising. What security team wouldn’t want its most time-consuming manual processes completed automatically?
But is automation really all it’s cracked up to be? Let’s take a closer look.
Quite simply, security automation is the use of technology (usually via a SOAR or IR platform) to complete security processes without input from a human analyst.
In the past, only very simple processes like performing lookups or extracting data could be performed automatically. Now, however, it’s common for security teams to automate much more complex tasks. More on this later.
Automation has one of the highest value propositions of any security technology: Get more done in less time.
But the true value of security automation goes well beyond this. Here are the top five benefits security teams see from automation:
Many security teams are understaffed purely because of the severe shortage of skilled cyber security professionals. Automating security processes helps limit the stress placed on security teams by reducing the burden of time-consuming and repetitive processes.
Many alerts are simple to process, but waste a lot of time — for example, adding new rules to a firewall, or blocking malicious IP addresses. Such processes are simple to automate, which means these incidents can be processed without any input from human analysts.
Automation can drastically reduce the time needed to remediate common security incidents, often by as much as 50-90%. This is a huge advantage in a world where an attacker’s time to compromise (TTC) can be measured in minutes.
Again, time-consuming processes are a major issue for SOC and IR teams. Not only do they waste a huge amount of time, they also drastically reduce analysts’ capacity to add value in other areas. Reducing operational inefficiencies through automation can dramatically improve security outcomes by freeing up analysts to focus on higher-value security tasks.
One of the biggest issues with repetitive, manual processes is the increased potential for human error. When implemented properly, automation removes the risk of human error from common security processes.
Not bad, right?
Of course, these benefits assume that automation is implemented properly. When security automation is implemented badly, it’s a different story altogether.
Here’s the problem. When a security analyst is forced to complete a manual process over and over, there is always the potential for human error. Occasionally they’ll miss something or make a mistake, and serious consequences may arise.
But when the same process is automated, there are two possible outcomes:
This is the dark side of security automation. When things are working well everything is great. But when things aren’t working well the results can be catastrophic.
Worst of all, because automated processes happen “in the background” they are quickly forgotten, and receive minimal oversight. As a result, errors often go unchecked.
Over time, bad automated processes can add up to a huge security risk.
In the last post, we explained why security orchestration always comes before automation. In short, you need to make sure your processes are watertight before you even consider automating them.
What do we mean by watertight? Your processes — which should be clearly documented — must represent the knowledge and practices of your most experienced security professionals on their very best day. Processes should be checked, tested, and agreed on by multiple analysts before they are automated.
Even once a process has been automated, it should be regularly audited to ensure it remains an accurate, efficient, and (above all) safe way to handle a security incident.
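As an added example (not code from the original post), here is a guarded version of the “block a malicious IP address” action mentioned earlier: it refuses to touch internal or allowlisted ranges, caps how many blocks a single run may push before escalating the rest to an analyst, and records every decision so the automated process can be audited later. The firewall integration `apply_block`, the ranges, and the candidate addresses are all constructed placeholders.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed guardrails: ranges an automated action must never touch, and a
# cap on how many blocks a single run may push before escalating to a human.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "169.254.0.0/16")]
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]  # constructed partner range
MAX_BLOCKS_PER_RUN = 5

# Constructed candidate list, as an alert-enrichment step might produce it.
SAMPLE_CANDIDATES = [
    "203.0.113.45", "10.1.2.3", "198.51.100.7", "not-an-ip",
    "203.0.113.46", "203.0.113.47", "203.0.113.48", "203.0.113.49", "203.0.113.50",
]


def check_candidate(ip_str):
    """Return (allowed, reason) for one candidate address."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False, "invalid address"
    if any(ip in net for net in NEVER_BLOCK):
        return False, "internal/non-routable range"
    if any(ip in net for net in ALLOWLIST):
        return False, "allowlisted"
    return True, "ok"


def block_ips(candidates, apply_block):
    """Run the guarded action; apply_block is the (hypothetical) firewall integration."""
    blocked, skipped, audit = [], [], []
    for ip in candidates:
        allowed, reason = check_candidate(ip)
        if allowed and len(blocked) >= MAX_BLOCKS_PER_RUN:
            allowed, reason = False, "run cap reached; escalated to analyst"
        if allowed:
            apply_block(ip)
            blocked.append(ip)
        else:
            skipped.append((ip, reason))
        # Every decision, taken or not, goes to the audit trail for later review.
        audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "ip": ip, "blocked": allowed, "reason": reason})
    return {"blocked": blocked, "skipped": skipped, "audit": audit}


if __name__ == "__main__":
    result = block_ips(SAMPLE_CANDIDATES, lambda ip: print("blocking", ip))
    for entry in result["audit"]:
        print(entry)
```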
Over the last few posts we’ve looked at three important topics:
In the next post, we’ll take things a stage further. We’ll look at how security teams can combine the value of security orchestration and automation to tackle their top challenges, and drastically improve security outcomes.
How? By using SOAR — Security orchestration, automation, and response.
See you there.