Automating User Activity to Simulate a Real Environment (Part 1: The Importance of Automation)

Welcome to the first part of our series on automation in cybersecurity. This series will explore the importance of automation in modern security operations and provide practical examples. While this post isn’t a typical lab walkthrough, it’s crucial for understanding the context of our future hands-on experiments.

In this post, we’ll cover:

• The importance of automation in cybersecurity
• How automation addresses alert fatigue
• The role of automation in improving efficiency
• The intersection of AI and cybersecurity automation
• The skill gap in cybersecurity and its relevance to automation

Let’s dive in!

Automation: A Cornerstone of Modern Cybersecurity

What is Automation in Cybersecurity?

Automation in cybersecurity refers to the use of technology to perform tasks with minimal human assistance. This can range from simple script-based tasks to complex, AI-driven processes that analyze and respond to threats in real-time.

Automation I feel really does fly under the radar within the Cyber Security industry. It is just assumed that everyone knows what it is and why it’s important for security operations.

Let’s get back to basics though and look at why it’s important and an important skill to have in an analyst.

Alert Fatigue: A Growing Concern

The Problem

With vendors and internal teams creating numerous alerts, many of which have a high level of false positives out of the box, alert fatigue among analysts has become a significant issue in the cybersecurity industry.

Automation as a Solution

Automation plays a crucial role in preventing alert fatigue within your analyst team. Here’s how:

• Streamlined Information Gathering: Using automation, you can easily process a brute force alert by gathering intelligence on the IP and historical data for the user from your SIEM.
• Automated Actions: Depending on the system, automation can take appropriate action. This could involve:
  • Marking the alert as a false positive if the user recently raised a service desk ticket to reset their password.
  • Locking the account and temporarily blocking the source IP from authenticating if suspicious activity is detected.

By automating these regular tasks, analysts can focus on more complex issues that require human insight and decision-making.

Time to Triage/Remediation: Enhancing Efficiency

Metrics in SOCs

Most Security Operations Centers (SOCs) have specific metrics they need to meet. These often include:

• Number of alerts triaged per analyst (a metric I personally find problematic, but that’s a topic for another day)
• Time to triage and remediate/close an alert

For this discussion, let’s define Time to Triage (TTT) as the duration from when an alert first appears to when an analyst is prepared to take action, whether that’s marking it as a false positive or initiating remediation.

The Role of Automation in Reducing TTT

1. Information Gathering: Automation can significantly reduce the time an analyst spends gathering information, a task that could be efficiently handled by a computer.

2. Quick Decision Making: The ideal scenario is for an analyst to quickly understand a detection or alert and be ready to act within minutes.

3. Leveraging APIs and WMI: By utilizing APIs and Windows Management Instrumentation (WMI) internally, you can automatically gather about 95% of the information needed for decision-making, even if your alert-generating tools don’t provide this data.

4. Automated Actions: Using these same APIs and WMI, we can also automate responses to detections. This includes:

   • Resetting user accounts
   • Removing malware
   • Blocking IPs/domains

The extent of automated actions depends on your organization’s risk appetite, but the potential for improving efficiency is significant.

Artificial Intelligence (AI) in Cybersecurity Automation

As we move further into the age of AI, it’s becoming an increasingly interesting topic in the realm of cybersecurity automation. To those unfamiliar with the field, much of what we call automation might look like AI or “magic wizardry.” However, it’s crucial to understand the distinctions and limitations of AI in security operations.

The Role of AI in Security Operations Centers (SOCs)

1. Accuracy is Key: One of the most critical factors in any SOC automation program is accuracy. This is especially true when moving from automated triage to automated remediation - you need to be certain that what you’re remediating won’t cause unintended business impacts.

2. AI as a Suggestion Model: Currently, AI and Large Language Models (LLMs) are primarily used as suggestion models in security automation. They should not be treated as 100% accurate and require verification by a human analyst.

3. Automated Verification: If you have access to the right information, you can set up systems to automatically verify AI suggestions using secondary indicators.

4. Summarization and Explanation: Feeding all relevant information from a detection into an AI or LLM (like ChatGPT) can generate human-readable explanations of events. However, these are typically used for summarization rather than decision-making. The limiter here is the context window and number of tokens required.

5. Limitations of AI in Decision Making: While some companies have internal AI capabilities that provide confidence scores based on input information, the effectiveness of these systems depends heavily on the quality and quantity of data they’re trained on. Smaller companies with limited visibility into true positive vs false positive ratios may find their AI models biased due to limited training data.

The Future of AI in Cybersecurity Automation

In my opinion, AI should be used as another tool within the domain of automation, similar to an API for a firewall or ticketing system. It excels at generating summaries of complex incidents or summarizing the actions of an automation system. However, when it comes to making critical decisions, the technology isn’t quite there yet. All decisions made by an AI should still be approved by a human analyst.

As we progress through this series, we’ll explore practical ways to integrate AI into your automation workflows while maintaining the necessary human oversight for critical decision-making processes.

The Skill Gap in Cybersecurity Automation

When discussing any specific function within security, we need to address the skill gap. Over my 12+ years in security, I’ve heard numerous versions of the “skills gap” narrative. In my opinion, the crux of the issue is twofold:

1. Expectations of New Entrants: People entering the security field often expect it to be straightforward, similar to their college or university experience.
2. Employer Expectations: On the flip side, employers often expect new graduates to enter a SOC and make confident decisions on detections with minimal training and experience.

The Reality of Skilled Analysts

In my experience, the best analysts I’ve worked with often come from other sectors of the IT industry. Network engineers, software engineers, and helpdesk operators bring valuable experience and knowledge about the complex ecosystem that is an IT system.

“But Dan,” you might ask, “this is an automation post. Why are you ranting about skills gaps?” Bear with me - there’s a crucial connection.

The Skill Gap’s Relevance to Automation

The skills gap is highly relevant when it comes to implementing and creating automation systems for gathering information and making decisions on detections. Those responsible for these systems need to:

1. Understand the implications of potentially removing the wrong files and how to avoid it
2. Know what information is needed for a decision
3. Understand where to source that information

These skills are not typically taught in cybersecurity courses at colleges or universities. While these institutions impart a lot of valuable knowledge, the creation of effective automation systems requires experienced analysts who have:

1. Years of hands-on experience in the field
2. A track record of high-quality work on detections
3. A deep understanding of Quality Assurance (QA) processes (a topic I’ll be posting about in the near future)

As we progress through this series, we’ll explore ways to bridge this skill gap and develop the expertise needed to create robust, effective automation systems in cybersecurity.

Conclusion: Embracing Automation for a More Effective SOC

Automation stands as one of the most powerful tools in modern cybersecurity, offering numerous benefits:

1. Analyst Efficiency: It keeps your analysts fresh, engaged, and ready to face threats as they emerge, be it APTs, ransomware, or insider threats.
2. Improved Metrics: Automation can significantly reduce time to triage and remediation without the need for additional hiring.
3. Knowledge Transfer: By involving experienced analysts in creating and implementing automation systems, you create opportunities for mentoring and upskilling less experienced team members.
4. Scalability: Automation allows your SOC to handle increasing workloads without a proportional increase in staffing.

The key to successfully implementing automation in a SOC lies in leveraging the expertise of your most experienced analysts. Their knowledge can be used not only to create effective automation systems but also to train and mentor junior team members, thereby improving the overall capacity and capability of your SOC.

As we move forward in this series, we’ll explore practical examples of automation in cybersecurity, diving into specific tools and techniques that can help transform your SOC operations as well as looking at how we can automate things within our LAB environment.

Stay tuned for Part 2, where we’ll start looking at real world examples!

What are your thoughts on automation in cybersecurity? Have you implemented any automation in your security operations?

Remember, automation is a journey, not a destination. Start small, learn from your experiences, and gradually expand your automation capabilities. Your SOC will thank you for it!

---