Automation in cybersecurity: overcoming barriers

“Automation” has become a buzzword in cybersecurity circles. That is not surprising in an environment where security specialists are in short supply and under intense pressure to defend the business against a huge variety of threats from numerous sources.

Using technology to do at least some of the work seems like a no-brainer. Nevertheless, organisations are finding it hard to settle on the right approach to cybersecurity automation. Research ThreatQuotient conducted last year found that limited resources, limited time and a lack of trust in the outcomes prevent companies from realising the benefits of automation.

In a recent webinar, I was joined by Nabil Adouani, CEO of StrangeBee and co-founder of The Hive Project, and by our Global VP of Threat Intelligence Engineering, Chris Jacobs, to discuss the current state of automation, the expectations around what automation can actually achieve, and what this means for implementation in the real world.

From automation to orchestration and XDR – all sides of the same coin?

One of the challenges around automation is defining what we mean by the term and where it differs from orchestration. Automation is anything that replaces a manual, human-driven activity with a computer-driven alternative. It has applications across the technology sector wherever there is a repetitive manual task that is better done by a machine that never gets bored and executes the same steps the same way every time. (A machine will also repeat a mistake the same way every time, which is why the process being automated needs to be understood and correct first.)

In the incident response area of cybersecurity, automation can be used at any stage of the process. Examples include ingesting alert data, enriching alerts, and even automating elements of the response. Often automation and orchestration seem to be used interchangeably, but there should be a distinction.

Automation is the conversion/adaptation of a single manual process to be completed by machines. Orchestration, however, is applied to a multi-stage workflow involving multiple different tools, which are automated and brought together to execute a process.

When it comes to XDR, there is further uncertainty around what the term means. Analyst company Gartner suggests that XDR should have a minimum of three elements: endpoint detection and response (EDR), security information and event management (SIEM), and incident response capabilities. Together these constitute XDR, and orchestration can then be layered on top to coordinate a series of automated actions based on the capabilities of the platform.

However, despite all the buzz around automation, orchestration, and XDR, the path to implementation has not proved easy.

Orchestration is not a silver bullet

On the face of it, orchestration is an obvious win. It lifts the burden of repetitive tasks and saves time, allowing cybersecurity teams to focus on higher-value activities. Yet adoption remains limited.

Industry observers have even seen examples where businesses shifted from having no orchestration, straight to full orchestration, and then back to no orchestration. This was because they found they spent all their time and resources fixing the automated workflows to function properly. They concluded that a simple script could work just as well for their use case.

Chris Jacobs advises that teams shouldn’t assume that by buying and installing a platform, they’ll suddenly find themselves “magically” capable of doing things they weren’t doing before. First, they need to look at what processes they currently undertake manually and identify how these will benefit from orchestration into an automated workflow on the platform.

Nabil Adouani suggests another reason for low adoption relates to the number of existing tools already in use. When there are already many tools in play, adding an orchestration platform that must be maintained actually increases the pressure on teams. It is the exact opposite of the desired effect. If security professionals who want to be focusing on security need to frequently add new use cases, update workflows and work on integrations, this may lead to task avoidance and low adoption of the tool.

Deciding where to start

Organisations can feel overwhelmed with the potential scale at which they could automate cybersecurity detection, management, and response. So, where is the best place to start?

First, decide what types of incidents you want to handle with the tool. Then look at what you are already doing and where you are doing it when an incident occurs. So, for example, you might be using spreadsheets, OneNote, and emails to record and handle incidents, following a manual playbook. Look at that process, determine which elements could be automated, and then orchestrated into a multi-stage process in the platform.

This approach has the added benefit of overcoming a lack of trust in the outcomes of orchestrated processes. Knowing what your process outcomes look like before orchestrating them makes it easier to accept a similar outcome from the orchestration tool rationally.

Detection and vulnerability management are strong use cases for automation, and we recommend that businesses initially put the majority of their focus here. Network detection, email security, and endpoint detection are all areas where, once an issue is identified, multiple automated actions can be launched: informing the relevant stakeholders, enriching the alert data, and prioritising the actions needed to mitigate the issue.

In the case of vulnerability management, scanning identifies the weaknesses. Add an automated workflow, and each finding can be routed to the people who need to action remediation, rather than sitting in a scanner report waiting for someone to read it.

Automation can be use case dependent

It is also important to understand that the level of automation and orchestration that is appropriate will depend on the use case. Very few organisations will want to remove human oversight entirely from a process. For example, in patch management, it is not advisable to automatically patch all your servers just because the tool has identified a vulnerability and an available patch: an untested patch rolled out fleet-wide can cause an outage worse than the exposure it fixes. Human input on scheduling and testing needs to be retained.

Instead, use automation for the steps around the patch. When the tool identifies a vulnerability, it automatically alerts the relevant stakeholders and proposes the right combination of compensating controls, so that those controls can be put in place before the patch itself is approved and implemented.
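The workflow described in the last few sections, as an added example (not code from ThreatQuotient, StrangeBee or The Hive Project): three single-step automations (enrich, prioritise, notify) chained into one orchestrated playbook, with any change-making action such as patching or isolating a host queued for a human to approve while compensating controls are proposed in the meantime. The threat-intel table, asset inventory, sample alerts and e-mail addresses are all constructed stand-ins for the feeds, CMDB and ticketing system a real platform would query.

```python
"""Minimal orchestration playbook with a human approval gate.

Added example, not code from ThreatQuotient, StrangeBee or The Hive Project.
All data sources are constructed in-memory tables standing in for a threat-intel
feed, a CMDB and a ticketing system.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a threat-intelligence feed (indicator -> context).
THREAT_INTEL: Dict[str, dict] = {
    "203.0.113.10": {"score": 90, "tags": ["c2"]},       # TEST-NET-3 address
    "198.51.100.7": {"score": 20, "tags": ["scanner"]},  # TEST-NET-2 address
}

# Constructed stand-in for an asset inventory / CMDB (host -> attributes).
ASSETS: Dict[str, dict] = {
    "web-01": {"owner": "platform-team@example.com", "exposure": "internet", "critical": True},
    "dev-03": {"owner": "dev-team@example.com", "exposure": "internal", "critical": False},
}
UNKNOWN_ASSET = {"owner": "soc@example.com", "exposure": "unknown", "critical": False}


@dataclass
class Incident:
    alert_id: str
    host: str
    indicator: str
    finding: Optional[str] = None          # e.g. a scanner result that needs a patch
    enrichment: dict = field(default_factory=dict)
    priority: str = "low"
    notifications: List[str] = field(default_factory=list)
    compensating_controls: List[str] = field(default_factory=list)
    pending_approval: List[dict] = field(default_factory=list)
    executed: List[dict] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)


# --- single-step automations: each replaces one manual task -----------------

def enrich(inc: Incident) -> Incident:
    """Attach threat-intel and asset context to the alert."""
    inc.enrichment["intel"] = THREAT_INTEL.get(inc.indicator, {"score": 0, "tags": []})
    inc.enrichment["asset"] = ASSETS.get(inc.host, UNKNOWN_ASSET)
    inc.audit.append("enriched")
    return inc


def prioritise(inc: Incident) -> Incident:
    """Combine indicator score and asset criticality/exposure into a priority."""
    score = inc.enrichment["intel"]["score"]
    asset = inc.enrichment["asset"]
    if score >= 70 and asset["critical"]:
        inc.priority = "critical"
    elif score >= 70 or asset["exposure"] == "internet":
        inc.priority = "high"
    elif score >= 30:
        inc.priority = "medium"
    else:
        inc.priority = "low"
    inc.audit.append("prioritised:" + inc.priority)
    return inc


def notify(inc: Incident) -> Incident:
    """Tell the asset owner; page on-call as well for critical incidents."""
    recipients = [inc.enrichment["asset"]["owner"]]
    if inc.priority == "critical":
        recipients.append("oncall@example.com")
    inc.notifications.extend(recipients)
    inc.audit.append("notified")
    return inc


def propose_remediation(inc: Incident) -> Incident:
    """Queue change-making actions for approval; never apply them unattended."""
    asset = inc.enrichment["asset"]
    if inc.finding:
        inc.pending_approval.append({"action": "patch", "host": inc.host, "finding": inc.finding})
        if asset["exposure"] == "internet":
            inc.compensating_controls.append("restrict ingress to the affected service")
    if inc.enrichment["intel"]["score"] >= 70:
        inc.pending_approval.append({"action": "isolate_host", "host": inc.host})
        inc.compensating_controls.append("block " + inc.indicator + " at the perimeter")
    inc.audit.append("remediation proposed")
    return inc


# --- orchestration: the automations chained into one workflow ---------------

PLAYBOOK: List[Callable[[Incident], Incident]] = [enrich, prioritise, notify, propose_remediation]


def run_playbook(alert: dict, playbook=PLAYBOOK) -> Incident:
    inc = Incident(alert_id=alert["id"], host=alert["host"],
                   indicator=alert["indicator"], finding=alert.get("finding"))
    for step in playbook:
        inc = step(inc)
    return inc


def approve(inc: Incident, action: str, approver: str) -> Incident:
    """Human-in-the-loop gate: an analyst releases one queued action."""
    for item in list(inc.pending_approval):
        if item["action"] == action:
            inc.pending_approval.remove(item)
            inc.executed.append(dict(item, approved_by=approver))
            inc.audit.append("approved:" + action + ":" + approver)
    return inc


# Constructed sample alerts, as an EDR or scanner might emit them.
SAMPLE_ALERTS = [
    {"id": "ALR-1", "host": "web-01", "indicator": "203.0.113.10", "finding": "TLS 1.0 enabled"},
    {"id": "ALR-2", "host": "dev-03", "indicator": "198.51.100.7"},
    {"id": "ALR-3", "host": "db-99", "indicator": "192.0.2.44"},  # nothing known about host or indicator
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        inc = run_playbook(alert)
        print(inc.alert_id, inc.priority, inc.notifications, inc.pending_approval)
```

The point of splitting the playbook into separately testable steps is that each one can be compared against the manual process it replaces before the chain is trusted, and the audit list on each incident records exactly which automated step and which human made each decision.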

One of the major advantages of using a centralised platform is that all teams are using the same data and starting from the same point. It helps get cross-disciplinary IT and security teams working together and starts to break down the siloes that often exist between departments.

In summary, when starting with automation, first identify the repetitive, time-consuming workflows you already undertake that can be orchestrated. Then design the workflow with the appropriate balance of automation and human input for the use case. Focus initially on the detection phase before determining what aspects of response can or should be automated.

Finally, explore how access to the tool can go further to break down siloes between departments and get all teams working effectively together on a unified security mission.

This approach should reduce some of the pain points around implementing automation and ensure organisations are realistic in their expectations of what they can achieve.


ThreatQuotient improves security operations by fusing together disparate data sources, tools and teams to accelerate threat detection and response. ThreatQuotient’s data-driven security operations platform helps teams prioritize, automate and collaborate on security incidents; enables more focused decision making; and maximizes limited resources by integrating existing processes and technologies into a unified workspace. The result is reduced noise, clear priority threats, and the ability to automate processes with high fidelity data. ThreatQuotient’s industry leading data management, orchestration and automation capabilities support multiple use cases including incident response, threat hunting, spear phishing, alert triage and vulnerability prioritization, and can also serve as a threat intelligence platform. ThreatQuotient is headquartered in Northern Virginia with international operations based out of Europe, MENA and APAC. For more information, visit www.threatquotient.com.
