The “Dirty” Secret Everyone Should Know About Automation

Automating Steps in the Security Process is Critical to Defeat Today’s Relentless and Complex Attacks

I often talk about automation in my articles and it’s a hot topic in general – a quick Google search reveals more than 100 million results for security automation. Given the global shortage of cybersecurity professionals, and the volume and velocity of increasingly sophisticated threats we all have to deal with, humans can’t go it alone. Automation helps get more from the people you have – handling time-intensive manual tasks so they can focus on high-value, analytical activities. But the catch with automation is that it has to be applied at the right time in the security lifecycle in order to be effective. 

You’ve likely heard the phrase: “dirty data in, dirty data out.” Jumping to the end of the security lifecycle and using automation to take action – like automating playbooks and automatically sending the latest intelligence to your sensor grid (firewalls, IPS/IDS, routers, web and email security, endpoint, etc.) – can backfire. Without first aggregating, scoring and prioritizing intelligence you can actually exacerbate the dirty data problem.

However, devising an approach that’s workable can be tough – the time and effort required to sift through the data so you can focus only on what is important to your organization can outstrip your resources. This is because most organizations are bombarded with millions of threat-focused data points from commercial sources, open source, industry and existing security vendors. Not to mention the massive amount of log and event data from each point product within your layers of defense and/or your SIEM. 

Because all threat data is not created equal, you also need to be able to score and prioritize it. This helps cut down on the noise. Intelligence feed vendors may provide “global” scores but, in fact, these can contribute to the noise since the score is not within the context of your company’s specific environment. Worse yet, when uploaded to your SIEM or sensor grid they can generate more noise in the form of false positives and security operators end up chasing ghosts. Dirty data in, dirty data out. This is why automation also needs to occur at the early stages of the security lifecycle process. Not only will you reduce the dirty data problem, you’ll also save valuable time and resources.

As an example, let’s say your organization brings in one million indicators of compromise (IOCs) across several feeds over a four-month period. Using automation, you can aggregate the data in one location and augment and enrich it with context. Then, you can apply an automated scoring framework based on your risk levels to filter the intelligence into a manageable subset – reducing the actionable dataset by 95% or more. You can redefine how the scores are calculated using multiple parameters you set, including: indicator source, type, attributes and context, as well as adversary attribution. You can automatically recalculate scores when needed, before you bring the threat data into your environment. And because additional intelligence gained over time could raise or lower threat scores, you can also constantly reevaluate scores. In this example of one million IOCs, automation has allowed you to optimize the process of aggregating, scoring and prioritizing threat intelligence that would have taken two to three additional full-time security analysts to do manually. 

Now you’re in a position to deploy the right intelligence to the right tools. Because you’ve laid the proper groundwork, you can use automation with greater confidence and reliability. And, while you’re at it, you can free-up the equivalent of one or two full-time employees by immediately and automatically updating your sensor grid and alleviating much of the manual and fragmented effort required. In this case, the savings isn’t based as much on the volume of intelligence but, rather, the hourly disruption of the employee’s workflow. This includes each hour network engineers need to stop what they are doing, log into each sensor technology (i.e., firewall, router, email, web-proxy, DNS, endpoint, etc.), upload and test the latest intelligence, and, finally, return to where they originally left off. Automating the application of intelligence to the sensor stack strengthens defenses by orders of magnitude and also unburdens your team, freeing them up to stay focused on their priorities.

Automating steps in the security process is critical to defeat today’s relentless and complex attacks. But with the sheer volume of threat data continuing to climb at a staggering rate, we need to start with the threat – automating how we gather, score and prioritize threat intelligence. Otherwise we’re just amplifying the noise, wasting precious resources and hampering security – and that’s the dirty secret.