Updated June 2021
Automation has become an imperative for many security teams to increase efficiency and effectiveness. It’s an opportunity to eliminate the noise, reduce low brain tasks, and increase fidelity so the team can focus more energy on events of interest. At the same time, if you’re not careful in your approach to process automation, your team may lose rather than gain productivity: by duplicating time-consuming efforts, becoming distracted, or over-engineering automation.
The top pitfalls security teams face when trying to adopt automation include:
1. “Too many cooks in the kitchen”
It’s common on cyber security teams to see individuals start down their own path of automation without direction. In these cases, team members end up working on the same automation without communicating, and either approach it in different directions or unintentionally perform redundant work. If you organize and communicate priorities centrally, your team will be able to contribute properly to building the automations.
2. A stack of ideas without results
Another common sinkhole to avoid is going too far down the idea train without actually automating any tasks. It’s common for teams to continuously add to the stack of ideas without ever building a solution. Brainstorming and idea generation are important, but ensure your team is focused on outcomes so you can form a solution together.
3. Maintenance nightmare!
It’s common to see teams creating scripts that require more maintenance than the actual task itself. Before going live with an automation, measure the time savings to validate that it will increase efficiency – then track that efficiency gain over time.
I’m going to go through four simple steps you can implement with your team to avoid these pitfalls and build automations that create efficiencies within your business:
- Identify tasks to automate
- Determine the expected ROI
- Create a step-by-step plan
- Evaluate the automation’s impact
Step One: Identify the tasks to automate.
Perform this step collectively with your team and any other teams in the organization that may be impacted by the automations. When identifying these tasks, consider what, if automated, would reduce the greatest amount of time, risk, and effort – while also increasing quality and efficiency. We commonly refer to these tasks as dominoes. Can you knock out one large domino or multiple small dominoes that will make a significant impact? If the big domino makes the largest impact, then focus on that first before the smaller dominoes.
Pose these questions to your team to create an initial list of tasks to automate:
Q1: What is something that we must do every day that requires low brain power?
Examples: OSINT lookups, searches in platforms (contextual lookups/investigations), restarting a service, etc.
Q2: What are the most common mistakes or procedures that are prone to error?
Examples: Missing a step in a process, sending an e-mail to the wrong team, not utilizing the right technology.
Q3: Are there opportunities to streamline the work we are doing?
Examples: Consolidate information (threat detection intel, contextual data), automate notifications, etc.
Step Two: Set the bar – determine the expected return on investment (ROI).
This is an important step and will be measured in step four when you are evaluating the impact. If you automate a task that takes 30 minutes out of your day, you could save 182.5 hours per year. When the team is submitting ideas around enhancements, require them to document the expected ROI. Then hold a review session where you collectively pick the item that makes the most sense to automate first based on the efficiency and expected ROI your team gains.
Example of ROI breakdown:
| Task | Current Time (Minutes) | New Time (Minutes) | Time Savings (Minutes) |
| --- | --- | --- | --- |
(Frequency Per Week) x (Time Savings) / 60 = Hours saved per week
i.e., if the above overall operation took place 5 times a week, this automation would save about 8 hours per week (5 (frequency per week) x 97 (total time savings in minutes) / 60 = 8 hours).
When performing expected ROI calculations like the above, you will be surprised to see how much of your team’s time is spent on simple, repetitive tasks in a year!
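The ROI formula above, carried a step further so it also accounts for the maintenance pitfall from the top of the post. This is an added example, not a ReliaQuest tool; the task names, frequencies and minute values are constructed, with the first row chosen to reproduce the 5-per-week, 97-minute case from the text.

```python
from dataclasses import dataclass


@dataclass
class AutomationCandidate:
    task: str
    frequency_per_week: float
    current_minutes: float                      # manual time per execution
    new_minutes: float                          # time per execution once automated
    maintenance_minutes_per_week: float = 0.0   # ongoing upkeep of the script/integration

    def savings_per_run(self) -> float:
        return self.current_minutes - self.new_minutes

    def hours_saved_per_week(self) -> float:
        # Formula from the post: (Frequency Per Week) x (Time Savings) / 60
        return self.frequency_per_week * self.savings_per_run() / 60

    def net_hours_per_week(self) -> float:
        # Subtract the time spent keeping the automation alive (pitfall 3)
        return self.hours_saved_per_week() - self.maintenance_minutes_per_week / 60

    def net_hours_per_year(self, weeks: int = 52) -> float:
        return self.net_hours_per_week() * weeks


def rank_candidates(candidates):
    """Return candidates sorted by net annual hours saved, flagging any whose
    maintenance eats the whole saving (a 'maintenance nightmare')."""
    rows = []
    for c in candidates:
        rows.append({
            "task": c.task,
            "hours_per_week": round(c.hours_saved_per_week(), 2),
            "net_hours_per_year": round(c.net_hours_per_year(), 1),
            "maintenance_nightmare": c.net_hours_per_week() <= 0,
        })
    return sorted(rows, key=lambda r: r["net_hours_per_year"], reverse=True)


# Constructed sample backlog (hypothetical numbers, not measured data)
SAMPLE_CANDIDATES = [
    AutomationCandidate("Threat intel enrichment", 5, 120, 23),          # 97 min saved per run
    AutomationCandidate("OSINT lookups", 75, 4, 0.5, maintenance_minutes_per_week=30),
    AutomationCandidate("Service restart", 20, 10, 1, maintenance_minutes_per_week=240),
]

if __name__ == "__main__":
    for row in rank_candidates(SAMPLE_CANDIDATES):
        print(row)
```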
Step Three: Create a step-by-step plan to build and implement the automation.
Once you have a good list of ideas and have defined your expected ROI, you can further break down the steps needed to develop and implement the automation. Depending on the type of tasks you’ve identified, they may be broken into a few separate automations. One example of this would be threat intelligence enrichment:
Task 1: Pull data into a database (Goal: avoid searching against 5+ individual threat intel feeds)
Task 2: De-duplicate and prioritize feeds (Goal: Increase quality and usability of the threat intel enrichment process)
Task 3: Integrate threat intelligence data into SIEM Alerts and other security technologies (Goal: automatically alert on the high-fidelity IOCs)
Task 4: Enhance feeds from manual feedback (Goal: tweak IOCs based on findings – increase the severity, etc.)
The above steps provide value and enhance your workflow; however, they are large tasks to take on and can be prioritized and worked separately. When breaking down each task, you want to note the goal behind the specific task and whether it’s something that will require manual processes or can be 100% automated.
For instance, when looking at the example above, Task 2 (De-duplicating and prioritizing feeds) can be automated to a degree but will also need to be manually reviewed and validated for fidelity, while Task 1 (Pulling data into a database) can be completely automated.
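The parts of the enrichment example that can be fully automated (Task 2 de-duplication and prioritization, Task 3 selecting high-fidelity IOCs, Task 4 applying analyst feedback) as a single added example. It is not ReliaQuest or GreyMatter code; the feed names, trust weights and indicators are constructed (documentation IP ranges and an .example domain), and the normalization and scoring rules are assumptions.

```python
# Constructed sample feeds: name -> list of (indicator, type, severity)
SAMPLE_FEEDS = {
    "vendor_a":   [("198.51.100.7", "ip", "high"), ("Evil-Domain.example", "domain", "medium")],
    "vendor_b":   [("198.51.100.7", "ip", "medium"), ("evil-domain.example", "domain", "high")],
    "osint_list": [("198.51.100.7 ", "ip", "low"), ("203.0.113.9", "ip", "low")],
}
FEED_TRUST = {"vendor_a": 3, "vendor_b": 2, "osint_list": 1}   # assumed per-feed weights
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize(indicator, ioc_type):
    """Trailing whitespace and mixed-case domains are the usual cause of duplicates."""
    value = indicator.strip()
    return value.lower() if ioc_type == "domain" else value


def merge_feeds(feeds, trust=FEED_TRUST):
    """Task 2: de-duplicate across feeds, keep the highest severity seen, and
    record every source so downstream rules can demand corroboration."""
    merged = {}
    for feed, entries in feeds.items():
        for raw, ioc_type, severity in entries:
            key = (ioc_type, normalize(raw, ioc_type))
            rec = merged.setdefault(key, {"value": key[1], "type": ioc_type,
                                          "severity": "low", "sources": set(), "score": 0})
            if SEVERITY_RANK[severity] > SEVERITY_RANK[rec["severity"]]:
                rec["severity"] = severity
            rec["sources"].add(feed)
            rec["score"] += trust.get(feed, 1)
    return merged


def apply_feedback(merged, feedback):
    """Task 4: analyst findings override feed severity (this is the manual step)."""
    for (ioc_type, value), severity in feedback.items():
        key = (ioc_type, normalize(value, ioc_type))
        if key in merged:
            merged[key]["severity"] = severity
            merged[key]["analyst_reviewed"] = True
    return merged


def high_fidelity(merged, min_sources=2, min_severity="high"):
    """Task 3: the subset worth pushing to SIEM alerting."""
    return sorted(rec["value"] for rec in merged.values()
                  if len(rec["sources"]) >= min_sources
                  and SEVERITY_RANK[rec["severity"]] >= SEVERITY_RANK[min_severity])
```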
Step Four: Evaluate the impact.
When determining the expected ROI, you will have a baseline of effort around the expected outcome (i.e., 15 times a day I do X, which is equivalent to 182 hours a year). When evaluating the impact, you will want to see if you are hitting your expected ROI, as well as identify any additional maintenance the automation requires. It’s recommended to review your automations each quarter to determine how impactful they are to the business.
An example of this would be reviewing whether the analyst team has been leveraging the automation or whether they are reverting back to the old process. If the team isn’t leveraging it, then you will want to fix or remove the automation/process.
Be sure to document why you chose the automation, the ROI, and the needed steps to build the automation, as this allows you to transition automations or turn them off if they don’t provide value anymore. This document should function as a ‘lessons learned’ report to help the team create more efficient automations in the future.
How do you track your automations, the ROI, and their impact?
It is recommended to use a Kanban board in a tool such as JIRA or ServiceNow. These allow you to keep track of your progress, prioritize a backlog, and reference what has been automated when evaluating the impact.
You can create parent tasks for the overall automation goal and then associate stories that make up the smaller tasks for the automation. In each story, you would break out the time (ROI) that piece of the automation provides. You will want to be sure you track when it was enabled for the teams, so you can calculate the time savings easily.
In conclusion, you can’t automate everything. You can, however, prioritize security processes and automation based on what provides the most efficiency for your team and test the workflow with a couple of smaller projects – then scale up. Ensure you have your team’s buy-in to avoid common pitfalls and delegate leadership around the automation tasks and idea creation. The more involved the team is, the more empowered they will be to automate other security tasks.
How ReliaQuest Accelerates the Adoption of Automation
At ReliaQuest, we take a comprehensive approach to automation – looking for opportunities to automate across the cyber response lifecycle. ReliaQuest GreyMatter aggregates, de-dupes, and enriches alerts from across your security ecosystem to serve up a research package, providing analysts with all the information they need in one place, to detect, investigate, respond, and automate.