Security Experts:

How Automation Helps Security Managers

It’s the nature of security operations: the worse the situation, the more you need everything to be working perfectly. Any issues with your program need to be figured out ahead of time, because in the heat of the moment, there isn’t any time to solve problems.

Implementing security automation and orchestration is often seen as a win for security analysts, because automating menial tasks frees them up for more interesting “human work”. But security managers and SOC leaders might have even more to gain. That’s because the right automation and orchestration tool offers more than just task automation—it facilitates process improvements and enables security operations that are more business-aligned and quantifiable in their results.

In this article, I’ll look at how automation and orchestration can replace chaos with order, and how security folks in management positions can benefit from this needed change.

Replacing Manual Steps with Automated Workflows

As a manager, you want a SOC that runs smoothly, requires little oversight, but also doesn’t let any dangerous alerts slip through. For this to happen, you need consistent workflows in place for handling alerts and incidents. With manual processes, there is a great deal of room for human error and inconsistency, which can result in threats going unnoticed.

Automation can codify your best practices and the accumulated knowledge of your best analysts into a consistent, organization-owned process. Automated tools can assess the threat posed by every alert and take the appropriate action, such as assigning it to the appropriate analyst’s queue, or even taking automatic security actions. These automated workflows create efficiency by reducing duplicated work, enabling better tracking, and keeping the SOC running smoothly, even in the chaos of a major security incident.

There is also a secondary way that automating workflows can help your SOC run smoothly. The cybersecurity skills gap makes it hard for companies to hire and retain cybersecurity talent, and frustration with the unrelenting volume of security alerts is usually near the top of the list of reasons for high turnover. Training new employees, having to work short-staffed, and the loss of institutional memory all reduce the effectiveness of your SOC. Automating workflows helps solve this problem by keeping analysts focused on what they want to work on—resolving real threats, not chasing false positives.

Prioritizing Threats Based on their Business Impact

For any security manager seeking to augment their security operations with automation, a common first step is to identify the assets they are protecting, including crown jewels such as valuable IP, the corporate website, operational IT, executives’ email accounts, admin user privileges, etc.

Automation tools can use risk scoring to help you ensure that your time and effort are focused on defending these high-priority targets. Risk scoring can be complex, calculating a score from myriad weighted criteria, or fairly basic, operating off simple rules such as elevating any threat that targets an executive. Threat intelligence and open source integrations are valuable for accurate risk scoring, but equally important is configuring rules unique to your organization’s priorities. By accurately prioritizing threats against your IT infrastructure, intellectual property, and other key assets, automation ensures that teams are always focused on the incidents that can do the most damage to the business.
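As an added illustration of the two scoring styles described above (not code from the author or from any product), the block below combines a weighted-criteria base score with simple organization-specific rules, such as elevating anything aimed at an executive. The asset list, weights, queue thresholds and sample alerts are all constructed assumptions.

```python
"""Alert prioritisation: a weighted score plus simple org-specific rules (constructed example)."""
from dataclasses import dataclass, field

CROWN_JEWELS = {"ip-repo", "corp-website", "exec-mailbox", "domain-admin"}  # assumed asset ids
# Assumed weights; every criterion is normalised to 0-1, so the base score lands in 0-100.
WEIGHTS = {"severity": 0.4, "asset_value": 0.3, "threat_intel": 0.2, "confidence": 0.1}
@dataclass
class Alert:
    alert_id: str
    asset: str          # asset the alert fired on
    target_user: str    # account the activity was aimed at
    severity: float     # detector severity, 0-1
    confidence: float   # detector confidence, 0-1
    intel: float        # share of threat-intel / open-source feeds flagging the indicator, 0-1
    tags: set = field(default_factory=set)
def weighted_score(a, asset_values):
    """The 'complex' path: a weighted sum over several enrichment criteria."""
    feats = {"severity": a.severity, "asset_value": asset_values.get(a.asset, 0.2),
             "threat_intel": a.intel, "confidence": a.confidence}
    return round(100 * sum(WEIGHTS[k] * v for k, v in feats.items()), 1)
def apply_rules(a, score, executives):
    """The 'basic' path: rules that encode the organisation's own priorities."""
    reasons = []
    if a.target_user in executives:            # elevate anything aimed at an executive
        score, reasons = max(score, 85.0), reasons + ["targets an executive"]
    if a.asset in CROWN_JEWELS:                # crown-jewel assets get a bump
        score, reasons = min(100.0, score + 10), reasons + ["crown-jewel asset"]
    if "known-false-positive" in a.tags:       # tuned-out noise is capped, not deleted
        score, reasons = min(score, 20.0), reasons + ["tuned false-positive signature"]
    return round(score, 1), reasons

def triage(alerts, asset_values, executives):
    """Score each alert, route it to a queue, and return the queue sorted by risk."""
    ranked = []
    for a in alerts:
        final, reasons = apply_rules(a, weighted_score(a, asset_values), executives)
        queue = "tier2" if final >= 70 else "tier1" if final >= 30 else "auto-close"
        ranked.append((a.alert_id, final, queue, reasons))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample data (asset values, executives and alerts are all assumed).
ASSET_VALUES = {"ip-repo": 1.0, "exec-mailbox": 0.9, "corp-website": 0.8, "hr-laptop": 0.3}
EXECUTIVES = {"cfo"}
SAMPLE_ALERTS = [
    Alert("A1", "hr-laptop", "jdoe", 0.9, 0.8, 0.75),                # noisy, but low-value asset
    Alert("A2", "hr-laptop", "cfo", 0.3, 0.5, 0.0),                  # weak signal, aimed at the CFO
    Alert("A3", "ip-repo", "svc-build", 0.6, 0.9, 0.25),             # medium signal on a crown jewel
    Alert("A4", "hr-laptop", "jdoe", 0.8, 0.4, 0.0, {"known-false-positive"}),
]
```

Calling `triage(SAMPLE_ALERTS, ASSET_VALUES, EXECUTIVES)` ranks the weak-signal CFO alert first, ahead of a louder alert on a low-value laptop, which is the point of aligning rules with business priorities.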

Using Trend Reporting to Show Progress 

As a manager, even though you might not be on the front lines dealing with security incidents day-to-day, you need to be able to see everything that’s going on in your SOC. You also need to be able to communicate information to your supervisors in order to demonstrate benefits and advocate for budget—and also provide context to external auditors and regulators when necessary. Strong trend reporting capabilities meet both of these needs. 

Automation can generate and capture a great deal of valuable data that can be used for a number of purposes, both inside the SOC and with other groups, such as: 

• Benchmarks for dwell and response times, which can be further broken down by incident type, location, and more. Trend reports can compare against benchmarks to show where things are getting better, and where things are getting worse.

• Trends in recurring incident types.

• Estimated money or time saved by implementing automation.

• A “CISO Report” of weekly open and closed tickets.

• “Growing Concern” reports that can be shared with risk, legal, or executive teams, to call attention to risk trends, such as a growing number of phishing attempts against employees.
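The first bullet above, benchmarking dwell and response times by incident type and showing where things are getting better or worse, as an added example that is not part of the original column or any vendor's product. The ticket records and benchmark hours are constructed assumptions.

```python
"""Dwell/response trend report per incident type, versus benchmarks and the prior period.
Constructed example: the ticket records and benchmark hours below are assumed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

FMT = "%Y-%m-%d %H:%M"
# Constructed closed tickets: (incident type, first attacker activity, detected, contained)
INCIDENTS = [
    ("phishing", "2024-02-05 08:00", "2024-02-05 11:00", "2024-02-05 16:00"),
    ("phishing", "2024-02-19 09:00", "2024-02-19 10:00", "2024-02-19 13:00"),
    ("malware",  "2024-02-10 00:00", "2024-02-12 00:00", "2024-02-12 06:00"),
    ("phishing", "2024-03-04 08:00", "2024-03-04 09:00", "2024-03-04 11:00"),
    ("phishing", "2024-03-11 10:00", "2024-03-11 11:30", "2024-03-11 16:30"),
    ("phishing", "2024-03-18 09:00", "2024-03-18 10:00", "2024-03-18 13:00"),
    ("malware",  "2024-03-20 00:00", "2024-03-21 12:00", "2024-03-22 00:00"),
]
# Assumed target medians in hours, per incident type.
BENCHMARKS_H = {"phishing": {"dwell": 2.0, "response": 4.0},
                "malware": {"dwell": 24.0, "response": 8.0}}

def hours(start, end):
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 3600

def metrics_by_type(incidents):
    """Median dwell (activity->detection) and response (detection->containment) per period and type."""
    raw = defaultdict(lambda: defaultdict(lambda: {"dwell": [], "response": []}))
    for typ, first, detected, contained in incidents:
        bucket = raw[detected[:7]][typ]              # period = "YYYY-MM" of detection
        bucket["dwell"].append(hours(first, detected))
        bucket["response"].append(hours(detected, contained))
    return {p: {t: {m: median(v) for m, v in b.items()} for t, b in types.items()}
            for p, types in raw.items()}

def trend_report(incidents, benchmarks, prev_period, cur_period):
    """For each type in the current period: median, benchmark verdict, and direction vs prior period."""
    stats = metrics_by_type(incidents)
    report = {}
    for typ, cur in stats.get(cur_period, {}).items():
        report[typ] = {}
        for metric, now in cur.items():
            before = stats.get(prev_period, {}).get(typ, {}).get(metric)
            bench = benchmarks.get(typ, {}).get(metric)
            trend = None if before is None else ("better" if now < before else "worse" if now > before else "flat")
            report[typ][metric] = {"median_h": now,
                                   "vs_benchmark": "n/a" if bench is None else ("meets" if now <= bench else "misses"),
                                   "trend": trend}
    return report
```

`trend_report(INCIDENTS, BENCHMARKS_H, "2024-02", "2024-03")` shows phishing improving on both metrics while malware dwell improves but still misses its benchmark and malware response gets worse, which is exactly the mixed picture a monthly report should surface.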

Conclusion

Whether you’re a security manager, team leader, or CISO, you want your SOC to be efficient, effective, and dependable in a crisis. You need to be able to effectively prioritize threats and shut them down quickly using consistent workflows. You might not always be in the trenches working on incidents, so you need to find visibility through other means, such as trend reports, metrics, and analytics. 

Security automation and orchestration tools can help solve these problems, making your security operations more cost-effective, and helping you rest easy, knowing that consistent workflows are in place for even the most severe cybersecurity incident.

Stan Engelbrecht is the Director of Cybersecurity Practice at D3 Security and an accredited CISSP. Stan is involved throughout the product delivery and customer success lifecycle, and takes particular interest in working with customers to configure solutions. You can find Stan speaking about cybersecurity issues at conferences, in the media, and as the chapter president for a security special interest group.