Identifying and Implementing Security Automation Applications: A Guide
In the ever-evolving landscape of cybersecurity, automation has become a critical tool for enhancing security measures and optimising resources. One such expert in the field is Kevin Schmidt, a director analyst at Gartner, who supports the GTP Secure Infrastructure team in security operations and researches AI usage in security operations.
To effectively implement security automation, a four-phase approach is recommended. This methodology, which aligns with the "crawl-walk-run" methodology, ensures a gradual, measured implementation and ongoing optimization.
Phase 1: Prework
The prework phase involves gathering automation requirements, conducting a needs assessment in operations, identifying candidates for automation, analysing possible gains, identifying success metrics, and ranking candidates based on a scoring methodology. This phase sets the foundation for the subsequent phases.
Identifying Candidates for Automation
During this phase, it's crucial to record the actual work to be done on each tool at the lowest level and estimate the average time required for each task. This process helps in identifying the top 5-10 candidates for automation.
Phase 2: Use Case Selection
In this phase, security leaders select use cases based on gains analysis, focusing on heavy-hitter tasks that will help them reach their automation goals. The gains analysis should yield the success metrics, which can be used to validate the effort required to develop the automation.
Prioritizing Automation
To calculate the total time savings for all tasks and create a prioritized list of the activities for which automation delivers the greatest benefit, the gains analysis steps include determining a top automation candidate by ordering the list by total time taken or frequency. Performing a thorough analysis for only the top candidate is necessary due to its time-consuming nature.
Phase 3: Control Implementation
The control implementation phase involves deploying the appropriate security tools and automated workflows aligned with the assessment and policies created. It's important to start with foundational or less complex tasks and gradually expand to more complex automation to avoid overwhelming teams.
Ensuring Effective Implementation
During this phase, it's essential to provide adequate training to security teams on managing and optimizing these automation tools to avoid underperformance. Additionally, the upkeep of custom playbooks is an in-house responsibility, and during the development process, document any dependencies in the playbooks.
Phase 4: Continuous Monitoring and Improvement
The final phase involves continuously monitoring automated systems for effectiveness, identifying gaps and areas for enhancement, and using insights from monitoring to refine workflows, update policies, and advance automation maturity.
Maintaining Visibility and Optimization
Ensuring that visibility into automated processes remains strong is crucial to detect misuse, gaps, or emerging threats promptly. This phase emphasizes the importance of ongoing optimization to ensure that the implemented automations continue to provide the intended benefits.
This phased approach allows organisations to carefully select and prioritise automation use cases that provide the most significant security benefit without overwhelming resources or introducing new risks. By following this methodology, security leaders can identify security automations that can save time, provide better predictability with respect to response, speed time to response/containment, and act as a force multiplier for the staff that is already in place.
[1][4] References omitted for brevity.
In the context of data-and-cloud-computing, it's crucial to prioritize data privacy during the prework phase of security automation, while being mindful of potential data breaches that could compromise this privacy.
Effective use of security automation requires careful consideration of security operations, as the control implementation phase entails deploying automated workflows that adhere to established policies to ensure cybersecurity.
Continuous monitoring and improvement in the final phase of the three-step approach to security automation can help organizations maintain visibility over their systems, optimizing operations for enhanced cybersecurity and data protection.
