

What Is Security Automation?

Security automation is the machine-based execution of security actions: software that programmatically detects, investigates and remediates cyberthreats, with or without human intervention, by identifying incoming threats, triaging and prioritizing alerts as they emerge, and responding to them in a timely fashion.

Security automation does most of the work for your security team, so they no longer have to weed through and manually address every alert as it comes in. Among other things, security automation can:

  • Detect threats in your environment.
  • Triage potential threats by following the steps, instructions and decision-making workflow taken by security analysts to investigate the event and determine whether it’s a legitimate issue.
  • Determine whether to take action in response.
  • Contain and resolve the issue.

All of this can happen in seconds, without requiring any action from staff. With security automation, repetitive, time-consuming actions are taken out of the hands of security analysts so they can focus on more important, value-adding work. Security automation also provides rapid threat detection. According to research by Enterprise Strategy Group (ESG), IT teams ignore 74 percent of security events/alerts, even when they have security solutions in place, because of sheer volume. Not only can security automation detect and resolve these common issues, it also reduces the human error that comes with inexperience, work overload and negligence.

This article will cover the basics of security automation, including why it’s important for businesses, how security automation platforms and tools can create value and how to get started on implementation.

[Pie chart] 74 percent of security events/alerts are ignored by trained staff.


Security Automation Overview

Why is security automation important?

Cyberattacks now happen every 39 seconds, according to a University of Maryland study, and organizations often receive thousands or even millions of alerts each month. Security staff today must monitor a much larger attack surface than in prior years, including mobile devices, cloud infrastructure and IoT devices. In short, alerts come at them from everywhere.

[Graphic] Cyberattacks happen every 39 seconds.

Without security automation, analysts must resolve threats manually. This often entails investigating the issue and comparing it against the organization’s threat intelligence to determine its legitimacy, deciding on a course of action, then manually resolving the issue — all on potentially millions of alerts and often with incomplete data.

What’s more, many of these alerts are redundant, so analysts spend valuable time on repetitive tasks that keep them from more critical issues. Security automation, on the other hand, does much of this work for your security team. When an alert comes in, it immediately determines whether an action is required, based on the decision logic encoded in its playbooks, and if so, can automatically remediate the issue.

Meanwhile, security analysts have more time to focus on strategic planning, threat hunting and conducting deeper investigations — bringing more value to the business.

What are signs that an organization needs security automation?

There are several signs indicating that your organization needs security automation, including a breach, lagging response times, overwhelming false positives and a need for more efficient and cost-effective operations.

While it’s safe to say that most organizations could benefit from security automation, they’re more likely to require or adopt it if:

  • A breach has occurred. Billions of people and countless businesses have been affected by data breaches. In 2018, the average breach cost roughly $148 per lost or stolen record, or nearly $4 million per incident. Organizations can’t afford to be lax when it comes to security measures.
  • Incident response times are lagging. Security analysts can only investigate a fraction of the alerts that come in, so responding in real time is rarely possible. Organizations need solutions and practices that allow them to resolve incidents faster, reducing overall time spent per incident.
  • False positives are overwhelming the security team. False positives are only revealed as false after each is investigated as a real threat. These incidents steal security analysts’ focus and prevent them from addressing genuine threats.
  • Security teams want to operate more effectively, efficiently and cheaply. If security analysts are wasting time on repetitive tasks and false positives, they aren’t maximizing their value to the organization.


What is a security automation platform?

A security automation platform is software that will execute a series of security actions across your entire infrastructure in a matter of seconds. The security automation platform is engaged when an incident is detected (via the network, a file scan, an email scan, and so on), and then responds accordingly. Security automation platforms offer:

  1. Playbook creation and customization: Security automation platforms allow you to construct and customize playbooks, or choose from prebuilt ones, enabling you to filter data, make a decision using encoded logic, prompt a user for input or confirmation, or call another playbook.
  2. Standardized incident response processes: The playbooks tell the security automation tool how to respond to incidents based on internal rules, ensuring a repeatable, streamlined and auditable security operations process aimed at helping security teams speed incident response and mitigate risk. For example, actions could include:
    • Deleting or quarantining suspected malware-infected files
    • Performing a geolocation lookup on a given IP address
    • Searching for files on a particular endpoint
    • Blocking a URL on perimeter devices
    • Quarantining a device from the network
  3. Integration with other security systems: Security automation products integrate with your security assets, including firewalls, endpoint products, reputation management services, sandboxes, directory services and SIEMs, and offer a way to monitor your entire infrastructure from one interface. Each integration runs under its own service account or API key, so scope those credentials to the actions the playbooks actually need: a platform that can quarantine any host or delete any file is itself a high-value target.
[Graphic] Security automation integrates with firewalls, endpoint solutions and other IT products in your environment.
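As an added illustration (not code from this page, and not the API of Splunk Phantom or any other vendor), here is a toy playbook engine in Python that encodes the pattern described above: enrichment steps, a verdict reached by encoded decision logic, an approval prompt before a disruptive action, and a call into a second playbook, with every step appended to an audit trail. The alert, the reputation feed and the GeoIP table are constructed stand-ins so the script runs offline; the point to take from it is the split between actions that run unattended and actions that wait for a human.

```python
"""Toy playbook engine: one alert in, an auditable sequence of actions out.
Added illustration only; integrations are constructed stand-ins."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample alert, shaped like what a SIEM might forward.
# Hostnames, URL and IP are placeholder values (203.0.113.0/24 is RFC 5737).
SAMPLE_ALERT = {
    "id": "alert-1001",
    "type": "phishing_email",
    "url": "http://phish.example/login",
    "sender_ip": "203.0.113.45",
    "recipient_host": "wks-042",
}

# Constructed stand-ins for a reputation service and a GeoIP lookup.
FAKE_REPUTATION = {"http://phish.example/login": "malicious", "203.0.113.45": "suspicious"}
FAKE_GEOIP = {"203.0.113.45": "ZZ"}  # ZZ = user-assigned ISO code, i.e. unknown


@dataclass
class Context:
    """State a playbook run accumulates: enrichment facts, the verdict,
    and an append-only audit trail of what was done (or skipped)."""
    alert: Dict[str, str]
    facts: Dict[str, str] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)
    # Hook for "prompt a user for confirmation"; the default answers no,
    # so an unattended run never takes the disruptive branch by accident.
    approve: Callable[[str], bool] = lambda question: False


Step = Callable[[Context], None]


def lookup_reputation(ctx: Context) -> None:
    ctx.facts["url_rep"] = FAKE_REPUTATION.get(ctx.alert["url"], "unknown")
    ctx.facts["ip_rep"] = FAKE_REPUTATION.get(ctx.alert["sender_ip"], "unknown")
    ctx.audit.append(f"enrich: url={ctx.facts['url_rep']} ip={ctx.facts['ip_rep']}")


def geolocate_sender(ctx: Context) -> None:
    ctx.facts["country"] = FAKE_GEOIP.get(ctx.alert["sender_ip"], "unknown")
    ctx.audit.append(f"geoip: {ctx.alert['sender_ip']} -> {ctx.facts['country']}")


def decide(ctx: Context) -> None:
    # Encoded decision logic: auto-confirm only on a known-malicious URL.
    # Weaker signals are handed to a human rather than acted on blindly.
    if ctx.facts["url_rep"] == "malicious":
        ctx.facts["verdict"] = "true_positive"
    elif ctx.facts["url_rep"] == "unknown" and ctx.facts["ip_rep"] == "unknown":
        ctx.facts["verdict"] = "likely_benign"
    else:
        ctx.facts["verdict"] = "needs_analyst"
    ctx.audit.append(f"verdict: {ctx.facts['verdict']}")


def block_url(ctx: Context) -> None:
    # Reversible, low-blast-radius action: safe to run without a human.
    if ctx.facts["verdict"] == "true_positive":
        ctx.audit.append(f"action: block {ctx.alert['url']} on perimeter")


def quarantine_host(ctx: Context) -> None:
    # Disruptive action: isolating a workstation needs explicit approval.
    if ctx.facts["verdict"] != "true_positive":
        return
    host = ctx.alert["recipient_host"]
    if ctx.approve(f"Quarantine {host} from the network?"):
        ctx.audit.append(f"action: quarantine {host}")
    else:
        ctx.audit.append(f"skipped: quarantine {host} (not approved)")


def escalate(ctx: Context) -> None:
    if ctx.facts["verdict"] == "needs_analyst":
        ctx.audit.append("action: open ticket for analyst review")


def call(sub_playbook: List[Step]) -> Step:
    """Wrap another playbook as a single step ('call another playbook')."""
    def step(ctx: Context) -> None:
        ctx.audit.append(f"call: sub-playbook with {len(sub_playbook)} steps")
        for s in sub_playbook:
            s(ctx)
    return step


CONTAINMENT = [block_url, quarantine_host]
PHISHING_PLAYBOOK = [lookup_reputation, geolocate_sender, decide, call(CONTAINMENT), escalate]


def run_playbook(playbook: List[Step], alert: Dict[str, str],
                 approve: Callable[[str], bool] = lambda q: False) -> Context:
    """Run each step in order; return the context with facts and audit trail."""
    ctx = Context(alert=alert, approve=approve)
    for step in playbook:
        step(ctx)
    return ctx


if __name__ == "__main__":
    result = run_playbook(PHISHING_PLAYBOOK, SAMPLE_ALERT, approve=lambda q: True)
    print("\n".join(result.audit))
```

The audit list is the auditable record the text mentions: it records not just what ran but what was skipped and why, which is what you will want when reviewing why a host was (or was not) isolated.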

How did security automation evolve?

Security automation evolved as a hot topic for organizations and security teams thanks in large part to the exponential rise of cyberattacks. Prior to automation, security analysts were required to comb through, analyze and act on every alert — a feat that ultimately proved impossible to accomplish. The overwhelming number of threats demanded automated incident response to more rapidly identify and respond to a cyberattack or security breach.

While automated incident response helped with security issues, a more proactive approach was ultimately needed. From there came security automation, which offered a systematic, machine-based approach. That in turn grew into security automation and orchestration, the latter enabling connectivity between security tools and workflows.

Today, providers offer security orchestration, automation and response (SOAR) systems, which automate both responses and corrections. (Note that vendors use varying and inconsistent terminology to describe their tools, so make sure you’re clear on what features you require from a security automation platform before you begin researching vendors.)

[Dashboard screenshot] Security automation tools provide a dashboard view of incidents, response metrics and more.

What is the difference between automation and orchestration?

Security automation is all about simplifying and making your security operations run more efficiently. By contrast, security orchestration connects all of your different security tools, so that they feed into one another, share information, and respond to incidents, even when the data is spread across a large network and multiple systems or devices.

Security automation and security orchestration are terms that are often used interchangeably, but the two capabilities serve different functions. Specifically, security automation reduces the time it takes to detect and respond to repetitive incidents and false positives, so alerts don’t linger unaddressed. It also frees security analysts’ time to focus on strategic tasks, like investigative research. However, security automation is limited in that each playbook addresses a known scenario with a prescribed course of action.

The two work in concert: Security automation deals with an array of single tasks, while security orchestration connects and speeds up the process from beginning to end — and security groups can maximize their efficiency and productivity when they adopt both.

How do you get the most value out of security automation?

There are numerous ways to generate value from security automation, which include establishing priorities for its use, developing playbooks and training staff. Follow these best practices to gain the most value from your security automation platform investment:

  1. Don’t assume it can replace people. The technology works well for executing simple actions, but for more complex issues that require decision making, brainstorming and complex problem solving, you will still need experienced IT staff, especially security analysts. Automation will free those analysts to concentrate on the problems that matter.
  2. Establish priorities. To determine the top priorities for automation, you will need to take a look at the big picture and figure out which incidents occur most often, and which take the most time to investigate and resolve. Then define your use cases based on your industry and organizational goals, and create a list of how you will use security automation. Involve stakeholders across your security operations team as you identify use cases, even if you don’t think you will implement them right away. Having these priorities in mind as you research vendors will help to ensure the platform can serve you well in the long term.
  3. Ease into automation. Most organizations can’t automate everything at once, nor should they. Start where security automation makes the most sense or can bring immediate value. Adopting automation bit by bit allows you to monitor your progress, consider the results, adjust as needed, and use that knowledge as you roll out automation in other areas.
  4. Develop your playbooks. It’s important to document the steps, instructions and best practices for resolving incidents effectively, ensuring that your security team follows a consistent and repeatable process every time an incident arises. As you establish a priority list for developing playbooks, start with those that will eliminate the repetitive tasks upon which the team wastes the most time.
  5. Train staff. Not only do you need to train staff to effectively use your security automation software, you need to train them to address complex incidents the software can’t resolve. When alerts are flagged as needing human intervention, your staff must have the expertise and confidence to tackle those issues.
  6. Make use of newly available time. Automation makes security teams more productive and creates opportunities for them to do more for the organization. Plan how your analysts will focus on value-added tasks that benefit the organization — for example, conducting a deep investigation as to why you are constantly fighting off phishing attacks. What’s more, automation will also create new roles within the organization — so use the newly available time to develop a continuous improvement model and train staff to design, implement and improve upon automation logic.
  7. Bring your security tools and workflows together. Adopting security orchestration in addition to security automation offers you greater visibility across your entire organization, improves communication and collaboration, boosts efficiency, eliminates confusion and errors and reduces response times.

Getting Started

How do you get started with security automation?

Getting started with security automation requires you to establish your needs, define use cases and research providers thoroughly against a range of criteria. If you’re ready, here are a few ways to move forward with the decision about which security automation platform to adopt.

  1. Establish your needs first. How security automation can help you is highly dependent on your industry and business. The tools you adopt and the processes you establish will rely heavily on whether your organization is in retail, healthcare, manufacturing, financial services, the public sector or another industry.

    For example, retailers are dealing with ransomware and phishing attacks at unprecedented levels. Automation can help to clear the deck of repetitive attacks and false positives so security analysts can investigate those cases more deeply and establish a long-term fix.

    Before you consider vendors, work with your IT team and other leaders in the organization to pinpoint the problems you need to solve. Here are a few questions that can drive the conversation:

    • Is the security team dealing with alert fatigue? How many alerts do they receive per day, and how many are they able to respond to? How many are repetitive or false positives?
    • What are your dwell times (the length of time that an active threat goes undetected) and response rates?
    • Which tasks are repeatable and well-defined? How could automation speed up the completion of those tasks?
    • What are the top three goals of the organization (e.g., growth, operating leanly, reducing inefficiencies)? What security priorities must you establish to help the organization meet those goals?
  2. Define use cases. Based on your industry and organizational goals, establish a list of ways you will use security automation. For example, if you are in manufacturing, the second-most-attacked industry behind healthcare, security automation and orchestration could offer visibility into what’s happening within the network, while also targeting — and blocking — many of the attacks. Spend some time on this step, because it will be critical for researching vendors that can meet your business needs and eventually for creating playbooks.
  3. Research providers
    Armed with your goals, priorities, and use cases, you can begin looking for a vendor. Some things to keep in mind to help you whittle down your options:
    • Low-code playbook building. Writing code to integrate each new tool takes a lot of time, so look for a platform that lets you build playbooks with little or no manual coding. Whatever the authoring model, keep playbooks under version control and test them against a staging environment before they are allowed to take disruptive actions such as quarantining hosts.
    • Third-party integration and plugin support. Evaluate all your apps and tools to ensure that any vendor you choose has you covered when it comes to third-party integrations and plugins.
    • Ease of use and flexibility. Choose a platform that requires little to no maintenance. Find out how much customization you can do to meet your immediate and long-term needs.
    • Length and type of deployment. If you want to start seeing immediate value, speak to vendors frankly about how long it will take to get you up and running, from infrastructure updates to installation to staff training.
    • Technical support. Find out what kind of support you can expect starting from day one (e.g., 24/7 support; phone, email, or web chat).
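The questions under step 1 only help if you can answer them with numbers, and the "Establish priorities" practice earlier on the page asks which incidents occur most often and eat the most analyst time. The following added Python example (not from the page; the record layout, field names and alert records are constructed assumptions) computes that baseline over a small constructed alert export: alerts per day, the share actually responded to, the share that merely repeat an earlier alert, the false-positive rate, median dwell and response times, and a ranking of detection rules by analyst hours lost to false positives.

```python
"""Baseline metrics for a security automation business case.
Added illustration; the alert records below are constructed, and the
time-to-close of a false positive is used as a rough proxy for analyst effort."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Tuple


def _rec(i: int, rule: str, host: str, ts: str, first_seen: Optional[str],
         closed: Optional[str], disposition: Optional[str]) -> Dict:
    # ts: when the alert fired; first_seen: when the activity began, if the
    # detection knows; closed: when an analyst actioned it (None = ignored).
    return {"id": i, "rule": rule, "host": host, "ts": ts,
            "first_seen": first_seen, "closed": closed, "disposition": disposition}


# Constructed sample export: eight alerts over three days.
ALERTS: List[Dict] = [
    _rec(1, "brute_force", "srv-1", "2024-05-01T08:00:00", "2024-05-01T07:20:00", "2024-05-01T09:10:00", "false_positive"),
    _rec(2, "brute_force", "srv-1", "2024-05-01T08:05:00", None, None, None),
    _rec(3, "phishing", "wks-7", "2024-05-01T11:00:00", "2024-05-01T10:45:00", "2024-05-01T13:00:00", "true_positive"),
    _rec(4, "brute_force", "srv-2", "2024-05-02T09:00:00", None, "2024-05-02T09:20:00", "false_positive"),
    _rec(5, "malware", "wks-3", "2024-05-02T10:00:00", "2024-04-30T10:00:00", "2024-05-02T16:00:00", "true_positive"),
    _rec(6, "brute_force", "srv-1", "2024-05-02T10:30:00", None, None, None),
    _rec(7, "phishing", "wks-9", "2024-05-03T09:00:00", None, "2024-05-03T09:30:00", "false_positive"),
    _rec(8, "malware", "wks-3", "2024-05-03T09:15:00", None, None, None),
]


def _hours(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def alerts_per_day(alerts: List[Dict]) -> Dict[str, int]:
    return dict(Counter(a["ts"][:10] for a in alerts))


def response_rate(alerts: List[Dict]) -> float:
    """Share of alerts an analyst actually closed; the rest were ignored."""
    return sum(1 for a in alerts if a["closed"]) / len(alerts)


def duplicate_ratio(alerts: List[Dict]) -> float:
    """Share of alerts repeating an earlier (rule, host) pair: the redundant
    alerts that are the first candidates for automated handling."""
    seen, dups = set(), 0
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["rule"], a["host"])
        if key in seen:
            dups += 1
        seen.add(key)
    return dups / len(alerts)


def false_positive_rate(alerts: List[Dict]) -> float:
    """Among alerts that were investigated, how many turned out to be noise."""
    closed = [a for a in alerts if a["closed"]]
    return sum(1 for a in closed if a["disposition"] == "false_positive") / len(closed)


def median_dwell_hours(alerts: List[Dict]) -> float:
    """Median time a confirmed threat was active before the alert fired."""
    dwell = [_hours(a["first_seen"], a["ts"]) for a in alerts
             if a["disposition"] == "true_positive" and a["first_seen"]]
    return median(dwell)


def median_response_hours(alerts: List[Dict]) -> float:
    """Median time from alert to analyst action, over closed alerts."""
    return median(_hours(a["ts"], a["closed"]) for a in alerts if a["closed"])


def automation_candidates(alerts: List[Dict]) -> List[Tuple[str, int, float]]:
    """Rules ranked by analyst hours sunk into false positives, then by volume:
    the top of this list is where a playbook pays back fastest."""
    count = Counter(a["rule"] for a in alerts)
    fp_hours: Dict[str, float] = defaultdict(float)
    for a in alerts:
        if a["closed"] and a["disposition"] == "false_positive":
            fp_hours[a["rule"]] += _hours(a["ts"], a["closed"])
    ranked = [(rule, count[rule], round(fp_hours[rule], 2)) for rule in count]
    return sorted(ranked, key=lambda t: (-t[2], -t[1]))


if __name__ == "__main__":
    print("alerts/day:", alerts_per_day(ALERTS))
    print("response rate:", response_rate(ALERTS))
    print("duplicate ratio:", duplicate_ratio(ALERTS))
    print("false-positive rate:", false_positive_rate(ALERTS))
    print("median dwell (h):", median_dwell_hours(ALERTS))
    print("median response (h):", round(median_response_hours(ALERTS), 2))
    print("automate first:", automation_candidates(ALERTS))
```

Run it against your own export (the record shape is the only thing to adapt) before talking to vendors: a high duplicate ratio and a false-positive-heavy top rule make the case for automation concrete, and the same numbers re-measured after rollout are the evidence that it worked.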



The Bottom Line

Adopt security automation now

Security automation is no longer a “nice to have.” It’s a must in today’s complex IT environment. Amid a rising number and severity of cyberattacks, there’s a shortage of top-flight security talent. Automation maximizes the value (and engagement) of your best security analysts by taking over mundane, tedious tasks.

Security automation allows you to drastically reduce your incident response and dwell times and stay ahead of threats. Incident response that could take hours — or even days — can be reduced to mere seconds. That means you’ll expose your business to fewer threats and better protect your customers, while protecting your business’s reputation and bottom line.