Knowing staffing resources are scarce but threats are more damaging than ever, there has been an increased interest in using automation and orchestration technology to solve for gaps in cybersecurity coverage and challenges in hiring and retaining top talent.
Automation and orchestration can enable a lean security team to prioritize and manage the manual, tedious, and time-consuming response to alerts coming in from detection and SIEM tools. Intelligent use of automation and orchestration can control the inefficiencies that would otherwise set in when multiple resources and teams try to investigate and remediate incidents.
But there’s a common misconception out there for everyone from the CISO to a level 1 security analyst: Does everything that is going to be automated have to be automated at once? And does the full process need to be fully documented before there is a benefit to automation and orchestration? Even for the most zealous or uber-ambitious expert, automating every incident and every step in your incident response workflow is as realistic as trying to boil the ocean. It’s much more effective to walk before you run, especially if you’re part of an enterprise security team, where typically multiple cross-functional teams are involved across a variety of different technologies.
So, what are more effective ways to put automation and orchestration into place? The first step is to understand your organization’s goals. This will help to drive the use cases where automation can be most effective. Automation and orchestration can be applied to the most pressing and impactful use cases first. You don’t have to apply it to every step in a process or use case. Instead, take a bite-sized approach to automation and orchestration. In many instances, automation and orchestration can be used to improve individual tasks or steps in an overall process while allowing security analysts to stay in full control of the workflow.
The agile approach to automation
One key to successful automation is adopting an agile approach. Instead of trying to do everything at once, your team can begin by adding automation to the areas where it makes the most sense. Observe the results and actions required, adjust as you go and then implement those lessons as a continuous stepping stone into other areas.
One critical lesson you’ll learn fast: there are key cognitive decision points in most processes that aren’t suitable for automation. Machines and automation are great at executing repetitive or time-consuming tasks; humans are great at making decisions based on information presented to them. Together, humans empowered with automation can process and respond to incidents quicker and more efficiently.
Here are three ways to achieve a bite-sized approach to automation:
1. To start small, you have to start
When evaluating an automation technology, ask yourself where you can first add automation for initial improvements and ease into it. What matters most is finding the most advantageous place to start, which will be unique to your security incident response plan. To identify your jumping-off point, ask yourself the following:
- What are your top business drivers and priorities?
- What’s driving your strategies right now? Is it the need for risk management, overall growth, stronger ROI, adherence to regulatory concerns like GDPR?
- What are the metrics that matter? Could it be an increase in the number of incidents investigated, for instance? Improved response time and MTTR? Cost management?
Your answers will form a map that essentially says, “Start Here.”
2. Analyze your incidents
Once you’ve started in a logical way, you’ll want to address those incidents with the highest impact, those most frequently encountered, those that take the longest to investigate and respond to, or a combination thereof. Set aside the top 5-10 incidents or use cases in those categories and begin your analysis. You’ll need to know which vendors and what types of systems are involved for these use cases. Do they require information to be gathered and actions to be taken on threat intelligence feeds, firewalls, email servers, network devices, centralized credential stores, etc.? The more complex use cases will touch more systems as well as more teams, which brings us to the next step.
3. Take a multidisciplinary approach
Incident response can’t be performed in silos. After identifying the systems and assets affected by each use case, you’ll need to find their owners and work with them on the best ways to automate certain steps within each process. Cross-functional teams should endeavor to understand the workflows and have an open conversation about goals and the most efficient method of responding. Most importantly, make sure each team shares the valuable information required to effectively reduce risk and accelerate resolution.
Continuous improvement to add value
“A good plan violently executed now is better than a perfect plan next week.”
General Patton was on to something. The same methodology can be applied to incident response: by taking a bite-sized approach to orchestration and automation, you can reduce alerts in bite-sized chunks, alleviate lack-of-staff challenges, and prove business value to expand automation.
One way to prove value is by pointing to KPI or KRI improvements, in particular a significant reduction in MTTR (Mean Time to Respond). But beyond providing cost savings, or even cost avoidance, automation amplifies new strategies. For instance, you can quantify and compare the cost of a headache-laden manual system versus an automated one in terms of how much you’re saving through mitigated risk and the avoided cost of a severe breach (which, as it stands, is US$3.6M according to Ponemon as of July 2017) by accelerating security incident response.
If automation means investigating incidents in minutes instead of hours or days, you can quickly calculate those costs and even assess the benefits of the “extra” time analysts gain to focus on other, more critical work. Containing, validating, and eradicating incidents can take days, but applying automation can reduce this to minutes. Think of the time and money saved in having actionable incidents separated from the distracting false alerts, keeping your high-level staff focused on higher-level activities such as threat hunting, complex investigations, and activities that require human intervention.
And remember, taking a bite-sized approach to automation and orchestration means you can get value from the disciplines immediately, giving you the opportunity to further refine them over time as you learn more about the use cases, incidents, and actions that need to be taken. Gradual, focused implementation lets you educate your team and course-correct as needed. Soon you’ll be able to leverage your new best practices and processes across the organization for the ultimate orchestration and automation benefits.