3 Things You Can do Now to Accelerate Your Security Automation Program

Every cybersecurity team is familiar with the never-ending stream of events to triage, controls to implement, processes to optimize, and metrics to report. At the same time, there are more than 2.5 million unfilled cyber jobs around the globe. How can cyber teams square this circle?

Returning from the latest conference with the promise of Security Orchestration, Automation and Response (SOAR) might seem like a silver bullet. However, heading down this path without a thoughtful approach to automation strategy, design, and implementation has led many to invest in a tool that only causes further frustration and burden on an overloaded security engineering team.

At TalonX, we have identified three key actions that organizations can quickly implement to mobilize and accelerate security automation.

1. Invest in cyber engineering and automation resources up-front

You’d like your team to focus analyst time on higher value activity (e.g., threat hunting), drive operational excellence, and reduce the likelihood of a breach, so you’ve decided that SOAR is right for your organization. Unfortunately, a tool alone will not suffice.

Our recent automation research found that 50% of organizations struggle with their automation programs due to a lack of security engineering talent or a lack of automation design knowledge. Aligning engineering talent with the team’s automation objectives avoids an outcome in which automation simply accelerates poorly designed processes and technology.

50% of organizations struggle with automation programs due to a lack of security engineering talent or a lack of automation design knowledge

Security engineers should be familiar with process design, or, even better, automation workflow design. Simply automating a process as it is currently performed by a human rarely results in the desired gains. Instead, engineers need to be able to identify efficiencies in the existing process and translate them to a design.

Recruit security engineers who are familiar with the tools that will be used as part of automated workflows. A deep understanding of the usage and capabilities of these tools, along with the functionality they expose via API, is key to employing them in a workflow.

Engineers need to have programming skills. Python is the lingua franca for cybersecurity automation, and automating usually requires some custom code development, even when workflows are built within a SOAR tool.

2. Attack your inefficiencies and broken processes

You have made a successful business case for automation and want to mobilize the program. Now, the attention shifts to deciding what to automate. We find a deliberate discovery and planning process, guided by your overall objectives in adopting automation, is the best approach.

Start your automation design with a discovery activity to identify the data sources and automatable tools that can be leveraged for automation. Analyzing the status quo won’t suffice as the tools that the team uses in a process may not be the best ones for the job. There may also be non-security-owned data sources that enable significantly improved decision-making for automated workflows in security. Be sure to investigate tools and data owned by the broader IT team and even other parts of the business (e.g., marketing, sales) where it makes sense. The output of this discovery process should be a list of potential automation use cases according to the tools that are available.

Potential use cases should be prioritized with the insight derived from discovery. Your desired outcomes for automation should be the primary drivers of prioritization. In our research, we’ve identified more than a dozen distinctive reasons why organizations decide to automate, and each one comprises a different lens through which to view use case prioritization. For example, organizations that are looking to reduce the complexity of their technology stack might prioritize automation use cases which reduce duplication of functionality or controls and may allow the removal of those tools from the environment.

After you decide what should be prioritized for automation, you need to design each use case with optimization and efficiency in mind. In most organizations, early automation use cases are typically focused on data enrichment and status communication (e.g., automation of status emails). However, real productivity gains from automation are realized when the team empowers the tools to actually do something rather than just giving information to a human analyst.

To identify potential efficiency gains, engineers should analyze tool and API documentation to uncover underutilized features and capabilities in individual tools. Then, workflows should be designed to include response actions where appropriate. For example, most intrusion detection systems include blocking functionality that is woefully underutilized in many environments. This feature could be leveraged in a range of security operations automation workflows for cases where high-confidence malicious activity has been discovered.

3. Look beyond your security operations center (SOC)

Security Operations is an ideal place to begin your automation journey, as there are a number of quick wins that can deliver significant value for the organization. These include:

  • Event Enrichment

  • Malware Analysis

  • Workflow Management

  • Proactive Control Remediation

Our research indicates that organizations that look beyond the SOC are driving the greatest value from their automation program. Establishing a cross-functional team of security experts across network security, application security, security operations, engineering, and identity and access management can help identify high-impact, low-cost automation opportunities beyond the SOC.

Organizations that look beyond the SOC are driving the greatest value from their automation program

While 44% of organizations reported using automation for at least one process in security operations (i.e., security monitoring, incident response, or cyber threat intelligence), 52% reported using automation to augment at least one function outside the SOC (e.g., identity and access management, application security, cloud security, vulnerability management, etc.).

In addition, the function that respondents most wanted to see automated, in whole or in part, was vulnerability management, with 40% of respondents identifying it as their top automation priority.

Incoming event data contrasted against application security scans can help determine the difference between requiring an updated firewall ruleset and a full-blown incident. Shortening the time between detection and future prevention will help your organization evolve against fast-moving threats like ransomware.
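As an added illustration of two ideas from this article, a response action gated on confidence (section 2) and an event contrasted against application security scan results to choose between a firewall rule update and a full incident (above), here is a small Python playbook skeleton. It is not TalonX's code; the alert, scan findings, block list and the `block_source` stand-in are constructed assumptions.

```python
import ipaddress

# Constructed sample inputs (not real data): app-sec scan findings per host,
# a small list of previously seen malicious sources, and the internal ranges.
SCAN_FINDINGS = {"web-01": {"sql-injection"}, "web-02": set()}
KNOWN_BAD_SOURCES = {"203.0.113.7"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Maps an IDS signature name to the vulnerability class a scanner would report.
SIGNATURE_CLASS = {"sqli-attempt": "sql-injection", "xss-attempt": "xss"}

AUDIT_LOG = []  # every automated action is recorded; a real playbook would write to the SIEM


def block_source(ip):
    """Hypothetical stand-in for the IDS/firewall blocking API call."""
    AUDIT_LOG.append(("block", ip))


def enrich(alert):
    """Enrichment only: gather context without taking any action."""
    src = ipaddress.ip_address(alert["src_ip"])
    vuln_class = SIGNATURE_CLASS.get(alert["signature"])
    return {
        "internal_source": any(src in net for net in INTERNAL_NETS),
        "known_bad": alert["src_ip"] in KNOWN_BAD_SOURCES,
        "target_vulnerable": vuln_class in SCAN_FINDINGS.get(alert["dst_host"], set()),
    }


def confidence(alert, ctx):
    """Combine the detector's own confidence with an intel hit."""
    score = alert["ids_confidence"]
    if ctx["known_bad"]:
        score = min(1.0, score + 0.2)
    return score


def triage(alert, threshold=0.8):
    ctx = enrich(alert)
    score = confidence(alert, ctx)
    # Internal sources and low-confidence hits are never auto-blocked; hand to an analyst.
    if ctx["internal_source"] or score < threshold:
        return "analyst_review", ctx
    block_source(alert["src_ip"])  # the response action, taken only for high confidence
    if ctx["target_vulnerable"]:
        return "incident", ctx          # exploit attempt against a host the scan shows is exposed
    return "firewall_rule_update", ctx  # blocked at the edge; the target was not vulnerable


if __name__ == "__main__":
    alert = {"src_ip": "203.0.113.7", "dst_host": "web-01",
             "signature": "sqli-attempt", "ids_confidence": 0.75}
    print(triage(alert))
```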