Security Automation: Tools, Process and Best Practices
What is Security Automation?
Security automation is machine-based execution of security actions, which can detect, investigate and remediate cyberthreats with or without human intervention. Security automation has the potential to identify incoming threats, triage and prioritize alerts as they emerge, and perform automated incident response.
Activities performed by security automation tools include:
Detecting threats in the IT environment.
Triaging potential threats by following the same workflow used by security analysts to investigate and classify events.
Deciding on the most appropriate action to contain or mitigate a threat.
Security automation can have significant advantages in the security operations center (SOC):
Faster threat detection—SOC analysts are overwhelmed with security alerts and unable to deeply investigate all security incidents. Automation can help automatically triage alerts and identify real incidents, allowing analysts to identify threats faster.
Faster containment and mitigation—automated tools can immediately execute security playbooks in response to certain types of incidents. This means threats can be contained or even completely eradicated with no human intervention.
Improved productivity—SOCs suffer from a chronic skills shortage and analysts are overworked. By offloading manual tasks to automated processes, security analysts can focus on higher value activities and improve productivity. Automation also makes it possible for Level 1 analysts to handle a broader range of tasks without escalating to more skilled analysts.
Standardization of security processes—implementing security automation and playbooks requires a standard taxonomy of security tools and processes throughout the organization. This not only facilitates automated processes, it also helps clearly define manual processes and ensures they are applied consistently across the organization.
Types of Security Automation Tools
The following are three categories of tools that can help automate security processes.
Robotic Process Automation (RPA)
RPA technology can automate low-level processes that do not require intelligent analysis. RPA services typically use the concept of a software “robot” that uses mouse and keyboard commands to automate operations on a virtualized computer system.
Here are a few examples of security tasks that can be performed by RPA:
Scanning for vulnerabilities
Running monitoring tools and saving results
Basic threat mitigation—for example adding a firewall rule to block a malicious IP
The downside of RPA is that it performs only rudimentary tasks. It does not integrate with security tools through their APIs (it drives their user interfaces instead), and it cannot apply complex reasoning or analysis to guide its actions.
Security Orchestration, Automation and Response (SOAR)
SOAR systems are a stack of solutions that enable organizations to collect data about security threats and respond to security incidents with little or no human assistance. The category was defined by Gartner, and applies to any tool that can help define, prioritize, standardize, and automate incident response functions.
SOAR platforms are able to orchestrate operations across multiple security tools. They support automated security workflows, policy execution, and report automation, and are commonly used for automated vulnerability management and remediation.
Extended Detection and Response (XDR)
XDR solutions are the evolution of endpoint detection and response (EDR) and network detection and response (NDR). They consolidate data from across the security environment, including endpoints, networks, and cloud systems, allowing them to identify evasive attacks that hide between security layers and silos.
XDR can automatically compile telemetry data into an attack story, giving analysts everything they need to investigate and respond to the incident. It can also directly integrate with security tools to execute automated responses, making it a comprehensive automation platform for incident investigation and response.
XDR automation capabilities include:
Machine learning-based detection—includes supervised and semi-supervised methods to identify zero-day and non-traditional threats based on behavioral baselines, including threats that have already breached the security perimeter.
Correlation of related alerts and data—automatically groups related alerts, builds attack timelines, and traces event chains to determine root causes.
Centralized user interface (UI)—one interface for reviewing alerts, in-depth forensic investigation, and managing automated actions to respond to threats.
Response orchestration—enables manual response through the analyst UI, as well as automated responses via rich API integration with multiple security tools.
Improvement over time—XDR machine learning algorithms become more effective at detecting a broader range of attacks over time.
A Typical Security Automation Process
While different security tools operate in different ways, here is a typical process followed by an automated security system. In many cases, an automated security system will perform only some of these steps, and the rest will be carried out by a human analyst:
Emulating investigative steps of human security analysts—receiving alerts from security tools, correlating them with other data or threat intelligence, and deciding if an alert is a real security incident or not.
Determining responsive action—identifying what type of security incident is taking place, and selecting the most appropriate automated process or security playbook.
Containment and eradication—performing automated activities, via security tools or other IT systems, to ensure the threat cannot spread or cause more damage, and ideally, to eradicate it from affected systems. For example, at a first stage automation can isolate an infected system from the network, and at a second stage, wipe and reimage it.
Close the ticket or escalate—automated systems can use rules to determine whether automated actions succeeded in mitigating the threat, or whether further activity is needed. If so, they can integrate with paging or on-call scheduling systems to alert human analysts, with specific information about the ongoing incident. If further action is not needed, automation can close the ticket, providing a full report of the threats discovered and activities performed.
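The four steps above (and the alert correlation described under XDR) are easier to see in code. The following is an added example of a minimal SOAR-style playbook runner; it is not code from this page's vendor or any product. The alerts, the threat-intelligence indicators (TEST-NET addresses and a dummy hash) and the isolate_host tool call are all constructed so the script runs offline; in a real deployment the enrichment, containment and paging functions would call your SIEM, EDR, firewall and on-call APIs.

```python
"""Toy SOAR-style playbook runner (added example, not a product's code).

Flow per incident: correlate alerts by host -> enrich against threat intel ->
classify -> pick a playbook -> contain -> verify -> close or escalate.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threat-intel feed: hypothetical indicators, not real IOCs.
KNOWN_BAD_IPS = {"203.0.113.7"}        # RFC 5737 TEST-NET-3 address as a stand-in
KNOWN_BAD_HASHES = {"deadbeef" * 8}    # dummy SHA-256 of a "known malicious" binary

# Constructed alerts from two tools (process monitor and netflow sensor).
SAMPLE_ALERTS = [
    {"id": 1, "host": "ws-042", "type": "process", "sha256": "deadbeef" * 8, "ts": 100},
    {"id": 2, "host": "ws-042", "type": "netflow", "dst_ip": "203.0.113.7", "ts": 130},
    {"id": 3, "host": "ws-017", "type": "netflow", "dst_ip": "198.51.100.9", "ts": 140},
    {"id": 4, "host": "srv-09", "type": "netflow", "dst_ip": "203.0.113.7", "ts": 150},
]

# Simulated containment integration: which hosts the (hypothetical) EDR can isolate.
ISOLATION_OK = {"ws-042": True, "ws-017": True}   # srv-09 deliberately absent -> failure


@dataclass
class Incident:
    host: str
    alerts: list                     # timeline of correlated alerts for this host
    severity: str = "low"
    actions: list = field(default_factory=list)
    status: str = "open"             # open | closed | escalated


def triage(alerts):
    """Step 1: emulate the analyst. Group alerts per host into a timeline and
    enrich each against threat intel; the number of IOC hits drives severity."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    incidents = []
    for host, group in by_host.items():
        group.sort(key=lambda a: a["ts"])          # build the attack timeline
        hits = [a for a in group
                if a.get("dst_ip") in KNOWN_BAD_IPS or a.get("sha256") in KNOWN_BAD_HASHES]
        inc = Incident(host=host, alerts=group)
        if len(hits) >= 2:                          # execution + C2 traffic on one host
            inc.severity = "high"
        elif hits:
            inc.severity = "medium"
        incidents.append(inc)
    return incidents


def select_playbook(inc):
    """Step 2: map the classification to a playbook name (constructed names)."""
    return {"high": "isolate_and_reimage", "medium": "isolate_host", "low": "monitor"}[inc.severity]


def isolate_host(host):
    """Simulated EDR call: True if network isolation was applied."""
    return ISOLATION_OK.get(host, False)


def run_playbook(inc, playbook):
    """Steps 3-4: contain, verify the tool reported success, then close or escalate."""
    if playbook == "monitor":
        inc.actions.append("monitor")
        inc.status = "closed"
        return inc
    isolated = isolate_host(inc.host)
    inc.actions.append(("isolate", isolated))
    if not isolated:
        # Verification failed: hand off to a human with the incident context.
        inc.actions.append(("page_oncall", inc.host, inc.severity, len(inc.alerts)))
        inc.status = "escalated"
        return inc
    if playbook == "isolate_and_reimage":
        inc.actions.append("queue_reimage")         # second-stage eradication
    inc.status = "closed"
    return inc


def handle(alerts):
    """Run the whole pipeline and return the resulting incidents."""
    return [run_playbook(inc, select_playbook(inc)) for inc in triage(alerts)]


if __name__ == "__main__":
    for inc in handle(SAMPLE_ALERTS):
        print(inc.host, inc.severity, inc.status, inc.actions)
```

With the constructed data, ws-042 has both a bad hash and a bad destination, is rated high, isolated, and queued for reimaging; ws-017 has no IOC hits and is closed as monitor-only; srv-09 has one hit but its isolation call fails, so the runner escalates with the host, severity and alert count rather than silently closing. The "verify before close" branch is the part worth copying: an automation that closes tickets without checking the tool's return value turns a failed containment into a hidden one.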
Security Automation Best Practices
As you prepare to implement security automation technology in your organization, here are a few best practices that can help you make the most of it.
Identify the security events that occur most often, and those that take the longest time to investigate and resolve. Then define use cases and create a list of how security automation can help, based on organizational goals.
Start with manual playbooks
Start with manual playbooks documenting the steps, processes, and best practices your teams use today to effectively address an incident. Ensure teams follow a consistent and repeatable process whenever an incident occurs. Then, identify the most time-consuming, repetitive processes and use them to define your first automated playbooks.
Once you identify all the security tasks you can automate, recognize you can’t automate all of them at once. Start where automation makes the most sense, has high chances of succeeding, or can bring immediate value. Adopting small scale automation, you can monitor your progress, view the results and make adjustments as needed.
Invest in training
You’ll need to educate staff on how to use automation tools effectively. Training should not focus only on how to set up and operate automated processes. Define which types of processes and activities should be handled by human operators, and how to escalate smoothly to a human analyst when needed. Ensure that analysts know how to receive tasks from automated security systems, understand the data they receive, and can smoothly continue handling the incident.
Security Automation with Cynet XDR
Cynet 360 is the world’s first Autonomous Breach Protection platform that natively integrates the endpoint, network and user attack prevention & detection of XDR with the automated investigation and remediation capabilities of SOAR, backed by a 24/7 world-class MDR service. End to end, fully automated breach protection is now within reach of any organization, regardless of security team size and skill level.
XDR Layer: End-to-End Prevention & Detection
Endpoint protection—multilayered protection against malware, ransomware, exploits and fileless attacks.
Network protection—protecting against scanning attacks, MITM, lateral movement and data exfiltration.
User protection—preset behavior rules coupled with dynamic behavior profiling to detect malicious anomalies.
Deception—wide array of network, user, file decoys to lure advanced attackers into revealing their hidden presence.
SOAR Layer: Response Automation
Investigation—automated root cause and impact analysis.
Findings—actionable conclusions on the attack’s origin and its affected entities.
Remediation—elimination of malicious presence, activity and infrastructure across user, network and endpoint attacks.
Visualization—intuitive flow layout of the attack and the automated response flow.
MDR Layer: Expert Monitoring and Oversight
Alert monitoring—First line of defense against incoming alerts, prioritizing and notifying customers on critical events.
Attack investigation—Detailed analysis reports on the attacks that targeted the customer.
Proactive threat hunting—Search for malicious artifacts and IoCs within the customer’s environment.
Incident response guidance—Remote assistance in isolation and removal of malicious infrastructure, presence and activity.
Cynet 360 can be deployed across thousands of endpoints in less than two hours. It can be immediately used to uncover advanced threats and then perform automatic or manual remediation, disrupt malicious activity and minimize damage caused by attacks.