The need for speed | Automating tomorrow’s security operations

by Stephen Mills

12 April 2021

Moving traffic at night
It’s no secret that cyberattacks are increasing with ferocity, speed, and sophistication. With this, the need to respond to security events before they turn into security breaches is more important than ever.

Without some form of automation, particularly larger-scale infrastructure deployments will struggle to maintain even the status quo in operational disciplines required today. A material number of incidents are related to poor systems hygiene through vulnerability, configuration, privilege, and asset management. At a basic level, these operational requirements are ripe for automation and will help meet compliance obligations and reduce risk.

Starting the journey to automation

Defining a strategy to help shape your automation journey is critical to responding to rapid change and making way for digital transformation.

Below is an illustration of some different approaches to automation, depending on your risk profile, operational maturity, enterprise scale.

Illustration of some different approaches to automation

For many companies though, the journey begins with leveraging scripts as they are the foundation to build on further automation. Moving forwards into an automation stack will provide opportunities to automate mundane tasks; while not specific to security they may help streamline your operational objectives. This could involve scheduling regular audits across your infrastructure to patching systems.

Security Orchestration and Automation Response (SOAR) platforms combine multiple security processes and tools that assist with orchestration, automation, and response.

There is now significant interest in SOAR platforms, as they can automate once laborious tasks performed by security analysts, which delivers faster response times and - as a result - can save you from a security breach.

Take for example the following use case of responding to an email incident, where potentially hundreds of malicious emails are sent to a company to harvest passwords through a fake login page hosted on a website. In the past, the task of identifying impacted users, blocking the domain, resetting passwords, and removing email from mailboxes could take many hours. With automation, this task can be reduced to mere seconds or minutes.

Example use case phishing investigation

A Security Service Gateway is a concept of providing an abstraction layer platform for all operational staff, not just for security personnel in your SOC. Much like the move from EDR (Endpoint Detect and Respond) to XDR (X replaces Endpoint with anything), I may be so presumptuous to suggest such a gateway is akin to a transition from SOAR to XOAR. It may not be an off-the-shelf product and we can expect highly motivated or well-resourced companies to create customized platforms to fill this need. Depending on the design, a gateway would be an API-first platform with built-in high-performance applications delivered through a microservice architecture. These applications will integrate through a workflow system to combine different data points to expose information relevant to the use cases that are defined by operational teams. Empowering your operational teams to tie together information across systems, applications, or platforms regardless of where they will help support a digital journey.

Despite automation being a long-term commitment, the above examples are not mutually exclusive, and we can expect companies to employ multiple platform strategies to support the objectives of automation.

Evaluating your success

‘Success’ is a broad term, but being able to evaluate how well your automation platform stacks up against your objectives using quantifiable metrics is vital to measure its effectiveness. Below are some strategies to evaluate and compare when using an automation platform versus performing the tasks manually:

  • Lead time to enrich, triage, respond: How long did the case take the ingested alert to be enriched with contextual data e.g. domain reputation and determining asset ownership to establishing priority and risk to then responding through a block action?
  • Keyboard stroke and mouse clicks: How streamlined is the process for the team logging cases, extracting necessary information, and updating those service tickets? Count every keyboard stroke and mouse click and compare results.
  • Rate of overall case closure: How long did it take to close the case end-to-end, taking into consideration when the alert was first known through to following your incident management process to closure.

Learning and reflecting as you go

SOAR use cases will be similar; however, their implementation will be unique and based on your company’s requirements. As your company changes, analyst feedback is critical to success, requiring continuous engagement between your operations and SOC teams.

If there are any takeaways you should consider, begin by asking the following questions:
  • Do your operational processes allow you to respond quickly enough?
  • Where are you on your automation journey?
  • Do you have a strategy that is endorsed by senior management to execute?
Stephen Mills

Stephen Mills

Group SVP, CISO Office, NTT Ltd