BT began the automation journey for its security operations centres (SOCs) in 2018, with the goal to unify customer experience across them. The main learning point was “you should never try to automate a complex process that’s not fully documented and well understood.” From this starting point, there are five key considerations to apply to your security automation journey.
#1 Skills shortages should drive focus
The (ISC)2 Cybersecurity Workforce Study reported a worldwide cybersecurity skills shortage of 2.72 million people. In the face of these supply constraints, the cost of cybersecurity talent is extremely high, leading to regular churn as skilled employees leave to pursue other career opportunities. It also makes it very difficult for smaller organisations and less well-funded industries to compete for cyber talent, leading to huge security risks.
In an environment where resourcing is limited, it’s critical to consider how automation can handle the routine, the repetitive, and those tasks that are important but not urgent. It would be naïve to assume that whole tasks can be fully automated, but automating the repetitive parts frees your analysts to apply their skills in more complex ways that widen the breadth of their experience, leading to increased job satisfaction and better retention.
#2 Look at automation holistically
When looking at automation options for your organisation, you need to assess the overall value of automating each process. The goal is to use automation where it provides the most effective value, without watering down capabilities, introducing additional risk or removing necessary human oversight. Before implementing automation in your tools, be sure you’re clear on the benefits and why you’re automating. Consider all aspects of your processes, the types of threats you see, talent availability, and the costs vs. benefits of automating certain decisions.
#3 Think about the operational implications of automation
Clear communication between groups within the organisation is critical to any platform where automated change can happen. Operational teams, in particular, need to have understanding, sight, and sign-off of such systems to understand the implications. In most organisations, a human ‘in the loop’ during an initial phase, aware of how such systems operate and able to investigate any change and revert it back in moments is a wise precaution. After a period of optimisation, tuning and tweaking, confidence will grow to the point that the humans can be ‘out of the loop’ and the organisation can rely on the automation.
#4 Choose your scope and domain wisely
Deciding what areas to automate is a minefield for many organisations. For most clients starting out on the journey, we would recommend focusing initially on basic individual controls and policy enforcement capability. This area tends to be simpler, with less chance of clashes between technology areas and vendors.
Risks also vary by organisation. We’ve long advocated for building a strong understanding of the threats each organisation faces and determining responses based on the tools, techniques and procedures known to be used against them. This threat intelligence data can be one of the main drivers allowing these responses to be automated – as long as the accuracy of the data is high.
#5 Data clarity drives improvement
Having a clear view of what data is needed and the insight that it can give you is key to successfully implementing automation programmes. Be selective about security data, particularly when linked to security decision making. Security controls are generating more data points than ever before, but before we can use it, we must ingest, process and store all that information.
Collection plans and data prioritisation should be central to your data strategy. This ensures that you can consolidate and refine data to reduce volume (and therefore cost) without losing the integrity or value of the data or of the decisions that we can make. Inevitably, the data will come in many different forms and from a myriad locations and sources. Having a well thought-through data capture strategy will help deliver the most benefit down the line. With so much data on hand, being clear on validity and prioritisation is fundamental to making sure that automated decision making is accurate and predictable.
As the world becomes ever more interlinked and connected devices number in the billions, the cyber landscape will continue to increase in reach and complexity. To combat this, automation will move from a ‘nice to have’ into an essential tool that organisations can’t cope without. As a result, the importance of contextual, timely and accurate threat intelligence as an input to decision making cannot be overstated.
© Technews Publishing (Pty) Ltd | All Rights Reserved