Smart Automation: Why You Should Do It
Welcome to a short series of blogs on smart automation. While automation isn’t new – we have had a full Gartner cycle of SOAR tools after all – what you can use it for and the benefits you can achieve have reached a new potential.
In this first blog we will look through some of the traditional uses of automation in a security context, some of the things you could do and some of the things you really should do.
Throughout the series there will be a constant theme of ‘Safe Instruction, Safe Execution and Speedy Creation’. It is these three factors which must be employed to realise the full potential of automation.
Why Automate
So, as a recap, why would you be interested in using automation? The first two reasons are closely linked – speed and efficiency. Repetitive and predictable actions traditionally done by human analysts are prime candidates to be automated by scripts or through SOAR tools. These tasks are then executed more quickly and more efficiently than before, allowing analysts more time to explore the nuances of an incident.
The next reason is improved accuracy. Whilst process and procedure can lead to greater standardisation amongst human analysts, genuine consistency and accuracy require codification and automation.
Lastly, and by no means least, we can use automation to help preserve the mental well-being of our employees. Ontinue has commented previously on the potentially negative impact of the high-stress, low-value, repetitive tasks that we subject junior analysts to. One may argue that automation could reduce the number of people you need, which may be true, but you are more likely to have them working on more valuable and rewarding tasks than before. I think we owe them that.
What to Automate?
In the context of security operations, one of the most common areas to apply automation to is enrichment – the practice of drawing in additional context to support machine- or human-based correlation. Typically, one does lookups on the entities in an incident (IP addresses, hostnames, hash values of files for malware identification, etc.). This can dramatically speed up the triage process for incidents managed by humans.
The next potential area is response actions. Whilst this has the potential to greatly reduce the time to respond to potential attacks, it is an area which has had only moderate adoption. The conservative adoption is due in large part to the nuances that often come with incidents, which make a structured (and hence code-worthy) determination challenging. The initial response actions to automate include forcing a user to reset a password, disabling a user account, isolating a device (usually end-user devices) or blocking access to IP addresses or domains. Organisations typically identify user groups and resource groups to which these actions can be applied with acceptable impact.
Lastly, and far less frequently automated, are preventative actions. Whilst patching comes closer to being fully automated (are you using update rings in Intune yet?), here we are talking about automated attack surface reduction based on incident data and threat intelligence.
Simple, right?
Not quite! More advanced automation is not for the faint-hearted. It requires insight into the availability, quality and consistency of inputs, as well as a firm understanding of what should be done in the scenario – each time and every time. In short: skills, experience, data and tools. If you can assemble these (and the magical element of time) then there are rich rewards. It is why many mid-sized organisations are looking to their MSSPs to unlock the potential on their behalf. I add the comment of ‘caveat emptor’ – not all MSSPs are equal!
There are things that you can look at doing yourself. A number of SIEM and SOAR platforms have out-of-the-box automations which you should consider – especially the enrichment ones. You can also prepare yourself for more advanced automation by making sure you are keeping relevant logs and data from incidents, so that you understand what inputs are available. Asset-based rules of engagement models are also useful both today and for future automation – they determine which actions are pre-authorised on which defined resources.
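To make the rules-of-engagement idea concrete, here is an added example (not code from the original post or from Ontinue) of how a SOAR playbook step could gate the response actions discussed above. The tier names, asset inventory and action names are constructed assumptions; the important property is that anything not explicitly pre-authorised is escalated to an analyst rather than executed.

```python
from dataclasses import dataclass

# Constructed rules-of-engagement (RoE) table: for each automated response
# action, the asset tiers on which it is pre-authorised. Names are assumptions.
ROE = {
    "isolate_device": {"workstation"},               # end-user devices only
    "disable_account": {"standard_user"},
    "force_password_reset": {"standard_user", "privileged_user"},
    "block_ip": {"external"},                        # never internal ranges
}

# Constructed asset inventory (in practice fed from CMDB / directory).
ASSETS = {
    "WS-1042": "workstation", "SRV-DB01": "server",
    "j.doe": "standard_user", "svc-backup": "service_account",
    "203.0.113.7": "external", "10.0.0.5": "internal",
}

@dataclass
class Decision:
    action: str
    target: str
    allowed: bool
    reason: str

def evaluate(action: str, target: str) -> Decision:
    """Decide if `action` on `target` may run unattended; deny by default."""
    if action not in ROE:
        return Decision(action, target, False, "action not in RoE")
    tier = ASSETS.get(target)
    if tier is None:
        return Decision(action, target, False, "target not in inventory")
    if tier in ROE[action]:
        return Decision(action, target, True, f"pre-authorised on '{tier}'")
    return Decision(action, target, False, f"'{tier}' needs analyst approval")

def plan_response(proposed):
    """Split (action, target) pairs into auto-executable and escalated lists."""
    decisions = [evaluate(a, t) for a, t in proposed]
    return ([d for d in decisions if d.allowed],
            [d for d in decisions if not d.allowed])

if __name__ == "__main__":
    auto, escalate = plan_response([
        ("isolate_device", "WS-1042"), ("isolate_device", "SRV-DB01"),
        ("disable_account", "svc-backup"), ("block_ip", "10.0.0.5"),
    ])
    for d in auto + escalate:
        print("AUTO    " if d.allowed else "ESCALATE", d.action, d.target, d.reason)
```

The escalated list is the queue a human analyst would review; the auto list is what the playbook may execute without waiting.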
What’s next
Hopefully we now have a common understanding. The next blogs will expand on the mantra of ‘Safe Instruction, Safe Execution and Speedy Creation’. This, in our learned opinion, is the key to smart automation and a more dynamic response to evolving threats.