What Are You Willing to Automate?

While the possibilities for automation are nearly endless, many start the journey with simple enrichment use cases (e.g. pre-processing an alert before someone in security operations begins to work it).

As users become more confident in automation, the use cases become more sophisticated.  Soon automation is addressing areas like threat hunting, and ultimately even response or remediation.

SANS recently published a study shedding light on what remediation activities people are willing to automate.  The table below shares the practices that respondents have in place to remediate incidents manually, with automation, or a mix of both. The top three practices in each category are highlighted and indicate that organizations use a myriad of remediation techniques in their environments.

[SANS Table 4: remediation practices respondents perform manually, with automation, or with a mix of both]

Though the data is presented in three distinct columns, I think reality is more of a spectrum with ‘manual’ on one side, ‘automated’ on the other, and ‘both’ filling the space between.  Factors like whether an action is routine or non-routine determine position on the spectrum (e.g. non-routine tasks are ill suited for automation).

When thinking about the spectrum, Phantom's "human prompts" come to mind.  It's a useful capability that lets the SOC team move across the spectrum, keeping analysts in, on or out of the loop.  When functioning as an "in the loop" platform, certain actions must be approved by an analyst before the platform completes its automation.  For example, a playbook might ingest and enrich threat intelligence before presenting it to an analyst for review.  With the analyst's approval the playbook continues to execute, perhaps blocking an IP address at the firewall based on the intelligence; without it, the block never happens.  In an "on the loop" scenario, the playbook executes fully automatically, but the analyst has oversight and the ability to stop or even reverse a specific action.  An "out of the loop" deployment is where the platform executes actions independent of human interaction, with details tracked for post-automation reporting as needed.
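To make the three modes concrete, here is a small approval-gated playbook written for this post in plain Python.  It is an added example, not Phantom's own SDK or playbook code: the `Firewall` connector, the `THREAT_INTEL` lookup table (using RFC 5737 documentation addresses), the `BLOCK_THRESHOLD` policy and the analyst `prompt` callback are all constructed stand-ins.  The point it adds to the prose is the fail-closed behaviour of the "in the loop" gate (no prompt, a denied prompt, or a prompt that errors out all mean no block) and the audit trail that makes an "on the loop" reversal possible.

```python
# Added example: approval-gated playbook in plain Python (not Phantom's SDK).
# Firewall, THREAT_INTEL, BLOCK_THRESHOLD and the prompt callback are
# constructed stand-ins for a real connector, enrichment source and human prompt.
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    IN_THE_LOOP = "in"       # analyst must approve before the action runs
    ON_THE_LOOP = "on"       # action runs; analyst can stop or reverse it
    OUT_OF_THE_LOOP = "out"  # action runs; details kept only for reporting


# Constructed threat-intel table keyed by IP (RFC 5737 documentation ranges).
THREAT_INTEL = {
    "203.0.113.7": {"verdict": "malicious", "confidence": 95},
    "198.51.100.4": {"verdict": "suspicious", "confidence": 40},
}
BLOCK_THRESHOLD = 80  # assumed policy: act only on high-confidence verdicts


class Firewall:
    """Stand-in for a firewall connector whose block action is reversible."""

    def __init__(self):
        self.blocked = set()

    def block(self, ip):
        self.blocked.add(ip)

    def unblock(self, ip):
        self.blocked.discard(ip)


@dataclass
class Run:
    """One playbook execution with its audit trail."""
    ip: str
    mode: Mode
    intel: dict
    blocked: bool = False
    audit: list = field(default_factory=list)


def enrich(ip: str) -> dict:
    """Enrichment step: unknown IPs get an explicit zero-confidence verdict."""
    return dict(THREAT_INTEL.get(ip, {"verdict": "unknown", "confidence": 0}))


def run_playbook(ip: str, mode: Mode, fw: Firewall, prompt=None) -> Run:
    """Enrich, then block at the firewall according to the chosen mode.

    prompt(run) -> bool is the human prompt used in IN_THE_LOOP mode.
    """
    run = Run(ip, mode, enrich(ip))
    run.audit.append(f"enriched {ip}: {run.intel}")

    if run.intel["confidence"] < BLOCK_THRESHOLD:
        run.audit.append("below block threshold; no action")
        return run

    if mode is Mode.IN_THE_LOOP:
        # Fail closed: missing, denied or failing prompt all mean no block.
        approved = False
        if prompt is not None:
            try:
                approved = bool(prompt(run))
            except Exception as exc:  # noqa: BLE001 - any prompt failure is a denial
                run.audit.append(f"prompt failed ({exc}); treating as denied")
        run.audit.append("analyst approved" if approved else "analyst denied")
        if not approved:
            return run

    fw.block(ip)
    run.blocked = True
    run.audit.append(f"blocked {ip} at firewall (mode={mode.value})")
    return run


def revert(run: Run, fw: Firewall) -> bool:
    """Analyst oversight for ON_THE_LOOP: reverse a completed block.

    Returns False when there is nothing to reverse, so a double revert is safe.
    """
    if not run.blocked:
        return False
    fw.unblock(run.ip)
    run.blocked = False
    run.audit.append(f"reverted block of {run.ip}")
    return True


if __name__ == "__main__":
    fw = Firewall()
    r = run_playbook("203.0.113.7", Mode.IN_THE_LOOP, fw, prompt=lambda run: True)
    print(r.blocked, r.audit)
```

Note that `OUT_OF_THE_LOOP` still writes every step to `run.audit`; "out of the loop" means no human gate, not no record.  The `BLOCK_THRESHOLD` check runs before the mode logic so that an enrichment with a weak or unknown verdict never reaches the firewall in any mode.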

Interested in seeing how Phantom can help your organization navigate the automation spectrum?  Get the free Phantom Community Edition.

Posted by CP Morey

CP Morey has a track record for building teams and launching new products in fast growth markets. In his last role, Mr. Morey was VP of Products & Marketing at Phantom. Previously, he was Senior Director of Product Marketing for Cisco’s industry leading security portfolio - a role he assumed after the $2.7 billion acquisition of Sourcefire.  While at Cisco, he successfully restructured the team and doubled its size to support revenue growth of more than 20% per year. Before joining Cisco, Mr. Morey was Vice President of Product Marketing at Sourcefire where he helped with its transformation into a multiproduct company with the launch of FireAMP, a product with exponential revenue growth since its release in 2012, that now thrives as Cisco's Advanced Malware Protection (AMP) business. A veteran of the security industry since 2001, Mr. Morey has also held leadership positions in product marketing and product management at ISS and PentaSafe while helping to scale the companies for successful acquisitions by IBM and NetIQ, respectively. Mr. Morey is a CPA and earned his MBA from Thunderbird, the #1 ranked school for International Business. 
