Why Data Confidence is the Key to Unlocking Security Automation

Coupling trusted, comprehensive data with a risk-based approach to prioritization can help triage events and lighten the security team’s load.


Automation has long been something of a pipe dream among security professionals. Sure, it sounds great: Get more done, faster, without growing your team.

That would be a welcome change for security teams that are bogged down with thousands of alerts per day, endless vulnerabilities to investigate, and a growing number of assets to defend. Few teams are large enough to cover everything, and automation would free up a lot of time and resources to focus on the few events that actually require their attention.

But a lack of confidence in the data that informs decision-making is holding back the ability to automate security actions, meaning these tasks remain manual.

Yet with more comprehensive data from across your email, endpoints, servers, cloud workloads, and networks, you can create higher fidelity and accuracy that breeds confidence. Coupling that data with a risk-based approach to prioritization can help triage events and lighten the load on overworked security teams.

Here are a few factors to think about when deciding if security automation is a road you’re ready to explore.

Two kinds of risk

Every event, every vulnerability, and every action you take to remediate poses risk to your business. Every organization has a different comfort level with risk and has to decide for itself what the acceptable level is.

When thinking about automation, it’s important to consider both the security risk of an event as well as the business risk of the decisions you make to avoid or remediate that event. Automation is most helpful at the point at which security risk outweighs business risk.

Sometimes it’s an easy call, like patching Microsoft vulnerabilities. There are so many of them, and they do pose some security risk, yet remediation poses little risk to business operations, which makes automating those patches a no-brainer. Other scenarios, like deactivating an e-commerce storefront that is your company’s top moneymaker, should probably be a manual decision. The security risk would have to be extremely high to warrant an automatic shutdown of your business’s main source of revenue.

The aggressiveness of your strategy is also something to consider. Are you trying to stay ahead of attackers? Then you’ll want to put more automation into the small percentage of vulnerabilities that are scored high and affect high-priority assets. Don’t even bother having a human involved. If you’re not as concerned with speed, then leaving manual decisions in place may still be your preferred strategy. It’s important to ensure that autonomous decisions that pose high business risk are rare.

Taking an XDR approach

Of course, to assess the level of risk accurately, you need larger data sets to ensure better fidelity and decision-making. Extended detection and response (XDR) can offer that more holistic viewpoint of your overall network.

This forward-thinking approach has already seen endorsements as cybersecurity experts consider future threats. Gartner ranked XDR third in its list of top 10 security projects for 2021.

XDR considers endpoints, which are the main focus of endpoint detection and response (EDR), but goes well beyond that to collect and correlate data across your network, servers, clouds, applications, and more to gain more visibility and context around every threat. Viewing that data through the lens of risk, you can determine how likely certain events are and how quick a response they need.

Among the thousands of alerts the typical SOC receives daily, how many events actually require the team’s attention? Likely only a small percentage. That manageable number of events might require manual intervention or decision-making due to the security and business risk they pose.

The vast majority of alerts, however, likely pose a lower security risk, and you can safely automate the creation of a ticket to remediate the issue over a longer time frame without wasting human cycles.

At the same time, with events that pose a critical security risk, you might want as much automation as possible to quickly react to a threat until your team can respond. With the additional context XDR offers, you can ensure this occurs in only a small percentage of attacks.
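The decision rules laid out in the two sections above (automate where security risk outweighs business risk, keep high-business-risk decisions manual, ticket the low-risk majority, and refuse to act autonomously when the supporting data is not trusted) can be written down as a small policy engine. The following is an added example, not code from the article or from any XDR product it refers to; the 0-to-1 scores, the weighting of severity against asset priority, the thresholds, and the five sample events are all constructed assumptions chosen to illustrate the four outcomes the text describes.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Action(Enum):
    AUTO_REMEDIATE = "auto-remediate"  # act now, no human in the loop
    AUTO_TICKET = "auto-ticket"        # open a ticket, fix over a longer time frame
    MANUAL_REVIEW = "manual-review"    # an analyst makes the call


@dataclass
class Event:
    name: str
    security_risk: float    # 0..1: severity of the finding or detection
    asset_priority: float   # 0..1: how important the affected asset is
    business_risk: float    # 0..1: operational impact of the proposed remediation
    data_confidence: float  # 0..1: how complete and trusted the supporting telemetry is


@dataclass
class Policy:
    # All values below are assumptions for this example; tune them to your own risk appetite.
    min_confidence: float = 0.7          # below this, never act autonomously
    low_risk_threshold: float = 0.3      # below this, just ticket it
    max_auto_business_risk: float = 0.4  # above this, a human always decides
    severity_weight: float = 0.6         # how much the finding's severity counts
    asset_weight: float = 0.4            # how much the asset's priority counts


def effective_security_risk(event: Event, policy: Policy) -> float:
    """Combine finding severity with asset priority into one 0..1 score (weighted sum, an assumption)."""
    return (policy.severity_weight * event.security_risk
            + policy.asset_weight * event.asset_priority)


def triage(event: Event, policy: Optional[Policy] = None) -> Tuple[Action, str]:
    """Decide what to do with an event; the reason string is meant for the audit trail."""
    policy = policy or Policy()
    risk = effective_security_risk(event, policy)

    # Low-risk majority: automate a ticket and move on, no human cycles spent now.
    if risk < policy.low_risk_threshold:
        return Action.AUTO_TICKET, f"effective security risk {risk:.2f} is below the ticket threshold"

    # Without trusted, comprehensive data there is no basis for an autonomous action.
    if event.data_confidence < policy.min_confidence:
        return Action.MANUAL_REVIEW, f"data confidence {event.data_confidence:.2f} is too low to automate"

    # Autonomous decisions that carry high business risk must stay rare: never take them here.
    if event.business_risk > policy.max_auto_business_risk:
        return Action.MANUAL_REVIEW, f"business risk {event.business_risk:.2f} is too high for an autonomous action"

    # Automation is most helpful where security risk outweighs business risk.
    if risk > event.business_risk:
        return Action.AUTO_REMEDIATE, f"security risk {risk:.2f} outweighs business risk {event.business_risk:.2f}"
    return Action.MANUAL_REVIEW, f"security risk {risk:.2f} does not outweigh business risk {event.business_risk:.2f}"


def triage_batch(events: List[Event], policy: Optional[Policy] = None) -> Dict[Action, int]:
    """Count how a batch of events splits across the three outcomes."""
    counts = {action: 0 for action in Action}
    for event in events:
        counts[triage(event, policy)[0]] += 1
    return counts


# Constructed sample events, one per scenario the text describes.
SAMPLE_EVENTS = [
    Event("monthly OS patch on workstation fleet (apply patch)", 0.50, 0.50, 0.10, 0.90),
    Event("exploitation attempt on storefront (take storefront offline)", 0.70, 1.00, 0.95, 0.90),
    Event("failed logins on shared staging host (rate-limit)", 0.20, 0.30, 0.05, 0.60),
    Event("ransomware precursor on file server (isolate host)", 0.95, 0.90, 0.30, 0.85),
    Event("single-source anomaly on build server (isolate host)", 0.80, 0.80, 0.35, 0.40),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        action, reason = triage(event)
        print(f"{action.value:15} {event.name}: {reason}")
    print(triage_batch(SAMPLE_EVENTS))
```

Run as a script, the patch and the host isolation on the file server are remediated automatically, the staging-host noise becomes a ticket, and only two events reach an analyst: the storefront shutdown (business risk above the autonomous ceiling) and the build-server anomaly (severity is high, but the telemetry behind it is not trusted enough). That last case is the article's central point in code: the confidence gate, not the severity, is what decides whether the action can be automated.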

Through a greater set of data, XDR can strengthen your confidence in the fidelity of your automated decision-making. Many XDR use cases also lend themselves to greater automation, reducing wasted cycles spent on menial tasks that security teams find themselves dealing with instead of the few alerts that require immediate and rapid action.

With that confidence, automation becomes more of a reality than an unrealizable dream and saves security teams’ valuable time.


Copyright © 2021 IDG Communications, Inc.