Driving Security Automation The Right Way


Is your security team becoming a little frazzled around the edges from too many security alerts and from dealing with false positives? Is responding to those alerts accurately and promptly becoming a growing challenge for your team? Do you have lots of well-defined, repeatable tasks that still demand a great deal of manual work?


If you answered yes to all of those questions, then you are a prime candidate for cybersecurity automation. However, how do you go about driving automation in your CSOC and where do you begin? An excellent place to start is to first take stock of where you are.


Define Your Needs


Organizations and CSOCs adopt automation for many reasons; however, before starting your automation journey, it is essential to define and clarify your needs. Knowing your automation needs will help you evaluate potential solutions down the line.


It's evident that the influx of too many security alerts is a growing problem. Beyond that, is managing too many security products and integrations getting difficult, or are you having trouble retaining talent because executing the same repetitive workflows has become monotonous?


Document and discuss all of your internal needs and prioritize them. Once you have tightly defined your needs, you can set about defining typical use cases. For example, you could start by automating part of your phishing investigation workflow, where the automation takes care of extracting indicators from headers, body, and attachments and looking up their reputations.


Almost every aspect of reviewing threats (triage), calculating risk (escalation) and threat response (remediation) can be automated, freeing up vast amounts of operational time.


What are your top business drivers and priorities?


What are the metrics that matter to you? Could it be an increase in the number of incidents investigated? Improved response time and MTTR? Cost management?


You may want to automate your data enrichment tasks or orchestrate and automate your threat hunting, or perhaps you want to automate malware analysis if it becomes a problem for your CSOC.  Once you have defined your needs and use cases, only then are you prepared to begin moving towards adopting automation on a larger scale.


Remember that you don’t have to apply automation to every use case or step in a process you have. In many cases, automation is leveraged to improve individual steps in a process while leaving the security operator in full control of the workflow.  


Taking The First Steps Towards Automation


Some CSOC teams adopt an agile approach to automation, meaning that they add automation incrementally in the areas where it makes the most sense, rather than trying to automate everything at once.  Those experiences and the learning process the team goes through during automation are a continuous stepping stone into other automation areas.


One thing you will learn while automating elements of your CSOC is that most processes contain key decision points that aren't suitable for automation. Automation is fantastic at executing time-consuming or repetitive tasks, while humans are brilliant at making decisions based on the information in front of them; when automation genuinely empowers humans, they can respond to incidents faster and more efficiently than they could without it. I spoke to Joe Loomis at Cybersponse to ask him how granularly automation could be embedded within a human operator's workflow in a way that would make the operator more efficient. He told me, "our own automation platform Cybersponse has many options in its workflow design arsenal that blend in human decisions, such that the automation could continue based on what the analyst inference was".


So, for example, if an IP was found to be malicious during automation, a task could be created and the analyst presented with a question such as "Do you want to escalate this alert or continue the investigation?" Depending on the analyst's response, the automation could go either way.
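As an added illustration of the two ideas above (the phishing indicator-extraction use case and the analyst decision point), here is a small Python triage step that is not code from the original post or from CyberSponse's platform. It parses a constructed sample message, extracts indicators from the headers, body and attachments, scores them against a constructed local reputation list (standing in for a real threat-intel lookup), and then returns the escalate-or-continue question for the analyst instead of escalating on its own.

```python
import email, hashlib, re
from email import policy

# Constructed sample message (RFC 5322), standing in for a user-reported phish.
SAMPLE_EML = b"""Received: from mx.example (unknown [203.0.113.45])
From: it-support@login-verify.example
Subject: Password expiry
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please verify at http://login-verify.example/reset now.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
# Constructed local reputation list, standing in for a threat-intel lookup.
KNOWN_BAD = {"ip": {"203.0.113.45"}, "domain": {"login-verify.example"}, "sha256": set()}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def extract_indicators(raw: bytes) -> dict:
    """IPs from Received headers, URL hosts from the body, SHA-256 of attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ips = {ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(h)}
    body = msg.get_body(preferencelist=("plain", "html"))
    hosts = {h.lower() for h in HOST_RE.findall(body.get_content())} if body else set()
    hashes = {hashlib.sha256(p.get_payload(decode=True)).hexdigest()
              for p in msg.iter_attachments()}
    return {"ip": ips, "domain": hosts, "sha256": hashes}

def enrich(indicators: dict) -> dict:
    """Attach a reputation verdict to every extracted indicator."""
    return {k: {v: "malicious" if v in KNOWN_BAD[k] else "unknown" for v in vs}
            for k, vs in indicators.items()}

def triage(raw: bytes) -> dict:
    """Automate extraction and enrichment, then stop at the escalate-or-continue
    decision and hand it to the analyst rather than escalating automatically."""
    verdicts = enrich(extract_indicators(raw))
    hits = sorted(v for k in verdicts for v, r in verdicts[k].items() if r == "malicious")
    prompt = "Escalate this alert or continue investigation?" if hits else None
    return {"verdicts": verdicts, "malicious": hits, "analyst_prompt": prompt}
```

In a real playbook the reputation lookup would call your threat-intel service and the returned prompt would become the analyst task; the branch the analyst chooses is what decides whether the workflow continues.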


Analyzing your incidents is a great place to start looking for automation use cases.  


Take a close look at the incidents with the highest impact, the ones that take the longest to investigate and resolve, and perhaps the ones that occur most frequently. Work out your 'top ten' incidents on those criteria and analyze which vendors and systems are usually involved in them. Do these incidents require more information to be gathered, or actions to be taken, elsewhere? If so, can that process be automated?


Take a multidisciplinary approach: incident response does not work in silos.


When you have worked out which systems and teams have been affected in each use case, you will need to work with their owners and collaborate on the automation of critical steps within the process.  Teams working on automation projects need to understand the workflows and have lots of conversations about information sharing and their responses if they are to leverage automation to speed up resolutions and reduce risk in any significant way.


Focus on continuous improvement by starting small and building on proven value.


An excellent way to prove the value of automation is to measure response-time metrics and KPI improvements before and after automation is introduced. If your automation significantly reduces response times, the cost savings can be calculated to quantify the benefit of freeing your team's time for more mission-critical work.


There are significant cost savings to be found in cybersecurity automation, and a step-by-step approach lets you glean value from automation in a way that allows you to continuously refine your efforts over time.


The more you learn about your incident cases and the actions that need to be taken around them, such that a workflow or pattern can be formed, the more experienced your team will become at automating elements within those processes and applying automation in the real day-to-day world of your CSOC. When I spoke to a SOC manager at a reputable financial organization, he mentioned how much they gained by starting slowly and automating the bigger repetitive chunks, such as indicator enrichment, threat hunting, and notifications, in most use cases before they automated the more specific parts of each workflow. Learn from that and take baby steps at first.

Post provided to you by @InfosecScribe
