This article originally appeared in CSO Online

Automation is everywhere in our modern, tech-first culture and continues to spread, with good reason. Cybersecurity teams see vast amounts of data and countless attempted breaches, and they are overwhelmed, largely because of two challenges: (1) effectively finding real attacks hidden among billions of daily security events, and (2) efficiently responding to those attacks in a timely manner.

These challenges are not being addressed. In most SOCs, decades-old tools do only part of the job: they are simple, rules-based systems with fundamentally limited capabilities. Even teams testing newer techniques tend to apply automation at the wrong times and in the wrong ways. The result is a rise in breaches and a large number of security analyst positions left unfilled.

More specifically, these tools lock security teams into a process that relies heavily, and unfortunately, on human bandwidth. For example:

1. SIEM systems collect security event data and generate alerts based on a fixed rule set. Rules are shallow and limited to known IOCs, so they often generate too much noise while simultaneously missing most new, unknown threats.
2. Security analysts triage alerts by investigating as many as possible and creating incidents for the ones that may need remediation, which is an unscalable process.
3. Senior security and IT operations analysts evaluate the incidents and determine the appropriate response.
4. If they have enough time, senior analysts hunt for new threats and generate new rules.

In response to these inefficiencies, it’s only natural to turn to automation as a way to improve performance. However, not all automation is created equal. There are levels of automation, ranging from cognitive at the high end to robotic process at the low end.

Cognitive vs. robotic automation

One of the most distinctive elements of advanced automation is that it is "intelligent", with key capabilities such as deep reasoning, domain knowledge encapsulation, decision making and adaptability. Harvard Business Review's categorization of the ways work can be automated applies directly to security work:

1. Robotic process automation (RPA) – the use of a machine (physical or digital) to replace a piece of repetitive work. This automation type is able to handle routine tasks that don't require decision making. Manufacturing robots, for example, know exactly where to tighten a bolt every time.
2. Cognitive automation – a machine that improves its ability to conduct a given task over time, such as virtual assistants, image recognition and self-driving cars. It is able to handle decision making and exploratory tasks when faced with situations it hasn't seen before.

These terms are consistently underused and misunderstood among today’s cybersecurity teams.

SecOps automation today

Technology layers in today’s cybersecurity chain attempt to do different actions with varying levels of automation. Specifically:

SIEMs: designed to alert on “bad” events based on rules that human analysts create and maintain. Each rule represents a single snapshot of a negative event pattern out of a potential universe of billions. Most enterprises, even after creating only a few dozen rules, are overwhelmed by alerts, most of which are false positives. The system doesn’t learn from its experience.

Alert triage automation: intended to help humans evaluate whether the torrent of alerts from SIEM systems represents real threats. Some of the tasks are routine and require only robotic automation (e.g., checking against threat intelligence systems and blacklists), but the task of determining whether an alert is a true positive requires some cognitive automation. Without machine learning-driven automation, the system must fall back on manual steps in which analysts examine the data to judge an alert's severity. With cognitive automation, more of that manual process can be automated, which is what truly automating alert triage means.

Incident response automation: constructed to automate the steps taken in response to incidents deemed to be of high severity, so human analysts don't have to do the same thing over and over. These tasks are very routine (e.g., creating new firewall rules or a new ticket in a case management system) and require only robotic process automation. These systems do not learn from their experience.

Threat hunting automation: designed to automate the much more challenging task of finding new unknown threats in the environment. This requires exploration, judgement and intuition, combined with context and history of the organization’s environment. This is clearly a task primarily suited for cognitive automation. This is the highest level of automation and requires the system to intelligently learn from the skilled security analysts driving it.

What should SecOps automation look like?

Cognitive automation is a critical component for SecOps automation to catch up to the monumental task of catching thousands of threats from billions of events. When ranking by level of required automation, the activities and automation types include:

Activity            Level    Type of automation required
Incident response   Low      Primarily robotic process automation
Alert triage        Medium   Requires cognitive automation, plus robotic
Threat hunting      High     Primarily cognitive automation

In a cognitive system, it’s critical the expertise and context of the human analyst be easily captured and used to further enhance the system. To accomplish this, all steps in the SecOps automation process need to have feedback loops built in that capture output results (in the form of ranked threats and patterns) and also input logic (in the form of a security analyst’s expert review). Building in such feedback loops will ultimately result in far less leakage from the system at each step in the process and lead to improved security overall.
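The triage pipeline described under "Alert triage automation" and the feedback loop described above, as an added example that is not part of the original article and not LogicHub's or CSO Online's code. The robotic layer does deterministic lookups (IOC blacklist, threat-intel confidence, rule severity); the cognitive layer is a small scoring model whose weights are adjusted by analyst verdicts. The IOC list, threat-intel feed, alerts and analyst verdicts are all constructed inline, and the feature set, initial weights and online logistic-regression update rule are assumptions chosen for illustration, not a description of any product.

```python
"""Alert triage: robotic enrichment plus an analyst feedback loop.

Added example, not code from the original article. All lookup data, alerts
and analyst verdicts below are constructed; the feature weights and the
update rule are illustrative assumptions.
"""
from dataclasses import dataclass, field
import math

# --- Robotic layer: lookups that need no judgement (all constructed data) ---
IOC_BLACKLIST = {"198.51.100.23", "203.0.113.77"}                 # known-bad source IPs
THREAT_INTEL = {"evil-cdn.example": 0.9, "updates.example": 0.1}  # domain -> confidence
RULE_SEVERITY = {"beacon_interval": 0.7, "mass_login_failure": 0.5, "new_admin_user": 0.8}

@dataclass
class Alert:
    id: str
    rule: str      # name of the SIEM rule that fired
    src_ip: str
    domain: str
    hour: int      # local hour at which the event fired

FEATURES = ("ioc_hit", "intel_conf", "rule_sev", "off_hours")

def enrich(alert: Alert) -> dict:
    """Robotic process automation: deterministic lookups, no decision making."""
    return {
        "ioc_hit": 1.0 if alert.src_ip in IOC_BLACKLIST else 0.0,
        "intel_conf": THREAT_INTEL.get(alert.domain, 0.0),
        "rule_sev": RULE_SEVERITY.get(alert.rule, 0.3),   # unknown rule -> low severity
        "off_hours": 1.0 if alert.hour < 6 or alert.hour > 22 else 0.0,
    }

# --- Cognitive layer: a scoring model that learns from analyst verdicts ---
@dataclass
class TriageModel:
    # Assumed starting point: every feature counts equally, bias keeps scores low.
    weights: dict = field(default_factory=lambda: {f: 1.0 for f in FEATURES})
    bias: float = -1.5
    lr: float = 0.5   # learning rate for the feedback update

    def score(self, feats: dict) -> float:
        """Probability that the alert is a true positive (logistic model)."""
        z = self.bias + sum(self.weights[f] * feats[f] for f in FEATURES)
        return 1.0 / (1.0 + math.exp(-z))

    def feedback(self, feats: dict, true_positive: bool) -> None:
        """Feedback loop: an analyst verdict nudges the weights (online logistic regression)."""
        err = (1.0 if true_positive else 0.0) - self.score(feats)
        for f in FEATURES:
            self.weights[f] += self.lr * err * feats[f]
        self.bias += self.lr * err

def triage(alerts, model):
    """Rank alerts by true-positive probability, highest first."""
    ranked = [(model.score(enrich(a)), a) for a in alerts]
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked

def run_demo():
    """Rank three constructed alerts, apply analyst verdicts, rank again."""
    alerts = [
        Alert("A1", "beacon_interval", "198.51.100.23", "evil-cdn.example", 3),
        Alert("A2", "mass_login_failure", "10.0.0.5", "updates.example", 2),
        Alert("A3", "new_admin_user", "10.0.0.9", "", 14),
    ]
    model = TriageModel()
    before = [a.id for _, a in triage(alerts, model)]
    # Constructed analyst review: the off-hours login failures are a scheduled
    # job (false positive); the new admin account is real (true positive).
    # Five review rounds are fed back into the model.
    for _ in range(5):
        model.feedback(enrich(alerts[1]), true_positive=False)
        model.feedback(enrich(alerts[2]), true_positive=True)
    after = [a.id for _, a in triage(alerts, model)]
    return before, after, model

if __name__ == "__main__":
    before, after, model = run_demo()
    print("ranking before feedback:", before)
    print("ranking after feedback: ", after)
    print("learned weights:", {k: round(v, 2) for k, v in model.weights.items()})
```

Before any feedback the off-hours login noise (A2) outranks the new admin account (A3) purely because the off-hours feature fires; after a few analyst verdicts the off_hours weight drops and A3 moves above A2, while the IOC-hit alert (A1) stays on top. The weight for ioc_hit is untouched because no reviewed alert carried that feature, which is exactly the leakage point the feedback loop is meant to close: features the analysts never review never get corrected.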

Intelligent security automation

You could achieve the very basics with a solution that only provides robotic automation. However, it will not be able to fully automate alert triage nor even begin to tackle threat hunting. An “Intelligent Security Automation” solution is one encompassing both cognitive and robotic automation, which will get you much further in your SOC automation journey.
