Security Experts:

The Secret to Automation? Eat the Elephant in Chunks.

The goal of security automation is to accelerate detection and response, but you’ll waste a lot of time if you try to eat the elephant all at once

One of my favorite phrases when strategizing how to approach a daunting challenge is “eat the elephant in chunks.” Whether you’re talking about running a marathon, going after that big promotion or saving for the future, the most effective and efficient way to achieve a larger goal is by breaking it down into smaller, discrete pieces. The approach is also highly applicable when talking about security automation. 

Security orchestration, automation and response (SOAR) platforms that focus on automating processes are a great example. Organizations were drawn to the promise of SOAR to improve the throughput of analyst work by automatically running a playbook in reaction to an incident or issue without the need for human intervention. SOAR was an important step forward and off to a great start. But over time, organizations started to see the pitfalls of trying to eat the entire elephant all at once instead of in chunks. Here's what I mean.

To run SOAR playbooks, you need to define and document a complex decision tree and then manage and maintain long, unwieldy processes. Engineering work is required to customize playbooks and standardize implementation. Playbooks are executed the same way over and over again, with no regard to the relevance or priority of data being processed. Decision-making criteria and logic are built into the playbooks, so it isn’t possible to adapt with agility to changes in the threat landscape and the environment. Playbooks need to be updated manually—pulling results and new learnings from reports and other sources—which becomes even more difficult and time consuming if the person who created the playbook is no longer with the organization.

Clearly, approaching security automation by trying to eat the entire elephant all at once isn’t effective or efficient. But what happens if, instead, you tackle automation from the standpoint of atomic-level actions (or chunks) that are data-driven and executed directly or from a simple playbook? Let’s look at a couple of use cases.

Spear phishing: An email is received that is targeted to the C-level. With a platform that enables atomic automation, you start with data which allows for contextualization. If the email has indicators that have a high threat score, you can take immediate action like sending these indicators to your endpoint detection and response (EDR) solution for blocking. Or you can look-up the indicators in your SIEM to see if there are other events around it. Each atomic action is self-contained and, therefore, simple and quick to define, execute and maintain. You can even put these atomic actions into a straightforward playbook within a few minutes. And because the playbook is data-driven this ensures the actions remain relevant. Bi-directional data flow allows for outputs from detection and response to be used as inputs for learning and improvement. If data changes and certain thresholds are hit, additional actions can be set to run automatically.

Event triage: Atomic automation also supports SOC teams that want to streamline how they triage events that are questionable. Of course, there are cut and dry cases where it makes sense to just run a full playbook. But many events aren’t obviously bad, and an analyst may want to review event details before deciding what to do. In this case, once they’ve determined the event is something to address, they can quickly launch atomic actions to the right the tools in the SOC. There’s no need to pivot between each separate tool and user interface to execute actions. For example, in a couple of clicks they can block all outbound requests to this bad URL that is hosting malware and launch a scan of all systems that have visited it.  

The goal of security automation is to accelerate detection and response, but you’ll waste a lot of time if you try to eat the elephant all at once. With a data-driven approach to automation you can trigger atomic-level actions directly or through simple playbooks to reach that goal faster with greater focus, accuracy and agility. And that’s why you should eat the elephant in chunks.

view counter
Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.