There’s been a lot of talk about security automation, but it’s increasingly unclear what is what. The fact is, the technology is starting to go beyond prevention and detection, reaching into other important components of IT infrastructure to more reliably protect organisations.
Here are four of the newest and most advanced elements you should consider when discussing security automation:
- Policy execution. As networks have grown significantly more complex, manually managing the associated security policies has become nearly impossible. Enter policy execution automation, which refers to the automation of any administrative work required of IT security. A variety of vendors offer tools for automating the management of network security policies, which can help you more easily meet internal or regulatory security requirements. Some also offer automated services for administrative tasks like user onboarding/off-boarding and user lifecycle management. Automating provisioning, deprovisioning and user access management can help IT teams gain greater control over data, costs and time, and the companies offering these tools sometimes refer to themselves – or are generically referred to by others – as offering security automation.
- Alert monitoring and prioritisation. Some people view the job of automation through the lens of monitoring and prioritising alerts. Traditionally, alert monitoring and prioritisation was a manual task, and a very tedious one at that. A team of analysts in a security operations centre would have to compile alerts and literally stare at monitors all day in order to determine which data points were important. Today, there are methods for automating alert monitoring and prioritisation that vary in sophistication. For example, this might include setting rules and thresholds, relying on threat intelligence, or implementing more advanced behavioural analytics or machine learning technology.
The effectiveness of rules and thresholds is dwindling, because this approach relies on manual input from a person to determine which alerts are important and which aren’t. It also requires regular maintenance of those rules, because cybersecurity threats are constantly changing and hackers often know exactly which alerts companies will be looking for. Relying on threat intelligence, on the other hand, is a little more reliable. This form of automation refers to the collection of threat intelligence from multiple sources, and it can help companies know which alerts to look for and which are important. For instance, if a company is able to access and consume multiple intel sources, it would know when a certain type of attack is occurring across the globe. Automated threat intelligence can then help the company prepare to protect itself against that potential incoming attack before it’s too late.
Behavioural analytics and machine learning are among the most advanced forms of automation for alert monitoring and prioritisation because they don’t rely on rules and thresholds or “known threats.” Instead, this type of technology can learn what normal network behaviour looks like, easily and immediately pinpoint any abnormal behaviour, and then statistically score the priority of each potential threat that should be investigated.
- Incident response planning. Incident response planning is also being referred to as security automation. One way to think about this technology is as a smart ticketing system that helps companies track the evolution of a security incident and coordinate the actions required to respond. Vendors in this space help companies develop playbooks for different types of threats so they can automate portions of their response when every second counts. They automate workflow so companies can make sure they’re communicating with the appropriate internal and external contacts, adhering to regulations for topics like privacy notifications, and establishing a clear audit trail.
- Investigation, action and remediation. Automating the investigation, action and remediation of a cyber threat is about utilising technology to perform tasks just as a qualified cyber analyst would. In a way, the other elements of security automation – from policies, to prioritisation, to planning – are all working towards this end goal of quickly finding threats and shutting them down before they impact operations.
There are different aspects of what a vendor might automate when it comes to investigation, action and remediation. For example, some might only address one of those three components, while others focus on a specific task, such as automating the containment of compromised devices. There are also companies that use automation and artificial intelligence to conduct the entire process end to end, just as a cyber analyst would.
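The alert-prioritisation passage above contrasts a hand-set threshold rule with a behavioural baseline that learns what is normal per host and statistically scores deviations. The following is an added example, not code from the original article: it runs both approaches over constructed hourly outbound-connection counts, showing the static rule flagging a busy-but-normal web server while missing a quiet database host that suddenly deviates, which the baseline scores as high priority. Host names, counts and the threshold are all constructed values.

```python
import statistics
from dataclasses import dataclass

# Constructed sample data: hourly outbound-connection counts per host over a
# training window assumed to represent normal behaviour, plus the current hour.
BASELINE = {
    "web-01": [120, 135, 128, 140, 132, 125, 138, 130],  # busy web server
    "db-02":  [10, 12, 9, 11, 10, 13, 11, 10],           # quiet database host
    "wks-17": [40, 38, 45, 42, 39, 44, 41, 43],          # ordinary workstation
}
CURRENT = {"web-01": 134, "db-02": 60, "wks-17": 41}

STATIC_THRESHOLD = 100  # a hand-set rule (constructed): alert when count > this


def rule_alerts(current, threshold=STATIC_THRESHOLD):
    """Static threshold rule: fires on the absolute count, ignoring what is
    normal for each host, so it flags web-01 and never sees db-02 change."""
    return sorted(host for host, count in current.items() if count > threshold)


@dataclass
class Score:
    host: str
    zscore: float
    priority: str


def baseline_scores(baseline, current, min_sigma=1.0):
    """Behavioural baseline: z-score of the current count against each host's
    own history, bucketed into a priority an analyst can triage by."""
    scores = []
    for host, count in current.items():
        history = baseline[host]
        mean = statistics.fmean(history)
        # Floor the spread so a perfectly flat history cannot divide by zero.
        sigma = max(statistics.pstdev(history), min_sigma)
        z = (count - mean) / sigma
        priority = "high" if z >= 6 else "medium" if z >= 3 else "low"
        scores.append(Score(host, round(z, 2), priority))
    # Highest deviation first: this is the ordering an analyst would work from.
    return sorted(scores, key=lambda s: s.zscore, reverse=True)


if __name__ == "__main__":
    print("static rule flags:", rule_alerts(CURRENT))
    for s in baseline_scores(BASELINE, CURRENT):
        print(f"{s.host:8s} z={s.zscore:7.2f} priority={s.priority}")
```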
All of these security automation technologies free up overtaxed security resources, allowing security teams to be less focused on mundane – but essential – tasks, and more focused on strategic initiatives that will make their organisation more secure.
According to data from the Breach Level Index, 1.9 million online records were compromised every day in 2015. That’s 80,766 records every hour, or 1,346 records every minute. The near constant occurrence of data breaches shows no signs of slowing down, so companies can’t afford to have any lingering questions about the concept and capabilities of security automation.
Prioritise the automation of your IT security infrastructure and recognise that multiple elements can be automated to help keep your business safe. Automating policy execution, alert monitoring and prioritisation, and incident response planning can drastically increase company productivity and reduce costs. And by fully automating the investigation, action and remediation of threats, companies can simulate the experience and logic of experienced cyber analysts at scale, thereby guaranteeing stronger security and compliance overall.