
The five key steps to security automation

Last month, Volvo, the Swedish automaker, announced plans for a Level 4 self-driving car by 2021. In the progression of automation levels for cars, Level 4 cars are labelled “high automation.” This means that the vehicle can perform all driving functions under certain conditions, and the driver has the option to control the vehicle. Just think, in three years and in some environments, Volvo drivers could safely nap, eat, talk on the phone, read or even watch a movie. At lower automation levels, the driver must remain engaged to varying degrees. And at Level 5 – the holy grail – the driver becomes unnecessary.

Reading more about comments made by Volvo’s CEO, I found it interesting that Volvo skipped Level 3 entirely, deeming it unsafe. At intermediate levels of autonomy, confusion about who is responsible and who is in control can arise, and that puts reliability at risk. That struck a chord with me, and I believe the same concern has held back automation in other areas of our lives. It certainly holds true in our world of security operations: what level is the right level, and what is required for us to apply automation comfortably?

Let’s face it, we’ve talked about security automation for years. We’ve grappled with what, when and how to automate. We’ve debated the human vs machine topic. And at certain points, when we’ve been “burned” (automatically shutting down systems in error), we’ve wondered if there’s any place at all for automation. But in our heart of hearts, we know that automation is the future and the future is here. Plus, given the cybersecurity talent shortage, we simply must automate certain time-sensitive, manual tasks if we want to retain and make better use of the security professionals we have. 

So how do we move forward with automation and gain the value that comes when we apply it confidently at the right level? It is a simple five-step process and it all starts with context.

1. Context allows us to understand and prioritize. In security operations, context comes from aggregating internal threat and event data and augmenting it with external threat feeds. Correlate the events and associated indicators from inside your environment (for example from your security information and event management (SIEM) system, log management repository and case management systems) with external data on indicators, adversaries and their methods, and you gain the context to understand the who, what, where, when, why and how of an attack.

2. Prioritization gives focus. Now you can prioritize based on relevance to your environment. But what is relevant to one company may not be for another. It is important to be able to assess and change risk scores based on the parameters you set. Filtering out what’s noise for you allows you to understand what to work on first. You can focus on what really matters to your organization rather than wasting time and resources chasing ghosts.

3. Greater focus leads to better decisions. Without the distraction of noise and false positives, you can focus and spend more time analyzing and understanding what’s important. Whether you’re working in your SIEM and evaluating alerts, or in your incident response platform looking at a case, you have the context, focus and breathing room to make better decisions. 

4. Better decisions lead to more confidence. Now you can work more efficiently and effectively. You know what needs to get done, and you start to understand how to do it better. Over time, with multiple successes under your belt, you gain confidence and realize that processes you have recognized to be repetitive and low-risk no longer need to be done manually.

5. Confidence leads to automation. Success breeds confidence and the comfort level you need to move forward with automation. You know these tasks inside and out and have little fear of breaking something or having a negative impact on the business. You may decide to automate an entire process or just select aspects, for example prioritizing alerts, scoring and re-scoring threat feeds, hardening your sensor grid, etc. 
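The five steps above read as one pipeline: correlate internal events with external indicators, score them in your organization's own terms, drop the noise, and only then let the low-risk, repetitive follow-ups run unattended. The script below is an added illustration of that pipeline and is not ThreatQuotient's code or any product's schema. The threat feed, the SIEM-style events, the weights, thresholds and the two action lists are all constructed for the example; the field names and the scoring formula are assumptions, chosen to show the shape of the logic rather than a recommended model. It also includes the feed re-scoring that step 5 mentions, implemented as a feedback loop from analyst verdicts, which goes slightly beyond what the text spells out.

```python
"""Context -> prioritization -> gated automation, as an added worked example.
All data below is constructed; field names and weights are assumptions."""

# Constructed external threat feed: indicator -> attributes (not a real feed).
THREAT_FEED = {
    "203.0.113.45": {"confidence": 90, "adversary": "FIN-X", "tags": ["c2"]},
    "198.51.100.7": {"confidence": 30, "adversary": None, "tags": ["scanner"]},
    "evil.example": {"confidence": 75, "adversary": "APT-Y", "tags": ["phishing"]},
}

# Constructed internal events, as a SIEM or log repository might yield them.
INTERNAL_EVENTS = [
    {"id": 1, "src": "10.0.0.5", "dst": "203.0.113.45", "domain": None, "asset_criticality": "high"},
    {"id": 2, "src": "10.0.0.9", "dst": "198.51.100.7", "domain": None, "asset_criticality": "low"},
    {"id": 3, "src": "10.0.0.12", "dst": "192.0.2.8", "domain": "evil.example", "asset_criticality": "medium"},
    {"id": 4, "src": "10.0.0.20", "dst": "192.0.2.99", "domain": "intranet.corp.example", "asset_criticality": "high"},
]

# Step 2: organization-specific parameters (hypothetical values; another company
# would weight assets, tags and adversaries differently).
ORG_PARAMS = {
    "asset_weight": {"high": 3.0, "medium": 2.0, "low": 1.0},
    "tag_weight": {"c2": 40, "phishing": 25, "scanner": -20},  # mass scanning is noise here
    "adversaries_of_concern": {"FIN-X"},                       # known to target this sector
    "noise_floor": 20,                                         # below this, do not surface at all
}

# Step 5: repetitive, low-risk actions may run unattended; anything that can
# take a system offline waits for a human regardless of score.
AUTOMATABLE = {"enrich", "tag", "open_case"}
HUMAN_ONLY = {"isolate_host", "block_egress"}


def correlate(event, feed=THREAT_FEED):
    """Step 1: attach every external indicator that matches the event."""
    matches = []
    for field in ("dst", "domain"):
        ioc = event.get(field)
        if ioc and ioc in feed:
            matches.append((ioc, feed[ioc]))
    return matches


def score(event, matches, params=ORG_PARAMS):
    """Step 2: risk score in this organization's terms; 0.0 when nothing matched."""
    best = 0.0
    for _ioc, attrs in matches:
        s = float(attrs["confidence"])
        s += sum(params["tag_weight"].get(t, 0) for t in attrs["tags"])
        if attrs["adversary"] in params["adversaries_of_concern"]:
            s *= 1.5
        best = max(best, s)
    return round(best * params["asset_weight"][event["asset_criticality"]], 1)


def prioritize(events, feed=THREAT_FEED, params=ORG_PARAMS):
    """Steps 1-3: correlate, score, drop the noise, order by what matters most."""
    ranked = []
    for ev in events:
        matches = correlate(ev, feed)
        s = score(ev, matches, params)
        if s < params["noise_floor"]:
            continue  # noise for this org: the scanner hit and the unmatched event
        ranked.append({"id": ev["id"], "score": s,
                       "indicators": [ioc for ioc, _ in matches],
                       "adversaries": sorted(a["adversary"] for _, a in matches if a["adversary"])})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def plan_actions(ranked, case_threshold=150):
    """Step 5: propose follow-ups, then split them into what runs unattended
    and what is queued for an analyst. The gate is the action type, not the score."""
    plan = []
    for item in ranked:
        proposed = ["enrich", "tag"]
        if item["score"] >= case_threshold:
            proposed += ["open_case", "isolate_host"]
        plan.append({"id": item["id"],
                     "automated": [a for a in proposed if a in AUTOMATABLE],
                     "needs_human": [a for a in proposed if a in HUMAN_ONLY]})
    return plan


def rescore_feed(feed, verdicts, step_up=5, step_down=10):
    """Step 5 (re-scoring feeds): fold analyst verdicts (True = true positive)
    back into indicator confidence, clamped to 0..100. Returns a new feed."""
    updated = {ioc: dict(attrs) for ioc, attrs in feed.items()}
    for ioc, outcomes in verdicts.items():
        if ioc not in updated:
            continue
        delta = sum(step_up if tp else -step_down for tp in outcomes)
        updated[ioc]["confidence"] = max(0, min(100, updated[ioc]["confidence"] + delta))
    return updated


if __name__ == "__main__":
    ranked = prioritize(INTERNAL_EVENTS)
    print(ranked)
    print(plan_actions(ranked))
    print(rescore_feed(THREAT_FEED, {"198.51.100.7": [False, False, False]})["198.51.100.7"])
```

Run as written, the scanner hit (event 2) scores 10 and never reaches an analyst, the unmatched internal event (event 4) scores 0, and the two real matches come out ordered by the organization's own weighting. Host isolation is proposed for both but never executed automatically; that is the design point behind the article's remark about being "burned" by automated shutdowns. The re-scoring call shows three false-positive verdicts driving the scanner indicator's confidence from 30 to 0, so it will not surface again for this organization even before the noise floor is applied.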

The debate continues about Level 5 and the promise of completely autonomous cars. That’s not my area of expertise, but I’m curious to see how that plays out. What I do know is that the human element will always remain vital in security operations. Automation will allow us to move through processes faster for better decisions and accelerated action. But we can only make the transition successfully when context, and the humans behind it, drive automation.

Article by ThreatQuotient APAC regional director Anthony Stitt
