The last few years have been filled with examples of the “Pendulum Effect”, where trends swing from one extreme to another before settling at an equilibrium, somewhere in the middle. Think about it from an IT and security perspective.
We’ve gone from everything done on-premises, to the mantra of everything in the cloud, to a state of equilibrium where 67% of IT professionals now say hybrid cloud is where they are settling. At the beginning of 2020, employees rarely worked from home. Then, seemingly overnight nearly everyone worked from home, and now today 53% of employees expect a hybrid work model. We are seeing a similar pattern with respect to security automation. Let’s take Security Orchestration, Automation and Response (SOAR) as an example.
Early SOAR platforms were powerful solutions that required scripting languages like Python, plus engineering work and heavy coding. There was a price to pay for the fully customizable playbooks being demanded: they were difficult and expensive to implement, maintain and manage. Now there is a swing towards no-code platforms, like drag and drop. However, that will not work for everyone either. The ability to fine tune is necessary for certain situations and users. The market wants choice and there are different personas. Solutions that provide choice of no code or ability to code (sometimes referred to as low-code) present that state of equilibrium, offering a simplistic playbook builder with the ability to support more advanced requirements as well.
So today that’s the model we see playing out for security automation, and just like hybrid cloud and hybrid work, the model is likely here to stay. What does it look like and why does it have staying power?
Previously, I wrote about how automation is evolving from a process-driven approach to a data-driven approach for greater focus, accuracy and agility. A simple data-driven playbook builder strikes the balance between human interaction and actions that are set to run automatically. Here’s how:
In the first stage of playbook building, users identify the inputs based on data to determine the right criteria and triggers for the action that should be taken or process that should be initiated. This starts by automatically aggregating the right internal data into a central repository so analysts can gain a comprehensive understanding of the threat they are facing and what they must defend. Analysts can augment and enrich this data automatically with threat data from the multiple sources they subscribe to – commercial, open source, government, industry, existing security vendors – as well as with frameworks like MITRE ATT&CK. Combining and correlating internal and external data, and applying an automated scoring framework, allows you to prioritize action or processes based on what is relevant for your organization.
Next, you can simplify actions taken and run the right process based on triggers and thresholds you set within the playbook builder framework. This allows you to run playbooks only on items that really matter to your organization versus running playbooks on all new events or emails. And then you can define what actions need to be taken by which tools. This can be done with a simple playbook builder where you can select the tool and what you want done via an intuitive UI where you select items via checkboxes. For example, you can deploy the right intelligence to the right tools, immediately and automatically updating your sensor grid and alleviating much of the manual and fragmented effort. This data-driven process that you control enables efficient and effective response.
Finally, you are able to define your desired outcomes and what should be learned from the action taken to improve future response and help strengthen protections against future similar threats. As new data, feedback and learnings are added to the platform, intelligence is automatically reevaluated and reprioritized, which in turn makes the input stage of automation more efficient.
But what if you need to tweak the playbook in ways the UI does not allow? If the tool supports a standard format like JSON or YAML, a more advanced user can tweak the resulting files to support their use case needs.
With an approach that is data-driven and flexible, you can get as simple or as advanced as the detection and response demands. You can create and update straightforward playbooks within a few minutes, or dig deeper to customize the playbooks to meet more advanced needs. It’s another example of the Pendulum Effect and the natural evolution to a more balanced approach.