“Vendor sprawl” is hitting a peak, as Dark Reading noted in October. There are too many security tools out there, with too little integration among them, generating too much noise for security teams to analyze and act on. We’ve seen first-hand the challenges that automation and data “noise” create for security teams: For example, they need the data to be normalized in a way that makes reviews and decision-making easier.
Automation is one way to solve the “tool fatigue” problem – assuming your security teams use it correctly. There are plenty of myths surrounding automation and the best way to apply it to day-to-day security tasks; there’s also a lot of hype about automation’s potential, as Gartner outlined in its 2019 Hype Cycle for Threat-Facing Technologies report. Security teams have high expectations for what automation can accomplish – but they also need to acknowledge some home truths about its real capabilities. Below, we do some myth-busting around automation, and share some strategies for smart use of automation to gain context around threats.
Myth 1: Automation can replace people on your security team.
Reality: Automation complements talent, so teams can make better decisions.
Automation is not a replacement for people. It can and should complement in-house talent, but you will still need mature processes and experienced people in place to get the most out of an automation investment. Likewise, security teams should not assume that the canned playbooks shipped with automation tools will fit their specific security needs. Playbooks do not work well with a “set it and forget it” approach; they need to be customized, and their steps need to be translated into the orchestration engine’s own workflows.
Myth 2: Security automation is best used only for mitigation.
Reality: There’s more you can do with automation, including tasks that expedite threat qualification and investigation.
While automation can be helpful for containing and mitigating threats, it should not be limited to these tasks. Many organizations become reluctant to use automation because of the risk they see in taking automated actions against devices and users. When automation focuses only on threat containment, security teams miss the opportunity to gain context and intelligence around threats, which can be used to expedite threat qualification and investigation. For example, automation can capture more internal details about a host and its users, and gather threat intelligence about external domains, to help a security analyst determine the nature and scope of a potential threat. Applying automation to tasks that speed up threat qualification and root-cause determination is also lower-risk, because read-only enrichment cannot disable key business systems.
Myth 3: Automation will solve all of your orchestration headaches.
Reality: Automation can help you normalize data – a key step toward orchestrating alerts.
Perhaps one of the biggest myths surrounding automation is that it can solve all of security’s orchestration problems, performing tasks through integrations across many systems and increasing visibility into the data those systems hold. This expectation is at odds with reality.
While Security Orchestration, Automation, and Response (SOAR) platforms can aggregate alarms and orchestrate response processes, they rarely collect the source data that enables single-view investigations, and they do not normalize data from disparate systems. That is a missed opportunity to become the “connector” for data sources – which means security teams still need to rely on more tools and more investigative steps to make sense of alerts.
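To make the normalization and read-only enrichment described under Myths 2 and 3 concrete, here is an added example that is not part of the original article or any vendor’s product. It takes two constructed alerts in invented formats (an EDR-style JSON event and a firewall syslog line), maps them into one common schema, attaches context from hypothetical asset and threat-intelligence tables without taking any containment action, and groups the results so both tools’ evidence appears in a single view.

```python
"""Normalize alerts from two tool formats into one schema, then enrich with read-only context."""
import json
import re
from datetime import datetime, timezone

# Constructed sample alerts; the field names are invented for illustration.
EDR_ALERT = '{"ts": 1700000000, "hostname": "ws-042", "user": "jdoe", "sev": "high", "dst_domain": "bad.example"}'
FW_ALERT = "Nov 14 22:13:20 fw01 deny src=10.0.5.42 dst=203.0.113.9 user=jdoe severity=3 domain=bad.example"

# Hypothetical context sources standing in for an asset inventory and a threat-intel feed.
IP_TO_HOST = {"10.0.5.42": "ws-042"}
ASSETS = {"ws-042": {"owner": "finance", "criticality": "medium"}}
THREAT_INTEL = {"bad.example": {"verdict": "malicious", "family": "placeholder-family"}}
SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # common 1-4 scale


def normalize_edr(raw):
    """EDR JSON -> common schema (ISO-8601 UTC time, numeric severity)."""
    e = json.loads(raw)
    return {"time": datetime.fromtimestamp(e["ts"], tz=timezone.utc).isoformat(),
            "source": "edr", "host": e["hostname"], "user": e.get("user"),
            "indicator": e.get("dst_domain"), "severity": SEVERITY_WORDS[e["sev"]]}


def normalize_fw(raw):
    """Firewall syslog key=value line -> the same common schema."""
    ts, _sensor, _action, rest = re.match(r"(\w{3} +\d+ [\d:]+) (\S+) (\w+) (.*)", raw).groups()
    kv = dict(p.split("=", 1) for p in rest.split())
    # Syslog timestamps carry no year; assuming the current year (an assumption of this example).
    year = datetime.now(timezone.utc).year
    t = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"time": t.isoformat(), "source": "firewall",
            "host": IP_TO_HOST.get(kv["src"], kv["src"]),  # resolve IP to asset name when known
            "user": kv.get("user"), "indicator": kv.get("domain"), "severity": int(kv["severity"])}


def enrich(alert):
    """Attach asset and threat-intel context only; nothing is blocked, disabled or isolated."""
    ctx = dict(alert)
    ctx["asset"] = ASSETS.get(alert["host"], {})
    ctx["intel"] = THREAT_INTEL.get(alert["indicator"], {"verdict": "unknown"})
    return ctx


def correlate(alerts):
    """Group normalized alerts by (host, indicator) so one view lists every tool that saw it."""
    groups = {}
    for a in alerts:
        groups.setdefault((a["host"], a["indicator"]), []).append(a["source"])
    return groups
```

Because both normalizers emit the same keys, a single correlation step can show that the EDR and the firewall observed the same host reaching the same indicator, which is the context an analyst needs for qualification before any containment decision.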
So, how can you use automation to gain the insights you need? Automation is useful for addressing remedial tasks and low-level decision making, freeing up security teams to do more high-value work. It’s also useful for speeding up processes that you already know and trust, since the team can better analyze the data generated by these processes.