Is security automation the solution for overworked cyber-security staff?

Paul Cash discusses the use of automation technologies to improve security processes

Contributed by Paul Cash, managing partner, Fruition Partners UK

Security Operations Centres (SOCs) continue to be under significant pressure to respond to, manage and assure security. The Ponemon Institute finds it takes enterprises an average of 206 days to spot a breach and a further 69 days to contain it. The speed with which an organisation can identify and contain a data breach strongly correlates with its financial impact, which is significant: the average total cost of a data breach increased 23 percent over the past two years to US$3.79 million (£2.9 million).

Cloud sprawl escalates risk

These escalating costs are set against a backdrop of the growth of the cloud and the resulting increased security risks. Recent independent research into the impact of public cloud services found that over 85 percent of CIOs believe the proliferation of public cloud services is reducing the control their organisation has over the IT services it uses. Cloud sprawl is a particular problem; 80 percent of CIOs think the widespread use of cloud services not sanctioned by IT, and not governed by IT Service Management (ITSM) processes, is creating longer-term security risks.

Overreliance on manual remediation continues

As threats and their impact continue to escalate, businesses are struggling to cope, particularly as staffing and skills shortages can make it difficult to find and retain security staff. As a result, many SOCs are exploring how automation can help them manage the workload and, equally importantly, deliver a better service. Automation is becoming more widespread but, while there are several tools and systems that provide automated incident visibility, few of them extend to the effective management of response and remediation.

In fact, incident response and remediation processes are typically manual, involving a variety of handoffs, systems, information sources and stakeholders. They generally do not provide a ‘closed loop’ solution: a vulnerability is reported and a fix is assumed, but nothing tracks it through to verified remediation, so the risk persists. Further, reliance on tools such as emails, spreadsheets, phone calls, meetings and text messages makes it difficult to analyse how processes are performing, where the bottlenecks are, and how to improve them. The number one issue cited in recent research was a lack of coordination between security and IT teams, while nine out of 10 respondents said that their incident response effectiveness and efficiency is limited by the burden of manual processes.

Service management technology integrates security

The good news, of which many SOCs are unaware, is that they can often use their organisation's existing service management technology to improve automation and process management across security operations. Benefits of this approach include: 

  • Providing a single platform for managing security incidents and vulnerabilities: Modern service management software offers workflow, automation, orchestration and systems management capabilities. These platforms enable teams to manage the process of responding to and remediating incidents, and remove manual processes that slow security incident resolution times.
  • Prioritising security risks with business criticality: Users can attach incidents to records, pairing security data with insight into the virtual or physical asset at risk, and the business service that asset supports. By doing this, a SOC can see, for instance, that the server being attacked contains sensitive HR data and should be prioritised accordingly.
  • Automating manual functions frees SOCs to address critical issues: Through service management platforms, SOC teams can trigger automatic patching and configuration changes to security infrastructure, or other standard workflows, to contain and fix security incidents and vulnerabilities. Automatic post‑incident reports crucial to the auditing process can be generated – eliminating the tedious manual process many organisations complete.
  • Gaining greater visibility into current security issues by category, class and priority, and status of tasks: Through the use of dashboards that service management solutions typically have, SOCs can access real‑time trending data that helps them understand their effectiveness in securing their enterprise.

To increase the value of security products that organisations have already deployed, these platforms can also integrate with third‑party software, including security information and event management (SIEM) systems and vulnerability scanners, so that alerts and findings arrive as tracked records rather than emails.

Addressing the wider context

In addition to automating threat detection and remediation, extending ITSM technology to security operations also ensures that consistent security standards are applied to processes carried out across the business. For example, when onboarding a new employee, automation can provision the initial credentials and enrol and authenticate a new mobile device or account, so that the approved security controls are applied from the outset rather than left to whoever handles the request. In the age of BYOD and ‘shadow IT’, this will increase in importance and value to businesses, as well as facilitating closer integration between security teams and other functions. Finally, automating the detection and remediation of security issues frees security teams to focus on mission-critical activities and improved collaboration.
