Proper Uses for Automation in your Security Operations Environment


This entry marks the beginning of a bigger, better and more comprehensive blog series, designed to offer innovative and experience-based best practices for adopting Security Operations Automation.

“The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” ―Bill Gates

The Foundation of Automation

If you are ready to change your operational needs, removing yourself from the same repetitive workload you deal with each day, and ready to consider automation to make your work life easier and more effective, then read on. One of the first keys to success with automation is identifying the right processes that you would like to automate, complete with a prioritized strategy for implementation and a way to qualify success. This blog series starts you on the exciting new adventure of automation, offering your team best practices for engineering playbooks where automation will help your operations and incident response processes.

Organizations today are looking at security automation and orchestration platforms to solve the overwhelming issues they face with the increasing number of alerts and the console hopping that security analysts experience every day. Removing the manual, repeated and taxing effort of reviewing (triage), calculating risk (escalation) and responding (remediation) to events in a smarter, more efficient and more productive manner can be achieved today. This comes with the core tenets of good operational discipline: delivering repeatable, predictable, and reliable responses.

Before we get into the good stuff, every project has to start off with the right approach and the right mindset before expecting to measure or achieve success. Over and over, security projects have turned to stone because of failures to follow best practices or procedures, including:

Project Team: Who*
Project Plan: What, How, When*
Beyond The Kickoff Meeting*

*Source: “3 Keys To A Successful Project Kickoff” by Robert B. Sowby

It’s a pretty standard assumption that the SOC team has a bunch of smart people within it (you know, the wizards within the security operations, infrastructure and technology teams), and it’s really important, if not critical, that you have executive buy-in before you get too far down the road. If not, start circling the wagons so that you are not hitting anyone with last-minute surprises; we both know how executives don’t like surprises.

Playbook Development

Secondly, we are going to discuss the need for automation justification and playbook development. Playbooks in reality are use cases; consider them the type of automation you dreamed you had after you kept doing the same task over and over when you first started in your organization. We call this the basis or foundation of the security orchestration and automated response pilot position. Just like dogfighting in aviation, there are plenty of different maneuvers that pilots need to master to stay in the fight. Let’s cover a few of these moves next:

Incident Enrichment & Data Collection

The foundation of your journey is something that out-of-the-box automated security operations platforms easily support. This is where the rubber hits the road and where all security teams kick things off: the collection of information. SOC team members all look at a large number of alerts being created and, with that, research, organize and sort the data hoping to find a few clues to the next steps. What they all realize after reviewing SOC automation is that they could be doing all the same research and investigative steps as pre-processing of an alert before it escalates into an incident or turns out to be a false positive (we all know how many of those we see each day).

When we are outside of our comfort zone and start to become naturally curious about automation, we start to imagine a day of consuming the data inside the triggering security tool alert and expanding upon it, or enriching it, without having to do the work manually. We can now skip all those steps of looking up an IP address against multiple threat feeds, searching our CMDB and looking at SIEM log files, all while copying and pasting it into a normalized console or Excel spreadsheet. Automation could do all this data enrichment for you without the hassle of copy, paste, look up, query or log.

Cyber Threat Assessment and Incident Response

Now to the good stuff: dealing with IR and threat assessments. This is where the avalanche of alerts is ingested into the platform and automatically correlated and organized, and the correct playbook of IR or assessment actions takes place. When we say “correct playbook of IR or assessment actions takes place”, understand that we’re not talking about opening the floodgates and automating your job as a smart analyst. The last thing you want is an automatic response that blocks your DNS server and takes down the entire organization’s Internet connection. Uh oh. Those are pipe dreams, and the CEO is going to blow his top if the crawl, walk, run approach is not taken. With our playbook engine and case management modules, we value the human-in-the-middle approach, unlike any other technology in the market. There will never be a 100% automated response without assuming some risk in your decision to deploy such playbooks. We all laughed when we heard many others say they could stop an attack with their technology, and unfortunately customers had to learn the hard way the difference between BS marketing and, well… reality (even if some folks believe their own stories… ha).
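To make the two previous sections concrete, here is an added Python example (not CyberSponse’s or Cybrary’s code) of one playbook step: it does the threat-feed, SIEM and CMDB enrichment an analyst would otherwise do by hand, then applies the human-in-the-middle rule so that a critical asset such as the DNS server is never isolated automatically. The feed entries, CMDB records, SIEM rows, host names and the 10.0.0.0/8 internal range are all constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data standing in for a threat feed, a CMDB and SIEM logs.
THREAT_FEED = {"203.0.113.7": {"verdict": "malicious", "tags": ["c2"]}}
CMDB = {"10.0.0.53": {"hostname": "dns01", "role": "dns-server", "critical": True},
        "10.0.4.21": {"hostname": "wkstn-421", "role": "workstation", "critical": False}}
SIEM_LOGS = [
    {"src": "10.0.4.21", "dst": "203.0.113.7", "event": "dns_query"},
    {"src": "10.0.0.53", "dst": "203.0.113.7", "event": "dns_forward"},
    {"src": "10.0.4.21", "dst": "203.0.113.7", "event": "tcp_connect"},
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

@dataclass
class Enriched:
    ip: str
    verdict: str = "unknown"
    tags: list = field(default_factory=list)
    hosts: dict = field(default_factory=dict)  # internal source -> CMDB record

def enrich(alert):
    """Triage step: collect feed, SIEM and CMDB context for the alert's IP."""
    e = Enriched(ip=alert["dst"])
    hit = THREAT_FEED.get(e.ip)
    if hit:
        e.verdict, e.tags = hit["verdict"], list(hit["tags"])
    for log in SIEM_LOGS:  # which internal hosts talked to this IP?
        if log["dst"] == e.ip:
            # A host missing from the CMDB is treated as critical (fail safe).
            e.hosts.setdefault(log["src"], CMDB.get(log["src"], {"critical": True}))
    return e

def decide(e):
    """Escalation step with a human in the middle: an external, feed-confirmed
    IP may be blocked automatically; an internal host is only isolated when
    the CMDB says it is non-critical, otherwise an analyst must decide."""
    external = ipaddress.ip_address(e.ip) not in INTERNAL
    plan = {"block_ip": external and e.verdict == "malicious",
            "isolate": [], "review": []}
    for src, rec in e.hosts.items():
        (plan["review"] if rec.get("critical") else plan["isolate"]).append(src)
    return plan
```

Running decide(enrich({"dst": "203.0.113.7"})) blocks the external C2 address and isolates the workstation, but routes the DNS server to an analyst instead of touching it.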

Security Threat Tracking & Adversary Hunting

The last scenario to support your SOC team with automation is to give them more time to actually engage in hunting threats within their network. A SOC incident responder can spend their days blocking IPs, finding file hashes within their network and stopping their DNS from resolving to dangerous domains, and that is also something automation can help with. Where the SOC team does not spend enough time is hunting adversaries that are moving laterally in your network. We’ve all seen teams use Python or Perl scripts to try to free up time; it’s hard to maintain these scripts when their authors move on to the next chapter of their careers.

Imagine your day if you could run all the typical hunt efforts with playbooks, tracking down adversaries faster by processing hashes, IPs and other artifacts in real time, ultimately closing the gap from detection to actual prevention of data exfiltration.

Check out other concepts on how to build better incident response playbooks at for more ideas and for more exciting announcements on our technology.

About CyberSponse, Inc.
CyberSponse Incorporated, a global leader in cyber security automation & orchestration, helps accelerate an organization’s processes, security operations teams and incident responders. The CyberSponse platform enables organizations to seamlessly integrate, automate and playbook their security tool stack, enabling better, faster and more effective security operations. With a global presence, offering an enterprise platform, Cybersponse enables organizations to secure their security operations teams and environments.
