This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
There’s been a lot of talk about security automation, but it’s increasingly unclear what is what. For example, a Network World article on security automation last year focused mostly on threat detection, a Gartner report on Intelligent and Automated Security Controls focused on the threat intelligence component, and another recent piece referenced security automation simply as “the automation of cybersecurity controls.”
The fact is, security automation is starting to go beyond prevention and detection technologies, reaching into other important components of IT infrastructure to more reliably protect organizations. Here are four of the newest and most advanced elements you should consider when discussing security automation:
1. Policy execution. As networks have grown significantly more complex, manually managing the associated security policies has become nearly impossible. Enter policy execution automation, which refers to the automation of any administrative work required of IT security. A variety of vendors offer tools for automating the management of network security policies, which can help you more easily meet internal or regulatory security requirements. Some also offer automated services for administrative tasks like user onboarding/offboarding and user lifecycle management. Automating provisioning, deprovisioning and user-access management can help IT teams gain greater control over data, costs and time, and the companies offering these tools sometimes refer to themselves – or are generically referred to by others – as offering security automation.
2. Alert monitoring and prioritization. Some people view the job of automation through the lens of monitoring and prioritizing alerts. Traditionally, alert monitoring and prioritization was a manual task, and a very tedious one at that. A team of analysts in a security operations center would have to compile alerts and literally stare at monitors all day in order to determine which data points were important. Today, there are methods for automating alert monitoring and prioritization that vary in sophistication. For example, this might include setting rules and thresholds, relying on threat intelligence or implementing more advanced behavioral analytics or machine learning technology.
Rules and thresholds are losing effectiveness, because they rely on a person deciding in advance which alerts are important and which aren’t. The rules also need regular maintenance, because cybersecurity threats are constantly changing and attackers often know exactly which alerts companies will be looking for. Relying on threat intelligence, on the other hand, is a little more reliable. This form of automation collects threat intelligence from multiple sources and helps companies know which alerts to look for and which are important. For instance, a company that is able to access and consume multiple intel sources will know when a certain type of attack is occurring across the globe, and automated threat intelligence can then help it prepare to protect itself against that potential, incoming attack before it’s too late.
Behavioral analytics and machine learning are among the most advanced forms of automation for alert monitoring and prioritization because they don’t rely on rules and thresholds or “known threats.” Instead, this type of technology can learn what normal network behavior looks like, easily and immediately pinpoint any abnormal behavior, and then statistically score the priority of each potential threat that should be investigated.
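The three prioritization methods above can be put side by side in a few lines of code. The following is an added example, not code from the article or from any vendor it mentions: a hand-written threshold rule, enrichment against a threat-intelligence list, and a statistical baseline score (a z-score of a host's egress volume against its own history) are combined into one priority score. Every alert, host baseline and indicator is constructed for the example (the addresses are from the TEST-NET documentation ranges), and the score weights are arbitrary choices.

```python
"""Alert prioritization in three tiers: static rules/thresholds,
threat-intelligence enrichment, and a statistical baseline score.
Added example; every alert, baseline and indicator below is constructed."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed "known bad" source addresses, standing in for a threat-intel feed.
THREAT_INTEL_IPS = {"203.0.113.7", "198.51.100.42"}

# Constructed per-host egress baselines (bytes out per 5-minute window).
EGRESS_BASELINES = {
    "ws-01": [100, 120, 110, 130, 90],
    "ws-02": [1000, 1000, 1000],      # flat history: standard deviation is zero
}


@dataclass
class Alert:
    host: str
    src_ip: str
    failed_logins: int        # failures in the last 5 minutes
    bytes_out: int            # egress bytes in the last 5 minutes
    reasons: list = field(default_factory=list)
    score: float = 0.0


def rule_score(a: Alert, login_threshold: int = 20) -> float:
    """Tier 1: a hand-written threshold. Cheap, but it only catches what the
    rule author anticipated and needs re-tuning as attackers adapt."""
    if a.failed_logins >= login_threshold:
        a.reasons.append(f"failed_logins {a.failed_logins} >= {login_threshold}")
        return 3.0
    return 0.0


def intel_score(a: Alert, intel: set) -> float:
    """Tier 2: enrichment against indicators collected from external feeds."""
    if a.src_ip in intel:
        a.reasons.append(f"src_ip {a.src_ip} matches threat intel")
        return 5.0
    return 0.0


def baseline_score(a: Alert, history: list) -> float:
    """Tier 3: how far this host's egress sits from its own baseline (z-score),
    with no rule or indicator involved. Needs at least two samples."""
    if len(history) < 2:
        return 0.0                      # no baseline yet: cannot judge
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        # Flat history: any increase is novel, so treat it as notable.
        if a.bytes_out > mu:
            a.reasons.append(f"bytes_out {a.bytes_out} above flat baseline {mu}")
            return 5.0
        return 0.0
    z = (a.bytes_out - mu) / sigma
    if z > 3.0:
        a.reasons.append(f"bytes_out z-score {z:.1f}")
        return min(z, 10.0)             # cap so one feature cannot swamp the rest
    return 0.0


def prioritize(alerts, intel=THREAT_INTEL_IPS, baselines=EGRESS_BASELINES):
    """Combine the three tiers and return alerts highest-priority first."""
    for a in alerts:
        a.score = (rule_score(a)
                   + intel_score(a, intel)
                   + baseline_score(a, baselines.get(a.host, [])))
    return sorted(alerts, key=lambda a: a.score, reverse=True)


def sample_alerts():
    """Constructed alerts from one 5-minute window."""
    return [
        Alert("ws-01", "192.0.2.10", failed_logins=2, bytes_out=500),
        Alert("ws-02", "203.0.113.7", failed_logins=25, bytes_out=1000),
        Alert("ws-03", "192.0.2.11", failed_logins=1, bytes_out=50),
    ]


if __name__ == "__main__":
    for a in prioritize(sample_alerts()):
        print(f"{a.score:5.1f}  {a.host:6}  {'; '.join(a.reasons) or 'nothing notable'}")
```

Run as written, the host with the quiet rule and intel picture (ws-01) still ranks first, because its egress is roughly 28 standard deviations above its own baseline; the host that tripped both the threshold and the intel match (ws-02) comes second, and the host with no history cannot be scored by the baseline tier at all, which is the practical cost of behavioral methods: they need a learning period before they say anything.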
3. Incident response planning. Incident response planning is also being referred to as security automation. One way to think about this technology is as a smart ticketing system that helps companies track the evolution of a security incident and coordinate the actions required to respond. Vendors in this space help companies develop playbooks for different types of threats so they can automate portions of their response when every second counts. They automate workflow so companies can make sure they’re communicating with the appropriate internal and external contacts, adhering to regulations for topics like privacy notifications, and establishing a clear audit trail.
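The "smart ticketing" idea in the paragraph above, as an added example that is not a vendor product or code from the article: a playbook is an ordered list of steps, automated steps run immediately, the first manual step pauses the ticket for an analyst, every step is written to an audit trail, and the contacts notified and the privacy-notification deadline are tracked on the incident. The playbook, the contact addresses, the host names and the 72-hour deadline are constructed placeholders; the clock is injected so the audit trail is reproducible.

```python
"""Minimal playbook runner: automated and manual steps, audit trail,
contact notification and a notification deadline per incident.
Added example; playbook, contacts and deadline are constructed placeholders."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Incident:
    ticket_id: str
    kind: str
    host: str
    detected_at: datetime
    status: str = "open"
    audit: list = field(default_factory=list)     # (time, step, outcome)
    notified: list = field(default_factory=list)


# Automated step handlers. Each returns a one-line outcome for the audit trail.
def isolate_host(inc: Incident) -> str:
    return f"isolated {inc.host} from the network"


def reset_credentials(inc: Incident) -> str:
    return f"forced credential reset for users of {inc.host}"


def notify_contacts(inc: Incident) -> str:
    # Constructed contact list; a real runner would look this up per incident type.
    contacts = ["security-lead@example.com", "privacy-officer@example.com"]
    inc.notified.extend(contacts)
    return "notified " + ", ".join(contacts)


# Constructed playbook: (step name, mode, handler). Manual steps have no handler.
PLAYBOOKS = {
    "credential-theft": [
        ("isolate_host", "automated", isolate_host),
        ("notify_contacts", "automated", notify_contacts),
        ("reset_credentials", "automated", reset_credentials),
        ("approve_closure", "manual", None),
    ],
}


def notification_deadline(inc: Incident, hours: int = 72) -> datetime:
    """When a privacy notification falls due, counted from detection.
    72 hours is a placeholder; the real window depends on the regulation."""
    return inc.detected_at + timedelta(hours=hours)


def run_playbook(inc: Incident, clock, playbooks=PLAYBOOKS) -> Incident:
    """Run automated steps in order; stop at the first manual step and hand
    the ticket to a human. `clock` returns the current time."""
    for name, mode, handler in playbooks[inc.kind]:
        if mode == "manual":
            inc.status = "awaiting_analyst"
            inc.audit.append((clock(), name, "paused: analyst action required"))
            return inc
        inc.audit.append((clock(), name, handler(inc)))
    inc.status = "closed"
    return inc


def resume(inc: Incident, clock, analyst: str, decision: str) -> Incident:
    """Record the analyst's decision on the paused manual step."""
    inc.audit.append((clock(), "approve_closure", f"{analyst}: {decision}"))
    inc.status = "closed" if decision == "approve" else "open"
    return inc


def fixed_clock(start: datetime, step_minutes: int = 1):
    """Deterministic clock: each call advances by step_minutes."""
    state = {"t": start - timedelta(minutes=step_minutes)}

    def now() -> datetime:
        state["t"] += timedelta(minutes=step_minutes)
        return state["t"]
    return now


def demo() -> Incident:
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed time
    inc = Incident("INC-0001", "credential-theft", "ws-01", detected_at=t0)
    return run_playbook(inc, fixed_clock(t0))


if __name__ == "__main__":
    inc = demo()
    for when, step, outcome in inc.audit:
        print(when.isoformat(), step, outcome)
    print("status:", inc.status, "| notify by:", notification_deadline(inc).isoformat())
```

The design point worth noticing is that the manual step is part of the playbook rather than an exception to it: the ticket pauses in a named state, the pause itself is audited, and the analyst's decision is recorded through the same `resume` path, so the audit trail stays complete whether a step was run by a machine or a person.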
4. Investigation, action and remediation. Automating the investigation, action and remediation of a cyber threat is about utilizing technology to perform tasks just as a qualified cyber analyst would. In a way, the other elements of security automation – from policies, to prioritization, to planning – are all working towards this end goal of quickly finding threats and shutting them down before they impact operations.
There are different aspects of what a vendor might automate when it comes to investigation, action and remediation. For example, some might address only one of those three components, while others focus on a specific task, such as automating the containment of compromised devices. There are also companies that use automation and artificial intelligence to conduct the entire process end to end, just as a cyber analyst would.
All of these security automation technologies free up overtaxed security resources, allowing security teams to be less focused on mundane – but essential – tasks, and more focused on strategic initiatives that will make their organization more secure.
According to data from the Breach Level Index, 1.9 million online records were compromised every day in 2015. That’s 80,766 records every hour, or 1,346 records every minute. The near constant occurrence of data breaches shows no signs of slowing down, so companies can’t afford to have any lingering questions about the concept and capabilities of security automation.
Prioritize the automation of your IT security infrastructure and recognize that multiple elements can be automated to help keep your business safe. Automating policy execution, alert monitoring and prioritization, and incident response planning can drastically increase company productivity and reduce costs. And by fully automating the investigation, action and remediation of threats, companies can simulate the experience and logic of experienced cyber analysts at scale, thereby guaranteeing stronger security and compliance overall.
Barak is CEO and Co-Founder of the security orchestration and automation company, Hexadite. Prior to founding Hexadite he was the head of Elbit Systems Ltd.'s Cyber Training and Simulation Team, training analysts to respond to cyber threats – in both private and public sectors, and served five years in an elite intelligence unit of the Israeli Defense Forces (IDF).