Go with the flow: How automation streamlines cybersecurity

The cybersecurity team has to get it right. Automation can help them do that.

By Bill Clark

Fri 5 Apr 2019 @ 14:52

Cybersecurity management faces growing challenges on numerous fronts. Systems have to keep out as many attackers as possible. Intrusions must be detected and thwarted. Network forensics must work backwards to determine what happened to ensure it doesn’t happen again. On top of all that, there are privacy and compliance issues to address. How can your security team keep up?

They can’t.

That’s why there’s rapid adoption of automation in cybersecurity circles.

The volume of information coming into organisations is already overwhelming and continuing to increase. At the same time, the cybersecurity skills gap is worsening, meaning positions go unfilled and existing staff are overwhelmed.

Stop swivelling, start flowing

Many organisations have built up their cybersecurity operation one piece at a time, resulting in disparate systems that may not even speak to each other. Security operations centre (SOC) staff find themselves doing swivel-chair analysis, turning from one screen and application to another and trying to piece together the full picture in their heads.

Automation, thankfully, promises to put an end to this practice.

Integrating systems to bring data together is the start of it all. With a next-generation SIEM solution, a typical data flow starts with all log information, machine data and other meaningful data being collected, classified and then passed on for analysis. User and entity behaviour analytics (UEBA) and network traffic and behaviour analytics (NTBA) identify potential threats and flag them for security staff. Both can also trigger security orchestration, automation and response (SOAR) to take action.

Automating the process isn’t enough, however. Success requires understanding the cybersecurity process and building a workflow that defines the stages in the process, orders the stages and identifies the results expected in each stage. Microsoft Security defines what it considers best practice in SOC automation:

  • Move as much of the work as possible to your detectors – Select and deploy sensors that automate, correlate and interlink their findings prior to sending them to an analyst.
  • Automate alert collection – The SOC analyst should have everything they need to triage and respond to an alert without performing any additional information collection.
  • Automate alert prioritisation – Not all threats are created equal. Automation must be smart enough to help SOC staff respond to the most serious threats first.
  • Automate tasks and processes – Automate as many of the repetitive administrative tasks as possible, minimising the amount of time your analysts spend on them.
  • Continuous improvement – The process is never finished. Lessons learned can be used to fine-tune both the automation and the human workflow to get the best out of both.

Creating and automating a workflow that frees staff from tedious, repetitive tasks can help with employee satisfaction. Those staff will also be free to provide greater value as they focus on more complex tasks and higher-level analysis than was previously possible.

Don’t forget the human touch

Automation is a tool, not an end in itself. And as good as it can be at detecting and flagging activity, it’s not ready to make all decisions on its own. Simple, rules-based responses may be able to handle some of the simplest threats, but experienced SOC staff know the environment and the enterprise better than any software can. It’s a mistake to use automation as a justification for removing staff or to avoid hiring much-needed staff.

When automating security workflows, remember that SOC staff are an integral part of cybersecurity defence. Organisations should be sceptical of any vendor that suggests its systems don’t need skilled analysts to deliver their full potential.
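The workflow the best-practice list and this section describe, as an added example that is not from the article or from any vendor's product: alerts are enriched automatically, scored so the most serious surface first, and only a narrow rules-based case is handled unattended, with everything else queued for an analyst. The asset inventory, threat-intel set, rule names and sample alerts are constructed values.

```python
from dataclasses import dataclass, field

# Constructed context sources standing in for the SIEM's enrichment data (hypothetical values)
ASSET_CRITICALITY = {"10.0.0.5": "high", "10.0.0.22": "low"}   # asset inventory
KNOWN_BAD_IPS = {"203.0.113.9"}                                # threat-intel feed
SEVERITY = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    src_ip: str
    context: dict = field(default_factory=dict)
    score: int = 0
    action: str = ""


def enrich(alert: Alert) -> Alert:
    """Automated alert collection: attach what an analyst would otherwise look up by hand."""
    alert.context["asset_criticality"] = ASSET_CRITICALITY.get(alert.host, "unknown")
    alert.context["src_known_bad"] = alert.src_ip in KNOWN_BAD_IPS
    return alert


def prioritise(alert: Alert) -> Alert:
    """Automated prioritisation: base severity weighted by asset value and intel hits."""
    score = SEVERITY[alert.severity]
    score += {"high": 2, "medium": 1}.get(alert.context["asset_criticality"], 0)
    if alert.context["src_known_bad"]:
        score += 2
    alert.score = score
    return alert


def route(alert: Alert) -> Alert:
    """Only a simple, reversible rules-based response runs unattended; the rest goes to a human."""
    if alert.context["src_known_bad"] and alert.rule == "inbound_scan":
        alert.action = "auto:block_src_ip"
    elif alert.score >= 5:
        alert.action = "analyst:urgent"
    else:
        alert.action = "analyst:queue"
    return alert


def triage(alerts):
    """Run the stages in order and return the analyst queue, highest priority first."""
    handled = [route(prioritise(enrich(a))) for a in alerts]
    return sorted(handled, key=lambda a: a.score, reverse=True)


# Constructed sample alerts as a detector might emit them
SAMPLE_ALERTS = [
    Alert("inbound_scan", "low", "10.0.0.22", "203.0.113.9"),
    Alert("lateral_movement", "high", "10.0.0.5", "10.0.0.40"),
    Alert("failed_logins", "medium", "10.0.0.22", "198.51.100.7"),
]
```

Running `triage(SAMPLE_ALERTS)` puts the lateral-movement alert on the critical host at the top of the analyst queue, auto-blocks only the known-bad scanner, and leaves the low-scoring login alert queued for review.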

LogRhythm NextGen SIEM

Learn how LogRhythm can help automate security workflow and empower staff to reach their full potential.