3 reasons why no-code automation is vital to security teams

Eoin Hinchy, Founder, Tines

Image: Scrabble letters arranged into the sentence "This Sentence Contains Threee Erors"

In my 15 years of being a security practitioner, working on incident response and overseeing security teams, I've observed a major problem: There's too much work and not enough staff. More specifically, I've seen overworked staff doing repetitive, mundane tasks, leading not only to burnout but to human error that could cost a company millions.

We need to get security teams away from those monotonous tasks and focused on projects that could add value to the company and put their skills to better use.

The solution? No-code automation, which allows frontline security analysts to automate processes such as responding to phishing attacks, dealing with suspicious logins, and even onboarding employees—all with a few drag-and-drop actions.

No-code automation has the potential to save teams days and weeks of work, free up security practitioners for high-impact projects, and improve total productivity.

Here's why no-code automation is a critical skill that those of us who are at the forefront of security operations will have to adopt in the next few years.

What is no-code security automation?

No-code automation platforms remove the barriers from coding. The tools are built with a rich set of higher-level features that can model complex and intricate workflows through simple drag-and-drop actions; these actions can be connected to one another to perform a set of sequential events automatically.

The daily activities of an analyst are filled with repetitive, manual tasks. I estimated that my teams spent about 80% of their day working over and over on tasks that had already been done. Teams also have to wait for developers to get involved, which delays deployment and piles more work onto teams that are already overloaded.

Automation is simply a way to perform those tasks without a human manually sending emails, creating tickets, checking logs, or otherwise executing repetitive actions. Security workflows tend to be complicated, so the automation needs to be flexible and scalable, able to handle the complexities.

No-code automation allows security practitioners to build the automation they need, on their time, in their own way. Analysts don't have to rely on software developers, reducing not only time to value, but also the maintenance burden.

Another benefit is that analysts can automate more of their workflows, freeing themselves up to devote time and talents to more high-impact work, such as improving security approaches, reducing the risk posture, tuning out false positives, and improving awareness training.

No-code in the real world

Box, the cloud content management, workflow, and collaboration company, had created its own effective automation tools. But because the tools were coded in Python scripts, it was hard for a wider audience to read or edit what those tools did. Only proficient coders were able to make changes as the incident response team's needs evolved over time. This was a bottleneck to further improving the efficiency dividend that automation provides.

Box needed to simplify the creation of new tools and third-party integrations, and it needed to make editing them easy, no matter the skill set of the security professionals using them. 

Tristan Waldear, senior manager of security automation at Box, said no-code automation allowed "a level of customization and utility that wasn't previously available to Box’s security analysts." They initially put no-code automation to work on workflows for suspected phishing emails. 

The system they already had in place scanned attachments and links, looked up the sender and recipient, and automatically put all that data into a support ticket. But only members of the security automation team "knew how it worked or could change it," Waldear said.

Now incident response analysts can customize the workflow to suit their needs. And they can add extra features without having to request any software updates. For example, they can create a button that automatically removes a malicious email from an inbox.

No-code helps at McKesson, too

McKesson's director of cybersecurity, John McSweeney, looked to no-code automation to automate the repetitive work of processing alerts. The goal was to free up his team so they could focus their time and expertise on the most important incidents. They began by automating the most mundane tasks the active defense team has to deal with.

For example, when a new security incident is identified, one of the first jobs is to set up an incident response chat room, including all relevant security professionals and stakeholders from across the company. This used to be done manually and was prone to human error. When as many as 55 people might be invited to the room, "it was common that at least sometimes some incorrect people would be invited."

Some of McKesson's automation cases may sound simple, but they're impressively effective. "We've found that just one of our earliest implementations frees up 1.5 analysts per week," McSweeney added. "That's a lot of human hours that we can put into more complicated and professionally rewarding work."

Why no-code automation is a critical skill to develop in 2022 and beyond

No-code automation is vital to a security team for three reasons.

1. Increased job satisfaction and better hiring

We all have a general idea about the day-to-day struggles that security analysts face in the SOC: They love their work, and yet "burned out" is a common descriptor. They spend their time on tedious, manual work in understaffed teams. In the Voice of the SOC Analyst report, 71% of the analysts surveyed felt very or somewhat burned out at work, and 69% said their teams are understaffed. 

True, there's been an increase in the number of cybersecurity pros working in the past two years, according to (ISC)², but there are still many more jobs open than there are security experts to fill them.

Minimizing or automating monotonous, mundane tasks not only reduces the number of lower-level staffers you need, but it also increases the job satisfaction of your current team, increasing retention. That same SOC report found that 64% of security analysts are likely to switch jobs in the next year.  

Recruiting and retaining capable staffers who are engaged is a huge issue. You also have to balance that challenge with the ultimate, big-picture mission of reducing risk and protecting the organization.

2. No-code automation stitches security stacks together

Today, more organizations are unbundling their security stacks as they move away from all-in-one solutions and turn toward best-of-breed security tools designed for specific purposes.

Whether it's traffic behavior analysis, firewall management, intrusion detection, phishing simulations "or anything else we use, no-code automation was very easy to plug into everything, get the alerts we want, and have it process them," said Joel Perez-Sanchez, security engineer at online restaurant-reservation service company OpenTable.

"For example, I’ve set it up so when a user reports a phishing email, it will go in and scrape all the data we need, check with VirusTotal, URLhaus, and Urlscan, and others, and then present all that information to us in our ticketing system. After just a short period using it, we found it saved us 40 hours of work per week."
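The phishing-report workflows that Box and OpenTable describe share the same first step: pull the facts out of the reported message before any reputation lookup or ticket is created. The following Python is an added illustration of that step, not code from Tines, Box or OpenTable; the sample message, the `example-invalid.test` and `corp.example` domains, and the `triage` function are all constructed for this example.

```python
import email, hashlib, re
from email import policy

# Constructed sample of a user-reported message (not a real email; example domains only).
REPORTED_EML = b"""\
From: "IT Helpdesk" <helpdesk@example-invalid.test>
To: analyst@corp.example
Subject: Password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset now: http://login.example-invalid.test/reset?u=1
Or see https://docs.corp.example/policy
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage(raw: bytes, own_domains=("corp.example",)) -> dict:
    """Collect what the ticket needs: sender, recipient, every URL (flagging hosts
    outside our own domains) and a SHA-256 per attachment for reputation lookups."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append({"filename": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest(),
                                "size": len(data)})
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                host = url.split("/")[2]  # URL_RE guarantees a scheme prefix
                # Exact match or a real subdomain only, so "evilcorp.example" stays external.
                internal = any(host == d or host.endswith("." + d) for d in own_domains)
                urls.append({"url": url, "external": not internal})
    # Only external URLs and attachment hashes are queued for VirusTotal-style lookups;
    # the ticket still carries everything so the analyst sees the full picture.
    return {"sender": str(msg["From"]), "recipient": str(msg["To"]),
            "subject": str(msg["Subject"]), "urls": urls, "attachments": attachments,
            "needs_lookup": [a["sha256"] for a in attachments]
                            + [u["url"] for u in urls if u["external"]]}
```

The returned dictionary is what a no-code platform would hand to its lookup and ticketing actions; the same structure lets a button like the one Box describes act on the original message without re-parsing it.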

To eliminate the risk of fragmentation, no-code automation can stitch the one-off tools together, since no-code platforms sync not just with known tools, but with niche and custom tools as well.

3. Staying ahead in the security game

Human analysts will always be in high demand, at least for the foreseeable future. The trick is to figure out a way to deploy them most efficiently while also giving them the leeway to tinker and develop their own tools without destroying everything if they mess something up.

As people and businesses rely more and more on computerization, there are ever-evolving technological threats, with today’s most prevalent being phishing, malware, and ransomware, as reported in a recent article by Joe Banks.

The key way for security teams to keep pace and even stay ahead is through automation, which can help analysts "click through" the mundane day-to-day tasks and free them up to develop new and better ways of detecting and responding. A top-performing analyst will even be able to automate some of the new ways of detecting and responding, and evolve the production workflow as the threats to their companies continuously change.

The future of security automation is no-code

Security operations leaders should always be on the lookout for how to remove barriers that keep their team from doing its best work. No-code automation is a way to put the power into workers' hands. It increases productivity by engaging workers and reducing the opportunity for human error, lowering the risk of major incidents and improving an organization's security posture.
