Is Cybersecurity Automation The Future?
By Darren Death
One of the trending topics in information technology is cybersecurity automation. Automating mundane and repeatable tasks that are people-driven allows businesses and individuals to concentrate on more productive problem-solving activities. A focus on these problem-solving activities can foster innovation and lead to a more resilient organization from a cybersecurity standpoint. Automation also increases the complexity of an organization’s information systems, and as malicious attackers expand their targets, cybersecurity programs must be ready to implement automated cybersecurity solutions.
What Is Cybersecurity Automation?
Cybersecurity products designed to automate specific processes are widespread, and the likelihood is that you have already implemented automation tools within your organization. For example, vulnerability management products can be configured to automatically detect and scan devices on an enterprise network. They can then conduct an assessment based upon a set of security controls authorized by the organization. Once the assessment is complete, identified defects can be remediated.
When discussing new automation practices, industry experts are generally referring to tools like security orchestration, automation and response (SOAR) products, robotic process automation (RPA) and custom-developed software and code that automate processes and perform analysis.
SOAR products are purpose-built tools that orchestrate activities between other security tools and perform specific automation activities in response to identified threats. RPA tools are a broader set of automation tools that allow for a wide variety of processes to be automated. RPA tools have seen a significant increase in adoption in the HR and finance fields but can also be leveraged by cybersecurity teams. Custom-developed software and code can automate all manner of analyses and is often leveraged for a niche or specific challenge within an organization for which no out-of-the-box tool is available.
All of the aforementioned approaches interact with an enterprise’s instrumentation to gather intelligence, perform analysis and either take automated action or prompt a team member to take further action.
Why Cybersecurity Automation?
Organizations are increasingly placing an emphasis on their digital transformation activities and, as a result, are increasing the technical complexity of their enterprise. This affects the very nature of the work organizations perform, how they stay competitive, how they interact with their customers and their overall level of efficiency. Increasing organizational complexity can lead to significant risk if cybersecurity cannot sufficiently manage the changing environment by properly defending, monitoring and responding to threats.
As companies press forward with a variety of digital transformation activities, it is important to realize that those activities increase the overall attack surface from a corporate espionage perspective.
Many organizations inspect systems and data manually for evidence of unexpected behavior and indicators of compromise or defect.
This is a losing proposition in a modern organization and one that cybersecurity automation can help address. Automation can also help address lean or ill-proportioned cybersecurity teams (in relation to the growing digital footprint of the organization). Paired with human error and an insurmountable amount of data to manage, it is inevitable that a potential threat will slip through the cracks. It is simply unrealistic to expect human teams to catch potential cybersecurity events reliably. Implementing automation could be vital in order to reliably protect your organization and ensure resilience through robust and repeatable processes.
What Is The Benefit Of Automation?
Automation is not just a technical buzzword or a passing fad. It is being adopted by large and small companies alike. By implementing automation in an organization’s environment, the cybersecurity team can focus on activities that are more complex. This means that the machine can perform the mundane, repeatable work and cybersecurity team members can devote themselves to more critical, creative and technical work to resolve issues and improve the organizational risk posture. Once the appropriate activities are automated, cybersecurity practitioners can focus on projects such as:
- Engineering and Architecture: Automation will allow the cybersecurity team to focus on designing and implementing cybersecurity strategies, including initiatives such as zero trust and cyber hygiene within the enterprise.
- Remediation Activities: The deficiencies identified by your automation efforts will assist your technical and mission teams by providing more repeatable and actionable insight into the enterprise environment, leading to fewer vulnerabilities.
- Automation Development and Engineering: Automation will become an important part of the cybersecurity program requiring its own resources related to ongoing and iterative automation design and implementation.
What Is Next?
I firmly believe that the future of cybersecurity operations is intertwined with automation. However, as this future manifests, it is imperative that cybersecurity teams become smarter when it comes to code and development practices. In the future, the cybersecurity program may become a developer shop where automation capabilities will be created and advanced using multiple automation techniques.
You must ask yourself the following question: “How will my program implement these capabilities?” The first step on your journey starts with creating a playbook for the processes you want to develop. It is very difficult to develop a process if you do not perform a detailed, systematic analysis to determine each aspect of the process. Your playbook should be detailed enough to include all of the steps needed to perform the activity, as though a human were performing the function. If this level of detail is not included, then you will not be developing a process that mirrors the current human-executed process, which could result in a failed automation project.
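As an added illustration (not from the article), the Python sketch below encodes one such playbook, for triaging a suspicious-login alert, as the explicit steps an analyst would otherwise perform by hand: two enrichment lookups, a decision, and an audit trail, with automated action reserved for the unambiguous case and everything else handed to a team member, as the SOAR model described earlier suggests. The known-bad address list and privileged-user list are constructed stand-ins for the enterprise's threat-intelligence and identity instrumentation.

```python
"""Minimal SOAR-style playbook runner (added illustration, not a product)."""
from dataclasses import dataclass, field

# Constructed enrichment data standing in for threat-intel and IAM lookups.
KNOWN_BAD_IPS = {"203.0.113.7"}                 # documentation-range address
PRIVILEGED_USERS = {"svc-backup", "admin.jane"}  # constructed sample accounts


@dataclass
class Alert:
    user: str
    src_ip: str
    outcome: str            # "success" or "failure"
    failures_last_hour: int


@dataclass
class Result:
    action: str             # "auto_block", "escalate" or "close"
    steps: list = field(default_factory=list)   # audit trail of each step


def run_login_playbook(alert: Alert) -> Result:
    """Each step mirrors what an analyst would do manually, in order."""
    r = Result(action="close")
    # Step 1: enrich the source address against threat intelligence.
    bad_ip = alert.src_ip in KNOWN_BAD_IPS
    r.steps.append(f"ip {alert.src_ip} known_bad={bad_ip}")
    # Step 2: enrich the account against the privileged-user list.
    privileged = alert.user in PRIVILEGED_USERS
    r.steps.append(f"user {alert.user} privileged={privileged}")
    # Step 3: decide. Only the unambiguous case is fully automated;
    # anything touching a privileged account is handed to a human.
    if privileged and (bad_ip or alert.failures_last_hour >= 5):
        r.action = "escalate"
    elif bad_ip and alert.outcome == "success":
        r.action = "auto_block"
    elif alert.failures_last_hour >= 5:
        r.action = "escalate"
    r.steps.append(f"decision={r.action}")
    return r


if __name__ == "__main__":
    demo = Alert("bob", "203.0.113.7", "success", 0)   # constructed alert
    for line in run_login_playbook(demo).steps:
        print(line)
```

The recorded steps are what lets the team compare the automated run against the written playbook and catch the point where the two diverge.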
Three basic approaches to successfully implement automation concepts include:
1. Embed development capabilities in your cybersecurity team. In this way, developers report directly to cyber leadership.
2. Partner cybersecurity with organizational development teams. This allows cybersecurity to leverage the capabilities of organizational development experts.
3. Adopt a hybrid approach. Utilize an internal team for tactical development work and organizational development capabilities for complex integration tasks.
As the complexity of cybersecurity increases and evolves, the need for security automation tools and techniques will continue to expand, becoming an integral part of an organization’s cybersecurity roadmap. What will your organization do to stay up to speed in this industry?