Debunked: Three Myths About Security Automation
Updated May 2021
“Vendor sprawl” is hitting a peak, as Dark Reading noted last October. There are too many security tools out there, with too little integration among them, generating too much noise for security teams to analyze and act on. We’ve seen first-hand the challenges that automation and data “noise” create for security teams: For example, they need the data to be normalized in a way that makes reviews and decision-making easier and less time consuming.
Security automation is one way to solve the “tool fatigue” problem – assuming your security teams use it correctly. There are plenty of myths surrounding automation and the best way to apply it to day-to-day security tasks; there’s also a lot of hype about automation’s potential, as Gartner outlined in its 2019 Hype Cycle for Threat-Facing Technologies report. Security teams have high expectations for what automation can accomplish – but they also need to acknowledge some home truths about its real capabilities. Below, we do some myth-busting around automation, and share some strategies for smart use of automation to gain context around threat detection.
Myth 1: Automation can replace people on your security team.
Reality: Automation complements talent, so teams can make better decisions.
Security automation is not a replacement for people. It can and should complement in-house talent, but you’ll still need mature processes and experienced people in place if you are to get the most out of an automation investment. Likewise, security teams shouldn’t assume that the canned playbooks provided in automation tools will work for their specific security processes and needs. Playbooks don’t really work well with a “set it and forget it” approach; they need to be customized and the steps need to be translated into orchestration engines.
Myth 2: Security automation is best used only for mitigation.
Reality: There’s more you can do with automation, including tasks that expedite threat qualification and investigation.
While automation can be helpful to contain and mitigate threats, it shouldn’t be limited to these tasks. Many organizations become reluctant to use automation because of the risks they see taking actions against devices and users. When automation focuses only on threat containment, security teams miss the opportunity to gain context and intelligence around threats, which can be used to expedite threat qualification and investigation. For example, automation offers an ability to capture more internal details about a host, its users, and threat intelligence about external domains, to help a security analyst determine the nature and scope of a potential threat. It’s also more innocuous to apply automation to tasks that expedite threat qualification and root cause determination without risk of disabling key business systems.
Myth 3: Automation will solve all of your orchestration headaches.
Reality: Automation can help you normalize data – a key step toward orchestrating alerts.
Perhaps one of the biggest myths surrounding automation is that it can solve all of the security issues around orchestration, performing tasks with integrations across many systems and increasing visibility into that data. This appears to be a high expectation for automation that is at odds with reality.
While automated systems such as Security Orchestration, Automation, and Response (SOAR) can aggregate alarms and orchestrate response processes, they rarely collect the source data that enables single-view investigations. They also do not normalize data from disparate systems. That’s a missed opportunity to become the “connector” for data sources by automating across the cyber lifecycle, beyond response – which means security teams need to rely on more tools and points of the investigation to make sense of alerts.
So, how can you use automation to gain the insights you need? Automation is useful for addressing remedial tasks and low-level decision making, freeing up security teams to do more high-value work. It’s also useful for speeding up processes that you already know and trust, since the team can better analyze the data generated by these processes.
Looking for more ways you can apply automation to your greatest security challenges?
Get the white paper: Security Automation Fundamentals and start creating your strategic plan for using automation the right way.
End-to-End Automation with ReliaQuest GreyMatter
The industry often thinks of automation only in terms of remediation plays. But ReliaQuest looks for opportunities to automate across the cyber response lifecycle.
ReliaQuest GreyMatter aggregates, de-dupes and enriches alerts from across your security ecosystem to serve up a research package, providing analysts with all of the information they need, in one place, to detect, investigate, respond and automate.