IT security is more complicated today than ever before – teams have more platforms to support, more changes to manage and more vulnerabilities to fix. This is only compounded by there being 3.12 million empty security roles worldwide, according to ISC2.
In response to this, IT security teams want to use automation to deal with these problems more effectively. Automation can help your team concentrate on making the most of their skills rather than on manual tasks like preparing data. However, you have to approach automation in the right way to be successful over time.
The first step is to audit your processes. This should be a straightforward exercise, but it may also show any changes or shortcuts that your team has adopted to be more efficient. These can be checked and then included or discarded. This provides you with an opportunity to enforce best practices from the start. It also offers an opportunity to check in with your team on how they feel ahead of the project starting and make sure they are comfortable with the approach.
The second step is to find the right processes to start your automation implementation with. Trying to cover everything in one go is something to avoid, so instead, concentrate on a couple of the priority processes that your team has to carry out. There are already a lot of good automation resources available to help you get started; for instance, there are bundles of integrations and processes called playbooks that you can customize to meet your requirements and then get implemented. Good examples include processes around phishing attempts, incident response for key applications and detecting misconfigurations.
One important point to consider is that any automation project you start should follow your needs, rather than requiring you to change your processes to fit the technology you implement. Your tools should fit into how your organization works, rather than the other way around. In the past, implementations that had to fit around the technology invariably failed to deliver.
The third step is to look at supporting your employees with better analytics results and integrations. This involves looking at how your security operations center uses its security incident and event management (SIEM) system to aggregate data from across the business and get those automated results delivered to staff to work with. This should be part of the overall playbook that you deploy, and the SIEM can help you automate the data analysis side.
However, alongside the analysis, there are more processes involved to help your analysts work with those results, as there might be hundreds or even thousands of alerts coming through. Taking these analytics results through the incident response process can also be automated using security orchestration, automation and response (SOAR) to help your team be more productive with this data.
The fourth step is to look at metrics to see how well your automation implementations are delivering. A good starting point is to compare your processes before and after automation to see how much time is being saved. This can help you demonstrate how much time your team is getting back and how this equates to cost savings and attacks being stopped. By looking at your playbooks as part of a wider business process – say, a bank looking at the time taken to manage fraudulent transaction attempts or investigate industrial machinery attacks for manufacturers that would otherwise cause downtime – you can also provide business-level results that you have achieved.
The fifth step is to look at automation as part of a continuous improvement process rather than a one-off implementation. Once you have completed those initial automation projects, you can look at other processes that can be moved over using the lessons you have learned and cover more edge cases over time. You can improve your approach by refining your analytics, streamlining how you push work through to analysts and supporting your staff members in being more efficient over time.
Based on these guidelines, you can increase your team’s efficiency around data and security and keep them happier by taking out manual, frustrating work. Of course, no company is the same, and everyone will have to adopt automation in their own way. To make the most of automation, it’s important to adopt a holistic approach to your processes and people, rather than simply thinking about technology as a means to an end.
Source: Infosecurity magazine