The five key steps to security automation
Last month, Volvo, the Swedish automaker, announced plans for a Level 4 self-driving car by 2021. In the progression of automation levels for cars, Level 4 cars are labelled “high automation.” This means that the vehicle can perform all driving functions under certain conditions, and the driver has the option to control the vehicle. Just think, in three years and in some environments, Volvo drivers could safely nap, eat, talk on the phone, read or even watch a movie. At lower automation levels, the driver must remain engaged to varying degrees. And at Level 5 – the holy grail – the driver becomes unnecessary.
Reading more about comments made by Volvo’s CEO, I found it interesting that Volvo skipped Level 3 entirely, deeming it unsafe. With lower levels of autonomy, confusion about responsibility and control can arise, putting reliability at risk. That struck a chord with me and I believe has been part of the concern when applying automation to other areas in our lives. When thinking about our world of security operations this holds very true. What level is the right level, and what’s required for us to comfortably apply automation?
Let’s face it, we’ve talked about security automation for years. We’ve grappled with what, when and how to automate. We’ve debated the human vs machine topic. And at certain points, when we’ve been “burned” (automatically shutting down systems in error), we’ve wondered if there’s any place at all for automation. But in our heart of hearts, we know that automation is the future and the future is here. Plus, given the cybersecurity talent shortage, we simply must automate certain time-sensitive, manual tasks if we want to retain and make better use of the security professionals we have.
So how do we move forward with automation and gain the value that comes when we apply it confidently at the right level? It is a simple five-step process and it all starts with context.
1. Context allows us to understand and prioritize. In security operations, context comes from aggregating and augmenting internal threat and event data with external threat feeds. By correlating events and associated indicators from inside your environment (for example from sources including your security information and event management (SIEM) system, log management repository and case management systems) with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack.
2. Prioritization gives focus. Now you can prioritize based on relevance to your environment. But what is relevant to one company may not be for another. It is important to be able to assess and change risk scores based on the parameters you set. Filtering out what’s noise for you allows you to understand what to work on first. You can focus on what really matters to your organization rather than wasting time and resources chasing ghosts.
3. Greater focus leads to better decisions. Without the distraction of noise and false positives, you can focus and spend more time analyzing and understanding what’s important. Whether you’re working in your SIEM and evaluating alerts, or in your incident response platform looking at a case, you have the context, focus and breathing room to make better decisions.
4. Better decisions lead to more confidence. Now you can work more efficiently and effectively. You know what needs to get done and you start to understand how to do it better. Over time, with multiple successes under your belt, you gain confidence and realize you don’t have to continue to do processes manually that you’ve recognized to be repetitive and low-risk.
5. Confidence leads to automation. Success breeds confidence and the comfort level you need to move forward with automation. You know these tasks inside and out and have little fear of breaking something or having a negative impact on the business. You may decide to automate an entire process or just select aspects, for example prioritizing alerts, scoring and re-scoring threat feeds, hardening your sensor grid, etc.
The debate continues about Level 5 and the promise of completely autonomous cars. That’s not my area of expertise, but I’m curious to see how that plays out. What I do know is that the human element will always remain vital in security operations. Automation will allow us to move through processes faster for better decisions and accelerated action. But we can only make the transition successfully when context, and the humans behind it, drive automation
Article by ThreatQuotient APAC regional director Anthony Stitt