Incident Response

Seven Security Activities You Should Automate

Organizations across all industries are recognizing the value of automation, and the necessity of implementing it in their security infrastructure. However, beyond the simple promise of being able to act faster and save your employees’ time, the extent of automation’s usefulness is not that well understood.


Automation is about more than just turning simple human actions into machine processes. Because I spend my time working with organizations on security orchestration, automation, and response (SOAR) solutions that apply automation across many aspects of the incident response and case management lifecycle, I have a unique perspective on the variety of ways that organizations can get value from investing in automated tools.

Below, I have suggested seven processes that should be automated in order to save valuable time during incident response and security investigation procedures, and help organizations improve their overall cybersecurity posture.

1. SIEM Escalation

Security alerts come from a range of sources, but particularly in larger organizations, most incidents start in the SIEM. The funnel from SIEM to SOAR can be enhanced by automating the criteria for alert escalation. By combining well-chosen rules for escalation and automated intelligence gathering (as described in the following section on reputation lookups), analysts can focus on significant incidents and work with full context, instead of trying to pick out the genuine threats from hundreds of alerts every day.

2. Reputation Lookups

One of the biggest opportunities to save time through automation is by gathering contextual data to help analysts assess threats. For example, if an email is flagged as a possible phishing attempt, a SOAR platform can automatically look up the reputation of the URL in the email, check the geolocation of the domain owner, investigate connections to known attackers, and more. Without automation, analysts have to go to other apps and manually look up this information, sometimes over 100 times per day.


3. Risk Scoring

Continuing with the process of escalating and enriching incidents, there is another layer of automation that SOAR platforms can add to help analysts quickly determine which incidents require their attention. By comparing threat intelligence, link analysis, and other contextual data against customized criteria to generate a risk score, automation can assign an incident to the appropriate analyst at the right level of priority, for example lower in the queue when the likelihood of a false positive is high.
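The three steps above (SIEM escalation, reputation lookup, risk scoring) chained into one small triage pipeline, as an added illustration that is not from the article or any particular SOAR product. The reputation table, the score weights, the queue names and the alert fields are all constructed assumptions; a real deployment would replace the table with calls to its threat-intelligence services.

```python
from dataclasses import dataclass
# Constructed threat-intelligence table standing in for the reputation services a
# SOAR platform would query. Values are hypothetical, not real indicators.
REPUTATION_DB = {
    "login-verify.example": {"malicious": True, "linked_actor": "TA-HYPOTHETICAL"},
    "intranet.example.org": {"malicious": False, "linked_actor": None},
}
UNKNOWN = {"malicious": None, "linked_actor": None}   # neutral record for unseen indicators

@dataclass
class SiemAlert:
    alert_id: str
    severity: int               # 1 (informational) .. 5 (critical), as tagged by the SIEM
    indicator: str              # domain pulled from the alert, e.g. from a URL in a flagged email
    prior_false_positives: int = 0   # how often the originating rule has fired falsely before

def should_escalate(alert: SiemAlert, min_severity: int = 3) -> bool:
    """SIEM-to-SOAR gate: escalate on severity, or on any indicator already known bad."""
    known_bad = REPUTATION_DB.get(alert.indicator, UNKNOWN)["malicious"] is True
    return alert.severity >= min_severity or known_bad

def enrich(alert: SiemAlert) -> dict:
    """Automated reputation lookup (the analyst's manual 'go check the URL' step)."""
    return dict(REPUTATION_DB.get(alert.indicator, UNKNOWN))

def risk_score(alert: SiemAlert, context: dict) -> int:
    """Score 0..100 from SIEM severity plus enrichment; chronically noisy rules score lower."""
    score = alert.severity * 10
    if context["malicious"] is True:
        score += 40
    elif context["malicious"] is None:   # never seen before: small bump, still needs eyes
        score += 5
    if context["linked_actor"]:
        score += 20
    score -= min(alert.prior_false_positives * 5, 30)  # likely false positive -> lower in queue
    return max(0, min(score, 100))

def assign(score: int) -> tuple:
    """Route by score: (queue, priority)."""
    return ("tier2", "P1") if score >= 70 else ("tier1", "P2") if score >= 40 else ("tier1", "P3")

def triage(alert: SiemAlert):
    """Escalate -> enrich -> score -> route. Returns None when the alert stays in the SIEM."""
    if not should_escalate(alert):
        return None
    context = enrich(alert)
    score = risk_score(alert, context)
    queue, priority = assign(score)
    return {"alert_id": alert.alert_id, "score": score, "queue": queue,
            "priority": priority, "context": context}
```

Note that a low-severity alert still escalates when its indicator is already known bad, while a rule with a long false-positive history sinks to the bottom of the queue even at the escalation threshold.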

4. Blocking Users

One of the most beneficial applications of automation is to simply act faster than a human analyst could. This can make a huge difference in limiting the damage of the incident. One example of a security action that can be accelerated by automation is disabling the privileges of users that have been implicated in an incident. If a user’s account is flagged for suspicious activity, such as logging on at unusual hours or attempting to access sensitive systems, shutting down that account immediately is the best chance you have to prevent a data breach.
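An added example of the account-disabling action described above, written for this page rather than taken from the article or any product: logon events are checked against a per-account baseline of usual hours and sensitive-system entitlements, and implicated accounts are disabled at once, except for accounts the automation is not allowed to touch on its own, which are flagged for a human. The baselines, host names, events and the directory stub are all constructed assumptions.

```python
from datetime import datetime
# Constructed per-account baselines: usual logon hours (local time) and whether the
# account is entitled to reach sensitive systems. Hypothetical data, not from any directory.
BASELINES = {
    "alice": {"hours": range(7, 20), "sensitive_ok": False},
    "svc-backup": {"hours": range(0, 6), "sensitive_ok": True},
}
SENSITIVE_HOSTS = {"hr-db-01", "payroll-app"}
# Accounts automation must never disable on its own (break-glass, critical services).
PROTECTED = frozenset({"svc-backup"})
class DirectoryStub:
    """Stands in for the identity-provider API a SOAR platform would call."""
    def __init__(self):
        self.disabled = []
    def disable(self, user):
        self.disabled.append(user)

def suspicious_reasons(user: str, ts: datetime, host: str) -> list:
    """Return every reason a logon looks off; an empty list means nothing to act on."""
    baseline = BASELINES.get(user)
    if baseline is None:
        return ["account has no baseline"]
    reasons = []
    if ts.hour not in baseline["hours"]:
        reasons.append(f"logon at {ts:%H:%M} outside usual hours")
    if host in SENSITIVE_HOSTS and not baseline["sensitive_ok"]:
        reasons.append(f"attempted access to sensitive host {host}")
    return reasons

def respond(events: list, directory: DirectoryStub) -> list:
    """Disable implicated accounts immediately; protected or unknown accounts are only flagged."""
    actions = []
    for ev in events:
        reasons = suspicious_reasons(ev["user"], datetime.fromisoformat(ev["time"]), ev["host"])
        if not reasons:
            continue
        if ev["user"] in PROTECTED or ev["user"] not in BASELINES:
            actions.append({"user": ev["user"], "action": "flag_for_review", "reasons": reasons})
        else:
            directory.disable(ev["user"])
            actions.append({"user": ev["user"], "action": "disabled", "reasons": reasons})
    return actions
# Constructed logon events in the shape a SIEM might forward them (hypothetical).
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2024-03-04T03:12:00", "host": "payroll-app"},
    {"user": "alice", "time": "2024-03-04T09:30:00", "host": "fileshare-02"},
    {"user": "svc-backup", "time": "2024-03-04T14:00:00", "host": "hr-db-01"},
    {"user": "mallory", "time": "2024-03-04T23:45:00", "host": "fileshare-02"},
]
```

The returned action list is the audit trail: every disable or flag carries the reasons that triggered it, which is what the analyst who reviews the case afterwards needs.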

5. Guided Investigations

So far, I’ve covered some of the more conventional use cases for automation, so let’s look at a less well-known idea: using automation to guide investigators through procedures. It’s common to build playbooks and automate steps within them, but automation can also be applied to deep investigations to keep investigators on track. This is especially useful for teams that comprise a wide range of experience levels, because internal lessons learned, industry best practices, and even regional compliance requirements can be built into investigative workflows. This ensures that the right steps are taken, even if the investigator is not familiar with the requirements of different jurisdictions or incident types.

6. Reporting Thresholds

It’s important for managers, executives, and other stakeholders to have visibility into security processes, but you don’t want to waste your security team’s time with filling out and sending regular reports. With automation, you can set thresholds that trigger reports, such as when there are too many open incidents, or when someone has missed an important deadline.

7. Notifications and Task Assignments

Automation isn’t just about making actions faster; it can also help coordinate the people and processes that make up your security team. Similar to setting thresholds for automated reporting, automated tools can be given criteria for automated notifications and assignments. For example, automated notifications might remind analysts of open tasks or approaching deadlines, or a task might be assigned to the legal team when an approval is needed.


Like any tool, automation should be implemented with careful consideration. It can bring value to just about any security team, but how much value depends entirely on how well you match it to your most pressing needs, existing security infrastructure, and organizational procedures. This has been merely a sampling of the processes that can be automated, and with so much innovation currently happening in the industry, it’s worth taking some time to think about which other automated processes would also provide you with value.
