A Practical Approach to Security Automation

Editor’s note: This is part one of a series on applying automation to security operations.

• Part one (this blog): A Practical Approach to Security Automation
• Part two: Automating Your Phishing Playbook
• Part three: Automating Your Malware Playbook
• Part four: Automating Your Compromised Credential Playbook

Cyber attacks pose severe threats that require an effective defense strategy and automation plays a critical role in combating them. Security automation enables rapid and accurate responses, enhances efficiency, reduces errors, and boosts the scalability of security operations. However, it’s rarely adopted because organizations lack clarity on when and where to apply automation.

This blog series aims to offer security practitioners, incident responders, and cybersecurity leaders a practical approach to implementing automation in their operations. By simply integrating automation into their response playbooks, organizations can strengthen their defenses against malicious attacks, shorten response times, and empower their security teams to stay one step ahead of clever adversaries.

The Cybersecurity Playbook

A cybersecurity playbook serves as the foundation for a well-prepared security operations team. It comprises a comprehensive set of guidelines, procedures, and best practices, meticulously designed to equip teams with the necessary strategy to respond effectively to common cyber threats, such as phishing, malware or ransomware, and credential compromise. Within a playbook, you’ll find crucial elements like clearly defined roles and responsibilities, communication protocols, documentation procedures, and channels for receiving valuable feedback. While these items are undeniably important, the heart of a well-constructed cybersecurity playbook lies in its three pivotal phases: containment, investigation, and remediation.

These phases collectively form a structured framework for incident response, ensuring that organizations can promptly and effectively minimize the impact of incoming attacks. But here’s the game-changer—integrating automation into each of these phases significantly elevates an organization’s capacity to respond quickly, consistently, and efficiently when dealing with these attacks.

In the sections that follow, we will delve into automation and offer insightful strategies and guidelines tailored to each of the critical playbook phases.

Containment: Swift Response to Stop the Spread

The containment phase in a playbook represents the critical first line of defense against threats—it’s where the battle against potential breaches truly begins. This phase is all about isolating and limiting the impact of a security incident as soon as it’s detected. The containment phase is vital to minimizing damage caused by a breach, preventing it from spreading like wildfire through your organization’s systems and data, which safeguards your organization’s reputation, customer trust, and financial well-being. Given that threats can materialize in seconds, the containment phase is arguably the most important phase to automate.

Objective	Stop the ongoing or potential harm caused by the attack and prevent the incident from spreading further within the environment.
Why Automate?	Reduce the attacker's window of opportunity. A rapid and well-executed containment response can be the difference between a minor incident and a full-blown breach.
When to Automate	Initiate automatic responses immediately after the detection of an attack to minimize its impact, focusing on short-term actions to halt its progression.
What to Automate	Initial actions such as: Block IP, Quarantine Email, Reset Password, Block URL
Nature of Automation	Platform-initiated automation, where automated responses are initiated by the platform.

Investigation: Insights for Informed Decisions

After successfully halting the ongoing threat, the subsequent step is to conduct a thorough investigation, enabling informed decisions for the next course of action. The investigation phase delves deep into the incident, providing an analyst with the full scope and impact of an attack. Gathering detailed information is crucial for deciding the most appropriate response and taking steps to mitigate potential damage. Applying automation to this phase allows for rapid analysis, uncovering dormant threats and other critical information that provides valuable context and enables timely decision-making.

Objectives	Determine the scope and impact of the attack. Identify the source and method of the attack. Assess potential data breaches or compromise. Gather crucial evidence for response and remediation.
Why Automate?	Ensure a consistent and comprehensive understanding of the incident. Accelerate the discovery of answers. Enhance scalability for alert influx. Eliminate the need for manual pivots. Improve overall incident response times.
When to Automate	Automation should be applied to initial data collection and analysis, addressing common questions that arise with each triggered detection.
What to Automate	Common questions a human analyst will ask during an investigation, such as: Who are the impacted users and devices? What types of devices are impacted? How widespread is the threat?
Nature of Automation	Platform-initiated automation, where automated queries are initiated by the platform.

Remediation: Recovery and Prevention

If the investigation phase reveals a confirmed threat, the remediation phase is where recovery and prevention efforts are concentrated. It involves removing threats, restoring affected systems, and implementing measures to prevent similar incidents in the future. Automation accelerates the remediation process, ensuring that threats are swiftly addressed. It also brings a systematic and consistent approach to recovery, reducing the risk of lingering vulnerabilities or incomplete remediation. This strengthens an organization’s cybersecurity posture and minimizes the potential for recurring incidents in the future.

Objectives	Eliminate the threat, clean up any damages, and prevent future occurrences of the same or similar cyber attack; strengthen security measures and enhance resilience against threats.
Why Automate?	Minimizes financial, reputational, and operational risks associated with the attack; prevents further exploitation and compromise of systems and data.
When to Automate	To create predefined automated play actions based on the actions typically needed after a threat is confirmed; post-investigation phase and after impact assessment is complete.
What to Automate	This could be host isolation, malware removal, host scanning, deployment of security patches, etc.
Nature of Automation	Human-initiated automation, where automated actions are initiated by a human using the platform.

Key Considerations

While automation offers tremendous benefits, it’s crucial to approach this transformation thoughtfully and strategically—it’s not a one-size-fits-all solution. These insights will help you understand the key considerations that should guide your decision-making process when choosing to automate these critical components of your incident response strategy:

Business Impact and Risk Tolerance

• Consider how the action chosen will impact the business (e.g., productivity, customer service, revenue generation, etc.).
• Choose to automate actions that will contain as much of the attack as possible while minimizing potential harm to the business.
• The action should be one the business would feel comfortable doing even if the outcome were a false positive.

False Positives

To mitigate the risks associated with false positives, apply automated responses only to detections with 80%+ true-positive rates.

• A good place to start would be “known-bad” detections. These are detections generated based on known malicious entities such as malware, viruses, phishing websites, or IP addresses. Once triggered, these alerts are typically a confirmed threat, and any investigative efforts focus on assessing the impact.

Note: Follow the risk tolerance of the organization. If an 80% true-positive rate is too low, adjust to a higher percentage. Ensure the threat intelligence used to generate detections are of high fidelity, current, and from diverse sources.

• Remediation play actions should only be executed after the investigation confirms it is a true positive.
• Consider actions that are easily reversible.

Guiding Questions

Choose a set of response actions to automate based on the answers to the questions below:

Question	Insight
Will this action stop the ongoing threat from spreading?	This question assesses the effectiveness of automated action in containing the threat. It ensures that the action is not just a response but an immediate and effective countermeasure that will prevent further damage.
Does a human analyst do this action every time this detection triggers?	Understanding whether human analysts regularly perform this action helps determine if it's a routine and well-established response. If analysts consistently perform the action, it’s likely suitable for automation.
Will this action disrupt critical business operations?	Avoiding unnecessary disruption is critical, particularly in cases where the action might impact productivity or service delivery. It’s important to choose initial actions that maintain operational efficiency and trust while addressing security threats.
Does this action correspond with the organization’s risk tolerance?	Aligning the action with the organization's risk tolerance ensures that automated responses reflect the organization's overall cybersecurity strategy. Actions that are within acceptable risk parameters should be considered for automation.
Can this action be easily reversed or modified?	Flexibility is crucial. Being able to reverse or modify automated actions is vital for cases where the initial detection might be incorrect or when circumstances change. It reduces the risk of unintended consequences.

Conclusion

The power of automation is undeniable—however, it’s important for organizations to adopt and apply it appropriately to respond swiftly, accurately, and effectively to an array of threats. This blog sets the foundation for a practical approach to security automation, emphasizing its role within the cybersecurity playbook’s three pivotal phases: containment, investigation, and remediation. But this is just the beginning.

In the forthcoming blogs in this series, we’ll dive even deeper into the specifics of automation, focusing on the practical implementation of automating response playbooks to common cyber threats like phishing, malware and ransomware, and credential compromise. We’ll explore the strategies, best practices, and real-world examples that will equip your organization to stand resilient against these threats. Stay tuned for our upcoming blogs and unlock the full potential of security automation in your organization.

To witness the power of automation in action, reach out to us to request a demo of the ReliaQuest GreyMatter, which applies automation across various cybersecurity playbooks.