
The five key steps to security automation

Last month, Volvo, the Swedish automaker, announced plans for a Level 4 self-driving car by 2021. In the progression of automation levels for cars, Level 4 cars are labelled “high automation.” This means that the vehicle can perform all driving functions under certain conditions, and the driver has the option to control the vehicle. Just think, in three years and in some environments, Volvo drivers could safely nap, eat, talk on the phone, read or even watch a movie. At lower automation levels, the driver must remain engaged to varying degrees. And at Level 5 – the holy grail – the driver becomes unnecessary.

Reading more about comments made by Volvo’s CEO, I found it interesting that Volvo skipped Level 3 entirely, deeming it unsafe. With lower levels of autonomy, confusion about responsibility and control can arise, putting reliability at risk. That struck a chord with me, and I believe it has been part of the concern when applying automation to other areas of our lives. In our world of security operations, this holds very true. What level is the right level, and what’s required for us to comfortably apply automation?

Let’s face it, we’ve talked about security automation for years. We’ve grappled with what, when and how to automate. We’ve debated the human vs machine topic. And at certain points, when we’ve been “burned” (automatically shutting down systems in error), we’ve wondered if there’s any place at all for automation. But in our heart of hearts, we know that automation is the future and the future is here. Plus, given the cybersecurity talent shortage, we simply must automate certain time-sensitive, manual tasks if we want to retain and make better use of the security professionals we have. 

So how do we move forward with automation and gain the value that comes when we apply it confidently at the right level? It is a simple five-step process and it all starts with context.

1. Context allows us to understand and prioritize. In security operations, context comes from aggregating and augmenting internal threat and event data with external threat feeds. By correlating events and associated indicators from inside your environment (for example from sources including your security information and event management (SIEM) system, log management repository and case management systems) with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack.

2. Prioritization gives focus. Now you can prioritize based on relevance to your environment. But what is relevant to one company may not be for another. It is important to be able to assess and change risk scores based on the parameters you set. Filtering out what’s noise for you allows you to understand what to work on first. You can focus on what really matters to your organization rather than wasting time and resources chasing ghosts.

3. Greater focus leads to better decisions. Without the distraction of noise and false positives, you can focus and spend more time analyzing and understanding what’s important. Whether you’re working in your SIEM and evaluating alerts, or in your incident response platform looking at a case, you have the context, focus and breathing room to make better decisions. 

4. Better decisions lead to more confidence. Now you can work more efficiently and effectively. You know what needs to get done and you start to understand how to do it better. Over time, with multiple successes under your belt, you gain confidence and realize you don’t have to continue to do processes manually that you’ve recognized to be repetitive and low-risk.  

5. Confidence leads to automation. Success breeds confidence and the comfort level you need to move forward with automation. You know these tasks inside and out and have little fear of breaking something or having a negative impact on the business. You may decide to automate an entire process or just select aspects, for example prioritizing alerts, scoring and re-scoring threat feeds, hardening your sensor grid, etc. 
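
An added sketch of steps 1 and 2 (not from the original article and not any vendor's product logic): internal events are joined with an external feed on the indicator, then re-scored with parameters each organisation sets. All events, feed entries, field names and weights are constructed for illustration.

```python
# Constructed sample data: internal events as a SIEM export might list them.
EVENTS = [
    {"id": "evt-1", "indicator": "198.51.100.7", "asset": "payroll-db"},
    {"id": "evt-2", "indicator": "203.0.113.9", "asset": "guest-wifi"},
    {"id": "evt-3", "indicator": "192.0.2.44", "asset": "build-server"},
    {"id": "evt-4", "indicator": "198.51.100.200", "asset": "payroll-db"},
]
# Constructed external threat feed, keyed by indicator.
FEED = {
    "198.51.100.7": {"adversary": "GROUP-A", "sectors": {"finance"}, "feed_score": 6},
    "203.0.113.9": {"adversary": "GROUP-B", "sectors": {"energy"}, "feed_score": 5},
    "192.0.2.44": {"adversary": "GROUP-A", "sectors": {"finance", "retail"}, "feed_score": 3},
}
NO_CONTEXT = {"adversary": None, "sectors": set(), "feed_score": 0}

# Parameters each organisation sets for itself (hypothetical weights).
FINANCE_ORG = {"our_sector": "finance", "sector_bonus": 3,
               "critical_assets": {"payroll-db": 4, "build-server": 2}, "noise_below": 6}
ENERGY_ORG = {"our_sector": "energy", "sector_bonus": 3,
              "critical_assets": {"build-server": 1}, "noise_below": 6}

def add_context(events, feed):
    """Step 1: join internal events with external data on the indicator."""
    return [{**e, **feed.get(e["indicator"], NO_CONTEXT)} for e in events]

def rescore(item, params):
    """Step 2: adjust the feed's generic score for relevance to this environment."""
    score = item["feed_score"]
    if params["our_sector"] in item["sectors"]:
        score += params["sector_bonus"]
    score += params["critical_assets"].get(item["asset"], 0)
    return min(score, 10)

def prioritize(events, feed, params):
    """Return (score, event id) pairs, highest first, with noise filtered out."""
    scored = [(rescore(i, params), i["id"]) for i in add_context(events, feed)]
    return sorted((s for s in scored if s[0] >= params["noise_below"]), reverse=True)

if __name__ == "__main__":
    for name, params in (("finance", FINANCE_ORG), ("energy", ENERGY_ORG)):
        print(name, prioritize(EVENTS, FEED, params))
```

The same four events produce different work queues for the two organisations, which is the point of step 2: the feed's score is only a starting value until it is weighed against your own sector and assets.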

The debate continues about Level 5 and the promise of completely autonomous cars. That’s not my area of expertise, but I’m curious to see how that plays out. What I do know is that the human element will always remain vital in security operations. Automation will allow us to move through processes faster for better decisions and accelerated action. But we can only make the transition successfully when context, and the humans behind it, drive automation.

Article by ThreatQuotient APAC regional director Anthony Stitt
