Security Automation - Opportunities and Risks

by Tomaso Vasella

Key Points

This is How You Automate Your Security

  • Ultimately, no company will be able to avoid automating cybersecurity processes
  • Deciding when, where, and how to automate is usually a challenge
  • The main goal of security automation is a reduction of manual effort and an increase in the speed of processes
  • The main goal of security orchestration is an increased effectiveness and value through integration

The much-quoted shortage of skilled IT professionals particularly affects those areas that require specialized knowledge and broad experience. Hence cybersecurity is one of the fields most affected by this scarcity – a situation that will only get worse in the future. In other words, the challenges in cybersecurity are growing faster than companies are able to meet them. Attempting to compensate for the lack of manpower and the constraints of limited resources by technical means is therefore an obvious option.

In terms of market development, the field of security automation is in a relatively early phase in which mostly larger organizations recognize the opportunities offered by security automation and drive corresponding projects forward. Larger companies have larger and more complex IT infrastructures and as a result face a greater number of threats and associated risks. More risks mean an increased demand for resources, but often these resources are not sufficiently available. Herein probably lies the greatest potential for security automation, and it is not surprising that the focus on security automation generally increases with the size of an organization.

Security Automation and Orchestration

The number and the power of cyberattacks are continuously increasing while digitalization progresses quickly and the world around us is shaped by ever-increasing technical complexity. It is safe to assume that ultimately, no organization will be able to avoid automating its cyber security processes.

The term Security Orchestration, Automation and Response (SOAR) was coined by a well-known market research firm and in the broadest sense refers to the interaction and cooperation of individual (technical) security components to handle security processes automatically. In contrast to other cyber security topics, security automation is often already understood as relevant or even necessary today. However, deciding when, where and how to automate is often a considerable challenge. The two topics automation and orchestration are closely related and are sometimes used interchangeably. Closer inspection, however, reveals important differences that must be considered in practical implementations.

Security Automation

Security automation refers to the automatic execution of security-relevant tasks and procedures. Tasks are executed without human intervention, frequently in the area of security operations, i.e. the daily, regular security tasks of an organization. The term security automation is often used in the context of automated detection, analysis, and response concerning security-related events or incidents. This can range from relatively simple tasks such as automatic vulnerability scans or the simple correlation of individual log information to complex, technically advanced applications such as the automatic detection of security incidents.

The main goal of security automation is the reduction of manual effort and the acceleration of processes.

Security Orchestration

A modern SOC uses a multitude of applications and tools, but more often than not they are integrated only to a small degree, leading to complex and manual processes. Without proper integration and concerted use of tools and information sources, valuable resources are wasted and the extraction of usable information from existing data is unnecessarily difficult. Typical applications of security orchestration are therefore the enrichment of data with contextual information, incident response playbooks, and the adoption of zero trust architecture models.

The main goal of security orchestration is to _increase effectiveness and value_ through the clever combination and interaction of security components and technologies.

Practical Applications

In the context of cyber security operations, time to detection and time to response are two very important parameters. They denote the time that elapses between the occurrence of a cyber security incident and its discovery, and between its discovery and the reaction to it. These two time spans largely determine how much damage a security incident can cause and at the same time strongly depend on the available resources and skills. Their reduction is therefore often the focus of automation projects.

The following challenges offer promising starting points for security automation efforts and at the same time are good indicators that more automation and orchestration would probably be quite beneficial:

Many security operations tasks are prone to human error. Compared to machines, humans are relatively good at analyzing situations and problems, but they often fail to correctly process large amounts of data and to make quick and accurate decisions based on such analysis. This is particularly relevant in the context of separate, non-integrated security systems that security experts must operate individually to discover and analyze relevant events.

Considering this, the challenges mentioned above are typically addressed with automation efforts in the following areas:

Challenges and risks

Skills shortage

Many environments suffer from a lack of IT security skills. It is therefore natural to consider security automation in this context as well. However, the perception that missing competences can be completely compensated for by means of automation is a mistake in most cases. First, the design and implementation of automation solutions themselves require competences, and secondly, it is rarely possible to make up for missing quality with quantity. In other words, a lack of resources can be mitigated with automation, but a lack of know-how only to a small degree. Nevertheless, automating repetitive, tedious work is a great way to free scarce resources for more important and demanding problems. It is always a good idea to assign interesting and challenging work to experienced professionals and not to occupy them too much with boring and repetitive tasks.

Risks and side effects

The benefits and opportunities of security automation must be weighed against the potential risks and disadvantages. Although automated processes can handle the defined tasks without manual interaction, they are usually unable to handle unexpected situations. For example, automated patching can save time and effort but carries the risk of undesired side effects, incompatibilities and even service failures.

Automating processes requires that the tools used for automation have the necessary rights and permissions in the involved systems, applications and services. The amount of required rights grows with the complexity of the automation, the number of automated steps and the number of involved systems. Consequently, this carries its own risks and potential for abuse, and it must be ensured that the automation does not create more problems than it solves. Decisions about the scope and application of security automation must therefore follow a risk-based approach.
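The orchestration use cases named earlier (enrichment with contextual information, incident response playbooks) and the two risks just described (automation cannot handle unexpected situations; automation tooling accumulates rights) can be illustrated in one small playbook. The following Python is an added example written for this page, not code from the article or from any SOAR product. The asset inventory, the authorized scanner address, the alert fields (`alert_type`, `host_ip`, `peer_ip`) and the action names are all constructed assumptions. The playbook enriches a raw alert with ownership and criticality, applies a few explicit decision rules, and treats everything it does not explicitly cover, including malformed input, unknown hosts and internal errors, as an escalation to a human. Its own permissions are an explicit allowlist of actions: by default it may open tickets and close false positives, but containment stays with an analyst unless the allowlist is deliberately widened.

```python
"""Alert-enrichment playbook with guardrails (added example, not from the article)."""
from dataclasses import dataclass, field

# Constructed context sources standing in for a CMDB export and a list of
# authorized internal scanners. Hypothetical values, not from the article.
ASSET_INVENTORY = {
    "10.0.1.15": {"hostname": "web-01", "owner": "platform", "criticality": "high"},
    "10.0.2.40": {"hostname": "dev-box-7", "owner": "qa", "criticality": "low"},
}
AUTHORIZED_SCANNERS = {"10.0.9.9"}

# Least privilege for the automation itself: on its own, the playbook may only
# open tickets or close alerts. Containment ("isolate") is not granted by default.
DEFAULT_PERMITTED_ACTIONS = frozenset({"ticket", "ignore"})


@dataclass
class Decision:
    action: str            # "isolate", "ticket", "ignore" or "escalate"
    reason: str
    context: dict = field(default_factory=dict)


def enrich(alert: dict) -> dict:
    """Add asset ownership/criticality and a scanner flag to a raw alert."""
    ctx = dict(alert)
    ctx["asset"] = ASSET_INVENTORY.get(alert.get("host_ip"))
    ctx["peer_is_authorized_scanner"] = alert.get("peer_ip") in AUTHORIZED_SCANNERS
    return ctx


def decide(ctx: dict) -> Decision:
    """Apply the playbook; anything not explicitly covered goes to a human."""
    missing = {"alert_type", "host_ip", "peer_ip"} - set(ctx)
    if missing:
        return Decision("escalate", f"malformed alert, missing {sorted(missing)}")
    asset = ctx["asset"]
    if asset is None:
        return Decision("escalate", f"host {ctx['host_ip']} not in asset inventory")
    kind = ctx["alert_type"]
    if kind == "port_scan":
        if ctx["peer_is_authorized_scanner"]:
            return Decision("ignore", "scan originates from an authorized scanner")
        return Decision("ticket", f"unexpected scan of {asset['hostname']} ({asset['owner']})")
    if kind == "malware_beacon":
        if asset["criticality"] == "high":
            return Decision("isolate", f"beacon from high-criticality host {asset['hostname']}")
        return Decision("ticket", f"beacon from {asset['hostname']}, owner {asset['owner']}")
    return Decision("escalate", f"no playbook step for alert type {kind!r}")


def run_playbook(alert: dict, permitted=DEFAULT_PERMITTED_ACTIONS) -> Decision:
    """Enrich, decide, then enforce the automation's own permission boundary."""
    try:
        ctx = enrich(alert)
        decision = decide(ctx)
    except Exception as exc:  # any failure inside the playbook is an unexpected situation
        return Decision("escalate", f"playbook error: {exc!r}", dict(alert))
    decision.context = ctx
    if decision.action != "escalate" and decision.action not in permitted:
        # The rule asked for more than the automation is allowed to do: hand over.
        return Decision("escalate",
                        f"action {decision.action!r} exceeds automation permissions: {decision.reason}",
                        ctx)
    return decision


if __name__ == "__main__":
    # Constructed sample alerts.
    samples = [
        {"alert_type": "port_scan", "host_ip": "10.0.1.15", "peer_ip": "10.0.9.9"},
        {"alert_type": "malware_beacon", "host_ip": "10.0.1.15", "peer_ip": "203.0.113.7"},
        {"alert_type": "dns_tunnel", "host_ip": "10.0.2.40", "peer_ip": "203.0.113.8"},
    ]
    for sample in samples:
        result = run_playbook(sample)
        print(f"{sample['alert_type']:15} -> {result.action:9} {result.reason}")
```

The design point is that the permission boundary is enforced in `run_playbook`, outside the decision rules, so that a rule change (or a rule error) cannot silently grant the automation a new capability; widening the allowlist is a separate, visible decision, which matches the risk-based approach the text calls for.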

Heterogeneous tool landscapes and legacy systems

Most environments make use of many different security solutions and tools, with the result that the collection of these tools is already quite complex in itself. One of the biggest challenges in implementing an effective security automation architecture is the integration of these different security tools and technologies. Nowadays, more and more solutions offer APIs that automation tools can use. However, older solutions and legacy applications don't always have APIs, which can lead to significant challenges and added effort.

Too much at once

Organizations looking for suitable security automation solutions are often faced with offers that promise to cover the full SOAR spectrum. Introducing a complete SOAR solution can be an enormous project that requires strategic planning and sufficient time to implement. In most cases it is better to start with small and manageable steps and then gradually increase the degree of automation on this basis rather than tackling everything at once.

Conclusion

There is no doubt that automation and orchestration can significantly improve an organization's security posture and resource usage. However, it is important to maintain a clear common understanding of the goals to be reached with automation and to ensure that it does not become an end in itself. Automation should solve problems, and once those problems are clearly described, the most appropriate solution can be evaluated.

When starting an automation initiative, it is advisable to begin with well-defined and simple use cases that are relatively easy to implement and provide quickly achievable value. Even though the ultimate goal may be to automate as much as possible, it is better to start with small steps and to use an approach of continuous progression and improvement.

Finally, experience shows that automation initiatives whose primary goal is to reduce the required amount of human resources are usually not sustainable. Such projects may be initially successful but will rarely provide the desired benefits in the long term. Rather, it is worth striving for a combination of human resources, skills and machine capabilities such that new and previously unsolvable problems can be approached successfully.

About the Author

Tomaso Vasella

Tomaso Vasella holds a Master's degree in Organic Chemistry from ETH Zürich. He has been working in the cybersecurity field since 1999 as a consultant, engineer, auditor and business developer. (ORCID 0000-0002-0216-1268)
