According to Bill Gates "the first rule of any technology used in a business, is that automation applied to an efficient operation will magnify the efficiency", and while he may not have been thinking about cybersecurity operations at the time, his thinking absolutely applies to the modern cybersecurity operations centre (CSOC).
Do You Need To Automate Your Cybersecurity Operations?
The answer is probably yes and whenever I ask anyone about automation, they tell me that automation would unquestionably improve their overall cybersecurity footing if properly implemented within their organisation. They say 'if' because not many of the organisations I speak to have implemented automation into their operations yet, even if they intend to. The usual reason why is that they are too busy to stop and learn how.
Which is probably the most compelling reason to automate...
We live in a world where it's much cheaper to launch a cyberattack on an organisation than it is to defend the organisation. Making matters worse, the threat landscape just keeps getting harder to cover. You have threats multiplying exponentially, adversaries becoming more advanced daily, and your security tools bleep alerts at you incessantly.
Business resilience is the end goal of any cybersecurity operation, and the only way to improve the overall resilience of your organization is to increase your overall efficiency when protecting it. The role of a modern CSOC is to translate resilience into capabilities across every function of the cybersecurity operations model and become increasingly efficient at protecting against, detecting, responding to and recovering from attacks. But that is easier said than done, especially when you have your hands full and lack the in-house knowledge to implement automation effectively.
The Low Hanging Fruit
Let's assume that like everyone else, you know a couple of things that you should automate but haven't. If that's the case, this is your low hanging fruit, the places where you will find quick wins and immediate ROI when you automate whatever process it is.
Correlating Threat Data - Holy smokes, that data! On a good day, you get a handle on it and on a bad day, it gets a handle on you and doesn't ever let go. First, you need to collect threat data from your various security tool silos, correlate it with global threat intel, and perform threat analysis on your data. If you try to do any of this manually, you are going to consume a huge chunk of your CSOC's time and resources. Automate data correlation first for a quick win and invest all that spare time in value-added work.
React & Respond To Threats - When you do eventually detect an intruder or threat, your whole team needs to kick into action and respond faster than the threat can spread through your networks, endpoints, devices and servers. Mitigation involves working with different security products in your environment while creating protections across that environment and trying to stay one step ahead of the attacker. Much of this workflow can be automated, boosting your detection and intervention times when threats occur.
Breach Reporting & Notification - Efficiency is going to be important as new regulations demand greater transparency and impose narrower timeframes on breach notifications, requiring a faster understanding of events. On average it takes 200 days for organizations to identify and report on a breach. Automation is the key to reducing analysis, reporting, and notification times in order to ensure regulatory compliance.
Start by defining your automation needs and identifying the low hanging fruit in your CSOC. A good place to start is by automating elements of your security investigation, incident response, and remediation tasks. Automate the correlation and analysis of data using the output of multiple tools to save your team huge amounts of time when responding to alerts. Some CSOC teams adopt an agile approach to automation, meaning that they add automation incrementally in the areas where it makes the most sense. Those experiences and the learning process the team goes through during automation are a continuous stepping stone into other automation areas.
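As an added illustration of the correlation step described in "Correlating Threat Data" and in the paragraph above (this is example code written for this page, not the author's tooling or any vendor's product), the script below takes alerts from two constructed tool silos (an EDR and a firewall, each in its own native record shape), normalizes them into one schema, enriches each alert against a constructed threat-intel feed, and groups the results per host into time-windowed incidents scored by how many tools and how many intel matches they involve. Every hostname, timestamp, hash and IP address here is a placeholder made up for the example (the addresses are from the TEST-NET documentation ranges), and the schema and scoring rule are assumptions, not a standard.

```python
"""Correlate alerts from two tool silos with a threat-intel feed.

Added example; not the article's own code. All alert records and
indicators below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel feed: "type:value" -> label. Placeholder
# values only (TEST-NET-3 address and a made-up hash), not real IoCs.
THREAT_INTEL = {
    "ip:203.0.113.45": "known-c2-server",
    "hash:0123456789abcdef0123456789abcdef": "known-dropper",
}

# Constructed raw events, each in its tool's native shape.
EDR_EVENTS = [
    {"time": "2024-05-01T10:02:11", "hostname": "ws-042",
     "process": "updater.exe", "md5": "0123456789abcdef0123456789abcdef"},
    {"time": "2024-05-01T14:30:00", "hostname": "ws-017",
     "process": "notepad.exe", "md5": "ffffffffffffffffffffffffffffffff"},
]
FIREWALL_EVENTS = [
    {"ts": "2024-05-01 10:04:55", "src_host": "ws-042",
     "dst_ip": "203.0.113.45", "action": "allow"},
    {"ts": "2024-05-01 10:05:10", "src_host": "ws-042",
     "dst_ip": "203.0.113.45", "action": "allow"},
    {"ts": "2024-05-01 14:31:00", "src_host": "ws-017",
     "dst_ip": "192.0.2.10", "action": "allow"},
]


def normalize_edr(ev):
    """Map an EDR record to the common alert schema (assumed schema)."""
    return {"source": "edr", "host": ev["hostname"],
            "ts": datetime.fromisoformat(ev["time"]),
            "indicators": [f"hash:{ev['md5']}"],
            "detail": ev["process"]}


def normalize_firewall(ev):
    """Map a firewall record to the same common alert schema."""
    return {"source": "firewall", "host": ev["src_host"],
            "ts": datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S"),
            "indicators": [f"ip:{ev['dst_ip']}"],
            "detail": f"{ev['action']} -> {ev['dst_ip']}"}


def enrich(alert, intel=THREAT_INTEL):
    """Attach a threat-intel label to every indicator the feed knows."""
    alert["intel_hits"] = [(i, intel[i]) for i in alert["indicators"] if i in intel]
    return alert


def correlate(alerts, window=timedelta(minutes=15)):
    """Group each host's alerts into incidents: consecutive alerts closer
    than `window` belong to the same incident."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        current = []
        for a in items:
            if current and a["ts"] - current[-1]["ts"] > window:
                incidents.append(_build(host, current))
                current = []
            current.append(a)
        if current:
            incidents.append(_build(host, current))
    return incidents


def _build(host, items):
    """Summarize one incident; severity rule is an assumption for the demo:
    intel matches seen by more than one tool outrank a single-tool match."""
    sources = {a["source"] for a in items}
    hits = [h for a in items for h in a["intel_hits"]]
    if hits and len(sources) > 1:
        severity = "high"
    elif hits:
        severity = "medium"
    else:
        severity = "low"
    return {"host": host, "severity": severity, "sources": sorted(sources),
            "intel_hits": sorted(set(hits)), "alert_count": len(items)}


def run_pipeline():
    """Normalize, enrich and correlate the constructed events."""
    alerts = [enrich(normalize_edr(e)) for e in EDR_EVENTS]
    alerts += [enrich(normalize_firewall(e)) for e in FIREWALL_EVENTS]
    return sorted(correlate(alerts), key=lambda i: i["host"])


if __name__ == "__main__":
    for inc in run_pipeline():
        print(inc)
```

Run as-is, the pipeline collapses five raw events into two incidents: ws-042's EDR hash match and its two firewall hits on the same destination land within one window and score high because two independent tools agree with the intel feed, while ws-017's two events carry no intel match and stay low. The point of the exercise is the shape of the work being automated: the analyst time saved is in the normalization and the join against intel, which are mechanical, while the severity rule and the window size are the parts an operations team should tune deliberately.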
The threat landscape is forever growing in complexity, efficiency and volume. If you do not automate at least some of the operations in your CSOC, the threats will get the better of you at some point. Cybersecurity operations automation is now, more than ever, a necessity rather than a luxury and leveraging it will dramatically increase your efficiency.