IT security automation: 3 ways to get started
“Automating threat detection and response is a top priority for most enterprises – but many lack the foundation of people, process, and technology to execute on it effectively,” says Joe Partlow, CTO at ReliaQuest. “We often hear from enterprises that they’ve invested more in enabling and maintaining automation than they’ve seen in increased efficiencies as a result of it.”
That kind of defeats the point. Moreover, there’s added pressure right now on IT leaders to fortify their security posture for the remote workforce – a paradigm that’s likely to remain at least partially in place for many companies for the foreseeable future.
“The rapid shift to remote work models, especially now, is raising the stakes on the complexity of attack surfaces and therefore adoption of automation to maintain visibility and control over a growing number of endpoints and a new normal of network behaviors,” Partlow says.
That’s a point of friction: IT and security teams need automation more than ever to keep up with emerging risks and vulnerabilities, but the path toward that goal is not always well-lit. Where do you get started, especially if you’re mired in a maze of manual processes and tools today? And how do you avoid the scenario Partlow describes, whereby greater security automation actually increases your operational overhead?
How to start IT security automation sensibly
We asked Partlow and other security leaders for their advice. Here’s how they recommend IT leaders and their teams begin automating more of their security work in a sensible fashion.
1. Categorize and prioritize security tasks and processes
You’ve probably heard plenty of automation pitches that promise to make security automation “easy.” In reality, says Laurence Pitt, global security strategy director at Juniper Networks, there’s not much that’s inherently easy about it. Rather, you’ll need to simplify things for yourself and your team by categorizing and prioritizing candidates in a manner that makes automating them actually achievable.
“The best way to work through this – and be successful – is to start at the bottom and work up,” Pitt says. “Begin with tasks a security engineer repeats daily and look to automate those that can reduce the risk of an overlooked alert, plus reduce workload.”
Jerry Gamblin, principal security engineer at Kenna Security, offers a framework for applying this kind of thinking to your own organization and environments: “The first step in any automation is to understand what tasks your teams complete on a daily basis.”
Once you’ve worked with your team to build that list, Gamblin says, it’s time to organize it into four categories:
- This task is simple and takes very little time to complete.
- This task is complicated and takes very little time to complete.
- This task is simple and takes a long time to complete.
- This task is complicated and takes a long time to complete.
Now you’ve got a basis for automating security chores in a manner that will produce results without becoming overly daunting, especially in the early phases.
“In the beginning, and for the biggest impact, you want to ignore any tasks your team has flagged as either ‘this task is complicated and takes very little time to complete’ or ‘this task is simple and takes a long time to complete,’” Gamblin advises. “Come back to them at another time.”
Instead, start with something in the “this task is simple and takes very little time to complete” bucket.
“An example of this would be to build a simple Slack bot to send alerts [upon] completion of your vulnerability scans every day instead of having someone log in to manually check,” Gamblin says.
Once you’ve earned an “easy” win, tackle a more complicated, time-consuming task – one that will probably require a non-trivial amount of time on the part of an analyst or engineer.
“This task could often be something like preparing a report of statistics for leadership from a variety of different APIs and tools,” Gamblin says. Don’t get discouraged if it takes some extra effort. “Automating tasks in this category often takes a very long time and seems to ‘take more time than it is worth,’ but usually ends up making the biggest differences for teams in the long run.”
Then, Gamblin recommends alternating between “simple/short” and “complicated/long” tasks to build both short-term momentum and significant long-term results.
Let’s look at two more important steps to take:
2. Take a risk-based approach
Partlow suggests a separate but similar way of prioritizing your security automation strategy: Base it on your company’s risk profile, prioritizing automation that will best serve business continuity and consistency in uncertain times. This may be of particular interest if your automation goals are connected to the shift to remote work or recent changes to your business model as a result of the COVID-19 pandemic.
“As the economy has shifted to a largely online dependency over the past months, enterprises across varying industries must reevaluate their security priorities to align with new strategies to generate revenue,” Partlow says. “To decide where to focus automation efforts, start by working with executive peers and stakeholders to detail how your business priorities have changed, as well as changes to where your sensitive data lives. From there, you can determine the greatest risks to the evolved business.”
This could mean, for example, focusing part of your automation effort on refurbishing an ancient pillar of IT security: endpoint protection.
“Automation can then be used to push out patches and updates on your endpoints, saving time and energy from doing these processes manually and improving consistency,” Partlow says.
One pandemic-related reason that this is a good early area of automation focus: Many of your endpoints have quickly and literally left the premises after the rapid shift to working from home in many corporations, as SAS CISO Brian Wilson told us recently. That means not just laptops but even desktops and other hardware.
3. Next step: Automate enforcement, too
In the earliest phases of a security automation project, teams will likely focus on areas like monitoring. That’s a fine starting point (see #1 on this list), but you should plan to expand from there to achieve a greater impact.
“When many organizations start to look at automation, it’s for anomaly detection and to spot intruders on the network. This is a great start, but not enough,” Pitt says. “They should also be looking at automatic enforcement since this will help reduce the workload on the security team.”
This category includes the myriad follow-up and remediation actions necessary after an alert or potential incident. Automating some of these tasks or processes not only reduces the burden on your security analysts and engineers but also saves valuable time in the event of an actual breach.
Pitt shares three examples of automation candidates in this category:
- Blocking/quarantining users and devices: “Automation can do this many times faster than an engineer,” Pitt says. “Remember that some things that require blocking will be devices, not users. Therefore, should something suspicious be detected, you need it gone in an instant.”
- SIEM escalations: “Many incidents are actually a number of different actions that only become an issue when they join together under certain circumstances,” Pitt says. “Security information and event management (SIEM) is powerful at joining actions together, and with a well-defined set of rules can also perform automatic intelligence and remediation tasks before needing to involve an engineer.”
- Task routing: “Often when something bad happens, the time it takes to reach an engineer can cause even more damage,” Pitt says. “Using automated routing of task-based actions to an engineer can speed this process up and get to a more successful mitigation.”
Partlow is also seeing growing interest in automating key response and remediation tasks, to help boost security while reducing the manual effort required of people and teams.
“We see a lot of automation around the incident response process, with plays such as isolating hosts from the network, banning file hashes, removing files, blocking phishing senders/attachments, adding users to blocklists, etc., in addition to operational tasks like patches and updates,” Partlow says.
Again, the theme across these examples is automating security tasks in a way that actually improves the speed and strength of your security response, without crushing teams under the weight of unrelenting work to keep up.
“These few tasks can significantly reduce the amount of manual work required from an engineer, while at the same time speeding up detection and enforcement actions against anomalies on the network,” Pitt says.
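The three enforcement candidates above (SIEM-style correlation of individually harmless events, automatic quarantine of a device, and routing the resulting task to an engineer) fit together in a small playbook. The following is an added illustration, not code from the article or from the vendors quoted; the event format, the correlation rule, the five-minute window and the action names are all hypothetical, and the sample log lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as JSON lines (not real telemetry).
SAMPLE_EVENTS = """
{"ts": "2024-05-01T09:00:05Z", "host": "wks-042", "user": "alice", "type": "auth_fail"}
{"ts": "2024-05-01T09:00:09Z", "host": "wks-042", "user": "alice", "type": "auth_fail"}
{"ts": "2024-05-01T09:00:14Z", "host": "wks-042", "user": "alice", "type": "auth_fail"}
{"ts": "2024-05-01T09:00:20Z", "host": "wks-042", "user": "alice", "type": "auth_success"}
{"ts": "2024-05-01T09:01:30Z", "host": "wks-042", "user": "alice", "type": "new_admin_tool"}
{"ts": "2024-05-01T09:10:00Z", "host": "wks-007", "user": "bob", "type": "auth_fail"}
{"ts": "2024-05-01T09:40:00Z", "host": "wks-007", "user": "bob", "type": "auth_success"}
"""
WINDOW = timedelta(minutes=5)  # every step of the rule must land inside this span
# Hypothetical rule: repeated failures, then a success, then admin tooling on one host.
RULE = ["auth_fail", "auth_fail", "auth_fail", "auth_success", "new_admin_tool"]

def parse(lines):
    events = [json.loads(line) for line in lines.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def correlate(events):
    """One incident per host whose events contain RULE, in order, within WINDOW."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            k = 0  # index of the next rule step still to be matched
            for e in evs[i:]:
                if e["ts"] - first["ts"] > WINDOW or k == len(RULE):
                    break
                if e["type"] == RULE[k]:
                    k += 1
            if k == len(RULE):
                incidents.append({"host": host, "user": first["user"], "start": first["ts"]})
                break  # benign-looking events only escalate once they join together
    return incidents

def playbook(incident):
    """Enforcement first (machine speed), then route the ticket to a human."""
    return {"actions": [f"quarantine_device:{incident['host']}",
                        f"revoke_sessions:{incident['user']}"],
            "route_to": "ir-oncall",
            "summary": f"{incident['host']}: brute force then admin tooling by {incident['user']}"}

def respond(lines=SAMPLE_EVENTS):
    return [playbook(i) for i in correlate(parse(lines))]
```

Only wks-042 produces an incident: wks-007 shows a single failure and a success half an hour apart, so the pieces never join within the window and no engineer is paged.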