May 24, 2019 / by J Burks / In threat-intelligence /

Tips for Getting Started With Security Automation

Security automation can seem like a daunting, complicated subject. With so many things you can automate and tools to automate them with, you might have a hard time figuring out where to start, or if security automation is even right for you. In this article, we’ll share a few tips to help you get started.

Before you start

If you’re thinking about introducing security automation into your environment, take some time to ask yourself a few questions. Your answers to these questions can serve as a foundation for your first steps.

  • What simple tasks can I automate easily? You don’t have to start by hand-coding complex scripts that are hundreds of lines long. Simple tasks, like checking for an IP address in lists of known malicious IPs, are easy to automate right away.
  • What repetitive tasks could be handled without human intervention? Look for time-consuming workflows in your environment where many (or all) of the steps involved are performed the same way each time. It’s fine to not automate the entire workflow if a human still needs to make a decision at some point. Automating any portion of a process can still save lots of time and effort.
  • How can I evaluate the results of automation? Before you automate anything, think about how you can measure the results. This way, you’ll be able to see how effective your implementation is (or isn’t), and you’ll have an idea of what works well and what doesn’t. For example, you can measure the mean time to resolution — the average amount of time that passes from when an incident is detected until it is resolved. This is a common metric in SOCs, and it’s often abbreviated to MTTR.

Start with deployment

When you think about cybersecurity automation, infrastructure and deployments may not be the first things that come to mind. However, by automating deployments, you can save yourself from a lot of costly, drawn-out headaches down the road.

From a security standpoint, deployment automation is a proactive measure; i.e., one you take to prevent attacks from succeeding in the first place. (Measures you take in response to an attack that has already occurred are called reactive instead.) Automation brings uniformity to your infrastructure. When all your servers are configured to the same standard, there are no inconsistencies to worry about. Without having to look, you know that if one server is up to date, so are the rest. If a critical vulnerability is discovered in the software running on your servers, patching it on all your servers is as easy as patching it on one server.

Start sooner, not later

The earlier you begin incorporating security automation tools into your environment, the easier the process will be. Organizations that have been around for some time often end up with IT environments that have almost as many custom configurations as they have devices — and when they finally decide they’re ready for information security automation, straightening out the mess they’ve created proves to be an expensive, time-consuming undertaking. Fortunately, it’s easy to avoid this pitfall by building your environment with automation in mind. Investing in automation early on also makes it easy for you to future-proof your environment. Once you have your security automation tools up and running, adding new software and hardware to your organization is simple.

Take advantage of out-of-the-box integration

Many security automation companies offer solutions that come ready for integration with third-party services and tools you’re already familiar with. Security automation and orchestration tools can fetch information from threat intelligence providers and apply it in various ways. For example, you can have your firewall rules automatically updated from a feed of known malicious IP addresses.
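As an added illustration (not code from the original article or from any vendor), the sketch below covers both the IP lookup mentioned under "Before you start" and the feed-driven firewall update described above: it parses a feed, holds back entries that overlap ranges you must never block, and checks single addresses against the result. The feed format, the sample entries and the `NEVER_BLOCK` ranges are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample feed: one IP or CIDR per line, '#' comments, one malformed entry.
SAMPLE_FEED = """\
# constructed example feed (documentation address ranges)
203.0.113.7
198.51.100.0/24
10.0.5.0/24        # would cut off an internal network if applied blindly
not-an-ip
2001:db8::/32
"""

# Assumption: ranges the organization must never block (own networks, partners).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]


def parse_feed(text):
    """Return (networks, rejected_entries) from a one-entry-per-line feed."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)  # never pass malformed input to a firewall
    return networks, rejected


def build_blocklist(networks, never_block=NEVER_BLOCK):
    """Split feed entries into ones safe to block and ones held for human review."""
    block, held = [], []
    for net in networks:
        conflict = any(net.version == safe.version and net.overlaps(safe)
                       for safe in never_block)
        (held if conflict else block).append(net)
    return block, held


def is_listed(ip, block):
    """True if one address (for example from a log line) is in a blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in block)


if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_FEED)
    block, held = build_blocklist(nets)
    print("block:", block, "held for review:", held, "rejected:", bad)
```

The held and rejected lists are the part worth alerting on: a feed that suddenly contains your own address space or unparseable lines is a sign the feed itself needs attention.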

Know what not to automate

Not everything can or should be automated. Trying to automate responses to everything can lead to more wasted time, rather than less. Consider, for instance, how you could use automation to handle phishing emails and other social engineering attacks. If you have these emails automatically deleted, legitimate messages may also be deleted if they appear suspicious to the software. Instead, you can automatically flag the messages to be reviewed by a human.
