The five key steps to security automation

Last month, Volvo, the Swedish automaker, announced plans for a Level 4 self-driving car by 2021. In the progression of automation levels for cars, Level 4 cars are labelled “high automation.” This means that the vehicle can perform all driving functions under certain conditions, and the driver has the option to control the vehicle. Just think, in three years and in some environments, Volvo drivers could safely nap, eat, talk on the phone, read or even watch a movie. At lower automation levels, the driver must remain engaged to varying degrees. And at Level 5 – the holy grail – the driver becomes unnecessary.

Reading more about comments made by Volvo’s CEO, I found it interesting that Volvo skipped Level 3 entirely, deeming it unsafe. With lower levels of autonomy, confusion about responsibility and control can arise, putting reliability at risk. That struck a chord with me, and I believe it has been part of the concern when applying automation to other areas of our lives. In our world of security operations this holds very true. What level is the right level, and what’s required for us to comfortably apply automation?

Let’s face it, we’ve talked about security automation for years. We’ve grappled with what, when and how to automate. We’ve debated the human vs machine topic. And at certain points, when we’ve been “burned” (automatically shutting down systems in error), we’ve wondered if there’s any place at all for automation. But in our heart of hearts, we know that automation is the future, and the future is here. Plus, given the cybersecurity talent shortage, we simply must automate certain time-sensitive, manual tasks if we want to retain and make better use of the security professionals we have.

So how do we move forward with automation and gain the value that comes when we apply it confidently at the right level? It is a simple five-step process and it all starts with context.

1. Context allows us to understand and prioritize. In security operations, context comes from aggregating and augmenting internal threat and event data with external threat feeds. By correlating events and associated indicators from inside your environment (for example, your security information and event management (SIEM) system, log management repository and case management systems) with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack.

2. Prioritization gives focus. Now you can prioritize based on relevance to your environment. But what is relevant to one company may not be relevant to another. It is important to be able to assess and change risk scores based on the parameters you set. Filtering out what’s noise for you allows you to understand what to work on first. You can focus on what really matters to your organization rather than wasting time and resources chasing ghosts.

3. Greater focus leads to better decisions. Without the distraction of noise and false positives, you can spend more time analyzing and understanding what’s important. Whether you’re working in your SIEM and evaluating alerts, or in your incident response platform looking at a case, you have the context, focus and breathing room to make better decisions.

4. Better decisions lead to more confidence. Now you can work more efficiently and effectively. You know what needs to get done and you start to understand how to do it better. Over time, with multiple successes under your belt, you gain confidence and realize you don’t have to keep doing manually the processes you’ve recognized to be repetitive and low-risk.

5. Confidence leads to automation. Success breeds confidence and the comfort level you need to move forward with automation. You know these tasks inside and out and have little fear of breaking something or having a negative impact on the business. You may decide to automate an entire process or just select aspects, for example prioritizing alerts, scoring and re-scoring threat feeds, hardening your sensor grid, etc.
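To make steps 1 and 2 concrete (and the "scoring and re-scoring threat feeds" aspect of step 5), here is a small worked example, added to this article and not part of the original piece or of any ThreatQuotient product. It correlates constructed internal SIEM-style events with a constructed external indicator feed, then computes a relevance score from parameters the organisation sets (asset criticality, per-feed trust) and drops anything below a noise threshold. All IP addresses, asset names, feed names and the "ExampleGroup-A" adversary label are invented sample data.

```python
"""Steps 1-2 of the article as code: correlate internal events with an
external indicator feed, then score and filter by organisation-set
parameters. All sample data below is constructed for illustration."""
from dataclasses import dataclass

# Constructed internal events, as a SIEM or log repository might hold them.
INTERNAL_EVENTS = [
    {"id": "evt-1", "src": "10.0.5.12", "dst": "198.51.100.7", "asset": "finance-db-01"},
    {"id": "evt-2", "src": "10.0.9.40", "dst": "203.0.113.55", "asset": "guest-wifi-kiosk"},
    {"id": "evt-3", "src": "10.0.5.12", "dst": "192.0.2.200", "asset": "finance-db-01"},
    {"id": "evt-4", "src": "10.0.7.3", "dst": "8.8.8.8", "asset": "dev-laptop-17"},
]

# Constructed external indicators with adversary/method context.
# "confidence" is the feed's own 0-100 confidence in the indicator.
EXTERNAL_INDICATORS = {
    "198.51.100.7": {"adversary": "ExampleGroup-A", "method": "C2 beacon",
                     "confidence": 90, "feed": "feed-alpha"},
    "203.0.113.55": {"adversary": "unknown", "method": "phishing redirector",
                     "confidence": 40, "feed": "feed-beta"},
    "192.0.2.200": {"adversary": "ExampleGroup-A", "method": "exfiltration host",
                    "confidence": 75, "feed": "feed-alpha"},
}

# Step 2 parameters the organisation sets. Changing FEED_TRUST is the
# "re-scoring a threat feed" action from step 5; nothing else has to change.
ASSET_CRITICALITY = {"finance-db-01": 1.0, "guest-wifi-kiosk": 0.2, "dev-laptop-17": 0.5}
FEED_TRUST = {"feed-alpha": 1.0, "feed-beta": 0.6}
DEFAULT_CRITICALITY = 0.3   # unknown assets are neither ignored nor top priority
DEFAULT_FEED_TRUST = 0.5


@dataclass
class EnrichedEvent:
    event_id: str
    asset: str
    indicator: str
    adversary: str
    method: str
    score: float  # 0-100 relevance to *this* organisation


def correlate(events, indicators):
    """Step 1: join internal events to external indicators on destination IP.
    Returns (event, indicator_value, indicator_context) for each match."""
    matches = []
    for ev in events:
        ioc = indicators.get(ev["dst"])
        if ioc is not None:
            matches.append((ev, ev["dst"], ioc))
    return matches


def relevance_score(asset, ioc, criticality=ASSET_CRITICALITY, feed_trust=FEED_TRUST):
    """Step 2: feed confidence, scaled by how much we trust that feed and
    how critical the affected asset is to us. Same indicator, different
    organisation parameters, different score."""
    crit = criticality.get(asset, DEFAULT_CRITICALITY)
    trust = feed_trust.get(ioc["feed"], DEFAULT_FEED_TRUST)
    return round(ioc["confidence"] * trust * crit, 1)


def prioritize(events, indicators, criticality=ASSET_CRITICALITY,
               feed_trust=FEED_TRUST, threshold=30.0):
    """Enrich, score, drop noise below the threshold, return highest first."""
    enriched = [
        EnrichedEvent(ev["id"], ev["asset"], ind, ioc["adversary"], ioc["method"],
                      relevance_score(ev["asset"], ioc, criticality, feed_trust))
        for ev, ind, ioc in correlate(events, indicators)
    ]
    return sorted((e for e in enriched if e.score >= threshold),
                  key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in prioritize(INTERNAL_EVENTS, EXTERNAL_INDICATORS):
        print(f"{e.event_id} {e.asset} -> {e.indicator} "
              f"[{e.adversary} / {e.method}] score={e.score}")
```

With the parameters above, evt-1 (score 90.0) and evt-3 (75.0) reach the analyst, evt-2 (4.8, a low-trust feed hit on a throwaway kiosk) is filtered as noise, and evt-4 never matches an indicator. Lowering `FEED_TRUST["feed-alpha"]` to 0.3 re-scores both finance hits below the threshold without touching the correlation logic, which is the kind of narrow, well-understood adjustment step 5 suggests automating first.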

The debate continues about Level 5 and the promise of completely autonomous cars. That’s not my area of expertise, but I’m curious to see how that plays out. What I do know is that the human element will always remain vital in security operations. Automation will allow us to move through processes faster for better decisions and accelerated action. But we can only make the transition successfully when context, and the humans behind it, drive automation.

Article by ThreatQuotient APAC regional director Anthony Stitt
