Security automation is the process of automatically detecting, investigating and remediating cyberthreats — with or without human intervention — using a programmatic solution specifically designed for this purpose. Security automation works by identifying threats to an organization’s security posture, sorting and performing triage on them and setting a priority level, then responding to them in turn. Security automation is instrumental in helping streamline the multitude of alerts that security teams deal with on a daily basis.
In a modern security operations center (SOC), automation does a majority of the basic work assigned to security analysts, not only improving the speed and efficiency of threat detection, investigation and response, but also freeing the human operators from the responsibility to manually address alerts and giving them more time to focus on higher-level security tasks.
Some of the capabilities of security automation include:
- Detecting threats to an organization’s environment
- Enriching, correlating, grouping and prioritizing alerts to accelerate investigations
- Applying predefined actions to contain and remediate issues
Current security automation software can perform all of these actions in seconds, often without requiring intervention from the security team, relieving analysts of repetitive, manual and time-consuming activities.
Automated systems also accelerate threat detection. Human operators are bombarded with security alerts, which can lead to what is known as “alert fatigue.” A recent study by IDC Research indicates that companies of all sizes are ignoring up to one-third of security alerts and are spending just as much time investigating false positives.
It’s easy to see why a solution that automatically removes false positives, enriches alerts with threat intelligence, groups numerous related alerts into a few incidents and prioritizes them according to the risk they pose to the organization can make a significant difference in identifying issues before they escalate. Automation can also help analysts avoid errors by reducing alert fatigue and the number of manual steps in each investigation, so security teams feel less overwhelmed.
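The enrich, group and prioritize pipeline described above, as an added example that is not code from the original article or from any vendor's product. The alerts, the threat-intelligence table, the correlation window and the scoring weights are all constructed for illustration; a real platform would pull these from the SIEM and from a threat-intelligence feed.

```python
"""Toy alert-triage pipeline: enrich, correlate into incidents, prioritize.

Added example, not code from the original article or any SOAR product.
The alerts, threat-intel table and scoring weights are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel feed: indicator -> (verdict, confidence 0-100).
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges (RFC 5737).
THREAT_INTEL = {
    "198.51.100.7": ("malicious", 90),
    "203.0.113.44": ("suspicious", 50),
    "evil-updates.example": ("malicious", 95),
}

# Constructed raw alerts, roughly as a SIEM would emit them.
ALERTS = [
    {"id": 1, "ts": "2024-03-01T09:00:00", "host": "ws-017", "user": "alice",
     "rule": "outbound_to_known_bad_ip", "indicator": "198.51.100.7", "severity": "medium"},
    {"id": 2, "ts": "2024-03-01T09:02:00", "host": "ws-017", "user": "alice",
     "rule": "dns_query_suspicious_domain", "indicator": "evil-updates.example", "severity": "low"},
    {"id": 3, "ts": "2024-03-01T09:03:30", "host": "ws-017", "user": "alice",
     "rule": "new_scheduled_task", "indicator": None, "severity": "low"},
    {"id": 4, "ts": "2024-03-01T13:00:00", "host": "srv-db-01", "user": "svc_backup",
     "rule": "outbound_to_known_bad_ip", "indicator": "203.0.113.44", "severity": "medium"},
    {"id": 5, "ts": "2024-03-01T15:10:00", "host": "ws-042", "user": "bob",
     "rule": "failed_logon_burst", "indicator": None, "severity": "low"},
]

SEVERITY_BASE = {"low": 10, "medium": 30, "high": 60, "critical": 90}
CORRELATION_WINDOW = timedelta(minutes=30)  # assumed grouping window


def enrich(alert):
    """Attach the threat-intel verdict for the alert's indicator (if any)."""
    verdict, confidence = THREAT_INTEL.get(alert["indicator"], ("unknown", 0))
    return {**alert, "ti_verdict": verdict, "ti_confidence": confidence,
            "ts": datetime.fromisoformat(alert["ts"])}


def group_into_incidents(alerts):
    """Correlate alerts on the same host that fall within a sliding time window."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, host_alerts in by_host.items():
        current = [host_alerts[0]]
        for a in host_alerts[1:]:
            if a["ts"] - current[-1]["ts"] <= CORRELATION_WINDOW:
                current.append(a)
            else:
                incidents.append({"host": host, "alerts": current})
                current = [a]
        incidents.append({"host": host, "alerts": current})
    return incidents


def score(incident):
    """Risk score: highest base severity, plus half the best TI confidence,
    plus a bonus for several distinct rules firing (a chain of behaviour
    on one host is more suspicious than a single event). Capped at 100."""
    alerts = incident["alerts"]
    base = max(SEVERITY_BASE[a["severity"]] for a in alerts)
    ti = max(a["ti_confidence"] for a in alerts)
    distinct_rules = len({a["rule"] for a in alerts})
    chain_bonus = 15 * (distinct_rules - 1)
    return min(100, base + ti // 2 + chain_bonus)


def triage(raw_alerts):
    """Full pipeline: enrich -> group -> score -> sort by descending risk."""
    incidents = group_into_incidents([enrich(a) for a in raw_alerts])
    for inc in incidents:
        inc["risk"] = score(inc)
        inc["alert_ids"] = [a["id"] for a in inc["alerts"]]
    return sorted(incidents, key=lambda i: i["risk"], reverse=True)


if __name__ == "__main__":
    # Five raw alerts become three incidents; ws-017 lands at the top.
    for inc in triage(ALERTS):
        print(f"{inc['risk']:3d} {inc['host']:10s} alerts={inc['alert_ids']}")
```

Running the block collapses the five alerts into three incidents. The three alerts on ws-017 (a known-bad destination, a suspicious DNS query and a new scheduled task within a few minutes) become one incident at the top of the queue, while the isolated logon-failure burst on ws-042 sinks to the bottom, which is exactly the reordering an analyst would otherwise have to do by hand.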
In this article, we’ll talk about the basics of security automation, discuss its value for organizations of all types and sizes and explore how you can get started using a security automation platform.
Benefits of Security Automation
According to the Splunk State of Security 2022 Report, it takes a median of 14 hours to recover business-critical apps from downtime tied to a cybersecurity incident. With the cost of downtime averaging $200,000 per hour, the average annual cost of downtime is $33.6 million per organization. Meanwhile, according to Accenture’s report "State of Cybersecurity Resilience 2021" data breach costs are expected to increase from $3 trillion per year to more than $5 trillion in 2024.
Clearly, the longer it takes to detect, investigate and respond to a cyberattack, the greater its potential impact, including its ability to cause downtime. So, in today’s threat landscape, rapid identification and remediation of cyber threats is critical to minimizing the impact of an attack.
Before automated security processes came to the security operations center, it was the responsibility of human analysts to address all threats manually. This required thorough investigation of a multitude of alerts, enriching them with threat intelligence, and then determining what if any action should be taken to contain and remediate the threat. With the high volume of alerts that modern organizations receive, this degree of manual intervention is no longer possible.
To compound the issue, many alerts turn out to be unrelated to a cyber threat or malicious activity, although they don’t necessarily appear that way upon initial examination. As a result, analysts spend precious time investigating false positives, increasing alert fatigue and keeping analysts from more important tasks.
Security automation performs these activities automatically and near-instantaneously, faster than even the most experienced human analyst could.
With more time available, security analysts are able to pursue more rewarding and valuable strategic activities, including planning for growth, proactive threat hunting, and conducting more security analysis in greater depth. This is one of the ultimate benefits of security automation, both to the organization and to the security team.
What are signs that an organization needs security automation?
Any number of circumstances can suggest that an organization needs to adopt, expand or improve its security automation.
- Unfortunately for many organizations, the key indicator that their security preparations aren’t up to the job comes in the form of a security breach. Research conducted by Splunk and the Enterprise Strategy Group found that 49% of survey respondents had experienced a data breach over the past two years, up from 39% in the previous year's survey. While some breaches are minor and easily fixed, some can be costly and even catastrophic. According to the IBM Cost of a Data Breach Report, the total cost of a data breach averaged $4.35 million in 2022. Depending on the size and financial health of an organization, one cyberattack could be enough to put it out of business entirely.
- Keeping track of incident response times is an effective way to understand if your cybersecurity is keeping up with the challenge. If mean time to detect (MTTD) and mean time to remediate (MTTR) are trending upward, your current security apparatus needs to be improved.
- If your security team is overwhelmed by false positives, that’s another clear indication that your organization can benefit from security automation. Alerts only reveal themselves to be false positives following investigation. If your security analysts are spending their time chasing down false positives, then they’re not making the most of their time and abilities.
- The most effective measure of whether or not you need security automation may well come from your security team itself. They will know if they’re experiencing alert fatigue, if they’re spending too much time chasing false positives and whether or not they feel they have the time and resources to get ahead of the challenges they’re facing.
Security Automation Solutions
A security automation solution is a unified software solution that can handle the security needs across your entire organization in a holistic manner. Some of the capabilities of a security automation platform include:
Standardized workflows: Based on a playbook, the security automation solution will know what actions to take in a particular scenario and will do so consistently every time, ensuring a repeatable and auditable process. Standardized actions might include:
- Deleting or quarantining suspected malware-infected files
- Performing a geolocation lookup on a given IP address
- Searching for files on a particular endpoint
- Blocking a URL on perimeter devices
- Quarantining a device from the network
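A minimal playbook executor for the standardized actions listed above, added here as an example; it is not code from the original article or from any SOAR product. The connector functions are stand-ins for real firewall, EDR and geo-IP integrations, and the incident context, playbook and confidence threshold are constructed. It also shows where automated response ends and a human decision begins: a disruptive step (quarantining a device) is gated on approval, and every decision, including skipped and pending steps, lands in an audit trail.

```python
"""Minimal playbook executor with an audit trail and an approval gate.

Added example, not code from the original article or any SOAR product.
Connector functions are stand-ins for real integrations; inputs are constructed.
"""
from datetime import datetime, timezone

# Constructed geo-IP table; 198.51.100.0/24 is a documentation range.
GEOIP_TABLE = {"198.51.100.7": "XX"}


def geolocate_ip(ctx):
    """Stand-in for a geo-IP lookup service."""
    return {"country": GEOIP_TABLE.get(ctx["src_ip"], "unknown")}


def block_url(ctx):
    """Stand-in for a perimeter/proxy block-list API."""
    return {"blocked": ctx["url"]}


def quarantine_device(ctx):
    """Stand-in for an EDR network-isolation call."""
    return {"quarantined": ctx["host"]}


# Registry of actions a playbook may reference. Anything not listed is
# refused, so a playbook cannot invoke arbitrary code paths.
ACTIONS = {
    "geolocate_ip": geolocate_ip,
    "block_url": block_url,
    "quarantine_device": quarantine_device,
}

# Declarative playbook: ordered steps, each with an optional condition
# evaluated against the incident context, and an approval flag for
# disruptive actions that must not run without a human decision.
PHISHING_URL_PLAYBOOK = [
    {"action": "geolocate_ip", "requires_approval": False},
    {"action": "block_url", "requires_approval": False},
    {"action": "quarantine_device", "requires_approval": True,
     "when": lambda ctx: ctx["ti_confidence"] >= 80},  # assumed threshold
]


def run_playbook(playbook, ctx, approver=None):
    """Execute steps in order; every decision is recorded in the audit log.

    approver: callable(step, ctx) -> bool, or None meaning no human is
    available, in which case gated steps are held rather than executed.
    """
    audit = []
    for step in playbook:
        name = step["action"]
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "action": name}
        cond = step.get("when")
        if cond is not None and not cond(ctx):
            entry["status"] = "skipped_condition"
        elif step["requires_approval"] and not (approver and approver(step, ctx)):
            entry["status"] = "pending_approval"
        elif name not in ACTIONS:
            entry["status"] = "rejected_unknown_action"
        else:
            entry["result"] = ACTIONS[name](ctx)
            entry["status"] = "executed"
            ctx.update(entry["result"])  # later steps can use earlier outputs
        audit.append(entry)
    return audit


# Constructed incident context, as an upstream triage stage might produce.
INCIDENT = {"host": "ws-017", "src_ip": "198.51.100.7",
            "url": "http://evil-updates.example/setup.exe", "ti_confidence": 95}

if __name__ == "__main__":
    # Unattended run: the URL is blocked, the quarantine waits for a human.
    for e in run_playbook(PHISHING_URL_PLAYBOOK, dict(INCIDENT)):
        print(e["action"], e["status"])
    # Same playbook once an analyst approves the gated step.
    for e in run_playbook(PHISHING_URL_PLAYBOOK, dict(INCIDENT),
                          approver=lambda step, ctx: True):
        print(e["action"], e["status"])
```

The same playbook produces the same sequence of decisions every time for the same input, and the audit list is what you would hand to a reviewer afterwards. Keeping the approval gate as data in the playbook rather than as logic in the connector makes it easy to see, and to change, which actions the organization has decided to run unattended.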
Seamless integration with other security systems: Security automation products integrate with your other security assets — including firewalls, endpoint products, reputation management services, sandboxes, directory services, ticketing systems and security information and event management (SIEM) — to orchestrate actions that span multiple attack vectors and require the involvement of numerous security tools.
Figure: Security automation integrates with firewalls, endpoint solutions and other IT products in your environment.
The Evolution of Security Automation
Security automation evolved as a hot topic for organizations and security teams thanks in large part to the exponential rise of cyberattacks. The overwhelming number of threats demanded automated incident response to more rapidly identify and respond to a cyberattack or security breach.
While automated incident response helped with security issues, a more proactive approach was ultimately needed. That in turn grew into security automation and orchestration, the latter enabling connectivity between security tools and workflows.
Today, providers offer security orchestration, automation and response (SOAR) systems, which automate both responses and their coordination across a complex infrastructure — reducing, or even in some cases eliminating, the potential for human error. (Note that vendors use varying and inconsistent terminology to describe their tools, so make sure you’re clear on what features you require from a security automation platform before you begin researching vendors.)
Figure: Security automation tools provide a dashboard view of incidents, response metrics and more.
Automation vs Orchestration
The primary purpose of security automation is to make security operations more efficient and effective. Security orchestration is designed to connect all of your security tools and make sure they work together, share information and respond to security alerts and incidents in concert, even if the data necessary to power that cooperation is spread across your environment in multiple systems and tools.
The terms security automation and security orchestration are often used interchangeably, and while they have much in common, they are significantly different. Security automation, as we have explored in this article, is designed to automate specific security tasks. Security orchestration is designed to unite the various automated processes and tools and make them work effectively together.
Best Practices for Security Automation
There are numerous ways to generate value from security automation, which include establishing priorities for its use, developing playbooks and training staff. Follow these best practices to gain the most value from your security automation investment:
- Don’t assume automation can replace people: The technology works well for executing actions, but for more complex issues that require decision making and complex problem solving, you will still need experienced security analysts. Automation will free those analysts to concentrate on the problems that matter.
- Establish priorities: To get the most out of security automation, it’s essential that you take a high-level look at your overall cybersecurity posture and determine the issues you most need to address. When you have clear priorities, you can define your use cases and identify opportunities for security-workflow automation, accordingly. Make sure to include everyone in your organization who has a stake in your organization’s security. While it may seem that creating a larger working group will slow down your efforts, it will help ensure buy-in that will save time later. Plus, the work you do now in establishing priorities will be extremely useful later when you are building playbooks.
- Ease into automation: Most organizations can’t automate everything at once, nor should they. As with any pilot project, it behooves you to start automating where it will bring the most value the fastest and help you prove corresponding use cases internally. Adopting automation in a measured way also helps you to evaluate its impact and monitor its effectiveness, allowing for necessary adjustments along the way.
- Build your playbooks: Document the steps you currently take to address issues and make sure your workflows are as solid as possible before you begin the process of automating them. It’s vitally important that you transfer the entirety of your organizational knowledge to the practice of automating your security response.
- Train your team: The transition from manual to automated response will require a great deal of training, coaching and familiarization for your security team, from junior analysts all the way to leadership. It will also be necessary to establish a clear understanding of what the security automation solution can and cannot do, so that everyone knows where automated response capabilities end and human responsibilities begin.
- Make use of newly available time: Automation makes security teams more productive and creates opportunities for them to do more for the organization. Plan how your analysts will focus on value-added tasks that benefit the organization — for example, conducting a deep investigation as to why you are constantly fighting off phishing attacks. Your team can also use the newly available time to develop a continuous improvement model to design, implement and enhance automation logic.
- Bring your security tools and workflows together: Adopting security orchestration in addition to security automation offers you the ability to orchestrate complex security workflows across multicloud environments, improves communication and collaboration, boosts efficiency, reduces errors and shortens response times.
Getting Started with Security Automation
Getting started with security automation requires you to establish your requirements, define use cases and thoroughly research providers. If you’re ready, here are a few ways to move forward with the big decision about which security automation solution to adopt.
Establish your needs first. How security automation can help you, which tools you adopt and which processes you establish depend on the cyber risk profile of not only your organization but also the industry it operates in, whether that is retail, healthcare, manufacturing, financial services, the public sector or another industry.
For example, retailers are dealing with ransomware and phishing attacks at unprecedented levels. Automation can help clear the deck of repetitive attacks and false positives, so security analysts can investigate those cases more deeply and establish long-term safeguards.
Before you consider vendors, work with your IT team and other leaders in the organization to pinpoint the problems you need to solve. Here are a few questions that can drive the conversation:
- Is the security team dealing with alert fatigue? How many alerts do they receive per day, and how many are they able to respond to? How many are repetitive or false positives?
- What are your dwell times (the length of time that an active threat goes undetected) and response rates?
- Which tasks are repeatable and well-defined? How could automation speed up the completion of those tasks?
- What are the top three goals of the organization (e.g., growth, operating leanly, reducing inefficiencies)? What security priorities must you establish to help the organization meet those goals?
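The questions above, and the MTTD/MTTR indicator discussed earlier, only help if you can answer them with numbers. The following is an added example, not code from the original article or from Splunk, that computes those baseline figures from a constructed alert log. The record format, the disposition labels and the rule of thumb for "automation candidates" (rules that fire repeatedly and have never been a true positive) are assumptions made for the example; dwell time is taken as the gap between when the activity actually began and when the alert fired.

```python
"""Baseline SOC metrics from an alert log: volume, false-positive and
repetition rates, dwell time, MTTD and MTTR, plus repetitive rules that
never turn out to be real and are therefore candidates for automation.

Added example, not the article's or Splunk's code; records are constructed.
"""
from collections import Counter
from datetime import datetime
from statistics import mean, median

# Constructed alert records (ISO-8601 timestamps).
#  first_seen  : when the activity actually began (established by the investigation)
#  alerted_at  : when the SIEM raised the alert
#  closed_at   : when the analyst closed it
#  disposition : "true_positive" | "false_positive" | "benign_duplicate"
RECORDS = [
    {"rule": "failed_logon_burst", "first_seen": "2024-03-01T08:40:00",
     "alerted_at": "2024-03-01T09:00:00", "closed_at": "2024-03-01T09:20:00",
     "disposition": "false_positive"},
    {"rule": "outbound_to_known_bad_ip", "first_seen": "2024-02-29T22:00:00",
     "alerted_at": "2024-03-01T09:30:00", "closed_at": "2024-03-01T13:30:00",
     "disposition": "true_positive"},
    {"rule": "failed_logon_burst", "first_seen": "2024-03-01T09:50:00",
     "alerted_at": "2024-03-01T10:00:00", "closed_at": "2024-03-01T10:05:00",
     "disposition": "false_positive"},
    {"rule": "new_scheduled_task", "first_seen": "2024-03-01T10:00:00",
     "alerted_at": "2024-03-01T11:00:00", "closed_at": "2024-03-01T12:00:00",
     "disposition": "true_positive"},
    {"rule": "failed_logon_burst", "first_seen": "2024-03-02T08:59:00",
     "alerted_at": "2024-03-02T09:00:00", "closed_at": "2024-03-02T09:01:00",
     "disposition": "benign_duplicate"},
    {"rule": "dns_query_suspicious_domain", "first_seen": "2024-03-02T06:00:00",
     "alerted_at": "2024-03-02T08:00:00", "closed_at": "2024-03-02T10:00:00",
     "disposition": "true_positive"},
    {"rule": "failed_logon_burst", "first_seen": "2024-03-02T13:50:00",
     "alerted_at": "2024-03-02T14:00:00", "closed_at": "2024-03-02T14:30:00",
     "disposition": "false_positive"},
]


def hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def soc_metrics(records):
    """Return the baseline numbers behind the questions a SOC should ask first."""
    days = {r["alerted_at"][:10] for r in records}
    false_pos = [r for r in records if r["disposition"] == "false_positive"]
    true_pos = [r for r in records if r["disposition"] == "true_positive"]
    rule_counts = Counter(r["rule"] for r in records)
    repetitive = [r for r in records if rule_counts[r["rule"]] > 1]

    # Detection and response latency are only meaningful for real incidents.
    dwell = [hours_between(r["first_seen"], r["alerted_at"]) for r in true_pos]
    respond = [hours_between(r["alerted_at"], r["closed_at"]) for r in true_pos]

    # Rules that fire repeatedly and were never a true positive: the first
    # place to put an automated enrichment-and-close playbook.
    never_real = {rule for rule, n in rule_counts.items() if n > 1 and not any(
        r["rule"] == rule and r["disposition"] == "true_positive" for r in records)}

    return {
        "alerts_per_day": len(records) / len(days),
        "false_positive_rate": len(false_pos) / len(records),
        "repetitive_rate": len(repetitive) / len(records),
        "mttd_hours": mean(dwell),
        "median_dwell_hours": median(dwell),
        "mttr_hours": mean(respond),
        "median_ttr_hours": median(respond),
        "automation_candidates": sorted(never_real),
    }


if __name__ == "__main__":
    for key, value in soc_metrics(RECORDS).items():
        print(f"{key:22s} {value}")
```

On the constructed log this reports 3.5 alerts a day, a false-positive rate of about 43%, and that four of seven alerts come from one rule that has never been a real incident; that rule, not the rare true positives, is where automation pays off first. Reporting both the mean and the median matters because a single long-dwell incident, like the 11.5-hour one here, pulls MTTD up to about 4.8 hours while the median stays at 2.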
Define use cases. Based on your industry and organizational goals, establish a list of ways you will use security automation. Spend some time on this step, because it will be critical for researching vendors that can meet your business needs and eventually for creating playbooks.
Research providers. Armed with your goals, priorities, and use cases, you can begin looking for a vendor. Some things to keep in mind to help you whittle down your options:
- Low-code playbook building: Writing custom code for every new tool or workflow takes a lot of time. Ideally, you want a solution that lets you build your playbooks with little to no coding required, while still allowing code where a workflow needs it.
- Third-party integrations and plugin support: Evaluate all your apps and tools to ensure that any vendor you choose has you covered when it comes to supporting your existing tool stack.
- Ease of use and flexibility: A cloud-hosted solution reduces the burden of maintaining the platform yourself. Find out how much customization you can do to meet your immediate and long-term needs.
- Length of deployment: If you want to start seeing immediate value, speak to vendors frankly about how long it will take to get you up and running, from configuration to integration to staff training.
- Technical support: Find out what kind of support you can expect starting from day one (e.g., 24/7 support; phone, email, or web chat).
The Bottom Line: Security automation is essential to keep up with rapidly growing cyber threats
Security automation is no longer a “nice to have.” It’s a must in today’s complex environments. Amid the rising number and severity of potential threats and cyber attacks, there’s a shortage of top-flight security talent. Automation maximizes the job satisfaction and engagement of your best security analysts by automating mundane, repetitive tasks.
Security automation allows you to drastically reduce your incident investigation and response times and stay ahead of threats. Tasks that could take hours, or even days, can be reduced to mere seconds. That means you’ll be able to address threats faster and better protect your customers, while safeguarding your business’s reputation and bottom line.
This posting does not necessarily represent Splunk's position, strategies or opinion.