Let’s face it, we’ve talked about security automation for years. We’ve grappled with what, when and how to automate. We’ve debated the human vs machine topic. And at certain points, when we’ve been “burned” (automatically shutting down systems in error), we’ve wondered if there’s any place at all for automation. But in our heart of hearts, we’ve known for years that automation is the future. Now the future is here.
Most organisations have deployed, at least, the minimal automation of key security and incident response (IR) processes. However, the events of 2020 have served as a tipping point for doing more.
The new SANS report discusses how the global pandemic forced many organisations to accelerate their automation plans, where they prioritise their investments and the plans they have for the future. The survey spanned companies of all sizes, representing a diverse blend of industries with operations in North American, Europe, Asia Pacific and Africa.
What do we learn from the findings?
- Nearly one-third of organisations indicated that their plans for automation accelerated because of the COVID-19 pandemic.
- More than 80% of organisations have, at least, partially automated key security and IR processes, up from 47% in 2020.
- Drilling deeper, IR processes saw the most significant growth in automation. Those deploying with extensive automation jumped nearly 18%, from 10.5% in 2020 to 28.3% in 2021.
- Security operations and event or alert processing remain the top automation area, with 35.5% reporting extensive automation.
- The future looks bright for security automation. 85% of respondents plan to automate key security and IR processes in the next 12 months alone.
As you look to the future and use these survey results to help better understand how to expand your use of automation within your security operations, it’s important to consider when to apply automation within the security lifecycle to maximise business value.
At ThreatQuotient, we have long believed that data is the lifeblood of detection and response automation. We know the key to effective automation starts with data. Let’s take the two primary use cases in the report, Alert Triage and Incident Response, as examples.
Alert Triage
Analysts are inundated by the number of alerts that require human attention, often generated by noisy SIEM rules and default defense infrastructure. In an attempt to reduce the volume and velocity of security alerts they must tackle daily, analysts apply external threat data and threat intelligence feeds directly to the SIEM, but challenges continue for two main reasons.
First, the amount of external threat data is staggering. Sending all of this data directly to the SIEM for correlation results in tons of non-contextual alerts. Each of these requires significant work by an analyst to research. Second, there is a lack of decision support capabilities in current tools to provide additional context and understanding to determine relevance before applying threat intelligence feeds directly to the SIEM. Prioritisation is imperative to focus and determine the appropriate next actions to take during the alert triage process.
With the ThreatQ Platform, you can address the alert triage challenge. It enables you to stop the useless alerts before they happen by ONLY feeding threat intelligence relevant to the organisation. By automatically applying context, relevance and prioritisation to threat data before applying it to the SIEM, the SIEM becomes more efficient and effective.
Customised threat intelligence scores are based on parameters you set. Coupled with context, it allows for prioritisation based on what’s relevant to your specific environment. Now, using a subset of threat data that has been curated into threat intelligence, the additional overlay allows the SIEM to generate fewer false positives and encounter fewer scalability issues.
Incident Response
The current approach to Security Orchestration, Automation and Response (SOAR) has focused on automating processes. The challenge is that when applied to detection and response, process-focused playbooks are inherently inefficient and complex. The decision-making criteria and logic are built into the playbooks, and updates need to be made in each playbook. This complexity grows exponentially as you increase the number of playbooks. Automating and orchestrating noisy data just amplifies the noise.
With ThreatQ TDR Orchestrator, you can take a simplified, data-driven approach to SOAR. The data, or information, drives playbook initiation and data learned by actions taken is used for analytics and to improve future response. It puts the “smarts in the platform” and not individual playbooks. It also provides for simpler configuration and maintenance and more efficient and effective automation outcomes. Users can curate and prioritise data upfront, automate what’s relevant and simplify actions taken.
ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.
