Defense in Motion: To Automate or Not to Automate

h@shtalk
3 min read · Aug 13, 2024


Imagine you’re a security analyst, and every day you have the tedious task of going through thousands of alerts to find out which ones are real threats. Doesn’t sound like much fun, does it? It’s like searching for a needle in a haystack, and it takes forever. This is where automation enters the chat. Suddenly, a smart system does all the heavy lifting for you, sorting through alerts in seconds and flagging only the real dangers.


But there is much more to automation than the first thought that comes to mind. To keep up with contemporary cyberattacks, we need to retire the old-school defense techniques we used to rely on. This is where automation becomes a game-changer rather than just a tool.

What is Automation under the Security Umbrella?

Now, to anyone who works in cybersecurity, the first thing that pops into mind when the term “automation” is mentioned is SOAR: the Security Orchestration, Automation and Response platform. And that is fine. But that is not all. Associating or practicing automation only through SOAR limits its potential to how the business defines SOAR, which in most cases means automating the triage of alerts and the identification of incidents.

Automation under the security umbrella refers to the integration of automated processes and tools into an organization’s overall cybersecurity strategy. This means effectively detecting repetitive manual tasks and removing the human factor from them. The main objectives would not only be for humans to be able to focus on more critical tasks, but also to reduce the margin of error.

Many use cases are suitable for automation, but determining which ones to start with is a difficult undertaking in and of itself.

To Automate or Not to Automate: A Decision Making Guide

When it comes to deciding whether, and what, to automate, and how to integrate automation into cybersecurity practices, the decision isn’t always clear-cut.

Multiple factors need to be taken into consideration. However, when starting out, it is essential to begin with something simple, the low-hanging fruit, but with a high return on investment. And when we talk ROI in cybersecurity automation, we usually mean one of these four:

  • Time: Saving time by streamlining processes, reducing manual intervention and enabling faster response to incidents.
  • Money: Cost savings by minimizing the impact of security breaches and reducing the workload on personnel. That will allow the business to allocate resources more efficiently.
  • Risk reduction: By automating routine security tasks and responses, the likelihood and impact of security incidents can be decreased. This in turn lowers the risk associated with data breaches, reputational damage and compliance violations.
  • Scalability and Flexibility: Automated processes can handle increased workloads without proportionately increasing costs.

Making a decision on whether to automate and what to automate has to include the above factors. However, those always come bundled with an evaluation of the complexity of the task and the volume of work involved. For instance, if the workload is sporadic, manual oversight might be sufficient. Assessing resource availability, including time, budget and skilled staff, is also a big part of the decision. Risk tolerance is another crucial metric: some security tasks carry higher risk if automated, especially where there is potential for false positives or false negatives.

Getting Creative with Automation

Approaching security automation with innovative ideas is exactly the right way to automate. The use cases vary, but a great starting tip is to look anywhere spreadsheets are involved: getting CSV files to talk to each other, automatically filling in the daily reports by ingesting data points from different systems, or automatically generating the monthly report from the dashboards.
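As an added example (not code from the original article), here is the kind of low-hanging-fruit automation the two previous sections describe: two constructed CSV exports, an alert feed and an asset inventory, are joined, and each alert gets a decision that respects the risk-tolerance point above. Only low-risk, well-understood alerts are auto-closed, high-confidence alerts on important assets become incidents, and everything in between, including alerts on hosts missing from the inventory, is handed to a human. All file contents, column names and thresholds are assumptions for illustration.

```python
"""
Added example, not from the original article: conservative CSV-driven alert
triage plus a daily summary report. Every value below is constructed.
"""
import csv
import io
from collections import Counter

# Constructed sample exports standing in for two real tools.
ALERTS_CSV = """alert_id,host,rule,severity,confidence
1001,web-01,outbound-dns-volume,low,0.35
1002,db-02,suspicious-process,high,0.90
1003,lab-07,outbound-dns-volume,low,0.30
1004,web-01,failed-logins,low,0.95
1005,hr-03,suspicious-process,medium,0.20
1006,lab-99,suspicious-process,low,0.10
"""

ASSETS_CSV = """host,owner,criticality
web-01,platform,high
db-02,data,critical
lab-07,research,low
hr-03,people,medium
"""

# Policy knobs (assumed): auto-close only when the asset is low criticality
# AND detector confidence is low; open an incident only for high-severity,
# high-confidence alerts on high/critical assets. Everything else stays a
# human decision, which is where false positives and negatives cost the most.
AUTO_CLOSE_MAX_CONFIDENCE = 0.4
INCIDENT_MIN_CONFIDENCE = 0.8
CRITICALITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def load_csv(text):
    """Parse a CSV string into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def join_alerts_with_assets(alerts, assets):
    """Enrich each alert with its asset's owner and criticality.
    Hosts missing from the inventory are treated as 'critical' so that an
    incomplete spreadsheet can never cause an alert to be auto-closed."""
    by_host = {a["host"]: a for a in assets}
    unknown = {"owner": "unknown", "criticality": "critical"}
    return [{**alert, **{k: by_host.get(alert["host"], unknown)[k] for k in ("owner", "criticality")}}
            for alert in alerts]


def decide(alert):
    """Return 'auto-close', 'incident' or 'human-review' for one enriched alert."""
    conf = float(alert["confidence"])
    rank = CRITICALITY_RANK[alert["criticality"]]
    if rank == 0 and conf <= AUTO_CLOSE_MAX_CONFIDENCE:
        return "auto-close"
    if rank >= 2 and conf >= INCIDENT_MIN_CONFIDENCE and alert["severity"] == "high":
        return "incident"
    return "human-review"


def triage(alerts_csv=ALERTS_CSV, assets_csv=ASSETS_CSV):
    """Join the two exports and attach a decision to every alert."""
    enriched = join_alerts_with_assets(load_csv(alerts_csv), load_csv(assets_csv))
    for alert in enriched:
        alert["decision"] = decide(alert)
    return enriched


def daily_report(triaged):
    """Summarise decisions per asset owner as CSV text; this is the 'daily
    report' the article suggests generating instead of filling in by hand."""
    counts = Counter((a["owner"], a["decision"]) for a in triaged)
    lines = ["owner,decision,count"]
    for (owner, decision), n in sorted(counts.items()):
        lines.append(f"{owner},{decision},{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage()
    for a in result:
        print(a["alert_id"], a["host"], a["criticality"], a["confidence"], "->", a["decision"])
    print()
    print(daily_report(result))
```

The thresholds are the risk-tolerance dial: lowering AUTO_CLOSE_MAX_CONFIDENCE or raising INCIDENT_MIN_CONFIDENCE pushes more alerts into the human queue, which is the right default while the automation is new and its false-positive and false-negative rates are still unmeasured.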

Glimpse into the Future

The future of cybersecurity automation holds exciting possibilities. By adding artificial intelligence and machine learning technologies to the mix, we can expect strides in automated incident response, threat detection and security operations.

However, as we explore and embrace the future, it is important to remain vigilant and ensure the responsible use of automation in cybersecurity. The way forward is with accountability, transparency, and an ongoing dialogue.


Written by h@shtalk

engineer by day, offsec enthusiast always—serving tech bites that matter and pushing security automation to the next level