Welcome to the first part of our series on automation in cybersecurity. This series will explore the importance of automation in modern security operations and provide practical examples. While this post isn’t a typical lab walkthrough, it’s crucial for understanding the context of our future hands-on experiments.
In this post, we’ll cover:
Let’s dive in!
Automation in cybersecurity refers to the use of technology to perform tasks with minimal human assistance. This can range from simple script-based tasks to complex, AI-driven processes that analyze and respond to threats in real-time.
I feel automation really does fly under the radar within the cyber security industry. It is simply assumed that everyone knows what it is and why it matters for security operations.
Let’s get back to basics, though, and look at why it matters and why it’s an important skill for an analyst to have.
With vendors and internal teams creating numerous alerts, many of which have a high level of false positives out of the box, alert fatigue among analysts has become a significant issue in the cybersecurity industry.
Automation plays a crucial role in preventing alert fatigue within your analyst team. Here’s how:
By automating these regular tasks, analysts can focus on more complex issues that require human insight and decision-making.
Most Security Operations Centers (SOCs) have specific metrics they need to meet. These often include:
For this discussion, let’s define Time to Triage (TTT) as the duration from when an alert first appears to when an analyst is prepared to take action, whether that’s marking it as a false positive or initiating remediation.
Information Gathering: Automation can significantly reduce the time an analyst spends gathering information, a task that could be efficiently handled by a computer.
Quick Decision Making: The ideal scenario is for an analyst to quickly understand a detection or alert and be ready to act within minutes.
Leveraging APIs and WMI: By utilizing APIs and Windows Management Instrumentation (WMI) internally, you can automatically gather about 95% of the information needed for decision-making, even if your alert-generating tools don’t provide this data.
Automated Actions: Using these same APIs and WMI, we can also automate responses to detections. This includes:
The extent of automated actions depends on your organization’s risk appetite, but the potential for improving efficiency is significant.
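To make the Time to Triage idea concrete, here is an added example (not code from the original post) of a small enrichment pipeline: it gathers the context an analyst would otherwise look up by hand, produces an advisory recommendation, and stamps the moment the analyst is ready to act so TTT can be measured. The asset inventory, user directory and allowlist are constructed in-memory tables standing in for the API and WMI lookups a real pipeline would make; the alert ids, hostnames and hashes are made up.

```python
"""Automated alert enrichment and time-to-triage (TTT) measurement.

Added example for this post, not code from the original article. Real
enrichment would call EDR/identity APIs or WMI; here those lookups are
replaced by constructed in-memory tables so the example runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for API/WMI responses (assumption:
# a real pipeline would query the asset inventory, EDR and directory).
ASSET_INVENTORY = {
    "WKS-0042": {"owner": "jdoe", "criticality": "standard", "os": "Windows 11"},
    "SRV-DB-01": {"owner": "dba-team", "criticality": "crown-jewel", "os": "Windows Server 2022"},
}
USER_DIRECTORY = {
    "jdoe": {"department": "finance", "privileged": False},
    "svc_backup": {"department": "it", "privileged": True},
}
KNOWN_GOOD_HASHES = {
    "a1" * 32: "backup-agent.exe (constructed allowlist entry)",
}


@dataclass
class Alert:
    alert_id: str
    created_at: datetime          # when the alert first appeared
    host: str
    user: str
    process: str
    sha256: str
    context: dict = field(default_factory=dict)
    triage_ready_at: datetime | None = None


def enrich(alert: Alert) -> Alert:
    """Gather the context an analyst would otherwise look up by hand."""
    alert.context["asset"] = ASSET_INVENTORY.get(alert.host, {"criticality": "unknown"})
    alert.context["user"] = USER_DIRECTORY.get(alert.user, {"privileged": None})
    alert.context["hash_allowlisted"] = alert.sha256 in KNOWN_GOOD_HASHES
    return alert


def recommend(alert: Alert) -> str:
    """Turn gathered context into a suggested disposition.

    The recommendation is advisory: the analyst still makes the call.
    """
    ctx = alert.context
    if ctx["hash_allowlisted"]:
        return "likely-false-positive"
    if ctx["asset"].get("criticality") == "crown-jewel" or ctx["user"].get("privileged"):
        return "escalate"
    return "investigate"


def triage(alert: Alert, now: datetime) -> tuple[str, timedelta]:
    """Enrich, recommend, and stamp the moment the analyst is ready to act.

    Returns (recommendation, time_to_triage).
    """
    enrich(alert)
    decision = recommend(alert)
    alert.triage_ready_at = now
    return decision, alert.triage_ready_at - alert.created_at


def demo() -> dict[str, tuple[str, int]]:
    """Run the pipeline over constructed alerts; returns {id: (decision, ttt_seconds)}."""
    t0 = datetime(2024, 1, 15, 9, 0, 0, tzinfo=timezone.utc)
    alerts = [
        Alert("A-1", t0, "WKS-0042", "jdoe", "excel.exe", "ff" * 32),
        Alert("A-2", t0, "SRV-DB-01", "svc_backup", "backup-agent.exe", "a1" * 32),
        Alert("A-3", t0, "SRV-DB-01", "jdoe", "powershell.exe", "cc" * 32),
    ]
    results = {}
    for a in alerts:
        # Simulate the enrichment finishing three seconds after the alert fired.
        decision, ttt = triage(a, now=t0 + timedelta(seconds=3))
        results[a.alert_id] = (decision, int(ttt.total_seconds()))
    return results


if __name__ == "__main__":
    for alert_id, (decision, seconds) in demo().items():
        print(f"{alert_id}: {decision} (TTT {seconds}s)")
```

The TTT here is the gap between `created_at` and `triage_ready_at`; when the enrichment runs automatically that gap shrinks from the minutes an analyst spends clicking through consoles to the seconds the lookups take, which is the metric improvement the post is describing.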
As we move further into the age of AI, it’s becoming an increasingly interesting topic in the realm of cybersecurity automation. To those unfamiliar with the field, much of what we call automation might look like AI or “magic wizardry.” However, it’s crucial to understand the distinctions and limitations of AI in security operations.
Accuracy is Key: One of the most critical factors in any SOC automation program is accuracy. This is especially true when moving from automated triage to automated remediation - you need to be certain that what you’re remediating won’t cause unintended business impacts.
AI as a Suggestion Model: Currently, AI and Large Language Models (LLMs) are primarily used as suggestion models in security automation. They should not be treated as 100% accurate and require verification by a human analyst.
Automated Verification: If you have access to the right information, you can set up systems to automatically verify AI suggestions using secondary indicators.
Summarization and Explanation: Feeding all relevant information from a detection into an AI or LLM (like ChatGPT) can generate human-readable explanations of events. However, these are typically used for summarization rather than decision-making. The limiting factor here is the model’s context window and the number of tokens required.
Limitations of AI in Decision Making: While some companies have internal AI capabilities that provide confidence scores based on input information, the effectiveness of these systems depends heavily on the quality and quantity of data they’re trained on. Smaller companies with limited visibility into true positive vs false positive ratios may find their AI models biased due to limited training data.
In my opinion, AI should be used as another tool within the domain of automation, similar to an API for a firewall or ticketing system. It excels at generating summaries of complex incidents or summarizing the actions of an automation system. However, when it comes to making critical decisions, the technology isn’t quite there yet. All decisions made by an AI should still be approved by a human analyst.
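The “suggestion model plus automated verification” pattern described above, as an added example that is not part of the original post: the model’s verdict is treated as a hint, and the automation may only act on it when enough independent secondary indicators agree; anything weaker is routed to a human analyst. The model output, the indicator table, the alert ids and the corroboration threshold are all constructed for illustration; in practice the indicators would come from EDR, threat intelligence and identity tooling rather than from the model itself.

```python
"""Gating an AI/LLM triage suggestion behind independent secondary indicators.

Added example for this post, not code from the original article. The
'model' output is a constructed stand-in for an LLM response; in a real
pipeline it would come from the model API and the indicators from EDR,
threat-intel and identity sources.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suggestion:
    """What the model proposed, with its stated confidence (0..1).

    Confidence is kept for the audit trail; it is deliberately not a
    substitute for corroboration in decide() below.
    """
    alert_id: str
    verdict: str          # "malicious" or "benign"
    confidence: float
    rationale: str


# Constructed secondary indicators keyed by alert id (assumption: in practice
# these are fetched from independent tooling, not from the model). True means
# the indicator points towards malicious activity.
SECONDARY_INDICATORS = {
    "A-1": {"ti_hash_match": True,  "unsigned_binary": True,  "odd_parent": True},
    "A-2": {"ti_hash_match": False, "unsigned_binary": False, "odd_parent": False},
    "A-3": {"ti_hash_match": False, "unsigned_binary": True,  "odd_parent": False},
    "A-4": {"ti_hash_match": True,  "unsigned_binary": False, "odd_parent": False},
}

# Hypothetical policy: how many independent indicators must agree with a
# "malicious" verdict before the automation may contain without a human.
REQUIRED_CORROBORATION = 2


def corroboration(s: Suggestion, indicators: dict[str, bool]) -> int:
    """Count secondary indicators that independently agree with the verdict."""
    if s.verdict == "malicious":
        return sum(1 for v in indicators.values() if v)
    return sum(1 for v in indicators.values() if not v)


def decide(s: Suggestion, indicators: dict[str, bool]) -> str:
    """Return the action the automation may take on this suggestion.

    'auto-contain' needs a malicious verdict plus >= REQUIRED_CORROBORATION
    agreeing indicators; 'auto-close' needs a benign verdict with every
    indicator clean. Anything weaker, or any contradiction, goes to a human.
    """
    agree = corroboration(s, indicators)
    if s.verdict == "malicious" and agree >= REQUIRED_CORROBORATION:
        return "auto-contain"
    if s.verdict == "benign" and agree == len(indicators):
        return "auto-close"
    return "human-review"


def demo() -> dict[str, str]:
    """Apply the gate to constructed model suggestions; returns {id: action}."""
    suggestions = [
        Suggestion("A-1", "malicious", 0.91, "known bad hash, unusual parent process"),
        Suggestion("A-2", "benign", 0.88, "signed vendor tool, routine schedule"),
        Suggestion("A-3", "malicious", 0.97, "unsigned binary"),            # high confidence, weak evidence
        Suggestion("A-4", "benign", 0.80, "looks like normal admin activity"),  # contradicted by TI
    ]
    return {s.alert_id: decide(s, SECONDARY_INDICATORS[s.alert_id]) for s in suggestions}


if __name__ == "__main__":
    for alert_id, action in demo().items():
        print(f"{alert_id}: {action}")
```

Note that A-3 is the model’s most confident call and still lands in human review, because only one indicator backs it up, while A-4’s benign verdict is overruled by a threat-intel hash match. That asymmetry (strict corroboration before containing, everything-clean before closing) is one way to encode the risk appetite the post mentions.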
As we progress through this series, we’ll explore practical ways to integrate AI into your automation workflows while maintaining the necessary human oversight for critical decision-making processes.
When discussing any specific function within security, we need to address the skill gap. Over my 12+ years in security, I’ve heard numerous versions of the “skills gap” narrative. In my opinion, the crux of the issue is twofold:
In my experience, the best analysts I’ve worked with often come from other sectors of the IT industry. Network engineers, software engineers, and helpdesk operators bring valuable experience and knowledge about the complex ecosystem that is an IT system.
“But Dan,” you might ask, “this is an automation post. Why are you ranting about skills gaps?” Bear with me - there’s a crucial connection.
The skills gap is highly relevant when it comes to implementing and creating automation systems for gathering information and making decisions on detections. Those responsible for these systems need to:
These skills are not typically taught in cybersecurity courses at colleges or universities. While these institutions impart a lot of valuable knowledge, the creation of effective automation systems requires experienced analysts who have:
As we progress through this series, we’ll explore ways to bridge this skill gap and develop the expertise needed to create robust, effective automation systems in cybersecurity.
Automation stands as one of the most powerful tools in modern cybersecurity, offering numerous benefits:
The key to successfully implementing automation in a SOC lies in leveraging the expertise of your most experienced analysts. Their knowledge can be used not only to create effective automation systems but also to train and mentor junior team members, thereby improving the overall capacity and capability of your SOC.
As we move forward in this series, we’ll explore practical examples of automation in cybersecurity, diving into specific tools and techniques that can help transform your SOC operations as well as looking at how we can automate things within our LAB environment.
Stay tuned for Part 2, where we’ll start looking at real world examples!
What are your thoughts on automation in cybersecurity? Have you implemented any automation in your security operations?
Remember, automation is a journey, not a destination. Start small, learn from your experiences, and gradually expand your automation capabilities. Your SOC will thank you for it!