It’s hard to believe that cars were once put together by hand, but it’s true. The early auto workers toiled with rudimentary equipment to build the first personal vehicles to drive on four wheels. Due to the inordinate effort required to put together these lumbering beasts, only the very wealthy could afford such a luxury.
That all changed with the introduction of the assembly line. Henry Ford, the father of this automated approach to manufacturing, set us, as a society, down a path that has led directly to where we are today, where packages ordered online magically, it seems, appear at your door faster than you could imagine.
What Ford introduced into the world is the idea that focusing effort on a particular aspect of any process not only makes that process much more efficient but also increases the quality of the output. In Ford’s time, the idea that one day the assembly line itself could eliminate the need for some (if not all) workers was unimaginable, but that is the fear.
It seems that the population at large has misgivings when it comes to automation. I have been fortunate to work in technology for over 20 years and have a history of introducing new technology in multiple industries, many of which dealt with automating, in one form or another, a formerly manual process. Interestingly enough, the initial reactions when showing these new technologies to the intended users were very similar. Seeing this firsthand, and being charged with convincing a less than enthusiastic audience to be open to a new approach to an old process, I can make a pretty compelling argument for (and in some cases against) automation in the cybersecurity space, but you be the judge.
The Case for Security Automation
1) Time Savings
The shortest distance between two points is a straight line, so let’s start with the easiest argument for automation – time savings. Visit any SOC anywhere in the world and I can almost guarantee you will find a team that has far more work on their plate than they can possibly handle. Whether it be reviewing logs for compliance purposes, triaging vast amounts of alerts, or working in-depth investigations, the security pros in the SOC are absolutely hammered with tasks, all of which are deemed essential.
As the saying goes, though, when everything is a priority, nothing is. So it should come as no surprise that these teams are often faced with impossible choices. Complete these in-depth investigations, and new alerts will pile up. Plow through these fresh alerts, and watch the cases ready for investigation stack up.
How to handle this dilemma is complicated. Talking with many security analysts, I hear the same thing repeated: They spend more time gathering data for the investigation than actually completing the investigations, and it is because the processes they follow to gather the information are manual. Why manually copy a hash value so you can run it through your online battery of threat intelligence sources when you can, with the aid of the right technology, automate that whole process? This simple, yet powerful implementation of automation will have an immediate impact.
While we may be in strong agreement that time savings is an obvious argument for automation, you have to make sure you are automating the right things, in the right sequence. Before undertaking any automation steps, ensure you are working toward a goal. Nothing is more frustrating than automating a process only to have to go back and still complete it manually because a critical step, or piece of data, is missed.
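The enrichment step described above, written out as an added example (this is not code from the original article or from Siemplify): hashes are pulled out of an alert and run through every configured intelligence source without an analyst copying anything by hand. The threat intelligence sources, the alert text, the hash values and the required-source list are all constructed stand-ins, chosen so the script runs offline. It also handles the caveat from the paragraph above: if a source the workflow depends on returns no answer, the indicator is marked incomplete and handed back to an analyst rather than silently scored as benign.

```python
"""Automated hash enrichment for a SOC alert (added example, constructed data)."""
import re
from dataclasses import dataclass, field

# Constructed threat-intel "sources": indicator -> verdict.
# A production version would wrap API clients (with timeouts and retries);
# plain dictionaries keep this example runnable offline.
KNOWN_BAD = "deadbeef" * 4                  # constructed 32-hex "MD5"
KNOWN_GOOD = "0123456789abcdef" * 2         # constructed 32-hex "MD5"
NEVER_SEEN = "0" * 63 + "1"                 # constructed 64-hex "SHA-256"

CONSTRUCTED_SOURCES = {
    "vendor_feed": {KNOWN_BAD: "malicious", KNOWN_GOOD: "benign"},
    "internal_allowlist": {KNOWN_GOOD: "benign"},
    "sandbox_history": {KNOWN_BAD: "malicious"},
}

# MD5 (32), SHA-1 (40) and SHA-256 (64) hex digests; longest alternative first.
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)


def extract_hashes(alert_text: str) -> list[str]:
    """Replace the manual copy/paste: unique hashes, lowercased, first-seen order."""
    found: list[str] = []
    for match in HASH_RE.findall(alert_text):
        digest = match.lower()
        if digest not in found:
            found.append(digest)
    return found


@dataclass
class Enrichment:
    indicator: str
    verdicts: dict = field(default_factory=dict)   # source name -> verdict
    missing: list = field(default_factory=list)    # required sources with no answer

    @property
    def status(self) -> str:
        """Combine answers; a missing required source never produces a clean result."""
        values = set(self.verdicts.values())
        if "malicious" in values:
            return "malicious"
        if self.missing:
            return "incomplete"   # critical data absent: route to an analyst
        if "benign" in values:
            return "benign"
        return "unknown"


def lookup(source_name: str, indicator: str, sources: dict):
    """One source query. None means the source had no answer (or timed out)."""
    return sources[source_name].get(indicator)


def enrich(alert_text: str, sources: dict = CONSTRUCTED_SOURCES,
           required: tuple = ("vendor_feed",)) -> list[Enrichment]:
    """Run every extracted hash through every source and score each one."""
    results = []
    for digest in extract_hashes(alert_text):
        entry = Enrichment(indicator=digest)
        for name in sources:
            verdict = lookup(name, digest, sources)
            if verdict is not None:
                entry.verdicts[name] = verdict
            elif name in required:
                entry.missing.append(name)
        results.append(entry)
    return results


# Constructed alert text; host, alert id and paths are placeholders.
CONSTRUCTED_ALERT = (
    "EDR alert 0001: suspicious child process on host example-ws\n"
    "parent: C:\\Windows\\explorer.exe\n"
    f"child md5: {KNOWN_BAD.upper()}\n"
    f"dropped file sha256: {NEVER_SEEN}\n"
    f"dropped file md5: {KNOWN_GOOD}\n"
)

if __name__ == "__main__":
    for entry in enrich(CONSTRUCTED_ALERT):
        print(entry.indicator[:12], entry.status, entry.verdicts, entry.missing)
```

Run as a script it prints one line per hash: the constructed "known bad" digest scores malicious, the never-seen SHA-256 comes back incomplete because the required vendor feed had nothing on it, and the "known good" digest scores benign. The `required` tuple is where the "right things, in the right sequence" decision lives: it encodes which sources must answer before the automation is allowed to close an indicator on its own.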
Early in my career when I first began traveling internationally for business I was like a deer in the headlights. Here I was in a vibrant city like Buenos Aires, yet I was so relieved when I found the golden arches and knew I wasn’t going to order a burger and get something I had never seen before.
People often crave familiarity, and those arches guaranteed the consistency that I needed at the time. In the SOC, incorporating automation into your incident processes also embeds consistency into the process. Formalized workflows that every SOC analyst uses mean that whether Bill, the new analyst on the team, or Jane, the most senior analyst, is working a case, both can be confident that the agreed-upon steps were followed to the letter.
Of course, those “agreed-upon steps” don’t just materialize out of thin air. In any SOC with more than two analysts, especially ones with many years of experience, disagreements will naturally arise on the best way to investigate and respond to any given attack. Before racing to implement automation, give the team time to hash out these differences. Fortunately, if the tech you have in the SOC supports this, you can easily test out the steps in parallel and let the results speak for themselves.
If you are like me, you have found yourself replying to an email at 11 p.m. almost reflexively. In years past, when people left the office, there was a clear transition to home life. Now that is simply not the case.
Security professionals are prone to burnout partly due to this constant connection to work. The root cause of the problem is not the fact that this connection exists. It is the fact that the workload put on security practitioners today is not reasonable. Automation, while not a cure-all for prolonged stress at work, can certainly ease the load. With automation taking the place of the hours spent manually completing tasks, over time you can finally start making a dent in the backlog of investigations faced daily. As confidence in the deployed automation grows, so will your ability to switch off when you leave the SOC. Do not get the wrong impression that automation will eliminate the panicked 2 a.m. calls about a potential breach. But what proper automation, combined with the right technology, can do is make the daily life of security pros more livable.
Automation for the People
The natural apprehension about taking tasks once completed by a human and putting them in the hands of technology has existed since the days of Ford. However, imagine everything that automation has given society that makes our lives better, from the simple programmable coffee pot that ensures your fresh cup is ready for you when you wake to the autopilot that safely maneuvers a 750,000-pound 747 on a flight from New York to Paris without issue. Automating security tasks is a natural progression and should be embraced.
Steve Salinas is director of product marketing at Siemplify.