Cybersecurity Automation: Overcoming Obstacles
“Automation” has become a buzzword in cybersecurity circles. This is not surprising in an environment where security specialists are scarce and under intense pressure to defend the business against a wide variety of threats from countless different sources. Using technology to do at least some of the work seems like a no-brainer. Still, it seems like organizations are struggling to take the right approach to cybersecurity automation.
Last year, ThreatQuotient conducted research that found that resources, time, and lack of confidence in results are holding companies back from realizing the benefits of automation. During a recent webinar, Nabil Adouani, CEO of StrangeBee and co-founder of TheHive Project, our Global Vice President of Threat Intelligence Engineering, Chris Jacobs, and I discussed the current state of automation, expectations about what automation can actually achieve, and what that means for real-world implementation.
From automation to orchestration and XDR, two sides of the same coin?
One of the challenges with automation is defining what we mean by the term and how it differs from orchestration. In reality, automation is anything that replaces a human-driven manual activity with a computer-driven alternative. It has applications in the technology sector anywhere there is a repetitive manual task that would be best done by a machine that never gets bored or makes mistakes.
In cybersecurity incident response, automation can be used at any stage of the process. Examples include ingesting alert data, enriching alerts, and even automating response items. Automation and orchestration are often used interchangeably, but a distinction should be made. Automation is the conversion or adaptation of a single manual process so that it is completed by a machine, while orchestration applies to a multi-step workflow involving several different tools, which are automated and brought together to perform a process.
When it comes to XDR, there is additional uncertainty as to what the term means. Analytics firm Gartner suggests that XDR should have a minimum of three elements, such as endpoint detection and response, security information and event management, and incident response capabilities, on your platform. This would constitute XDR, and orchestration could also be part of it, coordinating a series of automated actions based on the technological capabilities of the platform.
However, despite all the buzz around automation, orchestration, and XDR, the road to implementation hasn’t been easy.
Orchestration is not a silver bullet
At first glance, orchestration is a no-brainer, easing the burden of repetitive tasks and allowing cybersecurity teams to focus on higher-value activities. Yet adoption remains limited. Industry watchers have even seen examples where companies have gone from no orchestration to full orchestration and then back to no orchestration, because they found they were spending all their time and resources fixing automated workflows so that they worked properly. They came to the conclusion that a simple script could work just as well for their use case.
Chris Jacobs advises teams not to assume that by buying and installing a tool, they'll suddenly "magically" be able to do things they couldn't do before. First, they need to look at the processes they currently undertake manually and identify how these will benefit from being orchestrated into an automated workflow on the platform.
Nabil Adouani suggests that another reason for low adoption has to do with the number of existing tools already in use. When there are already a lot of tools in play, adding an orchestration platform that needs to be maintained actually increases the pressure on teams, the exact opposite of the intended effect. If security professionals who want to focus on security have to frequently add new use cases, update workflows, and work on integrations, this can lead to task avoidance and low adoption of the tool.
Decide where to start
Organizations can feel overwhelmed when confronted with the potential scale at which they could automate cybersecurity detection, management and response, so where to start?
First, decide what types of incidents you want to handle with the tool. Then look at what you are already doing, and where you are doing it, when an incident occurs. For example, you might be using spreadsheets, notes, and email to record and manage incidents, following a manual playbook. Examine this process and determine which elements could be automated and then orchestrated into a multi-step process in the platform. This approach has the added benefit of overcoming lack of confidence in the outcomes of orchestrated processes. If you know what the results of your process generally look like before you orchestrate it, it will be easier for you to rationally accept a similar result from the orchestration tool.
Vulnerability detection and management are important use cases for automation, and we recommend companies focus on that first. Network detection, email security and endpoint detection are all areas where, once problems are identified, several automated actions can be initiated, such as informing relevant stakeholders, enriching alert data and prioritizing the actions needed to mitigate the problem. In the case of vulnerability management, the scan identifies weaknesses and an automated workflow can share them with the people who need to take action to fix them.
It's also important to understand that the appropriate level of automation and orchestration will depend on the use case. Very few organizations will want to remove human oversight from a process entirely. For example, in patch management, it is not advisable to automatically patch all your servers just because the tool has identified a vulnerability and an available patch; there must be human input. Instead, you can use automation to find the right combination of compensating controls. So when the tool identifies a vulnerability, it automatically sends alerts to affected stakeholders so that compensating controls can be put in place before the patch is implemented.
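The following sketch is an added example, not code from the article or from any orchestration product. It shows the distinction drawn earlier between a single automated step (enrichment) and an orchestrated workflow, with patching held behind human approval while stakeholders are told to apply compensating controls. The asset inventory, finding identifiers, priority weighting and status names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: hosts, owners and finding ids are placeholders.
ASSETS = {
    "web-01": {"owner": "web-team@example.com", "critical": True},
    "build-07": {"owner": "ci-team@example.com", "critical": False},
}
SCAN = [
    {"host": "web-01", "finding": "VULN-PLACEHOLDER-1", "score": 9.1, "patch": True},
    {"host": "build-07", "finding": "VULN-PLACEHOLDER-2", "score": 5.4, "patch": True},
    {"host": "lab-99", "finding": "VULN-PLACEHOLDER-3", "score": 7.0, "patch": False},
]

@dataclass
class Ticket:
    host: str
    finding: str
    priority: float
    owner: str
    patch_available: bool
    status: str = "open"
    notices: list = field(default_factory=list)

def enrich(finding):
    """Single automated step: attach owner and criticality from the inventory."""
    asset = ASSETS.get(finding["host"], {"owner": "secops@example.com", "critical": False})
    # Hypothetical weighting: critical assets get a 1.5x bump, capped at 10.
    priority = min(10.0, finding["score"] * (1.5 if asset["critical"] else 1.0))
    return Ticket(finding["host"], finding["finding"], priority, asset["owner"], finding["patch"])

def orchestrate(scan, approvals=frozenset()):
    """Multi-step workflow: enrich -> prioritize -> notify -> gated patching."""
    tickets = sorted((enrich(f) for f in scan), key=lambda t: -t.priority)
    for t in tickets:
        t.notices.append(f"to {t.owner}: {t.finding} on {t.host}, apply compensating controls")
        if not t.patch_available:
            t.status = "compensating_controls_only"
        elif (t.host, t.finding) in approvals:
            t.status = "patch_scheduled"      # a human approved this change
        else:
            t.status = "awaiting_approval"    # never patch automatically
    return tickets

if __name__ == "__main__":
    for t in orchestrate(SCAN, approvals={("build-07", "VULN-PLACEHOLDER-2")}):
        print(t.priority, t.host, t.status, t.notices[0])
```

Running the manual playbook on the same scan and comparing its output with these tickets is one way to build the confidence in orchestrated results that the article describes.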
One of the main advantages of using a centralized platform is that all teams use the same data and start from the same point. This helps get cross-functional IT and security teams working together and begins to break down the silos that often exist between departments.
In summary, when getting started with automation, first identify the repetitive and time-consuming workflows you are already undertaking that can be orchestrated. Then design the workflow with the appropriate balance of automation and human input for the use case, initially focusing on the detection phase before determining what aspects of the response can or should be automated. Finally, explore how access to the tool can go further to break down silos between departments and get all teams working effectively on a unified security mission.
This approach should reduce some of the pain points of implementing automation and ensure that organizations are realistic in their expectations of what they can achieve.
Yann Le Borgne is International Vice President of Threat Intelligence Engineering, ThreatQuotient