Threats move fast, but security defenders need to move faster. Automation offers a way to achieve speed, but it’s not always an option for teams.
Without dedicated security engineering resources (namely those with programming skills), developing automated security workflows can be an impossibility. And while many companies do have in-house programming talent, gaining access to them typically takes too long. Even if you do get access to a security engineer, will your team know how to define a security workflow enough to solve a real problem?
To help you move beyond programming resource restrictions, here are three ways security teams can build automated workflows:
1. Find Resources Outside of Security
Begin by looking to your engineering department. By starting a conversation early on with the engineering team lead, you may be able to find a way to snag a developer’s time to work on security automation. Remember: It’s not that other teams don’t care about security work. Often it’s simply a lack of collaboration between departments.
If sourcing internal programming resources is out of the question, look for a consultant/freelancer who can come in and get this work done for you. There are many consultancy firms out there today with the expertise to do this fast, but if budget is an issue, look for a freelancer from your network, post on a site like Upwork, or ask other companies who they use.
If none of these is a viable option, find nearby colleges with interns eager to learn and make a real-world impact. Hiring interns to take on developing automated security workflows is not only a cost-effective option; it also helps to groom potential new hires.
2. Turn to the Broader Security Community
There are likely many other people dealing with the same security challenges and tasks as you. As a security community, we’re all in this together fighting similar adversaries, so to make the dream of collaboration a reality, we need to start sharing workflows and frontline expertise among each other in order to operate as a united front.
Where can we all start doing this? There are already public places like PeerLyst, OpenNSM, Reddit, and our own Komunity where people can openly share security knowledge for all to benefit. As for automated security workflows, turning to the broader community for advice on how other security organizations have implemented automation may help you get a better sense of where to begin and a plan of attack.
3. Leverage a Security Orchestration and Automation Platform
If the first two options won’t get you to your end goal quick enough, there’s a third option: a security orchestration and automation platform. A security orchestration and automation platform can help connect all your security tools in a single place. Once tools are connected, you can orchestrate processes between them and automate all the mundane tasks.
Let’s take phishing investigations as an example of how orchestration and automation works:
Security orchestration can automate workflows around routine investigatory tasks, like finding known phishing links on the internet and matching it to suspicious incoming emails. A good automated workflow should be able to tie in intel across systems for you, altogether eliminating manual data retrieval so you can instead spend your time understanding and responding to the incident.
Having connect-and-go functionality means you get all the benefits automated workflows offer for a fraction of the time and cost. And if orchestration and automation is new to you and your organization, many companies, including us, are happy to run a proof-of-concept (POC) to test out the benefits of automation before you commit to anything.
Getting to Automation Faster
We can’t let roadblocks like a lack of coding skills stand in the way of automated workflows. So when manpower isn’t ample, it makes sense to bring in the machines. This is a big pain point many of us at Komand felt ourselves while working at other companies, so it’s our vision to bring automated workflow capabilities to every security team.