In a survey conducted by the Ponemon Institute and Domain Tools, 51% of respondents said they believe that automation will cut headcount in the security department (up from 30% in the previous survey). I had to read it twice before it sunk in, so go ahead and do that. Fifty. One. Percent.
Now, I cannot claim that this is wrong. After all, this is a sentiment-style poll question. What I can say is that the belief is misguided, and surely a holdover from the first industrial revolution.
If you are an executive or someone who is deciding to replace people in your security department with automation, please stop and reconsider. Is there really a shortage of work in the security department that replacing a handful of processes with automation would leave nothing for the humans to do? Even the most mature security programs have a backlog of work that can keep an employee busy for years.
If you are an individual contributor worried that automation is going to replace what you do, well, you’re right. Great security automation tools do everything they can to automate the mundane tasks they have to repeat 100 times a day. After all, the tools you use today once replaced some mundane task you had to perform.
I am having a hard time reconciling the results of the Ponemon report with the fact that our future in infosec depends on automation. What I do know is that I have 51% of you that I need to reach.
Why automate in the first place?
Automation solutions are vital because most of the outcomes we are trying to achieve in our security programs are time-based. No one ever wants things to take longer, so these outcomes are about achieving efficiencies through time reduction (and thus cost reduction).
Here are a few example outcomes that business and security leaders want to achieve:
- Minimize the time it takes to respond to a critical situation
- Minimize the time it takes to remediate vulnerabilities, both manually and in an automated way
- Minimize the time it takes to validate an alert
- Minimize the time you spend managing incidents
These outcomes are taken from some work that Rapid7 recently completed with our customers. The goal of the exercise was to use our UX research experts to work with our customers and identify outcomes they were trying to achieve in their jobs.
According to Rapid7’s most recent Threat Report, over 80% of the tasks organizations must perform after a breach require low-level effort but are high-priority. Some examples include:
- Change passwords, lock account, or remove account
- Block IP, domain, hash, or email
- Terminate a malicious process
Business leaders value time savings, while security analysts are growing frustrated and disgruntled due to the volume of repetitive tasks they perform on a daily basis. The tasks we need to perform when time is the most critical are extremely time-intensive.
If that doesn’t scream “automation!” as the answer to these problems, I have one more for you: Attackers are automating everything. I cannot tell you how many a.bat and a.sh files we’ve recovered during investigations (scripts that run commands in a sequence—automation). These did the hard work of collecting and sorting information before sending the results to the attacker. This doesn’t even consider the substantial automation that attackers use to collect information about their targets (both organizations and people).
Automation with Rapid7’s InsightConnect
I hope that I have you sold on the value of automation, but I may not have yet convinced you that our future depends on it. So, I reached out to my friends on the InsightConnect team, and they provided me with some data. First, the Security Orchestration and Automation (SOAR) Playbook offers seven workflows as a “starter guide” for getting value from your SOAR solution:
- Phishing investigations
- Provisioning and deprovisioning users
- Malware containment
- Alert enrichment
- Distributed alerting (in chat)
- Threat hunting
- Patching and remediation (note that this one is very complicated due to the existing patching processes depending heavily on human checks at various stages. While it is technically possible to automate end-to-end, most organizations opt for partial automation support).
So, right out of the box with some work from your team, you’ve knocked two of the most recommended actions from Rapid7’s MDR team from minutes, hours, or even days to a matter of seconds to run an automated workflow.
Digging just a bit more in the data from the InsightConnect team, we see the following plugins used in the top 10:
- Microsoft SCCM and IBM BigFix to automate patching. (Again, with the same caveats as mentioned above.)
- VirusTotal and urlscan to add context to alerts so that analysts can validate them faster.
- ServiceNow to engage existing workflows on supporting teams (like IT)
- Proofpoint and PaloAlto for active defense for URLs and IP addresses
- Active Directory/LDAP to remediate user accounts
So right out of the box, with some work, automation tools like InsightConnect have done the following:
- Reduced the time it takes to remediate an attack on your organization
- Ensured you have the capabilities to quickly implement the top recommendations from Rapid7's MDR team
- Reduced your attack surface by quickly and efficiently remediating parts of your vulnerability management process
- Connected your different security tools so that they can run together (the same workflow can block an IP in Proofpoint and PaloAlto)
- Made your analysts happy by giving them more context on the threats they investigate
- Created a source of metrics for how often you are performing certain actions
- Given yourself a full toolbox of automation capabilities to further speed up existing processes
With this newfound time, your threat analysts can start being proactive about identifying areas where security can be improved. They can interact with the rest of the teams in the organization and provide user education—the No. 1 recommended proactive measure given to Rapid7 MDR customers. They can get training so that they stay abreast of the latest changes in the threat landscape. The possibilities are really endless because employees with more time on their hands will spend more time making themselves more valuable to the organization than they are today.