Security automation refers to technologies that reduce the need for human intervention in security operations. In a simple example, software might be configured to automatically update firewall rules every hour using a feed of known malicious IP addresses. In a more complex setup, software can use a set of rules (known as a playbook) to automatically investigate the most common security alerts in a given environment. If predefined conditions are met, the software may even respond to the alert on its own, such as by isolating a machine from the network until an analyst has time to look at it.
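A minimal playbook runner of the kind described above, added here as an illustration rather than taken from any product: it checks each alert against a threat feed and a severity threshold, isolates the host only when both predefined conditions hold, and otherwise blocks the indicator or escalates to an analyst. The feed entries, alert fields, action names and threshold are all constructed for the example.

```python
from dataclasses import dataclass, field
import ipaddress

# Constructed threat feed: the kind of list the text says can refresh firewall rules.
BLOCKLIST_FEED = ["203.0.113.0/24", "198.51.100.7"]

@dataclass
class Alert:
    alert_id: str
    host: str
    remote_ip: str
    severity: int  # 1 (low) .. 4 (critical)

@dataclass
class Decision:
    alert_id: str
    action: str             # "isolate_host", "block_ip" or "escalate"
    reasons: list = field(default_factory=list)  # audit trail for the analyst

def build_blocklist(feed):
    return [ipaddress.ip_network(e, strict=False) for e in feed]

def ip_in_blocklist(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def run_playbook(alerts, feed, isolate_threshold=3):
    """Apply the playbook rules to each alert and return the decisions taken."""
    networks = build_blocklist(feed)
    decisions = []
    for a in alerts:
        known_bad = ip_in_blocklist(a.remote_ip, networks)
        reasons = [f"remote_ip in feed: {known_bad}", f"severity={a.severity}"]
        if known_bad and a.severity >= isolate_threshold:
            action = "isolate_host"   # predefined conditions met: respond automatically
        elif known_bad:
            action = "block_ip"       # contain the indicator, but keep the host online
        else:
            action = "escalate"       # nothing conclusive: hand to an analyst
        decisions.append(Decision(a.alert_id, action, reasons))
    return decisions

# Constructed alerts covering each branch of the playbook.
ALERTS = [Alert("A1", "ws-01", "203.0.113.45", 4),
          Alert("A2", "ws-02", "198.51.100.7", 1),
          Alert("A3", "ws-03", "192.0.2.10", 4)]

if __name__ == "__main__":
    for d in run_playbook(ALERTS, BLOCKLIST_FEED):
        print(d.alert_id, d.action, "; ".join(d.reasons))
```

The recorded reasons are what an analyst later reviews, so the automated isolation stays explainable and the threshold can be tuned per environment.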
Security automation is particularly useful in today’s high-volume security operations centers (SOCs), where alerts are often generated more rapidly than analysts can respond to them. Implementing automation in such an environment can significantly reduce the burden on analysts, giving them more time to focus their attention where it is genuinely needed.