myke2
ServiceNow Employee

[Image: phishingworkflow.png]

Everywhere you look these days, security vendors are telling you to "automate or die." In fact, these vendors sometimes make it sound like automation will solve all your problems, calling it "adaptive," "agile," or even "self-healing." But is it really as magical as it sounds?

Gartner analyst Anton Chuvakin wrote his own take on the subject in a blog post titled "Security: Automate And/Or Die?" (yes, a year old, but still relevant). In it, he distinguishes good automation (safe, time-saving steps) from evil automation (steps that can break things). But even evil automation can be kept in check by leaving a human in the loop for the risky decisions.

"Automation" is a pretty vague term that can mean a number of different things, but overall it's a way to cut out otherwise manual steps in a process. It's applied inconsistently, even across a single business, and older legacy systems probably don't offer it at all. Private or public clouds are more likely to include some form of automation tools. Even the consumer space is making a big deal of automation for your home, so why isn't it put to better use in business?

The most commonly known type of automation in the security space is automatic blocking or isolation of a compromised system, taking it off the network to contain the infection. The vendors who make these tools warn that if you don't automate blocking to react ASAP, you'll end up with the kind of headlines no security person wants.

However, these tools earned a well-deserved bad reputation for taking down production business applications two minutes before quitting time. And if they weren't causing a panic by blocking critical applications, they likely weren't doing much at all. They were designed with great intentions but often didn't behave as expected once deployed in a real environment.

Those experiences left many rightfully wary of automation, but it can be a huge time-saver when used in the right applications. So what can you safely automate without putting your job at risk? Start with simple, repetitive, but necessary tasks that will save time for analysts without breaking the system.

A typical phishing investigation takes about 20-30 minutes and requires a number of manual steps: getting a copy of the email, analyzing the headers and content for IP addresses, URLs and email addresses, hashing the attachments and scanning them for malware, and checking who else in the organization received a copy. This initial research doesn't require any specialist skillset, and none of these steps will significantly disrupt the business. At the same time, while the steps are time-consuming, the potential consequences of not following up on a phishing email are grave. That combination makes the phishing investigation a great candidate for automation.

Automation should and will grow as your security organization matures. Adding it in phases means you can keep racking up wins without huge and embarrassing disruptions. Also, don't jump straight to blocking; start with the simple tasks first, such as correlating the observables you extracted with threat intelligence data.
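The investigation steps listed above, together with the threat-intelligence correlation suggested as a first automation target, as a worked example. This script is added here and is not code from the original post or from ServiceNow: the raw message, the gateway journal, the intel list and every name in them (corp.example, attacker.example, the hosts, addresses and the Message-ID) are constructed for the example, and a real deployment would pull them from the mail gateway and a threat-intel feed instead.

```python
"""Automated first pass over a reported phishing email.  Added example, not code
from the original post or from ServiceNow: it performs the manual steps listed
above and correlates the results with threat intelligence, entirely offline."""
import email
import hashlib
import json
import re
from email import policy
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed sample: a raw message as the mail gateway would export it.
RAW_PHISH = b"""Received: from mail.example.net (mail.example.net [203.0.113.7])
    by mx.corp.example (Postfix) with ESMTP id 4F2A1C3; Mon, 1 Jan 2024 09:00:00 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
    by mail.example.net with SMTP; Mon, 1 Jan 2024 08:59:50 +0000
Message-ID: <20240101085950.1234@mail.example.net>
From: "IT Helpdesk" <helpdesk@example.net>
Reply-To: reset@attacker.example
To: alice@corp.example
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://attacker.example/reset.
Questions? Write to helpdesk@example.net.

--b1
Content-Type: application/octet-stream; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

SGVsbG8gd29ybGQ=
--b1--
"""
# Constructed gateway journal (one row per delivery) and intel list.  The hash
# is the sample attachment's own SHA-256, seeded so the hash-match path runs.
MAIL_JOURNAL = [
    {"recipient": "alice@corp.example", "message_id": "<20240101085950.1234@mail.example.net>"},
    {"recipient": "bob@corp.example", "message_id": "<20240101085950.1234@mail.example.net>"},
    {"recipient": "carol@corp.example", "message_id": "<20240101090112.7777@partner.example>"},
]
THREAT_INTEL = {"ips": {"198.51.100.23"}, "domains": {"attacker.example"},
                "hashes": {hashlib.sha256(b"Hello world").hexdigest()}}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def _unique(items):  # deduplicate while keeping first-seen order
    return list(dict.fromkeys(items))

def extract_iocs(msg):
    """IPs, URLs, domains and addresses from the headers and body."""
    # Each hop prepends its Received line, so the list runs from our gateway back
    # to the sender and the last IP is the origin (as far as the headers are honest).
    received = [str(h) for h in msg.get_all("Received", [])]
    ips = _unique(ip for line in received for ip in IP_RE.findall(line))
    fields = [str(v) for n in ("From", "Reply-To", "Return-Path", "Sender") for v in msg.get_all(n, [])]
    header_addrs = [addr.lower() for _, addr in getaddresses(fields) if addr]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = _unique(u.rstrip(".,;)") for u in URL_RE.findall(text))
    return {"ips": ips, "urls": urls,
            "domains": _unique(urlparse(u).hostname for u in urls),
            "addresses": _unique(header_addrs + [a.lower() for a in EMAIL_RE.findall(text)])}

def hash_attachments(msg):
    """SHA-256 of every attachment, ready for a sandbox or intel lookup."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):  # text/* attachments come back decoded
            data = data.encode(part.get_content_charset() or "utf-8")
        out.append({"filename": part.get_filename(), "sha256": hashlib.sha256(data).hexdigest()})
    return out

def other_recipients(msg, journal, reported_by):
    """Who else the same message reached, by Message-ID in the gateway journal."""
    mid = str(msg.get("Message-ID", "")).strip()
    return sorted({r["recipient"] for r in journal if r["message_id"] == mid and r["recipient"] != reported_by})

def correlate(iocs, attachments, intel):
    """Match extracted observables against the intel list: the cheap, safe step."""
    hits = [("ip", ip) for ip in iocs["ips"] if ip in intel["ips"]]
    hits += [("domain", d) for d in iocs["domains"] if d in intel["domains"]]
    hits += [("domain", a.split("@", 1)[1]) for a in iocs["addresses"] if a.split("@", 1)[1] in intel["domains"]]
    hits += [("sha256", a["sha256"]) for a in attachments if a["sha256"] in intel["hashes"]]
    return _unique(hits)

def triage(raw, reported_by, journal=MAIL_JOURNAL, intel=THREAT_INTEL):
    """Enrichment only: the report goes to an analyst; nothing is blocked here."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    iocs, attachments = extract_iocs(msg), hash_attachments(msg)
    return {"iocs": iocs, "attachments": attachments,
            "other_recipients": other_recipients(msg, journal, reported_by),
            "intel_hits": correlate(iocs, attachments, intel)}

if __name__ == "__main__":
    print(json.dumps(triage(RAW_PHISH, "alice@corp.example"), indent=2))
```

Two caveats worth building in before this runs against real mail. Only the Received line written by your own gateway can be trusted; anything below it was supplied by the sender and is trivially forged, so treat the "origin" IP as a lead, not a fact. And the output is deliberately just a report: the script never blocks a sender, quarantines a mailbox or isolates a host, which keeps it on the "good automation" side of the line until the analyst decides otherwise.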

Look for more safe automation ideas coming soon!