Network Security

How to Get Started With Security Automation: Consider the Top Use Cases Within Your Industry

Organizations in different industries may approach security automation from a different entry point, but the requirements for an automation platform are consistent across use cases.

As the cybersecurity industry has matured, so has the way security teams decide which tools to invest in. Instead of chasing the latest product or technology, security professionals now start from use cases such as incident response, alert triage, vulnerability management, phishing response, threat intelligence management and threat hunting, to name a few. Starting with the problem they are trying to solve, they prioritize technology investments by how well a product or technology addresses that specific challenge.

One area within cybersecurity that has steadily gained traction in recent years is automation, and the same use case-based approach to investment is playing out there as well. However, organizations differ in how they determine their top use cases. Understanding that selection process provides insights that can benefit organizations that are earlier in their automation journey.

Top use cases vary by industry
A recent survey on the state of cybersecurity automation adoption found that security teams are increasingly looking to adopt security automation primarily to drive efficiency. It makes sense to focus automation initiatives on tasks that offer the most potential for efficiency gains. But where teams spend the bulk of their time on tedious, repetitive work varies by industry, so top use cases vary as well. Here are just a few examples:

  • Defense: Incident response and threat intelligence management are the top two use cases for defense agencies and the organizations that support them. This isn't surprising given that this sector has historically been more forward-leaning in understanding what is happening in the world and in anticipating which nation states will attempt to infiltrate and how. The volume of data and threat intelligence that security analysts in defense agencies must gather, analyze and operationalize is massive, and automation can significantly ease that burden.
  • Critical infrastructure: Vulnerability management and prioritization top the list for critical infrastructure security teams, and here too it is easy to understand why. The attack surface has expanded sharply as operational technology (OT) environments are increasingly connected to IT networks and out to the internet. It is also common for OT assets to remain in use for a decade or even two. Designed for another era, they often lack the security mechanisms needed in today's interconnected world and continuously evolving threat landscape, and many cannot simply be patched on a routine cycle. Understanding which vulnerabilities matter and applying automation to prioritize which actions to take first, based on internal and external data and other factors, delivers substantial efficiency gains.
  • Financial services: Alert triage is the most common application of cybersecurity automation in the financial services sector. This industry has been recognized for years as being at the forefront of cybersecurity, but the flip side is that it has also long been at the forefront of attacks, which continue to increase with digital transformation. Today, the sector is such a prominent target that the volume of alerts and events is becoming untenable and compounds security challenges. Instead of relying on people alone, automation can be applied to sift through alerts efficiently and accurately to determine the severity of a threat and whether the alert should be escalated to incident response.

Automation requirements
Organizations in each of these industries may approach automation from a different entry point, but the requirements for an automation platform are consistent across use cases. Security automation success is driven by the ability to make sense of data in different formats and languages from different vendors and systems, and the ability to operationalize data across your security ecosystem for action.

The first phase of a security automation implementation is aggregating and translating disparate data into a uniform format for analysis. This includes events and associated indicators from inside your environment, for example from your SIEM, log management repository, case management system and security infrastructure, each of which typically uses its own field names and formats. You can augment and enrich this data automatically with threat data from the sources you subscribe to (commercial, open source, government, industry and existing security vendors) as well as frameworks like MITRE ATT&CK. By correlating events and associated indicators from inside the environment with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack. With an understanding of relevance to your organization, prioritization of where to focus action first can then happen automatically, based on parameters you set, such as the criticality of the affected asset and the confidence of the intelligence source.

The next phase is to get the right data to the right tools and teams at the right time, automatically, for action. An extensible platform that integrates easily with different tools and enables interoperability lets you use your existing security technologies and teams more efficiently and effectively. For example, you can take immediate action such as patching the vulnerabilities that are truly a priority for your organization, or updating firewall policies in response to a confirmed threat. Actions with a large blast radius, such as blocking traffic or pushing patches to production systems, are usually gated behind a human approval step until the prioritization logic has proven itself.
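To make the two phases above concrete, here is an added example (not code from the article or from any product it discusses) of the pipeline in miniature: events from two constructed sources with different formats are normalized into one schema, enriched from a constructed threat-intel table tagged with MITRE ATT&CK technique IDs, scored with operator-set weights, and routed to a consumer. The feed entries, asset criticality values, weights and routing thresholds are all assumptions chosen for illustration.

```python
"""Added example, not from the article: normalize -> enrich -> prioritize -> route.
Every feed entry, event, weight and threshold below is constructed for illustration."""

import json
import re
from dataclasses import dataclass, field

# Constructed threat-intel table keyed by indicator; in practice this comes
# from the commercial/open-source/government feeds you subscribe to.
THREAT_INTEL = {
    "198.51.100.23": {"confidence": 90, "adversary": "EXAMPLE-APT", "attack": ["T1071.001"]},
    "203.0.113.7":   {"confidence": 60, "adversary": None,          "attack": ["T1595"]},
}

# Operator-set parameters: how much each asset matters and how factors are weighted.
ASSET_CRITICALITY = {"payments-db-01": 100, "hr-web-02": 50, "kiosk-17": 10}
WEIGHTS = {"confidence": 0.5, "asset": 0.4, "attributed": 10}


@dataclass
class Event:
    """The uniform schema every source is translated into."""
    source: str
    host: str
    indicator: str
    action: str
    intel: dict = field(default_factory=dict)
    priority: float = 0.0


def parse_siem(line: str) -> Event:
    """Source 1: the SIEM exports JSON records with its own field names."""
    rec = json.loads(line)
    return Event("siem", rec["dst_host"], rec["src_ip"], rec["event_type"])


FW_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_firewall(line: str) -> Event:
    """Source 2: a firewall writes key=value syslog lines."""
    kv = {k: v.strip('"') for k, v in FW_RE.findall(line)}
    return Event("firewall", kv["hostname"], kv["src"], kv["action"])


PARSERS = {"siem": parse_siem, "firewall": parse_firewall}


def normalize(raw: list[tuple[str, str]]) -> list[Event]:
    """Phase one, step 1: translate each (source, line) pair into the Event schema."""
    return [PARSERS[src](line) for src, line in raw]


def enrich(ev: Event, intel: dict = THREAT_INTEL) -> Event:
    """Phase one, step 2: attach external context (confidence, adversary, ATT&CK IDs)."""
    ev.intel = intel.get(ev.indicator, {})
    return ev


def prioritize(ev: Event, weights: dict = WEIGHTS, assets: dict = ASSET_CRITICALITY) -> Event:
    """Phase one, step 3: weighted intel confidence + weighted asset criticality,
    plus a bonus when the indicator is attributed to a known adversary."""
    conf = ev.intel.get("confidence", 0)
    crit = assets.get(ev.host, 0)
    attributed = weights["attributed"] if ev.intel.get("adversary") else 0
    ev.priority = weights["confidence"] * conf + weights["asset"] * crit + attributed
    return ev


def route(ev: Event) -> str:
    """Phase two: pick the consumer. Thresholds are assumptions; tune to your environment."""
    if ev.priority >= 70:
        return "incident_response"
    if ev.priority >= 30:
        return "analyst_queue"
    return "log_only"


def run_pipeline(raw: list[tuple[str, str]]) -> list[tuple]:
    """Return (host, indicator, ATT&CK techniques, priority, destination), highest first."""
    events = [prioritize(enrich(e)) for e in normalize(raw)]
    events.sort(key=lambda e: e.priority, reverse=True)
    return [(e.host, e.indicator, e.intel.get("attack", []), round(e.priority, 1), route(e))
            for e in events]


# Constructed sample input: two SIEM JSON records and one firewall syslog line.
SAMPLE = [
    ("siem", '{"src_ip": "198.51.100.23", "dst_host": "payments-db-01", "event_type": "outbound_http"}'),
    ("firewall", 'ts=2024-05-01T10:00:00Z hostname=kiosk-17 src=203.0.113.7 action=deny'),
    ("siem", '{"src_ip": "192.0.2.55", "dst_host": "hr-web-02", "event_type": "login_failure"}'),
]

if __name__ == "__main__":
    for row in run_pipeline(SAMPLE):
        print(row)
```

Running it ranks the beaconing from the payments database (attributed adversary, high-confidence indicator, critical asset) for incident response, sends the scan against the kiosk to the analyst queue, and leaves the unenriched login failure as log-only. The point of the structure is that adding a third source means writing one more parser, and changing what "priority" means is a change to `WEIGHTS` and `ASSET_CRITICALITY`, not to the pipeline.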

Security teams are increasingly adopting security automation to improve efficiency. A strategic approach that selects the use cases with the greatest opportunity for efficiency gains and standardizes on a data-driven, extensible platform makes a compelling case for the initial investment, clears a path to expand into other use cases, and continues to deliver measurable ROI for the organization.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.