It’s not very productive to come into work day in and day out just to perform the same task dozens of times when you were trained to hunt threats and remediate complex problems.
The repetition of rote tasks like IP scoring, alert monitoring, and URL lookups can be fatiguing and dissatisfying, which, as major security breaches show, can cause alerts to slip through the cracks and threats to get in.
In fact, many of these tasks are ones our customers automate using Komand so they can move on to more strategic (and rewarding) work. Here’s a look at the most common tasks security analysts do and why and how to automate them.
1. Data Enrichment Tasks
Keeping up with alerts is an exhausting job, especially when many of them are false positives. A few common tasks that many teams currently perform manually include:
- Looking up IP addresses
- Fetching URL intel
- Investigating domains
- Retrieving logs
- Querying accounts
Tasks such as these are done to provide data enrichment or even threat scoring. Done per alert, they become time-consuming, leaving little time for responding, and even less time to proactively hunt for threats.
Soon enough, alert fatigue sets in, which can quickly lead to errors. In some cases, security analysts stop looking at their event consoles altogether. What’s the point, when they’re riddled with false alarms?
Using security automation, you can integrate your systems and automate data enrichment, including querying of logs, lookups, and more. This conserves time and allows defenders to respond faster and more accurately.
2. Malware Investigation Tasks
Malware is a huge (and growing) threat today. And it shows itself in many different forms — from ransomware to malvertising to botnets and more. Catching it requires being able to accurately identify it, investigate how far it has spread and which machines are infected, and then remove the malicious code.
Even trickier is trying to understand its intentions so that you can determine your response. Is it just sitting on your network, or is it actively holding data hostage?
Here are some common tasks in the malware investigation process:
- Extracting from email or other source
- Detonating files in a sandbox
- Performing VM snapshots
- Finding and identifying malware
- Reverse engineering malware
- Removing malware
A threat that isn’t going away anytime soon, malware demands an automated method to handle it end-to-end, from identification to investigation to removal. That’s where security automation comes in. By orchestrating your security tools, workflows can be executed automatically so that your only (and most important) job is remediation.
3. Alert Notification and Escalation Tasks
Often when an alert comes in, teams need to be kept in the loop. That doesn't always mean just the security team(s); sometimes the IT operations or development teams need to know, too.
Let’s say a developer just pushed code to production and a security advisory tool detected a known vulnerability. That’s something that both your DevOps and security teams need to know in order to remediate it. And this can be time sensitive. If it’s a particularly dangerous vulnerability (according to the National Vulnerability Database) you need to know that fast, so you can jump into action and remove it.
These kinds of tasks include:
- Sending an email to involved parties
- Posting a message in Slack
- Creating a ticket in JIRA
- Triggering an alert in PagerDuty
Hopping from system to system to perform these tasks manually is time-consuming, and key information can easily get lost. Instead, automate your security alerts and escalation tasks so that they feed into the tools your teams already use. This way, everyone who needs to know will see the alert the moment it comes in. This also gives your team the opportunity to discuss the alert in a single, collaborative channel so you can quickly escalate it and then delegate remediation tasks.
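The escalation flow in this section, as an added example that is not Komand's code or part of the original post: a vulnerability finding's CVSS score is mapped to a severity band (the qualitative bands NVD publishes for CVSS v3), the band decides which of email, Slack, JIRA and PagerDuty get notified, and a repeat of the same finding on the same asset is suppressed so nobody gets paged twice. The channel names, team mapping and the `CVE-PLACEHOLDER-*` identifiers are constructed; the senders record what would be sent instead of calling the real Slack, JIRA, PagerDuty or SMTP clients.

```python
"""Alert routing and escalation policy (constructed example).

severity_from_cvss() uses the NVD CVSS v3 bands. ROUTING and the channel
targets below are constructed policy values; a real deployment would load
them from configuration and swap Router._send for real integrations.
"""
from dataclasses import dataclass


def severity_from_cvss(score: float) -> str:
    """NVD qualitative severity bands for CVSS v3 base scores."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


# Constructed policy: which channels each severity band fans out to.
ROUTING = {
    "critical": ["pagerduty", "slack", "jira", "email"],
    "high": ["slack", "jira", "email"],
    "medium": ["jira"],
    "low": ["email"],
    "none": [],
}

# Constructed targets per channel.
SLACK_CHANNEL = "#security-alerts"
PAGERDUTY_SERVICE = "security-oncall"
JIRA_PROJECT_BY_TEAM = {"devops": "OPS", "platform": "PLAT"}


@dataclass(frozen=True)
class VulnFinding:
    cve_id: str      # e.g. "CVE-PLACEHOLDER-1" (placeholder, not a real CVE id)
    cvss: float
    asset: str
    owner_team: str


class Router:
    def __init__(self):
        self.sent = []        # record of every notification that would go out
        self._seen = set()    # (cve_id, asset) pairs already routed

    def _target(self, channel: str, finding: VulnFinding) -> str:
        if channel == "slack":
            return SLACK_CHANNEL
        if channel == "pagerduty":
            return PAGERDUTY_SERVICE
        if channel == "jira":
            return JIRA_PROJECT_BY_TEAM.get(finding.owner_team, "SEC")
        return f"{finding.owner_team}@example.test, security@example.test"  # constructed

    def _send(self, channel: str, finding: VulnFinding, severity: str) -> None:
        # Stand-in for the real client call; records the message instead of sending it.
        self.sent.append({
            "channel": channel,
            "to": self._target(channel, finding),
            "severity": severity,
            "summary": f"[{severity.upper()}] {finding.cve_id} on {finding.asset} "
                       f"(CVSS {finding.cvss}) owner={finding.owner_team}",
        })

    def route(self, finding: VulnFinding) -> list:
        """Notify the channels for the finding's severity; return the channels used.

        The same (CVE, asset) pair seen again returns [] so a rescan that
        re-reports a known vulnerability does not page people twice.
        """
        key = (finding.cve_id, finding.asset)
        if key in self._seen:
            return []
        self._seen.add(key)
        severity = severity_from_cvss(finding.cvss)
        channels = ROUTING[severity]
        for channel in channels:
            self._send(channel, finding, severity)
        return channels


if __name__ == "__main__":
    r = Router()
    print(r.route(VulnFinding("CVE-PLACEHOLDER-1", 9.8, "web-prod-01", "devops")))
    print(r.route(VulnFinding("CVE-PLACEHOLDER-1", 9.8, "web-prod-01", "devops")))  # suppressed
    for msg in r.sent:
        print(msg["channel"], "->", msg["to"], ":", msg["summary"])
```

Keeping the severity bands and the routing table as data rather than scattered `if` statements is what makes the policy reviewable: the team can read the one table to see who gets paged for what, and a change to "medium now also goes to Slack" is a one-line diff rather than a code change in four integrations.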
Automation as a Force Multiplier for Security Analysts
Goodbye to the days when rote tasks take hours to do, and you have to repeat the process again and again. Security orchestration and automation enables you to do your job better and faster so that you can focus on the parts of security you like most while also providing more value to your team and company.