Leveraging automation for enhanced cyber security operations

The field of cyber security is expanding, bringing with it an ever-increasing array of tools and solutions. There comes a moment when the complexity of handling infosec-related tasks manually becomes too much. Companies need to bring on board highly skilled professionals, yet a significant portion of their time is dedicated to performing routine, repetitive tasks.

When companies recognize that their problems have escalated, they understand the need to enhance their management of security tasks. Automation of some processes emerges as the only solution, enabling faster operations while still keeping critical decisions in human hands.

The conviction towards automation, however, varies among companies. For instance, some realize the importance of automating their security operations center (SOC) only after reviewing the outcomes of cyber security exercises and penetration tests.

In most medium-sized and some large organizations, a typical cyber security solution can log up to a million security-related events daily that need to be processed. Of these, 100,000 events are classified as critical or “red” level, making manual review impossible. Some larger corporations handle up to a billion events daily, with around 50,000 triggering alerts based on correlation rules. Given that a single security officer can manually process only about 200 to 300 events per shift, automation becomes indispensable. It is the only viable solution to prioritize events and manage risks effectively.

Automation saves analysts time and reduces errors. It also liberates employees from monotonous routine tasks that can dampen their enthusiasm for work. The automation of information security further ensures better adherence to service level agreements (SLAs). It guarantees high operational accuracy and prevents the oversight of important elements.

Economic factors are the main drivers behind the growth of automation, but they are not the only ones. Government regulations also play a significant role. When it comes to compliance, companies must take stock of their IT infrastructure, which involves collecting comprehensive details about servers and their equipment. For some businesses, this could mean regularly managing data for tens of thousands of machines.

Security automation debate

There are two conflicting views on automating cyber security. One perspective advocates for giving customers automation tools across all aspects of infosec operations, including log management, analysis, playbook creation and cyber threat intelligence. This approach allows customers to tailor automation to their needs across numerous security tools.

The opposing view argues that detailed automation is too complex for businesses, emphasizing the need for a simpler solution. It suggests a straightforward, effective system that can immediately counteract hackers, symbolized by a “big red button” for easy threat mitigation and system recovery.

Cyber security automation strategy: First steps

When you automate processes, it is important to follow clear logic. If not, you risk creating more problems: automation of chaos generates automated chaos.

A practical approach to refining automation logic involves leveraging experiences from cyber exercises, penetration tests or red teaming. Analyzing the defensive strategies of the “blue team” during various attack scenarios helps identify their response algorithms and steps. This process starts with differentiating between true and false positive alerts, identifying hacker attributes and evaluating compromised resources. Such insights enable the automation of defenses by validating logged events, ensuring a more effective and streamlined response to modern cyber threats.

The first step in enhancing incident response is to automate the collection of contextual data that informs decision-making. This includes information about the particular machine or another asset involved in the security incident, user account details and intelligence on external threat elements like domain names. This foundational data is important for understanding the scope and impact of security incidents, enabling quicker and more effective responses. If an attack still evolves, the context gathered initially assists in correlating future defensive measures with a pre-established hypothesis regarding the attack’s propagation.

The second phase can focus on automating processes triggered during the incident investigation phase. This strategic automation ensures that, as an attack unfolds, defenses can adapt quickly based on a solid understanding of the attack’s trajectory.

Automation and machine learning integration

We should avoid using the phrase artificial intelligence (AI) when discussing cyber security automation, as new technologies here tend to be more closely linked with the concept of machine learning (ML). We can refer to examples like automating the process of prioritizing security events to pinpoint the most crucial ones. For example, data clustering assists security analysts in swiftly determining what is most important to them.

The application of ML in automation benefits from the extensive experience gathered from calculating credit scores in banks. Similarly, in information security, deciding between a false positive and a true positive often relies on the same fundamental principles.

Another area where ML makes strides involves compiling a series of events into a coherent sequence, helping security experts in their analyses. Machine learning plays a key role here by uncovering extra connections between labeled parameters and events.

The progression of automation tools is moving towards adopting a new concept known as the Security Data Lake. This is anticipated to aggregate indicators of all threats detected by the SOC. The automated examination of this collected data, augmented with contextual information, is expected to become a principal strategy in information security in the future.

SIEM necessity in security automation

Sometimes, a security information and event management system (SIEM) is necessary for customers who want to automate routine tasks. However, it is not always a must-have. For example, you do not need an SIEM if you need to develop a standalone automation script for a specific function, like supporting a WAF against DDoS attacks.

However, you cannot get by without a SIEM when it comes to fully-fledged automation scenarios. That is because SIEM is crucial in achieving situational awareness, enabling cross-tool interaction scenarios or facilitating context exchange. As we know, even with solid protection across the entire perimeter and centralized risk management, hackers can still find a way through. Only a unified SIEM system can address the issue of creating detection logic that goes beyond making decisions based on a specific security tool.

Measuring security automation effectiveness

Cyber security officers can measure performance in many ways: how quickly we respond to incidents, how many incidents we identify, etc. Countless metrics are available, but business owners often do not find these numbers directly relevant. It is crucial for a business to grasp what it wants from its information security efforts. Counting the number of blocked IP addresses does not provide that insight.

Business owners do not need to get into the weeds of information security. Their main goal is to make money, whereas the role of information security is to highlight any problems in terms that the business can easily understand and propose solutions.

Indeed, to measure the effectiveness of automation, you are always free to combine traditional information security metrics, such as detection time, response time and the number of incidents, into a comprehensive evaluation and calculate a specific performance score.

However, there is another approach: consider the chance of mistakes during response actions and count how many staff members handle information security duties. By measuring efficiency with these factors, business owners can more easily grasp the tangible advantages of automation.

The concept of “cost-effectiveness” always plays a significant role, highlighting the balance between resources allocated at the beginning of an information security project and those spent to achieve the desired results.

The ultimate goal is to prevent incidents that are considered unacceptable, using the outcomes as a benchmark for success. The efficiency of information security automation measures can be assessed by how swiftly and effectively we achieve this goal. Additionally, the impact of security measures can be measured through cyber exercises and pen tests, comparing outcomes to a predefined list of events considered unacceptable.

Automation stages

The process of automating cyber security routines unfolds in several steps. Initially, the customer just acknowledges the real advantages of automation, moving away from their old routines.

In the next phase, it is necessary to identify already well-defined processes and where automated routine tasks cannot directly harm the core business. They are chosen for the initial rollout of automation.

In the third stage, the customer may encounter some information security failures caused by resource shortages. Automation comes in to resolve these issues.

Moving on to the fourth stage, the customer’s interest surges as they actively explore new security tools possibilities and seek possibilities for further automation.

Challenges in implementing automation

Unfortunately, the implementation of automation in cyber security is most often hindered by a lack of budget and support from senior management. It is essential to understand that attacks are becoming more frequent and complex; sooner or later, you will still have to deal with automation. As all businesses aim for growth, it will inevitably become more expensive and complicated in the future. Therefore, it is crucial to consider implementing automation as early as possible.

The significant challenge in implementing automation lies in the need for the customer to assume responsibility and acquire the security vendor’s expertise to properly configure the system. The more complex the infrastructure, the more challenging its implementation becomes.

When vendors provide customers with automation tools for information security, they also assume the responsibility of supporting various customer resources, such as the operating system version and hardware configuration. When implementing such a solution, it is granted system privileges, which are highly sought after by hackers. Not all IT departments are prepared to incorporate and implement a powerful tool with extensive control and account privileges. Ensuring the system’s security and effectively handling access control poses a challenging task.

Another challenge in implementing automation is the absence of standards. This becomes evident in real-world scenarios where there is no universal format for data presentation, and inventory and user account records lack a common standard. For example, when working with Threat Intelligence data, total chaos prevailed until recently due to the absence of any standards.

It is important to use automation thoughtfully. Automating security operations demands careful attention and a willingness to enhance expertise within the company, ensuring more effective information security management.