Cybersecurity Automation: A Closer Look At The Use Cases

Share and earn Cybytes
Facebook Twitter Google+ LinkedIn Email

CISOs I talk to tell me that when it comes to cost-cutting cybersecurity automation is all about tightening the corners rather than cutting them, but that doesn’t mean that automation can’t show you some real gains in your CSOC. In this article, we will take a closer look at the low hanging fruit automation use cases in order to illustrate how this can be the case.


Some CISOs out there are leveraging sophisticated cybersecurity automation, which includes well thought out playbooks, human prompts and decision making logic to execute automated actions that help a CSOC analyst investigate an event before going on to remediate it.


When it comes to handling complex automation use cases SOAR (Security Automation & Orchestration) platforms are your friend, a good SOAR platform will help you compile your automation playbooks to alleviate some of those important, but time-consuming, manual tasks.


Correlating Data 

Any CSOC worth its salt collects extraordinary amounts of data, but none of it has any value if it cannot be converted into actionable next steps. Data is a great source of learning, but if it’s not organized, processed and made available in the right format for decision making, it’s useless and becomes a burden rather than a benefit.


A good automation playbook helps you correlate data by pulling in all the threat data from across your infrastructure and validating it against threat intelligence data from outside sources. Sharp analysts leverage the output of this kind of automation by using it to identify known threats that behave similarly. Doing this manually is just not an option for most CSOCs, they have too much data that needs to be sequenced quickly and accurately and too high a threat volume to deal with, but automation helps you quickly convert that data into next steps.


Communicating Across The Organization 

Updating other teams within your organization takes much more time than anyone would think and is an often neglected task because of that. Sometimes it’s because the case management GUIs are clumsy when copying information between them, other times it’s because your team is just too busy. Automating the process of intra-organizational communication around threats frees up your team to focus on more important tasks. It can also help you develop better metrics to share with the rest of your organization and increase your audibility across with company executives.


Detecting Infections Already In Your Network

Dwell time is the duration of time an unauthorized intruder has undetected access to your network until the threat has been completely removed, it’s the metric we use to describe how quickly we can detect and remove threats. The average dwell time for most organizations is somewhere between 50-150 days, which is just crazy when you think about it. To stop an attack before your data has been exfiltrated outside of your network, your team has to be moving faster than the attack is, identifying suspicious behaviors and identifying infected hosts to get ahead of attacks.


In the same way that the analysis of unknown threats attempting to penetrate your network is a laborious and manual task, the manual correlation and analysis of data from across your endpoints, mobile devices, servers, and networks can be much more difficult to scale. By automating this workflow, if something on your network becomes comprised, the subsequent analysis, investigation, and remediation become much faster, driving down dwell time.


Vulnerability Reporting & Alerting 

One of the most unpopular tasks in a CSOC is vulnerability report review, looking into a systems previous history and working out who the system owner is, or in many cases the business owner.  This is some of the lowest hanging fruit in the cybersecurity automation playbook and automating this workflow will make your analysts much more productive as they have time to focus on more important tasks. When vulnerability reporting and alerting is automated and combined in a SOAR platform with dynamic threat analysis, your ability to detect sophisticated threats is dramatically increased.


Generating/Implementing Protections Faster Than Threats Can Spread 

Once your team identifies a threat on the network, protections need to be prepared and deployed faster than the threat can propagate, moving laterally through your endpoints and networks. Creating sets of protections from different technologies manually, ones that are capable of mitigating against am attackers future behavior is a difficult and time-consuming task that is complicated by the number of different security vendors that you have in your CSOCs technology stack.


Once your team has built their mitigating protections, these then must be implemented in order to stop the attack from gaining a deeper foothold on your network.  Deploying these protections across the enterprise to endpoints and servers in order to mitigate against the attacks current and future behaviors is a time-consuming manual task.


Automating every aspect of this response can dramatically speed up your team’s response times, enabling them to create protections on the fly, without straining your CSOC. The only way to stay ahead of a well-coordinated attack is by using automation to deploy your protections. Your adversaries leverage automation in order to attack you and the only way to stay in front and ahead of adversaries is by leveraging automation in your security efforts in order to counter them effectively.


The use cases that I have outlined above are just a few of the cybersecurity workflows that you can automate in order to make your CSOC more effective, but other CSOC workflow use cases can equally be as effective in delivering improvements in your efficiency and consistency.

A good SOAR platform can help you automate a wide range of different CSOC functions and workflows, such as penetration testing, intelligence sharing, and user management in order to deliver those services in a more effective way.  

Post provided to you by @InfosecScribe

Share this post and earn Cybytes
Facebook Twitter Google+ LinkedIn Email
About CyberSponse, Inc.
CyberSponse Incorporated, a global leader in cyber security automation & orchestration, helps accelerate an organization’s processes, security operations teams and incident responders. The CyberSponse platform enables organizations to seamlessly integrate, automate and playbook their security tool stack, enabling better, faster and more effective security operations. With a global presence, offering an enterprise platform, Cybersponse enables organizations to secure their security operations teams and environments.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?