
March 17, 2020 By Enrico Benzoni

Automation in cybersecurity: Benefit or a threat?

Automation in cybersecurity is becoming all the more important, but it is vital to have total control over how automation operates. With the increasing number of alerts and threats that cybersecurity organizations are facing on a daily basis, it becomes overwhelming for SecOps teams and analysts to deal with each and every one of them. That is why automation plays a vital part in modern cybersecurity.

The role of automation in SOAR (Security Orchestration, Automation and Response) is to ease the burden on cybersecurity organizations by automating repetitive behavior and recurring tasks. The degree of automation can be adjusted, and security teams can determine whether they want some tasks to include human interaction (which is essential in some processes) or whether they want all of their tasks to be fully automated.

Either way, not everyone is familiar with the details of how automation aids cybersecurity teams and why it is becoming an integral component of cybersecurity technology. That’s why, in this blog post, we will shine a light on some of the most integral characteristics of cybersecurity automation.

What does automation mean in SOAR?

To answer what automation means in SOAR, first, we have to learn what SOAR is and what it represents. In short, SOAR is a kind of technology that allows organizations to replicate their own security operations processes in an automated workflow to orchestrate tasks to better detect, track, and remedy potential threats.

SOAR is a specific technology that helps SecOps and SOC analysts avoid repetitive tasks and save time, and automation has a particularly important role here. SOC analysts have a myriad of tasks and processes that they have to oversee, and automation plays a vital role in freeing them from repetitive tasks, thus giving them more time to focus on more important issues. So, automation enables faster response to potential security threats whilst allowing analysts to proactively direct their attention to real threats.

What is the difference between security automation and security orchestration?

Thanks to orchestration, you can connect all the technologies SecOps needs through API connectors. This permits replication and improvement of the SOC process, and security analysts have all the information they need on a single SOAR platform.

Automation allows SOCs to speed up the implementation of processes because the operator intervenes only where there are decisions to be made. Security automation is focused on assisting teams with repetitive, time-consuming, and low-level tasks.

How can automation improve security operations?

Automation allows SOCs to automate many time-consuming and repetitive tasks and makes sure that they run smoothly without the need for human assistance. It allows SecOps and analysts to take a more proactive stance toward tackling other, more unpredictable threats.

Without automation, security teams have to deal with an increasing number of security alerts and potential incidents, which would require many hours of their valuable time to resolve. And because there are too many false positives (mislabelled alerts), that time ends up being spent in vain. But, with security automation, those repetitive processes don’t require human intervention, thus freeing up a lot of their time to deal with real cyber threats. In other words, automation allows security teams to deal with potential alerts in a faster, more effective manner.

Which security operations processes can be automated?

By implementing the automation process, SOAR solutions use Playbooks, or automated workflows, to fully automate the triage, investigation, and containment processes. Furthermore, security automation enables the workflow process to perform a variety of granular data enrichment, notification, containment, and custom actions based on logical decision making, all the while making sure no threat goes unaddressed.

The automation of these tasks is adjustable, meaning that security teams alone decide to which degree they want to implement automation in their security operations. Theoretically, automation can be implemented in both high-risk and low-risk security operations. However, automation works best when used to automate repetitive tasks that won’t jeopardize the quality of security operations.

Is there a downside to automation in security operations?

Even though security automation handles tasks independently, it still has to be instructed and navigated by human intervention. Analysts and SecOps are required to instruct their SOAR solution on whether the workflow procedures should be fully automated or semi-automated.

The automation process requires human control in order to be tweaked and tailored to how the organization wants the automation process to be handled. And because the level of automation is customizable, it means that the analysts will still have to tread lightly when dealing with the decision-making process. That is why automation is recommended to be used for low-risk operations that don’t evolve and move in unpredictable patterns.
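A minimal sketch of the adjustable automation described above, added here as an illustration and not taken from any SOAR product: a three-step playbook in which enrichment and notification run unattended, while containment waits for analyst approval in semi-automated mode. The step names, the `mode` values and the sample IP set are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed threat-intel set standing in for a real enrichment source.
KNOWN_BAD_IPS = {"203.0.113.7"}

@dataclass
class Step:
    name: str
    high_risk: bool                     # True: the step changes production state
    action: Callable[[dict], None]
    when: Callable[[dict], bool] = lambda alert: True   # logical decision point

@dataclass
class Outcome:
    executed: list = field(default_factory=list)
    awaiting_approval: list = field(default_factory=list)
    skipped: list = field(default_factory=list)

def enrich(alert):
    alert["known_bad"] = alert["src_ip"] in KNOWN_BAD_IPS

def notify(alert):
    alert["notified"] = True

def isolate_host(alert):
    alert["isolated"] = True

# Hypothetical playbook: enrichment and notification are low risk,
# containment is high risk and only applies to confirmed-bad sources.
PLAYBOOK = [
    Step("enrich_ip", False, enrich),
    Step("notify_soc", False, notify),
    Step("isolate_host", True, isolate_host, when=lambda a: a["known_bad"]),
]

def run_playbook(alert, mode="semi", approved=frozenset()):
    """'full' runs every applicable step; 'semi' holds high-risk steps
    until an analyst has approved them by name."""
    out = Outcome()
    for step in PLAYBOOK:
        if not step.when(alert):
            out.skipped.append(step.name)            # condition not met
        elif step.high_risk and mode == "semi" and step.name not in approved:
            out.awaiting_approval.append(step.name)  # human decision required
        else:
            step.action(alert)
            out.executed.append(step.name)
    return out
```
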

Is automation a proactive or a reactive procedure in security operations?

Security automation can be considered a reactive approach to responding to cyber threats. Security automation is tuned in a way that anticipates familiar behavior and uses machine learning and AI to automate certain tasks, as instructed by the analysts. However, automation can also take a proactive approach toward the remediation process, as the analysts decide what kind of response the automation should have in case a real threat is detected.

How to implement automation safely and effectively?

To make sure that you’re using security automation in an optimal manner, first, you need to make sure that you’ve analyzed your security operations properly. You need to figure out which areas of your security operations generate the most alerts, which kinds of alerts take up the most of your analysts’ time, and which alerts analysts usually respond to in a predictable way.

The automated responses are tuned so that they learn from experience and from the actions taken by SecOps teams and analysts and, over time, incorporate responses based on that experience. This is why it is best to first make an assessment of your security operations and then decide to which degree you want to use automation in your security operations.

How does automation address the staff shortage in the cybersecurity industry?

Implementing automation in cybersecurity operations liberates analysts and SecOps teams from handling mundane, repetitive, and time-consuming tasks. And this is exactly how automation addresses the staff shortage in cybersecurity - by allowing the staff to optimize their time and spend it more productively on higher-risk tasks.

Automation is perfect for handling low-risk processes that would otherwise consume too much time. By automating such tasks, the staff can focus on other, more relevant problems that require human intervention.

Do security teams trust automation?

Security teams trust automation, but they use it with care. In the early stages of setting up security operations, security teams don’t rely on automation, and they usually use it in the enrichment and notification phase. Most of the time, security teams use automation for repetitive tasks that they believe can’t be compromised. So, even though automation is very useful in security operations, security teams still use it with care and rely on automation only for low-risk tasks.

What is the ROI of investing in an automated SOAR solution?

The ROI of investing in an automated SOAR solution varies depending on which key metrics you want to measure. Depending on whether you want to save time, save resources, or measure how you’ve improved in handling security operations, the ROI will vary accordingly.

Still, the ROI of implementing an automated SOAR solution is evident, as the effectiveness of the entire security operations process gets drastically improved with automation.

SOAR and automation, in particular, affect the time needed to respond to cyber threats, save countless hours that would otherwise be spent on repetitive tasks, require fewer resources and minimize the human intervention needed to address repetitive tasks. So, while there is an obvious ROI of implementing a SOAR solution, the degree to which you’re satisfied with the investment depends solely on your unique type of security operations.

The bottom line is, automation in cybersecurity is an advantage many SOCs rely on and will continue to rely on in the future. As the ever-present cyber threats continue to rise in numbers with each passing day, security teams need to implement the proper technologies in order to detect, prevent, and tackle each cyber threat in a timely manner.


Enrico Benzoni

Manager, Marketing and Technology Alliances
