Automation is supposed to simplify things for IT security teams in increasingly complex technology and business environments. But people and process factors pop up even here.
Many enterprises lack the foundation of people, process, and technology to execute well on IT security automation.
“Automating threat detection and response is a top priority for most enterprises – but many lack the foundation of people, process, and technology to execute on it effectively,” says Joe Partlow, CTO at ReliaQuest. “We often hear from enterprises that they’ve invested more in enabling and maintaining automation than they’ve seen in increased efficiencies as a result of it.”
That kind of defeats the point. Moreover, there’s added pressure right now on IT leaders to fortify their security posture for the remote workforce – a paradigm that’s likely to remain at least partially in place for many companies for the foreseeable future.
[ How can automation free up more staff time for innovation? Get the free eBook: Managing IT with Automation. ]
“The rapid shift to remote work models, especially now, is raising the stakes on the complexity of attack surfaces and therefore adoption of automation to maintain visibility and control over a growing number of endpoints and a new normal of network behaviors,” Partlow says.
That’s a point of friction: IT and security teams need automation more than ever to keep up with emerging risks and vulnerabilities, but the path toward that goal is not always well-lit. Where do you get started, especially if you’re mired in a maze of manual processes and tools today? And how do you avoid the scenario Partlow describes, whereby greater security automation actually increases your operational overhead?
How to start IT security automation sensibly
We asked Partlow and other security leaders for their advice. Here’s how they recommend IT leaders and their teams begin automating more of their security work in a sensible fashion.
1. Categorize and prioritize security tasks and processes
You’ve probably heard plenty of automation pitches that promise to make security automation “easy.” In reality, says Laurence Pitt, global security strategy director at Juniper Networks, there’s not much that’s inherently easy about it. Rather, you’ll need to simplify things for yourself and your team by categorizing and prioritizing candidates in a manner that makes automating them actually achievable.
“The best way to work through this – and be successful – is to start at the bottom and work up,” Pitt says. “Begin with tasks a security engineer repeats daily and look to automate those that can reduce the risk of an overlooked alert, plus reduce workload.”
Jerry Gamblin, principal security engineer at Kenna Security, offers a framework for applying this kind of thinking to your own organization and environments: “The first step in any automation is to understand what tasks your teams complete on a daily basis.”
Once you’ve worked with your team to build that list, Gamblin says, it’s time to organize it into four categories:
This task is simple and takes very little time to complete.
This task is complicated and takes very little time to complete.
This task is simple and takes a long time to complete.
This task is complicated and takes a long time to complete.
Now you’ve got a basis for automating security chores in a manner that will produce results without becoming overly daunting, especially in the early phases.
“In the beginning, and for the biggest impact, you want to ignore any tasks your team has flagged as either ‘this task is complicated and takes very little time to complete’ or ‘this task is simple and takes a long time to complete,’” Gamblin advises. “Come back to them at another time.”
Instead, start with something in the “this task is simple and takes very little time to complete” bucket.
“An example of this would be to build a simple slack bot to send alerts [upon] completion of your vulnerability scans every day instead of having someone log in to manually check,” Gamblin says.
Once you’ve earned an “easy” win, tackle a more complicated, time-consuming task – one that will probably require a non-trivial amount of time on the part of an analyst or engineer.
“This task could often be something like preparing a report of statistics for leadership from a variety of different APIs and tools,” Gamblin says. Don’t get discouraged if it takes some extra effort. “Automating tasks in this category often take a very long time and seem to ‘take more time than they are worth,’ but usually end up making the biggest differences for teams in the long run.”
Then, Gamblin recommends alternating between “simple/short” and “complicated/long” tasks to build both short-term momentum and significant long-term results.
Let’s look at two more important steps to take: