Driving Cybersecurity Automation The Right Way
Is your security team becoming a little frazzled from too many security alerts and dealing with false positives? Is your team’s accurate and prompt response to those security alerts increasingly becoming a challenge? Do you have lots of well defined and repeatable tasks that require much manual work from your team? If you answered yes to all of those questions, then you are a prime candidate for driving cybersecurity automation. However, how do you go about driving automation in your CSOC and where do you begin? An excellent place to start is to first take stock of where you are.
Define your needs
Organizations and CSOC’s adopt automation for lots of reasons – however, before starting your automation journey, it’s essential to define and clarify your needs. This will help you evaluate potential solutions down the line.
It’s evident that the influx of too many security alerts is a growing problem. Given this, is managing too many security products and integrations getting difficult? Do you think there is trouble retaining talent because there is monotony in executing repetitive workflows?
Document and discuss all of your internal needs and prioritize them. Once you tightly define your needs, you can set about defining typical use cases. For example, you could start with automating a part of your phishing investigation workflow, where the automation takes care of extracting indicators from headers, body, and attachments and getting reputations.
Almost every aspect of reviewing threats (triage), calculating risk (escalation) and threat response (remediation) can be automated. This will free up vast amounts of operational time.
What are your top business drivers and priorities?
What are the metrics that matter to you? Could it be an increase in the number of incidents investigated? Improved response time and MTTR? Cost management?
You may want to automate your data enrichment tasks or orchestrate and automate your threat hunting, or perhaps you want to automate malware analysis if it becomes a problem for your CSOC. Once you define your needs and use cases, you can begin moving towards adopting automation on a larger scale.
Remember that you don’t have to apply automation to every use case or step in a process you have. In many cases, automation improves individual steps in a process while leaving the security operator in full control of the workflow.
Taking the first steps towards automation
Some CSOC teams adopt an agile approach to automation, meaning that they add automation incrementally in the areas where it makes the most sense, rather than trying to automate everything at once. Those experiences and learning processes the team goes through during automation are stepping stones into other automation areas.
One thing you’ll learn during the process of automating elements of your CSOC is that there are key decision points in most processes not suitable for automation. While automation is fantastic at executing time-consuming or repetitive tasks, humans are brilliant at making decisions based on information they can see. When automation accurately empowers humans, they can respond to incidents faster and with higher efficiency. I spoke to Joe Loomis (Cybersponse) to ask him how granularly automation could be embedded within a human operators workflow in a way that would make the operator more efficient. He told me “our own automation platform Cybersponse has many options in its workflow design arsenal, that blend in human decisions such that the automation could continue based on what the analyst inference was.”
So, for example, if during automation an IP was found malicious, a task could be created and the analysts could be presented a question, say, “Do you want to escalate this alert or continue the investigation?” Depending on the analyst’s response, the automation could go either way.
Analyzing your incidents is a great place to start looking for automation use cases
Take a close look at the incidents with the highest impact, the ones that take the longest to investigate. Try to resolve the ones that occur on a frequent basis. Work out which are the ‘top ten’ incidents from those criteria, and analyze which vendors and systems are usually involved. Do these incidents need more information to be gathered or other actions to be taken? If so, can the process be automated?
Take a multidisciplinary approach – incident response does not work in silos
When you discover which systems have been affected in each use case, collaborate with their owners to automate critical steps. Teams working on automation projects need to understand the workflows and discuss information sharing and their responses, if they are to leverage automation to speed up resolutions and reduce risk significantly.
Focus on continuous improvement by starting small and building on proven value
An excellent way to prove automation’s value is to measure response time metrics, and KPI improvements before and after automation. If your automation significantly reduces response times, calculate saved costs to work out the benefits of your team being able to focus on more mission-critical work.
You can find significant cost savings in cybersecurity automation. Taking a step-by-step approach allows you to glean value from automation and continuously refine your efforts over time.
The more you learn about your incident cases and the actions that need to be taken around them, such that a workflow/pattern could be formed, the more experienced your team will become at automating elements within those processes and leveraging automation in the real day-to-day world of your CSOC. When speaking to a SOC Manager at a reputed financial organization, he mentioned how they gained immensely by starting slow. For example, they usually first automated the bigger repetitive chunks like indicator enrichment, threat hunting, and notification pieces. Learn from that, and begin with baby steps.
Post provided to you by @InfosecScribe.