
How to Get Started With Security Automation: Consider the Top Use Cases Within Your Industry

Organizations in different industries may approach security automation from a different entry point, but the requirements for an automation platform are consistent across use cases.

As the cybersecurity industry has matured, so has the approach security teams take to making decisions about investing in security tools. Instead of focusing on the latest product or technology, security professionals are focused on use cases such as incident response, alert triage, vulnerability management, spear phishing, threat intelligence management and threat hunting, to name a few. Starting with the problem they are trying to solve, they prioritize technology investments by how well that product or technology addresses that specific challenge.

One area within cybersecurity that has steadily gained traction in recent years is automation, and we see a use case-based approach to investing in automation initiatives playing out here as well. However, there’s a difference in how organizations determine their top use cases. Understanding that selection process provides insights that can benefit organizations that are earlier in their automation journey.

Top use cases vary by industry
A recent survey on the state of cybersecurity automation adoption (PDF) found that security teams are increasingly looking to adopt security automation primarily to drive efficiency. It makes sense to focus automation initiatives on tasks that provide the most potential for efficiency gains. But where teams spend the bulk of their time doing tedious, repetitive work varies by industry, so top use cases vary as well. Here are just a few examples:

  • Defense: Incident response and threat intelligence management are the top two use cases for defense agencies and organizations that support them. This isn’t surprising given that historically this sector has been more forward-leaning when it comes to understanding what’s happening in the world and trying to predict what nation states will try to infiltrate and how. The amount of data and threat intelligence security analysts in defense agencies must gather, analyze and operationalize is massive and automation can significantly ease the burden.
  • Critical infrastructure: Vulnerability management/prioritization tops the list for critical infrastructure security teams and, here too, it is easy to understand why. The attack surface has expanded exponentially as operational technology (OT) environments are increasingly connected to IT networks and out to the internet. It’s also common for OT assets to remain in use for a decade or even two. Designed for another time, they often lack security mechanisms needed for better protection in today’s interconnected world and continuously evolving threat landscape. Understanding vulnerabilities and applying automation to prioritize which actions to take first based on internal and external data and other factors helps drive tremendous efficiency gains.
  • Financial services: Alert triage is the most common application for cybersecurity automation in the financial services sector. This industry has been recognized for years as being at the forefront of cybersecurity, but the flipside is that it has also long been at the forefront for attacks which continue to increase with digital transformation. Today, the sector is such a prominent target that the volume of alerts and events is becoming untenable and compounds security challenges. Instead of relying on people, automation can be applied to sift through alerts efficiently and accurately in order to determine the severity of the threat and whether or not the alert should be escalated to incident response.

Automation requirements
Organizations in each of these industries may approach automation from a different entry point, but the requirements for an automation platform are consistent across use cases. Security automation success is driven by the ability to make sense of data in different formats and languages from different vendors and systems, and the ability to operationalize data across your security ecosystem for action.

The first phase of security automation implementation begins with aggregating and translating disparate data into a uniform format for analysis. This includes events and associated indicators from inside your environment, for example from your SIEM system, log management repository, case management system and security infrastructure. You can augment and enrich this data automatically with threat data from the multiple sources you subscribe to – commercial, open source, government, industry, existing security vendors – as well as frameworks like MITRE ATT&CK. By correlating events and associated indicators from inside the environment with external data on indicators, adversaries and their methods, you gain context to understand the who, what, where, when, why and how of an attack. With an understanding of relevance to your organization, prioritization of where to focus action first can happen automatically based on parameters you set.
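The first phase described above, sketched as an added example that is not part of the original article or any vendor's product: two differently formatted events are translated into one schema, enriched from several threat feeds, and ordered by organization-set parameters. All field names, feed contents, addresses and weights are constructed assumptions.

```python
import json

# Constructed samples; field names and values are assumptions for illustration.
SIEM_EVENT = '{"ts": "2024-01-05T10:00:00Z", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.7"}'
FW_LINE = "time=2024-01-05T10:01:00Z src=10.0.0.9 dst=198.51.100.20 action=allow"
FEEDS = {  # external threat data per source: indicator -> context
    "commercial": {"203.0.113.7": {"technique": "T1071", "confidence": 90}},
    "open_source": {"203.0.113.7": {"technique": "T1071", "confidence": 60}},
}
# Parameters the organization sets to steer prioritization.
PARAMS = {"critical_assets": {"10.0.0.5"}, "asset_bonus": 20, "corroboration_bonus": 10}


def normalize_siem(raw):
    """Translate a JSON SIEM event into the uniform schema."""
    e = json.loads(raw)
    return {"time": e["ts"], "origin": "siem", "host": e["src_ip"], "indicator": e["dest_ip"]}


def normalize_firewall(line):
    """Translate a key=value firewall line into the same schema."""
    kv = dict(pair.split("=", 1) for pair in line.split())
    return {"time": kv["time"], "origin": "firewall", "host": kv["src"], "indicator": kv["dst"]}


def enrich(event, feeds):
    """Attach every feed entry that matches the event's indicator."""
    hits = {name: feed[event["indicator"]] for name, feed in feeds.items()
            if event["indicator"] in feed}
    return {**event, "intel": hits}


def score(event, params):
    """Best feed confidence plus bonuses; events with no intel match score 0."""
    if not event["intel"]:
        return 0
    total = max(hit["confidence"] for hit in event["intel"].values())
    total += params["corroboration_bonus"] * (len(event["intel"]) - 1)
    if event["host"] in params["critical_assets"]:
        total += params["asset_bonus"]
    return total


def prioritize(events, feeds, params):
    """Enrich, score and return events ordered highest priority first."""
    enriched = [enrich(e, feeds) for e in events]
    for e in enriched:
        e["priority"] = score(e, params)
    return sorted(enriched, key=lambda e: e["priority"], reverse=True)


QUEUE = prioritize([normalize_firewall(FW_LINE), normalize_siem(SIEM_EVENT)], FEEDS, PARAMS)
```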

The next phase is to get the right data to the right tools and teams at the right time automatically for action. An extensible platform that easily integrates with different tools and enables interoperability allows you to leverage your existing security technologies and teams more efficiently and effectively. For example, you can take immediate action like proactively patching vulnerabilities that are truly a priority for your organization or updating firewall policies immediately based on a real threat.

Security teams are increasingly looking to adopt security automation to improve efficiency. A strategic approach that includes selecting use cases that present the greatest opportunity to maximize efficiency, and standardizing on a data-driven, extensible platform helps to make a compelling case for the initial investment, clears a path to expand into other use cases, and continues to drive measurable ROI for the organization.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.

