Why Security Teams Need to Embrace Automation

February 25, 2020 • The Recorded Future Team

Fiction envisions a world taken over by autonomous machines — self-building, self-aware robots that are near perfect as they fight humankind. We marvel at their ability to operate and replicate.

In reality, automation saves time, money, and even lives. As an example, WannaCry, a ransomware variant, was responsible for a cyberattack costing an estimated $4-8 billion. However, it was preventable with a software update that was released eight months prior. Yet, 66% of businesses can’t or won’t rely on automated patching.

The adoption of automation has its challenges — but intelligence-led security can be challenging, too. The term “intelligence,” on one hand, brings to mind James Bond and a powerful capability that delivers a crystal ball-like understanding. On the other hand, in practice “intelligence” can amount to a feed that reports Google’s public DNS resolver (8.8.8.8) as a malicious indicator of compromise (IOC).

Intelligence, like automation, is not a capability that can be picked off the shelf, plugged in, and expected to deliver value instantly. Both have their own unique challenges, but once those are overcome, both can deliver substantial value.

Resistance To Adopting Security Automation and Orchestration

Automation revolutionized the car manufacturing industry decades ago, because it is ideally suited to replacing manual, repetitive tasks. Today other sectors, such as construction, are adopting automation too; bricklaying is a perfect example. A robot named SAM can now lay bricks 500 times faster than a human can. This will drive down cost and reduce delivery times with little human involvement. It is easy to see why automation is an aspiration for many. But if automation is so valuable, why is it not used everywhere?

The initial costs associated with automation can be substantial, such as developing the mechanisms and defining the problem. In the early generations of automation, every step of the solution had to be documented exactly, with no room for deviation. Automation can be inflexible and not always fit for purpose, especially in sectors with constantly moving goalposts.

Security professionals defending businesses from cybercriminals are engaged in an ever-developing cat-and-mouse game. Security analysts must adapt to new and alternative attacks. Analysts must analyze, hypothesize, and distribute their respective intelligence products — all while remaining flexible and adaptive.

It is clear that humans will still be required to analyze information and make informed assessments that help safeguard businesses from cyberattacks. But it is also humans who consume substantial time and money on laborious tasks. While timeliness is one of the objectives of intelligence, intelligence teams struggle to provide valuable intelligence in a timely manner.

Sourcing information and then collating, processing, analyzing, and distributing it requires a substantial number of repetitive tasks — tasks that are ideal for automation. But that means humans must thoroughly define the steps within each task, which is something a mature intelligence cell should be able to produce. There are, however, aspects of the intelligence lifecycle that require constant alteration, adaptation to millions of variables, and the creation of new solutions to new unknowns. Humans are ideally suited to adapting and deviating from a set course. Even with artificial intelligence (AI), we are years away from AI fully replacing humans (if at all) in every aspect of the intelligence lifecycle.

Accelerate Repeatable Tasks With Security Automation (and Empower Analysts to Do What They Do Best)

Automation and intelligence production are well documented and valuable capabilities. We can leverage these existing best practices to support the adoption of automated intelligence while empowering people to be creative and adaptable — in short, a complementary partnership.

Automation:

  • Should belong to long-term planning and take on repeatable tasks for an extended period
  • Should avoid the Rube Goldberg effect and be kept as simple and direct as possible while adopting or defining an automated solution
  • Is not fit for every scenario

Intelligence:

  • Needs to be limited to reduce the risk of drowning in data — especially when utilizing automation that can quickly overwhelm a team
  • Should be integrated across functions and systems where possible, breaking down the tasks used to produce intelligence; application programming interface (API) technology makes integration substantially easier, and standards such as STIX and TLP help structure how information flows and how far it may be shared
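The two intelligence points above (limit the volume so automation does not drown the team, and integrate over APIs using STIX and TLP) can be shown in a small ingestion step. The following is an added example, not Recorded Future code: it reads a STIX 2.1 bundle, parses the equality comparisons out of each indicator pattern, suppresses known-benign and non-routable infrastructure (including the 8.8.8.8 false positive mentioned earlier), and carries each surviving IOC's TLP marking forward so downstream systems know how widely it may be shared. The bundle, the allowlist, and the confidence threshold of 50 are constructed assumptions; the pattern parser handles only simple `type:property = 'value'` comparisons, not the full STIX pattern grammar.

```python
"""Ingest a STIX 2.1 indicator bundle, suppress known-benign infrastructure so
the team is not drowned in data, and carry each surviving IOC's TLP marking
forward. Added example: standard library only, constructed data."""
import ipaddress
import json
import re

# Assumed allowlist of infrastructure that must never be treated as an IOC;
# 8.8.8.8 is the resolver the article mentions, the rest is illustrative.
KNOWN_BENIGN = {
    "ipv4-addr": {"8.8.8.8", "8.8.4.4"},
    "domain-name": {"dns.google"},
}

# Matches equality comparisons such as ipv4-addr:value = '1.2.3.4'. A full STIX
# pattern grammar (FOLLOWEDBY, qualifiers, quoted hash names) is out of scope.
OBSERVABLE_RE = re.compile(r"([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'")

TS = "2020-02-25T00:00:00.000Z"


def _marking(suffix, tlp):
    """Build a constructed STIX 2.1 TLP marking-definition object."""
    return {"type": "marking-definition", "spec_version": "2.1", "created": TS,
            "id": f"marking-definition--00000000-0000-4000-8000-0000000000{suffix}",
            "definition_type": "tlp", "definition": {"tlp": tlp}}


def _indicator(n, pattern, confidence=None, marking=None):
    """Build a constructed STIX 2.1 indicator object."""
    obj = {"type": "indicator", "spec_version": "2.1", "created": TS, "modified": TS,
           "valid_from": TS, "pattern_type": "stix", "pattern": pattern,
           "id": f"indicator--00000000-0000-4000-8000-0000000000{n:02x}"}
    if confidence is not None:
        obj["confidence"] = confidence
    if marking is not None:
        obj["object_marking_refs"] = [marking["id"]]
    return obj


GREEN, AMBER = _marking("aa", "green"), _marking("bb", "amber")

# Constructed feed: none of this is real threat data. Domains use the reserved
# .invalid TLD; IPs come from RFC 1918 and documentation ranges.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        GREEN, AMBER,
        _indicator(1, "[ipv4-addr:value = '8.8.8.8']", 90, GREEN),  # the false positive
        _indicator(2, "[domain-name:value = 'c2.example.invalid' OR "
                      "ipv4-addr:value = '203.0.113.17']", 80, GREEN),
        _indicator(3, "[url:value = 'http://stage.example.invalid/update.bin']", 85, AMBER),
        _indicator(4, "[domain-name:value = 'lowconf.example.invalid']", 30, GREEN),
        _indicator(5, "[ipv4-addr:value = '10.0.0.5']"),  # no confidence, no TLP
    ],
})


def parse_pattern(pattern):
    """Return (object type, value) pairs from a STIX pattern string."""
    return [(obj_type, value) for obj_type, _prop, value in OBSERVABLE_RE.findall(pattern)]


def tlp_label(indicator, markings):
    """Resolve object_marking_refs to a TLP colour, or None if the indicator is unmarked."""
    for ref in indicator.get("object_marking_refs", []):
        marking = markings.get(ref)
        if marking and marking.get("definition_type") == "tlp":
            return marking["definition"]["tlp"]
    return None


def is_known_benign(ioc_type, value):
    """Cheap noise filter: the allowlist, plus addresses that cannot be an external
    adversary (RFC 1918, loopback, documentation ranges, ...)."""
    if value in KNOWN_BENIGN.get(ioc_type, set()):
        return True
    if ioc_type in ("ipv4-addr", "ipv6-addr"):
        try:
            return not ipaddress.ip_address(value).is_global
        except ValueError:
            return False  # malformed address: show it to an analyst rather than hide it
    return False


def triage(bundle_json, min_confidence=50):
    """Split a bundle's IOCs into actionable / review / suppressed buckets.
    min_confidence is an assumed threshold on the STIX 0-100 confidence scale."""
    bundle = json.loads(bundle_json)
    markings = {o["id"]: o for o in bundle["objects"] if o["type"] == "marking-definition"}
    result = {"actionable": [], "review": [], "suppressed": []}
    for obj in bundle["objects"]:
        if obj["type"] != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        tlp, confidence = tlp_label(obj, markings), obj.get("confidence")
        for ioc_type, value in parse_pattern(obj["pattern"]):
            record = {"indicator": obj["id"], "type": ioc_type, "value": value,
                      "tlp": tlp, "confidence": confidence}
            if is_known_benign(ioc_type, value):
                result["suppressed"].append(record)
            elif tlp is None or confidence is None or confidence < min_confidence:
                result["review"].append(record)  # unmarked or weak intel is never auto-pushed
            else:
                result["actionable"].append(record)
    return result


if __name__ == "__main__":
    for bucket, records in triage(SAMPLE_BUNDLE).items():
        print(bucket)
        for r in records:
            print(f"  {r['type']:12} {r['value']:42} tlp={r['tlp']} confidence={r['confidence']}")
```

On the constructed bundle, the 8.8.8.8 indicator and both non-routable addresses land in the suppressed bucket, the low-confidence domain and anything without a TLP marking go to an analyst, and only two IOCs remain actionable, each still tagged green or amber so the next system in the chain can decide where it may be forwarded.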

Automation and intelligence have their own unique challenges, but together they can be used to overcome various problems while providing additional value. For many, the future goal is to automate as much as possible, yet organizations may be reluctant to proceed until a mature intelligence capability is achieved. This shouldn’t be the strategy going forward: automation can itself help overcome those difficulties and move a team toward a mature intelligence service.

Explore Security Automation Further

To learn more about how you can improve security efficiencies at your organization by embracing automation, download our complimentary e-book, “Beyond SOAR: 5 Ways to Automate Security With Intelligence.”