Automation is now No. 1 for SecOps: How to put it to work on your team

John P. Mello Jr., freelance writer

Security automation has become a top concern for many organizations as they struggle with a growing number of cyber threats fueled by new attack vectors in the cloud, and with proliferating endpoints created by the Internet of Things.

That trend was revealed in a recent survey of 300 CISOs, CIOs, CTOs, architects, engineers, and analysts across a variety of industries by the threat detection and hunting company Fidelis Cybersecurity.

More than half the professionals surveyed (57%) said that a lack of automation is their top concern for their organizations.

Here's how to improve your overall security operations with automation.

Get more from your security stack

Automation is rising on the priority list because organizations are realizing it's a way to reduce risks, gain greater visibility into their networks, and get the most from their security stacks.

One of the biggest risks automation can address is human error. When an engineer is asked to repeat the same task every day, looking for needles in the same haystacks, eventually they will make a mistake, said Laurence Pitt, strategic security director at security and performance company Juniper Networks. "Computers will not do this. Once set to a task, they will get it right every single time without failure."

Automated and orchestrated processes can also reduce risks by allowing threats to be detected and addressed faster, said Joseph Blankenship, vice president and research director for security and risk at Forrester Research.

"Automated policy orchestration also helps reduce risk by ensuring that policies exist and are effective, reducing the risk that systems and the data in those systems can be breached."
Joseph Blankenship

There's an opportunity to incorporate automation to reduce risk at all stages of security, said Rani Osnat, vice president for strategy at Aqua Security, a cloud application security provider. 

This can start with automated scanning for vulnerabilities, flaws, malware, and configuration mistakes, and include automated profiling of allocation behavior for whitelisting and anomaly detection. Other security areas ripe for automation are detection of and response to breaches and attacks.

Security still takes a team

As good as automation is at reducing human error, it can't eliminate humans entirely.

"Computers can spot patterns, alerts, and bad actions on the network or on connected devices. Humans can spot the unexpected."
Laurence Pitt

That's why security automation is so important, he added. "It gives time back to the engineers to do what they are good at."

Integration of security solutions is another area where automation falls short and can actually create risk, said Joseph Carson, the chief security scientist at security tools vendor Thycotic. "For many organizations, this tends to be time-consuming and complicated and can introduce risks when done incorrectly."

I can see clearly now

Automation can help security engineers by noticing patterns inside the millions of alerts sent to them daily. Automation can "spot the ones that actually need to be of concern and either act on them, or flag them for an engineer," Juniper's Pitt explained.

Automation using machine learning can give system defenders greater insight into network operations, too, said Shreyans Mehta, co-founder and CTO of Cequence Security, a maker of automated digital security systems. 

"By observing network and application traffic, machine learning can help model how good users behave on a web application. The same models can then be used to identify bad actors with malicious behaviors and intent."
Shreyans Mehta

Automation can also help organizations get more from their security stacks. Organizations are "overwhelmed" by the volume and velocity of alerts generated by their security systems, said Raphael Reich, vice president of product marketing at CyCognito, maker of an attack surface analysis platform.

"By leveraging automated, intelligent prioritization of risks, organizations can ensure their security resources are focused on addressing the risks that, when eliminated, provide the greatest ROI."
Raphael Reich

Consolidate your security stack

A majority of organizations surveyed in the Fidelis report admitted they are not using their stack to its full potential. Just 6.54% of all organizations surveyed believe they are using their security stack to its full capability.

The good news, the report said, is that most organizations realize that this is a problem, with 78% of respondents replying that they have already consolidated, or are planning to consolidate, their security stack.

One approach to maximizing stack utilization is to create a standardized data ontology that represents the structure and flow of information between the components of the security ecosystem.

"This creates a common language that facilitates communication—not just between human stakeholders but also between the systems that comprise the security stack," said Syed Abdur, senior director of products at the risk analytics firm Brinqa.

"Of course, when you automate, it means that the resources you have can do so much more, and you can get more value out of your solutions."
Joseph Carson

While automation can address some of the concerns organizations have about risk, visibility, and utilization, it needs data to work effectively, said Blankenship. "Automation is only as good as the analytics technologies that exist. Automation can't do anything without good data."

Why companies aren't automating security

One reason for the lack of automation thus far is that the legacy systems in many organizations depend on signatures to function. These systems, unlike machine-learning-based systems, require constant writing and updating of manual rules and require manual feedback, which does not support automation, said Cequence's Mehta.

That's especially true in security operations centers (SOCs). Most organizations have very manual processes in their SOCs due to the wide range of technologies analysts work with, the need for human intelligence to identify threats, and the lack of automated tools until about four years ago, said Forrester's Blankenship. "Automation is still relatively new to security operations professionals."

Brinqa's Abdur explained that a lack of standardization within security programs themselves can also be a barrier to automation.

"There can be significant differences in how the same cybersecurity program may be designed and implemented across different organizations. As a result, a 'one size fits all' approach to cybersecurity process automation does not work."
Syed Abdur

In addition, he said, while it's possible to automate large parts of the vulnerability management process, to do that an organization needs an authoritative, accurate, and complete asset inventory.

A surprisingly large percentage of organizations lag behind in implementing foundational controls like asset management effectively, which makes it difficult to incorporate automation further downstream, Abdur said.

Pushback from security pros

While security professionals say they're concerned about the lack of automation, some of that sentiment may be a bit hypocritical. "At least in part, lack of automation is due to resistance to relinquishing control to automated systems," said Aqua Security's Osnat.

That's especially true when it comes to preventive controls or response to threats that can block processes or applications. In those situations, practitioners can be overly concerned about automation creating false positives that can be a time suck on the development process.

"Unfortunately, sometimes the speed of attacks, which themselves are often automated, requires an automated response if they are to be thwarted or contained in time," Osnat said.

Juniper Networks' Pitt agreed that the accuracy of existing automated systems can make security pros nervous. "This leads to solutions being deployed in the 'least automated' mode," he said.

A classic example of that is information intrusion, Pitt said.

"Everyone has the technology, but many run it in detect-only mode rather than risk false positives," he said. "So what we have is a lack of fully deployed automation."
—Laurence Pitt

SOCs, heal yourselves

That's typically the situation in SOCs. The tools are available from vendors, Blankenship said, but many SOCs don’t have them implemented or fully implemented.

"Many SOCs lack automated tools to do the grunt work of security, like running searches and collecting data. They also lack the ability to take automated action on identified threats."
—Joseph Blankenship

Organizations also lack automated tools to do things such as patching and policy management, Blankenship added. But as environments grow increasingly complex, the ability to automatically push out and enforce policies in multiple environments—including on-premises, cloud, multi-cloud, and hybrid—"becomes critical."
