Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

The Secret to Automation? Eat the Elephant in Chunks.

The goal of security automation is to accelerate detection and response, but you’ll waste a lot of time if you try to eat the elephant all at once

The goal of security automation is to accelerate detection and response, but you’ll waste a lot of time if you try to eat the elephant all at once

One of my favorite phrases when strategizing how to approach a daunting challenge is “eat the elephant in chunks.” Whether you’re talking about running a marathon, going after that big promotion or saving for the future, the most effective and efficient way to achieve a larger goal is by breaking it down into smaller, discrete pieces. The approach is also highly applicable when talking about security automation. 

Security orchestration, automation and response (SOAR) platforms that focus on automating processes are a great example. Organizations were drawn to the promise of SOAR to improve the throughput of analyst work by automatically running a playbook in reaction to an incident or issue without the need for human intervention. SOAR was an important step forward and off to a great start. But over time, organizations started to see the pitfalls of trying to eat the entire elephant all at once instead of in chunks. Here’s what I mean.

To run SOAR playbooks, you need to define and document a complex decision tree and then manage and maintain long, unwieldy processes. Engineering work is required to customize playbooks and standardize implementation. Playbooks are executed the same way over and over again, with no regard to the relevance or priority of data being processed. Decision-making criteria and logic are built into the playbooks, so it isn’t possible to adapt with agility to changes in the threat landscape and the environment. Playbooks need to be updated manually—pulling results and new learnings from reports and other sources—which becomes even more difficult and time consuming if the person who created the playbook is no longer with the organization.

Clearly, approaching security automation by trying to eat the entire elephant all at once isn’t effective or efficient. But what happens if, instead, you tackle automation from the standpoint of atomic-level actions (or chunks) that are data-driven and executed directly or from a simple playbook? Let’s look at a couple of use cases.

Spear phishing: An email is received that is targeted to the C-level. With a platform that enables atomic automation, you start with data which allows for contextualization. If the email has indicators that have a high threat score, you can take immediate action like sending these indicators to your endpoint detection and response (EDR) solution for blocking. Or you can look-up the indicators in your SIEM to see if there are other events around it. Each atomic action is self-contained and, therefore, simple and quick to define, execute and maintain. You can even put these atomic actions into a straightforward playbook within a few minutes. And because the playbook is data-driven this ensures the actions remain relevant. Bi-directional data flow allows for outputs from detection and response to be used as inputs for learning and improvement. If data changes and certain thresholds are hit, additional actions can be set to run automatically.

Event triage: Atomic automation also supports SOC teams that want to streamline how they triage events that are questionable. Of course, there are cut and dry cases where it makes sense to just run a full playbook. But many events aren’t obviously bad, and an analyst may want to review event details before deciding what to do. In this case, once they’ve determined the event is something to address, they can quickly launch atomic actions to the right the tools in the SOC. There’s no need to pivot between each separate tool and user interface to execute actions. For example, in a couple of clicks they can block all outbound requests to this bad URL that is hosting malware and launch a scan of all systems that have visited it.  

The goal of security automation is to accelerate detection and response, but you’ll waste a lot of time if you try to eat the elephant all at once. With a data-driven approach to automation you can trigger atomic-level actions directly or through simple playbooks to reach that goal faster with greater focus, accuracy and agility. And that’s why you should eat the elephant in chunks.

Advertisement. Scroll to continue reading.
Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.