Can Cybersecurity Be Automated?
Cybersecurity can, indeed, be automated. When it comes to security operations, there is always room for operational efficiency improvements, says Rishi Bhargava, a vice president of product strategy at Palo Alto Networks.
“Automation can play a critical role in aiding security teams with a deluge of security alerts, speeding up their investigations and handling the manual busywork that comes with triaging incidents,” he says. “This helps to effectively reduce the mean time to respond for alerts.” The MTTR measures the average time it takes to control and remediate a threat.
Cybersecurity automation will not make an IT security analyst “a better threat hunter or provide your team with skills it doesn’t already have,” Jesse Wiener, a solution domain manager for CDW’s security practice, writes in a CDW blog post, “Tapping Automation to Improve Your Threat Response.”
“It is a tool that can free up cycles for your analysts,” Wiener writes. “It can be the glue that links disparate systems, can correlate information, automatically take action and provide your teams with intelligent information at the beginning of an investigation.”
5 Ways Cybersecurity Automation Should Be Used
There are numerous ways in which cybersecurity tasks can be automated at government agencies. Here are some examples, but this list is by no means exhaustive.
- Automation can and should be used for tasks that are repeatable, repetitive and happen with a high degree of frequency, according to Bhargava.
  “For example, phishing is a good use case for automation because it’s a common attack vector and the process for dealing with suspected phishing emails is relatively consistent from one email to the next,” Bhargava says. “You need to determine where the email originated from, if it is malicious or a false positive, who was impacted by the email, delete all instances of the email, block the offending sender and follow up with the impacted end users. Rinse and repeat for each email.”
  He notes that “each of these steps performed manually would involve multiple systems and lots of communications between teams, averaging about 45 minutes for each incident, taking a huge chunk of the security team’s time.”
  Automation tools can gather relevant data and present this information in an easily consumable format to the human analyst, Bhargava says, “who then makes the final decision to treat the email as malicious (and thereby spin off a series of automatic remediation actions) or close the incident as a false positive.”
- Cybersecurity automation tools can be used to correlate and aggregate logs and threat intelligence feeds, “stitching together incidents to gain context and applying analytics to uncover stealthy attacks and in dealing with incident response cases,” Bhargava says.
- Automation tools can be used in incident response cases, such as those involving phishing, endpoint malware infections, vulnerability alert management, threat intelligence management, anomalous user behavior, cloud policy misconfigurations and cloud threats, according to Bhargava.
- Additional security use cases for automation include security compliance violations, SSL certificate management, remote user access monitoring and Internet of Things security threats, Bhargava says.
- An open and extensible Security Orchestration, Automation and Response (SOAR) platform can be used to extend automation beyond security teams to HR case management, network performance monitoring, DevOps processes, employee shift management, identity and password management, and even physical security management, according to Bhargava.
Cybersecurity Automation Tools for State and Local Governments
SOAR platforms that “unify security orchestration, automation, case management and threat intelligence management are the amalgamation of three historically distinct technologies,” according to Bhargava.
Those are security incident response platforms (SIRPs), security orchestration and automation (SOA) and threat intelligence platforms (TIPs).
The key to making cybersecurity automation work is conducting a risk analysis to see which gaps already exist, says Jim Richberg, a Fortinet field CISO focused on the U.S. public sector.
“Automation technology including machine learning or artificial intelligence can close gaps by correlating threat intelligence and coordinating responses at machine speed,” Richberg says. “In particular, government IT leaders with limited budget resources and staff should leverage automated technologies to accelerate detection and response first and foremost, which in turn immediately frees up time for humans to focus on other cybersecurity needs.”
This kind of automation “is not easy to set up, and it will take a good understanding of your environment, tools and processes to make it work, but solutions like Phantom, ServiceNow and ThreatConnect (to name a few) can help,” Wiener writes.
Cybersecurity Automation Processes
Cybersecurity teams should “routinely evaluate all their work to identify opportunities to automate as much routine activity as possible,” CDW’s Falcon writes.
“They may add automation to existing workflows by incorporating automated threat intelligence, change control, configuration management, incident detection and response, and other time-intensive security activities,” he adds. “Reducing the time spent on routine work allows cybersecurity teams to refocus their efforts on high-value activities.”
According to Bhargava, when considering what process or task to automate, IT leaders should ask the following questions: Is the process or task repetitive? Does it happen frequently? Would automating the process or task result in a more consistent or faster response?
If the answer to these questions is yes, he says, then the process or task would be a good candidate for automation.
However, if the action requires decision-making or there is a high risk in automating the action (e.g. blocking access to high-traffic cloud services) then “chances are, you would want this step or action to be handled by a human reviewer,” Bhargava says.
“An important thing to note is that complexity does not necessarily factor into the equation when considering automation as automated workflows or playbooks can be easily customizable, with multiple subroutines and decision trees, to address the most complex use cases,” he adds.
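The phishing workflow Bhargava describes above (gather the facts, let an analyst or a high-confidence rule decide, then run the remediation steps) and his rule of thumb for what to automate and what to hand to a human reviewer can be sketched as a small playbook. The following Python is an added illustration, not code from the article or from any SOAR product it names; the blocklist, the mailbox index, the sample messages and the action names are all constructed here so the playbook runs offline, and a real platform would replace each of them with a connector.

```python
"""Phishing-triage playbook skeleton (added illustration, constructed data).

Decision rule modelled on the article: repetitive, high-frequency steps with a
consistent procedure run automatically; anything needing judgment or carrying a
high blast radius is queued for a human reviewer instead.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed threat-intel feed: sender domains already known to be malicious.
KNOWN_BAD_DOMAINS = {"invoice-portal-login.example", "mail-secure-reset.example"}

# Constructed mailbox index: which users received the message with a given Message-ID.
MAILBOX_INDEX = {
    "<abc123@invoice-portal-login.example>": ["alice", "bob", "carol"],
    "<news42@newsletter.example>": ["dave"],
}

# Actions the playbook may run on its own (repetitive, consistent, low risk).
AUTO_ALLOWED = {"delete_message", "block_sender", "notify_users"}
# Actions with enough blast radius that a human must approve them first
# (the article's example: blocking access to a high-traffic cloud service).
NEEDS_HUMAN = {"block_cloud_service"}

DEFAULT_REMEDIATION = ["delete_message", "block_sender", "notify_users"]

# Constructed sample messages (hypothetical domains, not real mail).
SAMPLE_PHISH = """From: Accounts <billing@invoice-portal-login.example>
To: alice@agency.example
Message-ID: <abc123@invoice-portal-login.example>
Authentication-Results: mx.agency.example; spf=fail smtp.mailfrom=invoice-portal-login.example
Subject: Overdue invoice - action required

Please log in to review the attached invoice.
"""

SAMPLE_NEWSLETTER = """From: News <digest@newsletter.example>
To: dave@agency.example
Message-ID: <news42@newsletter.example>
Authentication-Results: mx.agency.example; spf=pass smtp.mailfrom=newsletter.example
Subject: Weekly digest

This week's headlines.
"""


@dataclass
class TriageResult:
    message_id: str
    sender_domain: str
    verdict: str                      # "malicious", "false_positive" or "needs_review"
    impacted_users: List[str]
    actions_taken: List[str] = field(default_factory=list)
    actions_pending_approval: List[str] = field(default_factory=list)


def enrich(raw_email: str) -> Dict[str, object]:
    """Step 1: collect the facts an analyst would otherwise look up by hand."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    message_id = msg.get("Message-ID", "").strip()
    auth = msg.get("Authentication-Results", "").lower()
    return {
        "message_id": message_id,
        "sender_domain": domain,
        "on_blocklist": domain in KNOWN_BAD_DOMAINS,
        "impacted_users": MAILBOX_INDEX.get(message_id, []),
        "auth_failure": "fail" in auth,   # shown to the analyst, not decisive on its own
    }


def decide(facts: Dict[str, object], analyst_verdict: Optional[str] = None) -> str:
    """Step 2: a known-bad sender decides itself; everything else waits for a human."""
    if facts["on_blocklist"]:
        return "malicious"
    if analyst_verdict in ("malicious", "false_positive"):
        return analyst_verdict
    return "needs_review"


def run_playbook(raw_email: str, analyst_verdict: Optional[str] = None,
                 requested_actions: Optional[List[str]] = None) -> TriageResult:
    """Steps 1-3: enrich, decide, then remediate within the automation boundary."""
    facts = enrich(raw_email)
    verdict = decide(facts, analyst_verdict)
    result = TriageResult(str(facts["message_id"]), str(facts["sender_domain"]),
                          verdict, list(facts["impacted_users"]))
    if verdict != "malicious":
        return result                      # nothing to remediate yet
    for action in requested_actions or DEFAULT_REMEDIATION:
        if action in AUTO_ALLOWED:
            result.actions_taken.append(action)          # a connector call in a real SOAR
        elif action in NEEDS_HUMAN:
            result.actions_pending_approval.append(action)
        else:
            raise ValueError(f"unknown playbook action: {action}")
    return result


if __name__ == "__main__":
    print(run_playbook(SAMPLE_PHISH))
    print(run_playbook(SAMPLE_NEWSLETTER))
```

The split between `AUTO_ALLOWED` and `NEEDS_HUMAN` is where the article's two questions are encoded: delete, block-sender and notify are the same every time and happen often, so they run unattended, while a service-wide block is parked in `actions_pending_approval` for the reviewer, and a message that matches no high-confidence rule is returned as `needs_review` with its enrichment attached rather than acted on.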
IT teams should set policies and procedures to drive automation, Richberg says, “in other words, setting the goals and creating the playbooks for AI and automated action.”
“People are often the scarcest resource in cybersecurity, so using them on tasks that need human judgment and experience — and automating the rest — makes sense as an effective and cost-effective approach to cybersecurity,” he adds.
Cybersecurity Automation Examples
In July, the states of Arizona, Louisiana, Massachusetts and Texas, along with Maricopa County, Ariz., announced a partnership with the Multi-State Information Sharing and Analysis Center and the Johns Hopkins Applied Physics Laboratory (APL) to pilot a cybersecurity automation program.
The agencies are using SOAR tools, which “enable organizations to collect security-threat data through multiple sources and perform triage response actions significantly faster than with manual processes,” according to a Johns Hopkins press release.
The hope is that it will enable the agencies to “quickly and broadly share information — in near real time — and leverage automation to prevent or respond to cyberattacks,” the release states.
According to the MS-ISAC, the pilot will “focus on the curation of the feed and the processes used by the participants to triage, prioritize and act upon” the resulting indicators of compromise.
The states and the county will use automation and orchestration to gain “efficiencies in tasks, processes and resultant actions for the producer and consumers” of the indicators of compromise, according to a statement from the MS-ISAC.
Specifically, the pilot will help the states identify ways to cut down on manual tasks and promote the sharing of actionable threat information. Another key goal of the initiative is to identify the orchestration services needed to integrate cybersecurity responses, such as sensing, understanding, decision-making and acting.
The goal of automation, Bhargava says, isn’t to replace human analysts “but to help them be better, faster and more effective at their jobs.”
“By reducing the number of alerts that require human review and eliminating mundane tasks, automation helps analysts avoid alert fatigue and focus on proactive threat hunting and improving incident response procedures,” he says. “There would be a need for a subset of analysts who are comfortable with writing scripts and developing custom playbooks for more sophisticated routines.”