New threats are increasing at an alarming rate. The need for extensive automation in cybersecurity initiatives is undisputed, but the implementation details of how best to reach that goal are often a point of contention inside an organization. You have to start somewhere, and you have to plan where and how to add automation once you get past the basics.
This article breaks down the benefits of cybersecurity tasks automation and a general checklist for which tasks to automate first as a priority.
- The general checklist.
- Four areas MSSPs should look first at automating.
- Next steps in automation planning.
- And more!
According to a Ponemon 2018 Cost of a Data Breach Study, “organizations that fully deployed security automation saved $1.5 million on the total cost of a data breach.” But cybersecurity automation is also “a missed opportunity,” according to another Ponemon study conducted on behalf of IBM, which found only 23% of respondents were significant users, while 77% reported using automation only moderately, insignificantly or not at all.
“Organizations with the extensive use of automation rate their ability to prevent (69% vs. 53%), detect (76% vs. 53%), respond (68% vs. 53%) and contain (74% vs. 49%) a cyberattack as higher than the overall sample of respondents.” — according to the latter study
The prevailing advice is that it is vital to automate as much of cybersecurity as possible, given the scale of data and assets that must be protected from a growing tsunami of threats.
Older threats are on the upswing, such as phishing attacks, which Microsoft reports are up by a whopping 250 percent. So are zombie threats, those that were once thought neutralized but are now revived by current events. Forrester cites economic espionage reawakened by the US-China trade war as a prime example.
“2015-2018 were quieter on the hacking front. But tariffs, trade wars, and other geopolitical tensions in Europe and Asia have strained relations between the two countries. Thus, Western firms should expect renewed hacking in 2019.” – according to a Forrester report
To make matters worse, new threats are emerging at an alarming pace. The University of San Diego includes several emerging threats on its list of top cybersecurity threats for 2019. Chief among them are cyber-physical attacks, state-sponsored attacks, crypto-jacking, third-party attacks, IoT attacks, and electronic medical records (EMR) attacks.
While the need for extensive automation in cybersecurity initiatives is undisputable, the implementation details in how best to reach that goal are often a point of contention inside of an organization. But you have to start somewhere, and you have to plan where and how to add automation once you get past the basics.
To assist with mapping out your automation plans, below are the key areas where automation makes the most sense in cybersecurity and the things you should consider in the next steps on your automation journey.
The General Checklist
Start by adopting a unified perspective in your automation planning, rather than taking the approach of inventorying assets and software and trying to automate security processes for each in a vacuum.
“Today’s IT assets should be thought of as an interconnected group instead of individual devices because they may be located in the on-premise infrastructure or somewhere in the cloud. Depending on the vendor these may be referenced as managed instances, network security groups or other terms but they are essentially a group of related IT resources bound together with common security rulesets” — Tulane University professor Dr. Bill Rials
Also, plan on automation taking more time than you expect. It usually takes a good while to convert processes from manual to automated and then to implement the changeover. That’s doubly true if your staff has limited experience in programming and/or implementing automation. It’s smart to leverage vendor relationships in building out automation, but don’t expect or rely on them to do all the work for you.
“Given that even if the vendor provides you with dozens of process automation playbooks, implementation takes time, as does education about the new process–it is all about planning and prioritizing,” — Edy Lamer, Vice President of products at Cyberbit.
On that note, below is a checklist for which security tasks to automate as a priority first:
- Tasks that will save the most time.
- Tasks with the greatest impact. For example, “if you have a process that is done manually at 2 a.m., it would make a few persons very happy when it is automated, even if it only takes 5 minutes of their time,” said Lamer.
- Tasks that help unstop your worst bottlenecks. “If you have a tier 3 analyst whose help is required by many people in the organization, and it is very hard for you to hire or train an additional one – automate some processes that would save her time to make more of it available,” explained Lamer.
- Tasks that remain the same in automated form as in their original manual form. These are easy for staff to understand and work with, since the process remains familiar.
- Tasks that force a process change to improve value. “Yes, I know this is the exact opposite of #4 above – but you can have a few of both. It may not be a quick win, but maybe worth it,” says Lamer. That’s especially true if the manual process is overly limited by its manual nature or by legacy technologies, or has outlived the reason it existed in the first place.
You can also build and narrow your starting list to those tasks that are simply the easiest to do.
“To achieve quick wins with cybersecurity automation, start with new deployments. This will allow the least amount of resistance as the automation components will be seen as part of the new technology deployment. Since most new IT deployments are at least somewhat involved with cloud and XaaS, I recommend deploying cybersecurity automation with cloud deployments,” said Dr. Rials.
Rials warns that starting automation efforts with legacy deployments is almost a sure fail. It’s better to tackle those processes further down the path of your automation journey.
“It is often difficult to deploy automation procedures to legacy IT deployments. Often there are years of procedures invested in legacy infrastructure and most of it requires manual processing. Along with any obvious technical challenges with the legacy infrastructure, there will also be many cultures and inter-organizational politics tied to the legacy infrastructure and any procedures that have been in place for a while,” Rials said.
Four Areas MSSPs Should Look First at Automating
“There are four areas of automation that come to mind, are relevant to MSSPs, and are useful in cyber today and will grow rapidly shortly,” said Christina Richmond, principal analyst at ESG, a global and independent analyst firm. Those four areas are:
Threat Intelligence Stack
Automation of the curation and contextualization of data from security system alerts to reduce the alert funnel and create actionable intelligence.
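The curation step described above, as an added example that is not part of the original article or any vendor’s product: raw sensor alerts are deduplicated within a time window, enriched with local threat-intelligence indicators and asset context, scored, and only those above a threshold are handed to an analyst. The alerts, indicators, asset records, field names and scoring weights are all constructed assumptions for illustration.

```python
"""Added example: curating raw alerts into actionable intelligence.
All data, field names and weights below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel indicators keyed by observable value.
THREAT_INTEL = {
    "203.0.113.45": {"type": "ip", "confidence": 90, "tags": ["c2"]},
    "bad.example.net": {"type": "domain", "confidence": 70, "tags": ["phishing"]},
}

# Constructed asset context, as a CMDB export might supply it.
ASSETS = {
    "10.0.0.5": {"owner": "finance", "criticality": "high"},
    "10.0.0.9": {"owner": "lab", "criticality": "low"},
}
CRITICALITY_WEIGHT = {"high": 30, "medium": 15, "low": 0}

T0 = datetime(2019, 6, 1, 2, 0, 0)
SAMPLE_ALERTS = [  # constructed sensor output: three repeats, two singles
    {"ts": T0, "rule": "outbound-conn", "src": "10.0.0.5", "dst": "203.0.113.45", "severity": 3},
    {"ts": T0 + timedelta(minutes=1), "rule": "outbound-conn", "src": "10.0.0.5", "dst": "203.0.113.45", "severity": 3},
    {"ts": T0 + timedelta(minutes=2), "rule": "outbound-conn", "src": "10.0.0.5", "dst": "203.0.113.45", "severity": 3},
    {"ts": T0 + timedelta(minutes=3), "rule": "dns-query", "src": "10.0.0.9", "domain": "bad.example.net", "severity": 2},
    {"ts": T0 + timedelta(minutes=4), "rule": "port-scan", "src": "10.0.0.9", "dst": "10.0.0.7", "severity": 1},
]


def enrich(alert):
    """Return a copy of the alert with matching intel and asset context attached."""
    out = dict(alert)
    observables = (alert.get("src"), alert.get("dst"), alert.get("domain"))
    out["intel"] = [THREAT_INTEL[o] for o in observables if o in THREAT_INTEL]
    out["asset"] = ASSETS.get(alert.get("dst")) or ASSETS.get(alert.get("src"))
    return out


def score(alert):
    """Priority = sensor severity x10 + best intel confidence + asset criticality."""
    s = alert.get("severity", 0) * 10
    if alert["intel"]:
        s += max(i["confidence"] for i in alert["intel"])
    if alert["asset"]:
        s += CRITICALITY_WEIGHT[alert["asset"]["criticality"]]
    return s


def curate(alerts, window=timedelta(minutes=10), threshold=60):
    """Collapse repeats of (rule, src, dst) inside `window`, enrich, score,
    and return the alerts worth an analyst's time, highest priority first."""
    groups = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        bucket = groups[(a["rule"], a.get("src"), a.get("dst"))]
        if bucket and a["ts"] - bucket[-1]["first_ts"] < window:
            bucket[-1]["count"] += 1  # same story as the open group: fold it in
        else:
            bucket.append({**a, "first_ts": a["ts"], "count": 1})
    result = []
    for merged in (g for gs in groups.values() for g in gs):
        e = enrich(merged)
        e["score"] = score(e)
        if e["score"] >= threshold:
            result.append(e)
    return sorted(result, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in curate(SAMPLE_ALERTS):
        print(e["score"], e["rule"], f"x{e['count']}", [i["tags"] for i in e["intel"]])
```

On the constructed input the three outbound-connection alerts collapse into one record (count 3) that scores 150 because the destination is a known C2 indicator and the source is a high-criticality asset; the DNS alert scores 90; the low-severity port scan with no intel match falls below the threshold and never reaches the queue.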
Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR)
EDR and MDR enable the discovery of threats through the use of algorithms and the automation of response. This is evolving and will continue to broaden into xDR, or “anything with DR,” covering, for example, network traffic analysis (NTA), sandboxing, EDR, threat intelligence, and security analytics combined. xDR can also include email, cloud, etc. Many MSSPs are partnering, acquiring, or developing MDR capabilities, and this will continue to grow. One can argue that MDR and xDR will become critical to MSSP success.
Automation of Workflows (Response and Service Management)
Tools like Resilient Systems, which automates response and vulnerability workflows into a ticketing system, and ServiceNow’s SecOps module, which integrates with IT service management (ITSM), assist the human analyst in reducing time to detect, respond, and manage the caseload.
Policy-Based Automated Response
Products like Akamai’s Web Application Protector allow customers to set up automated responses to DDoS and web application attacks, based on policies they set and correlated with specific combined triggers such as industry, company size, or known malware code or URLs.
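What a policy-driven automated response looks like in practice, as an added example that is not part of the original article and is not Akamai’s or any other vendor’s logic: a small rule engine reads web access-log lines, groups them by client, fires a volumetric rule on request rate and content rules on suspicious request paths, and emits the strongest action any rule asked for. The log lines, thresholds, patterns and action names are all constructed assumptions.

```python
"""Added example: a policy engine that turns rate and payload triggers into
automated responses. Log format, thresholds and actions are assumptions."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed content-inspection patterns (illustrative, not a complete WAF ruleset).
SQLI = re.compile(r"(union\s+select|'\s*or\s+1=1|sleep\()", re.I)
TRAVERSAL = re.compile(r"\.\./")

# Constructed policy: a rate rule and two content rules with separate thresholds.
POLICY = [
    {"name": "volumetric", "window": 10, "max_requests": 50, "action": "rate_limit"},
    {"name": "sqli", "pattern": SQLI, "max_hits": 1, "action": "block"},
    {"name": "traversal", "pattern": TRAVERSAL, "max_hits": 3, "action": "block"},
]
ACTION_RANK = {"allow": 0, "rate_limit": 1, "block": 2}


def build_sample_log():
    """Constructed traffic: a flooding client, a SQLi probe, a client with two
    traversal attempts (under threshold), and a normal user."""
    lines = [f"198.51.100.7 {1559354400 + i // 12} GET /search?q=a 200" for i in range(120)]
    lines.append("203.0.113.9 1559354401 GET /item?id=1'%20or%201=1-- 500")
    lines.append("203.0.113.9 1559354402 GET /item?id=1 200")
    lines.append("198.51.100.20 1559354405 GET /../../etc/passwd 404")
    lines.append("198.51.100.20 1559354406 GET /static/../../etc/passwd 404")
    lines += [f"192.0.2.10 {1559354400 + i * 3} GET /home 200" for i in range(5)]
    return "\n".join(lines)


def parse(log_text):
    """Parse 'ip epoch method path status' lines; URL-decode the path so
    encoded payloads cannot slip past the content patterns."""
    rows = []
    for line in log_text.strip().splitlines():
        ip, ts, method, path, status = line.split()
        rows.append({"ip": ip, "ts": int(ts), "method": method,
                     "path": unquote(path), "status": int(status)})
    return rows


def evaluate(rows, policy=POLICY):
    """Apply every rule to every client; return {ip: (action, [reasons])}.
    When several rules fire, the highest-ranked action wins."""
    per_ip = defaultdict(list)
    for r in rows:
        per_ip[r["ip"]].append(r)
    decisions = {}
    for ip, reqs in per_ip.items():
        action, reasons = "allow", []
        for rule in policy:
            if "window" in rule:
                # Busiest fixed window of `window` seconds for this client.
                hits = max(Counter(r["ts"] // rule["window"] for r in reqs).values())
                fired = hits > rule["max_requests"]
            else:
                hits = sum(1 for r in reqs if rule["pattern"].search(r["path"]))
                fired = hits >= rule["max_hits"]
            if fired:
                reasons.append(f"{rule['name']}:{hits}")
                if ACTION_RANK[rule["action"]] > ACTION_RANK[action]:
                    action = rule["action"]
        decisions[ip] = (action, reasons)
    return decisions


if __name__ == "__main__":
    for ip, (action, why) in evaluate(parse(build_sample_log())).items():
        print(f"{ip:<15} {action:<10} {why}")
```

Two design points matter for automated response: thresholds are policy data rather than code, so an operator can tune them per customer without a redeploy, and every decision carries the rule names and counts that produced it, which is what an analyst needs when a false positive has to be explained and reverted.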
“At the end of the day security does need automation to reduce human effort and fatigue, but the industry will also need humans for a long time to investigate and respond to situations where AI/ML cannot yet because it’s still learning or doesn’t have the uniquely human ability to recognize something not seen before,” Richmond added.
Next Steps in Automation Planning
Once the bases are covered, you’ll need to keep moving and automate more processes. This will not eliminate human jobs, but rather help secure them as productivity, efficiency, and success rates improve.
“Although there’s traditionally hesitation from IT to minimize or remove the human element from a given task, automation ultimately empowers security teams to be more strategic and focus on larger enterprise security problems,” said Laurence Pitt, global security strategy director at Juniper Networks.
Once that truth is embraced, the task of identifying the next steps moves more easily to the forefront.
“Once IT departments grow more comfortable with automation tools and technologies, take the next step with more complex tasks like threat hunting, event-driven automation, and other proactive security measures. Moving beyond forensics and log data correlation maximizes the value of investments in automation,” explained Pitt.
Another strong next step is integrating security automation with application development work.
“With the recent shift toward DevSecOps and businesses developing and rolling out applications at a rapid pace, automation has become a key component to build secure applications. Organizations are now integrating automation early into their DevSecOps processes and adopting products that unify and speed up the entire DevOps lifecycle,” said Kasha Hafeez, senior director of product marketing at WhiteHatSecurity.
Hafeez pointed out that many DevSecOps practices are still emerging, “but it is evident that in a world of continuous integrations, enhancements, and rapid release cycles, you cannot ignore the importance of automation and the need to move super-fast to be successful.”
Indeed, a good way to identify the next steps is to look for the processes that are both repetitive and too slow to provide real protection against attackers. The obvious need for more speed is a true indicator that automation should be applied. Another good indicator is the boredom factor.
“The best way to decide where automation makes sense is to ask your analysts what tasks they’re spending the most time on. While these tasks tend not to be particularly complex, they have several things in common – they’re frequent, they’re time-consuming and they’re not interesting cases for analysts and engineers to work on,” explained Thomas Kinsella, COO at Tines.
Above all, keep expectations realistic and work out problems accordingly.
“Any cybersecurity automation tool should not be seen as a magic cybersecurity bullet. Unfortunately, many of these do not get properly installed and end up being more of a security hindrance rather than a protection. The deployment of any cybersecurity tool is not quick and easy,” warned Dr. Rials.