Automation is a key strategy in the face of a security talent shortage and the need to perform advanced security operations such as detection and response. However, to be efficient and competitive, automation must be data-driven and cover how businesses initiate responses and learn from them, not just how they execute the process. Only then can businesses fully realize the benefits of security automation.
Security Operations Centers (SOCs) face a lot of challenges when it comes to systems, data, and people as they transition to become detection and response organizations. Prioritized and relevant data, bi-directional integration through processes, and active and passive collaboration are all crucial. Automation is what ties everything together, particularly given the scarcity of security skills.
Extended Detection and Response (XDR) solutions, as well as Security Orchestration, Automation, and Response (SOAR) systems and tools, have emerged as new product categories to address the automation challenge. However, because the emphasis has been on identifying a process and automating the steps required to complete it, the security industry’s response to automation has ignored the radically different requirements of detection and response use cases.
That approach works well in static situations, but detection and response is neither static nor simple; it is complex and variable. Since what is gained by taking an action matters much more than the action itself, security teams should examine the process’s inputs and outputs, not only its steps.
Automation cannot be limited to simply running the process; it must also involve three key stages:
Input – Determine what actions should be taken and when they should be taken
Input entails deciding the appropriate criteria and triggers for the process. This begins with analysts gaining a thorough understanding of the threat they are facing and what they must protect by automatically aggregating the appropriate internal data into a central repository.
Analysts can automatically supplement and enrich this data with threat data from the various sources to which they subscribe – open source, commercial, industry, government, security vendors and frameworks like MITRE ATT&CK. Merging and correlating internal and external data, as well as using an integrated scoring system, allows organizations to prioritize what actions to take based on what is important to them.
Run – Carry out the course of action or specified process to the end
With the right inputs, security teams can simplify actions and run the right process now. Instead of wasting precious time on processes that are not required or useful against the latest threat, they can concentrate on what matters most to their business. They can send the right intelligence to the right tools, updating their sensor grid in real time and automating much of the manual and repetitive work. This data-driven approach allows for timely and efficient responses.
Output – Keep a record of what is learned for analytics so that it can be analyzed to improve future response
For detection and response, the output of an action and the feedback it produces are far more critical than the action itself. Defining the desired results, and what can be learned from the action taken, helps refine future responses and reinforce defenses against similar threats. As new data, feedback, and lessons are applied to the platform, intelligence is automatically re-evaluated and reprioritized, which in turn makes the input stage of automation more effective.
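The three stages above form a loop: merged internal and external data is scored and prioritized (Input), the prioritized items drive an action (Run), and the recorded outcome adjusts how future data is scored (Output). The following Python sketch is an added illustration, not code from the article or any vendor platform; the sample sightings, feed contents, source weights and scoring formula are constructed assumptions.

```python
"""Input -> Run -> Output automation loop with feedback-driven re-scoring."""

# Constructed sample data: internal sighting counts per indicator (Input stage)
INTERNAL_SIGHTINGS = {"203.0.113.7": 3, "198.51.100.9": 1, "192.0.2.44": 0}
# Constructed external threat feeds the organization "subscribes" to
EXTERNAL_FEEDS = {
    "open_source": {"203.0.113.7", "192.0.2.44"},
    "commercial": {"203.0.113.7", "198.51.100.9"},
}
# Assumed per-source confidence; the Output stage tunes these over time
SOURCE_WEIGHT = {"open_source": 0.4, "commercial": 0.8}


def score(indicator, sightings, feeds, weights):
    """Input stage: merge external feed confidence with internal sightings."""
    external = sum(w for src, w in weights.items() if indicator in feeds[src])
    internal = 0.5 * sightings.get(indicator, 0)  # assumed weight per sighting
    return round(external + internal, 2)


def prioritize(sightings, feeds, weights, threshold=1.0):
    """Input stage: rank every known indicator and keep those above threshold."""
    known = set(sightings).union(*feeds.values())
    ranked = sorted(((score(i, sightings, feeds, weights), i) for i in known),
                    reverse=True)
    return [i for s, i in ranked if s >= threshold]


def run(indicators):
    """Run stage: hand prioritized indicators to the sensor grid.

    Stand-in for a real integration: returns the actions it would dispatch.
    """
    return [("block", i) for i in indicators]


def feedback(weights, feeds, outcomes, step=0.1):
    """Output stage: confirmed hits raise a source's weight, false positives lower it."""
    new = dict(weights)
    for indicator, true_positive in outcomes.items():
        for src, iocs in feeds.items():
            if indicator in iocs:
                delta = step if true_positive else -step
                new[src] = round(min(1.0, max(0.0, new[src] + delta)), 2)
    return new


if __name__ == "__main__":
    queue = prioritize(INTERNAL_SIGHTINGS, EXTERNAL_FEEDS, SOURCE_WEIGHT)
    print(run(queue))
    # Analyst review of results feeds back into the next Input cycle
    print(feedback(SOURCE_WEIGHT, EXTERNAL_FEEDS,
                   {"203.0.113.7": True, "198.51.100.9": False}))
```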