Maximising your investments through security automation

Let’s face it, we’ve talked about security automation for years. We’ve grappled with what, when and how to automate. We’ve debated the human vs machine topic. And at certain points, when we’ve been “burned” (automatically shutting down systems in error), we’ve wondered if there’s any place at all for automation. But in our heart of hearts, we’ve known for years that automation is the future. Now the future is here.

While most organisations had at least minimal automation of key security and incident response (IR) processes, the events of 2020 served as a tipping point, says Noor Boulos of ThreatQuotient. The new SANS report discusses how the global pandemic forced many organisations to accelerate their plans for automation, where they are prioritising their investments and the plans they have for the future. The survey spanned companies of all sizes, representing a diverse blend of industries and with operations in North America, Europe, Asia Pacific and Africa.

Some of the key findings include:

  • Nearly one-third of organisations indicated that their plans for automation accelerated because of the COVID-19 pandemic.
  • More than 80% of organisations have at least partial automation of key security and IR processes, up from 47% in 2020.
  • Drilling deeper, IR processes saw the most significant growth in automation, with extensive automation jumping nearly 18 percentage points, from 10.5% in 2020 to 28.3% in 2021.
  • Security operations and event or alert processing remains the top area for automation with 35.5% reporting extensive automation.
  • The future looks bright for security automation, with 85% planning on automating key security and IR processes in the next 12 months alone.

As you look to the future and use these survey results to help better understand how to expand your use of automation within your security operations, it’s important to consider when to apply automation within the security lifecycle to maximise business value.

At ThreatQuotient, we have long believed that data is the lifeblood of detection and response automation, so the key to effective automation starts with data. Let’s take the two primary use cases in the report, Alert Triage and Incident Response, as examples.

Alert Triage:

Analysts are inundated with alerts that require human attention, generated by noisy SIEM rules and default-configured defence infrastructure. In an attempt to reduce the volume and velocity of security alerts they must tackle on a daily basis, analysts apply external threat data and threat intelligence feeds directly to the SIEM, but challenges continue for two main reasons.

First, the amount of external threat data is staggering. Sending all of this data directly to the SIEM for correlation produces a flood of alerts without context, each of which requires significant analyst effort to research. Second, current tools lack the decision-support capabilities to add context and establish relevance before threat intelligence feeds are applied to the SIEM. Prioritisation is imperative to focus the alert triage process and determine the appropriate next actions to take.

With the ThreatQ Platform you can address the alert triage challenge and stop the useless alerts before they happen by ONLY feeding threat intelligence that is relevant to the organisation. By automatically applying context, relevance and prioritisation to threat data prior to applying it to the SIEM, the SIEM becomes more efficient and effective.

Customised threat intelligence scores based on parameters you set, coupled with context, allow for prioritisation based on what’s relevant to your specific environment. Now, using a subset of threat data that has been curated into threat intelligence, the additional overlay allows the SIEM to generate fewer false positives and encounter fewer scalability issues.

Incident Response:

The current approach to Security Orchestration, Automation and Response (SOAR) has focused on automating processes. The challenge is that when applied to detection and response, process-focused playbooks are inherently inefficient and complex because the decision-making criteria and logic are built into the playbooks and updates need to be made in each playbook. This complexity grows exponentially as you increase the number of playbooks. Automating and orchestrating noisy data just amplifies the noise.

With ThreatQ TDR Orchestrator you can take a simplified, data-driven approach to SOAR, where the data, or information, drives playbook initiation and data learned from actions taken is used for analytics and to improve future response. Putting the “smarts in the platform” and not in individual playbooks provides simpler configuration and maintenance, and more efficient and effective automation outcomes. Users can curate and prioritise data upfront, automate what’s relevant and simplify the actions taken.
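The two ideas above, curating threat data into scored intelligence before it reaches the SIEM (Alert Triage) and letting that score rather than per-playbook logic decide the response (Incident Response), can be illustrated with a small script. This is an added example, not code from the article, from ThreatQ or from ThreatQuotient; the feed entries, source weights, environment tags, sightings and thresholds are all constructed for illustration, and the scoring formula is one hypothetical way to combine reliability, recency, environment fit and local sightings.

```python
"""Added example (not ThreatQ/ThreatQuotient code): score raw threat data against an
organisation-specific policy, export only the relevant subset to the SIEM, and derive
the response action from the score. All values below are constructed/hypothetical."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Policy:
    """Scoring parameters an organisation sets for its own environment (hypothetical)."""
    source_reliability: dict   # feed name -> 0.0..1.0 trust weight
    environment_tags: set      # technologies/sectors the organisation actually runs
    max_age_days: int = 90     # indicators older than this score 0 for recency
    siem_threshold: int = 50   # below this an indicator is never sent to the SIEM
    # (minimum score, action) pairs, checked from highest to lowest; thresholds
    # live here, in one place, instead of being duplicated in every playbook
    actions: tuple = ((85, "block_and_open_incident"), (60, "open_incident"), (50, "enrich_and_watch"))


POLICY = Policy(
    source_reliability={"vendor_a": 0.9, "vendor_b": 0.6, "isac": 0.8, "osint_paste": 0.3},
    environment_tags={"windows", "finance", "office365"},
)

# Constructed reference date so the recency calculation is deterministic.
AS_OF = date(2021, 10, 1)

# Constructed raw feed entries (RFC 5737 documentation addresses, invented domains).
RAW_FEED = [
    {"value": "198.51.100.23", "type": "ipv4", "source": "vendor_a", "first_seen": "2021-09-01", "tags": ["c2", "windows"]},
    {"value": "203.0.113.9", "type": "ipv4", "source": "osint_paste", "first_seen": "2021-03-01", "tags": ["phishing", "linux"]},
    {"value": "payroll-portal.example", "type": "domain", "source": "isac", "first_seen": "2021-09-25", "tags": ["finance", "credential-theft"]},
    {"value": "192.0.2.77", "type": "ipv4", "source": "vendor_a", "first_seen": "2021-07-15", "tags": ["scanner"]},
    {"value": "mail-login.example", "type": "domain", "source": "vendor_b", "first_seen": "2021-09-20", "tags": ["office365", "phishing"]},
    {"value": "198.51.100.200", "type": "ipv4", "source": "osint_paste", "first_seen": "2021-09-28", "tags": []},
]

# Constructed set of indicator values already observed in the organisation's own telemetry.
INTERNAL_SIGHTINGS = {"198.51.100.23", "198.51.100.200"}


def score_indicator(ind, policy, as_of, sightings=INTERNAL_SIGHTINGS):
    """Return a 0-100 score from source reliability, recency, environment fit and local sightings."""
    reliability = policy.source_reliability.get(ind["source"], 0.0)  # unknown feeds earn no trust
    age_days = (as_of - date.fromisoformat(ind["first_seen"])).days
    recency = max(0.0, 1.0 - age_days / policy.max_age_days)
    relevance = 1.0 if policy.environment_tags & set(ind["tags"]) else 0.0
    sighted = 1.0 if ind["value"] in sightings else 0.0
    raw = 40 * reliability + 30 * recency + 30 * relevance + 10 * sighted
    return min(100, round(raw))


def decide_action(score, policy):
    """Map a curated score to a response action using the policy's thresholds."""
    for minimum, action in policy.actions:
        if score >= minimum:
            return action
    return "discard"


def curate(feed, policy, as_of):
    """Score, filter and rank raw entries; only those at or above siem_threshold are exported."""
    curated = []
    for ind in feed:
        score = score_indicator(ind, policy, as_of)
        if score >= policy.siem_threshold:
            curated.append({**ind, "score": score, "action": decide_action(score, policy)})
    return sorted(curated, key=lambda c: c["score"], reverse=True)


def siem_lookup_table(curated):
    """Compact value -> score mapping, the shape a SIEM lookup or reference set would ingest."""
    return {c["value"]: c["score"] for c in curated}


if __name__ == "__main__":
    for entry in curate(RAW_FEED, POLICY, AS_OF):
        print(f'{entry["score"]:3d}  {entry["action"]:24s} {entry["value"]}')
```

Run as written, the script drops two of the six entries before they ever reach the SIEM: the stale, low-reliability paste-site address and the reliable but old and irrelevant scanner address. The remaining four carry a score and an action, so changing a threshold or a source weight in `Policy` changes behaviour everywhere at once, which is the point of keeping decision criteria in the data layer rather than in each playbook.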

The author is Noor Boulos of ThreatQuotient.
