Organizations across all industries are recognizing the value of automation, and the necessity of implementing it in their security infrastructure. However, beyond the simple promise of being able to act faster and save your employees’ time, the extent of automation’s usefulness is not that well understood.
Automation is about more than just turning simple human actions into machine processes. Because I spend my time working with organizations on security orchestration, automation, and response (SOAR) solutions that apply automation across many aspects of the incident response and case management lifecycle, I have a unique perspective on the variety of ways that organizations can get value from investing in automated tools.
Below, I have suggested seven processes that should be automated in order to save valuable time during incident response and security investigation procedures, and help organizations improve their overall cybersecurity posture.
1. SIEM Escalation
Security alerts come from a range of sources, but particularly in larger organizations, most incidents start in the SIEM. The funnel from SIEM to SOAR can be enhanced by automating the criteria for alert escalation. By combining well-chosen rules for escalation and automated intelligence gathering (as described in the following section on reputation lookups), analysts can focus on significant incidents and work with full context, instead of trying to pick out the genuine threats from hundreds of alerts every day.
2. Reputation Lookups
One of the biggest opportunities to save time through automation is by gathering contextual data to help analysts assess threats. For example, if an email is flagged as a possible phishing attempt, a SOAR platform can automatically look up the reputation of the URL in the email, check the geolocation of the domain owner, investigate connections to known attackers, and more. Without automation, analysts have to go to other apps and manually look up this information, sometimes over 100 times per day.
3. Risk Scoring
Continuing with the process of escalating and enriching incidents, there is another layer of automation that SOAR platforms can add to help analysts quickly determine which incidents require their attention. By comparing threat intelligence, link analysis, and other contextual data against customized criteria to generate a risk score, automation can be used to assign an incident to the appropriate analyst with the right level of priority, such as lower in the queue when the possibility of a false positive is high.
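The escalation, enrichment, and scoring steps from sections 1 to 3 can be sketched as one small triage routine. This is an added example, not code from any SOAR product: the field names, weights, thresholds, and the in-memory intel table standing in for a reputation service are all assumptions, and the sample alerts are constructed.

```python
from dataclasses import dataclass, field

# Constructed stand-in for a threat-intel lookup; a real playbook would query
# a reputation service here. Domains use the reserved .example TLD.
INTEL = {
    "login-update.example": {"reputation": "malicious", "known_actor": True},
    "newsletter.example": {"reputation": "clean", "known_actor": False},
}

# Hypothetical scoring criteria: tune weights and thresholds per organization.
WEIGHTS = {"malicious": 50, "suspicious": 25, "unknown": 10, "clean": 0}
SEVERITY = {"low": 5, "medium": 15, "high": 30}
ESCALATE_AT, HIGH_PRIORITY_AT = 40, 70

@dataclass
class Alert:
    alert_id: str
    siem_severity: str
    domain: str
    rule_fp_rate: float  # historical false-positive rate of the SIEM rule (0..1)
    context: dict = field(default_factory=dict)

def enrich(alert):
    """Attach reputation context so the analyst does not look it up by hand."""
    alert.context = INTEL.get(alert.domain, {"reputation": "unknown", "known_actor": False})
    return alert

def risk_score(alert):
    """Combine SIEM severity and intel, then discount likely false positives."""
    raw = SEVERITY[alert.siem_severity] + WEIGHTS[alert.context["reputation"]]
    if alert.context["known_actor"]:
        raw += 20
    return round(min(raw, 100) * (1 - alert.rule_fp_rate))

def triage(alerts):
    """Return escalated incidents as (alert_id, score, priority), highest score first."""
    queue = []
    for alert in map(enrich, alerts):
        score = risk_score(alert)
        if score >= ESCALATE_AT:
            queue.append((alert.alert_id, score, "high" if score >= HIGH_PRIORITY_AT else "normal"))
    return sorted(queue, key=lambda item: item[1], reverse=True)

# Constructed sample alerts, as a SIEM might forward them.
SAMPLE = [
    Alert("A-1", "high", "login-update.example", 0.05),
    Alert("A-2", "low", "newsletter.example", 0.60),
    Alert("A-4", "high", "unseen-host.example", 0.0),
]
```

Calling triage(SAMPLE) escalates A-1 and A-4 and drops A-2, whose low severity, clean reputation, and noisy source rule keep it below the escalation threshold.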
4. Blocking Users
One of the most beneficial applications of automation is to simply act faster than a human analyst could. This can make a huge difference in limiting the damage of the incident. One example of a security action that can be accelerated by automation is disabling the privileges of users who have been implicated in an incident. If a user’s account is flagged for suspicious activity, such as logging on at unusual hours or attempting to access sensitive systems, shutting down that account immediately is the best chance you have to prevent a data breach.
5. Guided Investigations
So far, I’ve covered some of the more conventional use cases for automation, so let’s look at a less well-known idea: using automation to guide investigators through procedures. It’s common to build playbooks and automate steps within them, but automation can also be applied to deep investigations to keep investigators on track. This is especially useful for teams that comprise a wide range of experience levels, because internal lessons learned, industry best practices, and even regional compliance requirements can be built into investigative workflows. This ensures that the right steps are taken, even if the investigator is not familiar with the requirements of different jurisdictions or incident types.
6. Reporting Thresholds
It’s important for managers, executives, and other stakeholders to have visibility into security processes, but you don’t want to waste your security team’s time on filling out and sending regular reports. With automation, you can set thresholds that trigger reports, such as when there are too many open incidents, or when someone has missed an important deadline.
7. Notifications and Task Assignments
Automation isn’t just about making actions faster; it can also be used to help coordinate the people and processes that make up your security team. Similar to setting thresholds for automated reporting, automated tools can be used to set criteria for automated notifications and assignments. For example, automated notifications might remind analysts of open tasks or approaching deadlines, or a task might be assigned to the legal team when an approval is needed.
Conclusion
Like any tool, automation should be implemented with careful consideration. It is true that it can bring value to just about any security team, but the amount of value will depend entirely on how well you match it to your most pressing needs, existing security infrastructure, and organizational procedures. This has been merely a sampling of the processes that can be automated, and with so much innovation currently happening in the industry, it’s worth taking some time to think about what other automated processes also provide you with value.