sb-as logo
Story image

The five key steps to security automation

Last month, Volvo, the Swedish automaker, announced plans for a Level 4 self-driving car by 2021. In the progression of automation levels for cars, Level 4 cars are labelled “high automation.” This means that the vehicle can perform all driving functions under certain conditions, and the driver has the option to control the vehicle. Just think, in three years and in some environments, Volvo drivers could safely nap, eat, talk on the phone, read or even watch a movie. At lower automation levels, the driver must remain engaged to varying degrees. And at Level 5 – the holy grail – the driver becomes unnecessary.

Reading more about comments made by Volvo’s CEO, I found it interesting that Volvo skipped Level 3 entirely, deeming it unsafe. With lower levels of autonomy, confusion about responsibility and control can arise, putting reliability at risk. That struck a chord with me and I believe has been part of the concern when applying automation to other areas in our lives. When thinking about our world of security operations this holds very true. What level is the right level, and what’s required for us to comfortably apply automation? 

Let’s face it, we’ve talked about security automation for years. We’ve grappled with what, when and how to automate. We’ve debated the human vs machine topic. And at certain points, when we’ve been “burned” (automatically shutting down systems in error), we’ve wondered if there’s any place at all for automation. But in our heart of hearts, we know that automation is the future and the future is here. Plus, given the cybersecurity talent shortage, we simply must automate certain time-sensitive, manual tasks if we want to retain and make better use of the security professionals we have. 

So how do we move forward with automation and gain the value that comes when we apply it confidently at the right level? It is a simple five-step process and it all starts with context.

1. Context allows us to understand and prioritize. In security operations, context comes from aggregating and augmenting internal threat and event data with external threat feeds. By correlating events and associated indicators from inside your environment (for example from sources including your security information and event management (SIEM) system, log management repository and case management systems) with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack.

2. Prioritization gives focus. Now you can prioritize based on relevance to your environment. But what is relevant to one company may not be for another. It is important to be able to assess and change risk scores based on the parameters you set. Filtering out what’s noise for you allows you to understand what to work on first. You can focus on what really matters to your organization rather than wasting time and resources chasing ghosts.

3. Greater focus leads to better decisions. Without the distraction of noise and false positives, you can focus and spend more time analyzing and understanding what’s important. Whether you’re working in your SIEM and evaluating alerts, or in your incident response platform looking at a case, you have the context, focus and breathing room to make better decisions. 

4. Better decisions lead to more confidence. Now you can work more efficiently and effectively. You know what needs to get done and you start to understand how to do it better. Over time, with multiple successes under your belt, you gain confidence and realize you don’t have to continue to do processes manually that you’ve recognized to be repetitive and low-risk.  

5. Confidence leads to automation. Success breeds confidence and the comfort level you need to move forward with automation. You know these tasks inside and out and have little fear of breaking something or having a negative impact on the business. You may decide to automate an entire process or just select aspects, for example prioritizing alerts, scoring and re-scoring threat feeds, hardening your sensor grid, etc. 

The debate continues about Level 5 and the promise of completely autonomous cars. That’s not my area of expertise, but I’m curious to see how that plays out. What I do know is that the human element will always remain vital in security operations. Automation will allow us to move through processes faster for better decisions and accelerated action. But we can only make the transition successfully when context, and the humans behind it, drive automation

Article by ThreatQuotient APAC regional director Anthony Stitt

Story image
Digital payments fuelling fraud surge during COVID crisis
Digital payments are fuelling a multibillion-dollar fraud surge worldwide.More
Story image
Radware launches DDoS protection for online gaming
“Online games are a massive, multi-billion-dollar industry, but they frequently fall victim to powerful and targeted DDoS attacks,"More
Link image
How to head off a rise in DDoS attacks
Many businesses invest in costly DDoS mitigation and protection solutions, but few test them. NCC Group tests all environments and is one of only two AWS DDoS Test Partners. Claim 10% off your next DDoS service today.More
Story image
Video: 10 Minute IT Jams - protecting data with user behaviour analytics
In this video, Forcepoint senior sales engineer and solutions architect Matthew Bant discusses the company's DLP solution, the importance of integrating compliance into security solutions, and why cybersecurity strategies should take a more people-based approach.More
Story image
New project development inhibited by cybersecurity, Kaspersky research states
"There are still some practical steps that can be taken to make sure that an emerging technology or a product reaches its launch. Cybersecurity doesn’t have to be another corporate barrier, but it should be on an integral part of the project all long."More
Story image
Palo Alto Networks extends cloud native security platform with new modules
Palo Alto Networks has announced the availability of Prisma Cloud 2.0, including four new cloud security modules, thus extending its Cloud Native Security Platform (CNSP). More