What Is Security Automation?

Why is security automation important?

Cyberattacks are now happening every 39 seconds, according to a University of Maryland study, and organizations often receive thousands or even millions of alerts each month. Security staff today are tasked with monitoring a much larger attack surface than in prior years, including mobile devices, cloud infrastructure and IoT devices. In short, alerts are literally coming at them from everywhere.

^{Cyberattacks happen every 39 seconds.}

Without security automation, analysts must resolve threats manually. This often entails investigating the issue and comparing it against the organization’s threat intelligence to determine its legitimacy, deciding on a course of action, then manually resolving the issue — all on potentially millions of alerts and often with incomplete data.

What’s more, many of these alerts are redundant, so analysts spend valuable time on repetitive tasks that keep them from more critical issues. Security automation, on the other hand, does much of this work for your security team. When an alert comes in, it immediately determines whether an action is required — based on previous responses to similar incidents — and if so, can automatically remediate the issue.

Meanwhile, security analysts have more time to focus on strategic planning, threat hunting and conducting deeper investigations — bringing more value to the business.

What are signs that an organization needs security automation?

There are several signs indicating that your organization needs security automation, including a breach, lagging response times, overwhelming false positives and a need for more efficient and cost-effective operations.

While it’s safe to say that most organizations could benefit from security automation, they’re more likely to require or adopt it if:

• A breach has occurred. Billions of people and countless businesses have been affected by data breaches. In 2018, breaches cost roughly $148 per lost or stolen record — nearly $4 million overall per incident. Organizations can’t afford to be lax when it comes to security measures.
• Incident response times are lagging. Security analysts can only investigate a fraction of the alerts that come in, so responding in real time is rarely possible. Organizations need solutions and practices that allow them to resolve incidents faster, reducing overall time spent per incident.
• False positives are overwhelming the security team. False positives are only revealed as false after each is investigated as a real threat. These incidents steal security analysts’ focus and prevent them from addressing genuine threats.
• Security teams want to operate more effectively, efficiently and cheaply. If security analysts are wasting time on repetitive tasks and false positives, they aren’t maximizing their value to the organization.

What is a security automation platform?

A security automation platform is software that will execute a series of security actions across your entire infrastructure in a matter of seconds. The security automation platform is engaged when an incident is detected (via the network, a file scan, an email scan, and so on), and then responds accordingly. Security automation platforms offer:

1. Playbook creation and customization: Security automation platforms allow you to construct and customize playbooks, or choose from prebuilt ones, enabling you to filter data, make a decision using encoded logic, prompt a user for input or confirmation, or call another playbook.
2. Standardized incident response processes: The playbooks tell the security automation tool how to respond to incidents based on internal rules, ensuring a repeatable, streamlined and auditable security operations process aimed at helping security teams speed incident response and mitigate risk. For example, actions could include:
   • Deleting or quarantining suspected malware-infected files
   • Performing a geolocation lookup on a given IP address
   • Searching for files on a particular endpoint
   • Blocking a URL on perimeter devices
   • Quarantining a device from the network
3. Seamless integration with other security systems: Security automation products integrate seamlessly with your security assets, including firewalls, endpoint products, reputation management services, sandboxes, directory services and SIEMs. They also offer a way to monitor your entire infrastructure within one interface.

^{Security automation integrates with firewalls, endpoint solutions and other IT products in your environment.}

Security automation evolved as a hot topic for organizations and security teams thanks in large part to the exponential rise of cyberattacks. Prior to automation, security analysts were required to comb through, analyze and act on every alert — a feat that ultimately proved impossible to accomplish. The overwhelming number of threats demanded automated incident response to more rapidly identify and respond to a cyberattack or security breach.

While automated incident response helped with security issues, a more proactive approach was ultimately needed. From there came security automation, which offered a systematic, machine-based approach. That in turn grew into security automation and orchestration, the latter enabling connectivity between security tools and workflows.

Today, providers offer security orchestration, automation and response (SOAR) systems, which automate both responses and corrections. (Note that vendors use varying and inconsistent terminology to describe their tools, so make sure you’re clear on what features you require from a security automation platform before you begin researching vendors.)

^{Security automation tools provide a dashboard view of incidents, response metrics and more.}

What is the difference between automation and orchestration?

Security automation is all about simplifying and making your security operations run more efficiently. By contrast, security orchestration connects all of your different security tools, so that they feed into one another, share information, and respond to incidents, even when the data is spread across a large network and multiple systems or devices.

Security automation and security orchestration are terms that are often used interchangeably, but the two platforms actually serve very different functions. Specifically, security automation reduces the time it takes to detect and respond to repetitive incidents and false positives, so alerts don’t linger unaddressed. It also frees security analysts’ time to focus on strategic tasks, like investigative research. However, security automation is limited in that each playbook addresses a known scenario with a prescribed course of action.

The two work in concert: Security automation deals with an array of single tasks, while security orchestration connects and speeds up the process from beginning to end — and security groups can maximize their efficiency and productivity when they adopt both.

There are numerous ways to generate value from security automation, which include establishing priorities for its use, developing playbooks and training staff. Follow these best practices to gain the most value from your security automation platform investment:

1. Don’t assume it can replace people. The technology works well for executing simple actions, but for more complex issues that require decision making, brainstorming and complex problem solving, you will still need experienced IT staff, especially security analysts. Automation will free those analysts to concentrate on the problems that matter.
2. Establish priorities. To determine the top priorities for automation, you will need to take a look at the big picture and figure out which incidents occur most often, and which take the most time to investigate and resolve. Then define your use cases based on your industry and organizational goals, and create a list of how you will use security automation. Involve stakeholders across your security operations team as you identify use cases, even if you don’t think you will implement them right away. Having these priorities in mind as you research vendors will help to ensure the platform can serve you well in the long term.
3. Ease into automation. Most organizations can’t automate everything at once, nor should they. Start where security automation makes the most sense or can bring immediate value. Adopting automation bit by bit allows you to monitor your progress, consider the results, adjust as needed, and use that knowledge as you roll out automation in other areas.
4. Develop your playbooks. It’s important to document the steps, instructions and best practices for resolving incidents effectively, ensuring that your security team follows a consistent and repeatable process every time an incident arises. As you establish a priority list for developing playbooks, start with those that will eliminate the repetitive tasks upon which the team wastes the most time.
5. Train staff. Not only do you need to train staff to effectively use your security automation software, you need to train them to address complex incidents the software can’t resolve. When alerts are flagged as needing human invention, your staff must have the expertise and confidence to tackle those issues.
6. Make use of newly available time. Automation makes security teams more productive and creates opportunities for them to do more for the organization. Plan how your analysts will focus on value-added tasks that benefit the organization — for example, conducting a deep investigation as to why you are constantly fighting off phishing attacks. What’s more, automation will also create new roles within the organization — so use the newly available time to develop a continuous improvement model and train staff to design, implement and improve upon automation logic.
7. Bring your security tools and workflows together. Adopting security orchestration in addition to security automation offers you greater visibility across your entire organization, improves communication and collaboration, boosts efficiency, eliminates confusion and errors and reduces response times.

Getting started with security automation requires you to establish your needs, define use cases, and thoroughly research providers based on a myriad of criteria. And if you’re ready, here are a few ways how you can move forward with the big decision about which security automation platform to adopt.

1. Establish your needs first. How security automation can help you is highly dependent on your industry and business. The tools you adopt and the processes you establish will rely heavily on whether your organization is in retail, healthcare, manufacturing, financial services, the public sector or another industry.

   For example, retailers are dealing with ransomware and phishing attacks at unprecedented levels. Automation can help to clear the deck of repetitive attacks and false positives so security analysts can investigate those cases more deeply and establish a long-term fix.

   Before you consider vendors, work with your IT team and other leaders in the organization to pinpoint the problems you need to solve. Here are a few questions that can drive the conversation:

   • Is the security team dealing with alert fatigue? How many alerts do they receive per day, and how many they are able to respond to? How many are repetitive or false positives?
   • What are your dwell times (the length of time that an active threat goes undetected) and response rates?
   • Which tasks are repeatable and well-defined? How could automation speed up the completion of those tasks?
   • What are the top three goals of the organization (e.g., growth, operating leanly, reducing inefficiencies)? What security priorities must you establish to help the organization meet those goals?
2. Define use cases. Based on your industry and organizational goals, establish a list of ways you will use security automation. For example, if you are in manufacturing, the second-most-attacked industry behind healthcare, security automation and orchestration could offer visibility into what’s happening within the network, while also targeting — and blocking — many of the attacks. Spend some time on this step, because it will be critical for researching vendors that can meet your business needs and eventually for creating playbooks.
3. Research providers
   Armed with your goals, priorities, and use cases, you can begin looking for a vendor. Some things to keep in mind to help you whittle down your options:
   • Ease into coding. Writing code to deploy a new tool takes a lot of time. Ideally, you want a platform that allows you to build your playbooks with no manual coding required.
   • Third-party integration and plugin support. Evaluate all your apps and tools to ensure that any vendor you choose has you covered when it comes to third-party integrations and plugins.
   • Ease of use and flexibility. Choose a platform that requires little to no maintenance. Find out how much customization you can do to meet your immediate and long-term needs.
   • Length and type of deployment. If you want to start seeing immediate value, speak to vendors frankly about how long it will take to get you up and running, from infrastructure updates to installation to staff training.
   • Technical support. Find out what kind of support you can expect starting from day one (e.g., 24/7 support; phone, email, or web chat).

The bottom line: Adopt security automation now

Security automation is no longer a “nice to have.” It’s a must in today’s complex IT environment. Amid rising number and severity of cyber attacks, there’s a shortage of top-flight security talent. Automation maximizes the value (and engagement) of your best security analysts by automating mundane, tedious tasks.

Security automation allows you to drastically reduce your incident response and dwell times and stay ahead of threats. Incident response that could take hours — or even days — can be reduced to mere seconds. That means you’ll expose your business to fewer threats and better protect your customers, while protecting your business’s reputation and bottom line.

• The Essential Guide to Security
• The SOAR Buyer’s Guide
• Using Automation to Defend Against the Emotet APT at McGraw-Hill Education
• Advancing Security Operations at Penn State University with Phantom Automation
• Getting Started With Security Automation and Orchestration
• Five Security Automation Playbooks that Pack a Powerful Punch
• Detecting the Unknowns with Phantom and Splunk
• Brewing up Security Automation on Use Cases With Phantom and Starbucks