By: Will Ledesma, MDR Cybersecurity Director
The world of automation is fully upon us. We as humans want things faster, quicker, and cleaner, with trust in actions taken by computers. All too often, we see in the movies lighting speed actions happening in real-time. Is this real? In essence, we can see automation everywhere, from ordering food at a kiosk to robots making food and beverages. So how has automation taken a foothold in cybersecurity?
The concept of automation often bleeds into the artificial intelligence (AI) world. Where AI makes decisions based on a number of technologies and learned variables. In principle, automation also makes these same types of decisions, but it’s based on rules and patterns. Nonetheless, in cybersecurity, automation is only as smart as we make it. The cyber-world is colossal, and different teams and operations can all use automation in different ways.
This blog concentrates on automation in a Security Operation Center (SOC) and the pros and cons of automation used in cybersecurity.
How is Automation Being Used in Cybersecurity?
In cybersecurity, specifically Adlumin, automation monitors, audits, detects, responds, and/or prevents malicious activities against multiple technologies. One of the main challenges in the cybersecurity world is burnout. By using automation, a Security Operations Center (SOC) team can quickly scale up their operations. For example, automation helps reduce analyst fatigue. Plus provides the tools to quickly identify, contain, and respond to malicious activity. It streamlines mundane, labor-intensive tasks that would’ve otherwise required manual effort. Automation reduces the time for threat detection and provides response capabilities across an organization’s technology set. In addition, automation helps reduce costs associated with manual processes and investigations; by detecting and containing threats such as malware, phishing emails, and malicious code.
Now that we’ve covered its use let’s look at the pros and cons.
The Pros of Cybersecurity Automation
Simply put, as mentioned above, automation reduces the time for threat detection and containment. Furthermore, automation can pinpoint threats that the human eye may miss. Within Adlumin’s Security Operations Center’s (SOC) team, automation is used by taking the mindset of a Tier 3 (expert SOC analyst) and scaling that into playbooks to where automation is then inserted to make machine time-to-machine time decisions. This way, an attack can be stopped in machine time, thus denying a threat of further spreading.
Use Case: Automation Block Ingested into Next-Generation Firewall Systems
For this use case, we will examine an automation playbook that is being utilized to create IP blocklists for next-generation firewall systems (NGFW). In the past, SOCs had to have subject matter experts (SME) that knew a slew of technologies. Using automation, we have removed the need for a dedicated SME that knows how to create network objects, apply that to a network policy, ensure that it has been set to memory, and, most importantly, we have reduced the risk surface area. No longer must a company open additional vectors into its network for SOC SMEs. In addition, a customer drops the risk of worrying about the account management headache that comes with having to give credentials to outside-the-organization users or even depending on a third-party company that requires change request nightmares. Adlumin’s automation can implement a blocklist inseconds versus minutes, hours, or even days.
In addition to automation serving as an additional defender alongside cyber defense warriors, it also helps reduce mean time to remediation (MTTR), thus reducing service level agreements (SLA). Automation will also grab key intel artifacts and inject those in machine time into Adlumin for an analyst to utilize on a single pane of glass. Thus, reducing time to clicks instead of needing to go to additional outside sources.
The Cons of Cybersecurity Automation
The cons of cybersecurity automation are that threat actors are now also using automation within their attack playbooks. The playing field has been reduced in terms of expertise from attackers. Now a team can have one lead that creates and distributes a malicious weapon set to where other attackers can point and click on what they want to attack. Even here at Adlumin, our red teams are using automation in their attacks to brute force their way into systems.
Due to attacks now moving at lightning speeds, defenses must be able to keep up, and automation clearly is the key. For those possibly thinking otherwise, consider this, a leader approaches you and states, “Why am I going to invest in an employee if they’re just going to leave,” where a great response would be, “But what if we don’t invest in them and they never leave?” The same is true for automation in the world of cybersecurity.
Illuminate Threats and Eliminate Risks
Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.