Views on the role of automation in security are changing. Increasingly the global organisations we support are looking beyond compliance and risk concerns to consider where automation could sit in their future security strategy.

As a complementary service to existing approaches, it has great potential to strengthen security against the challenges yet to come.

I understand that Chief Information Security Officers (CISOs) may feel cautious about this development, so I wanted to run through why I see automation as a key consideration today and something to be welcomed.

There’s no denying that the sheer volume of data a cloud-based organisation has to deal with is increasing rapidly. Data’s coming from all directions – the number of devices that are connected is spiraling upwards, and the estate is much more complex.

Forward-looking organisations are now asking themselves how much longer their Security Operations Centre (SOC) will be able to manage this data deluge – how scalable is their current approach?  In some cases, the existing security analyst teams are already struggling to prioritise threats and maintain service levels. 

Many are reaching the point where there are just too many urgent and high-priority threats for the teams to manage. Recruiting more analysts is far from easy because of the current shortage of people with the advanced cyber-skills needed to meet the complexity of threats in the cloud.

Managing the volume and complexity of threats is becoming more difficult using traditional approaches, and there’s no sign that these volumes are going to stabilise. The opposite is more likely, with increasing volumes soon swamping organisations with potentially critical incidents. 

How big will the security team need to get? Will organisations be able to employ enough analysts to cope, when suitably qualified analysts are in short supply? At what point will the blizzard of threats get so intense that analysts are overwhelmed and unable to identify real issues from the blur of data?

Up until recently, I feel organisations have held off from exploring the possibilities of automation because they’ve assumed it involves handing over control of large parts of their security operation, and they’ve been worried about the potential risks of that.

This is understandable but, again, I’d urge them to take a fresh look at what’s available. The automation concept today is very much about working with other security approaches, rather than in isolation from them. Many organisations are choosing a co-managed approach for automation, retaining control over key aspects and making sure that its contribution to security is overseen by the SOC.

What’s clear is that something has to change if organisations are to stay secure, and it makes sense to explore the possibilities of automation.

Let’s look at a typical customer situation we come across in our SOCs and consider the workloads involved. This customer has an in-house team of analysts but outsources some of their controls to our SOCs.

In one month, the customer had 63 log sources that created 11bn events. This led to 5,500 offences with a total of 279 cases coming into our SOCs. After review and prioritisation by our analysts, we passed 46 incidents back to our customer’s team of analysts – a volume of incidents that the in-house team could handle comfortably.

But how does this system cope when the volume of incidents spirals upwards? Although log sources may reduce over time as a result of consolidation, as organisations broaden out their cloud infrastructures it will become very noisy, acting as a multiplier to events. And, alongside this, cyber-threats will be increasing, too.

Looking ahead, we predict that this same customer could end up with 100bn events a month rather than the current 11bn. Managing this securely is likely to be way beyond the capabilities of even the most well-staffed in-house SOC.

With automation in place and 100bn events coming in a month, the upfront management process will stay largely unchanged, but instead of 279 cases, there’ll be more like 3,000, of which nearly 500 will be incidents requiring action. 

The automated platform will deliver all the cross-domain security analysis, decision, and dynamic remediation required, using the organisation’s context to further refine the action. In this scenario, the platform will take 400 of the incidents and use prioritisation and intelligence to automatically remediate them, leaving only 60 incidents to be prioritised and handed back to the customer’s in-house analysts.

Fortunately for most organisations the vast majority of security alerts are for incident types that can be detected and automatically mitigated by a SOC provider e.g. malware, phishing, or data exfiltration. For other more complex or sensitive types of security incident such as malicious insiders or fraud, some organisations prefer to handle these themselves rather than use automation and / or outsource to a third party SOC. 

Ideally, any solution should allow the company the opportunity to specify which type of incidents or attacks are dealt with using automation and which aren’t.

Eagle-i is our cyber security platform that combines our industry-leading threat intelligence with response automation to predict, detect and neutralise security threats. We’ve designed the platform to improve as intelligence is provided by each intervention, so that it constantly improves its threat knowledge and dynamically refines how it protects customers across a multi-vendor environment.

When a customer chooses to use a managed security service enhanced by Eagle-i, we start with a core risk assessment to understand their baseline, working with them to determine their unique security posture and risk profile.

When it comes to specific incidents, we look at the asset being attacked and use Eagle-i’s automation engine to consider if this is a known vulnerability on that asset, which might put it at risk of compromise. We then use our knowledge of the customer’s baseline and the incident to prioritise the level of attack for them. As we move to response, we have a choice of actions, depending on the priority we’ve given to the attack. If it’s just noise, we include it in the weekly report. If it’s a severe threat, we can lock down. We work with the customer to establish personalised business rules filters across different controls to suit their chosen service level.

The customer can then choose whether they want us to remediate for them, or pass the incident to their in-house analysts.

I believe automation in cyber-defence is inevitable – it’s just a question of when it’s the right time for the organisation to make the move. Our experts are on hand to help you look at your unique operating circumstances to decide when adding automation will be right for your organisation.

Find our more about cyber-threat detection and response solutions.