Automation Realities in the Context of SOAR

August 20, 2020
| |
3 min read

Anyone who has spent time on repetitive, manual tasks understands how tedious and cumbersome this work can be and how errors are commonplace. If only machines could do this work for us. This is the promise of automation: the application of technology, programs, robotics or processes to achieve outcomes with minimal human input.

Automation makes formerly arduous, time-intensive processes complete in a fraction of the time, revolutionizing entire industries. One of the best-known examples was the introduction of spreadsheets, which replaced manual bookkeeping and fundamentally changed the nature of the accounting industry worldwide. Likewise, approximately three-fourths of current trading on the U.S. stock market is done through automation.

For years, security veterans feared the automation “cure” could be worse than the disease, simply making mistakes more quickly or otherwise yielding unintended consequences. It was only a matter of time until the technology matured to the point that its benefits became undeniable. This is perhaps most notably shown by the adoption of Security Orchestration, Automation and Response (SOAR) platforms, which improve response times, address the security skills gap, and reduce complexity.

Adoption to date has already driven significant improvements. In a recent study by the Ponemon Institute, automation stood out as a differentiator for companies with high cyber resilience. In fact, 55% of high performers in the study stated their cyber resilience improved due to the implementation of automation tools, compared to 37% of other organizations.

Here, we examine the hype around automation and share some common automation pitfalls to help you avoid them.

Realities of Automation

Given the promise of automation, it is tempting to dive headfirst into solving an initial use case (like phishing) without considering broader people, process and technology considerations. The downside to jumping into the deep end can range from architectural mistakes that are expensive to undo, to unintended consequences from executing ill-informed actions.

Automation benefits may be proven and widespread, but there are several realities to know, such as:

Automation takes time. Automation is not an easy fix that happens overnight by deploying some software. Rather, automation requires an investment in time and resources in order to maximize its benefits. One of the most important prerequisites of automation for any organization is understanding its processes, which are usually more complex and unique than it seems. A clear view of the current state is needed in order to identify processes and tasks to automate. Yet, it is not always attainable. According to the Ponemon Cyber Resilient Organization study, only 40% of organizations use attack-specific playbooks, which outline the step-by-step response to specific attacks like malware or phishing.

Out-of-the-box playbooks are typically generic, requiring time and skill to be customized to a company’s unique standard operating procedures. This may require new skills, such as business process expertise to help define process flows or Python coding skills to tune an integration. The most successful automation projects are journeys. Organizations crawl, walk and run their way to continuous improvement.

Automation is not free. A common notion exists that automation is “free.” This can be misinterpreted given the ease with which third-party security and IT tool integrations can be downloaded and installed. The truth, however, is these integrations typically require customization to be effective given the uniqueness of an organization’s IT environment. In its report “Make Sure Your Organization Is Mature Enough for SOAR,” Gartner observed that “it is a fallacy to believe that automation-based vendor products can work effectively without customization.”

Even “free” customizations to address this reality have a shelf life. Sooner or later they break because the tool it integrates with changes, something else in the infrastructure changes, processes need to be updated, or any number of other reasons given all the moving parts.

Automation won’t eliminate people. Very few use cases can be automated end-to-end without human intervention. At some point, people typically provide interpretation and analysis of the best course of action. For example, in a ransomware incident, people should validate the presence of backups and determine if paying the ransom is an option. In other cases, you simply want to document approvals before taking certain actions.

In addition, automation of manual tasks helps to free up security analysts to focus on higher value activities. For example, many of the initial steps can be completed automatically during incident investigation. They provide the security analyst valuable insight from the moment they first start working on the incident and helping inform the next step.

Automation is just one piece of SOAR

Used effectively, automation can be an incredibly powerful tool in accelerating incident response. However, it is important to keep in mind that automation is just the “A” in SOAR.

In our next article, we’ll talk about how to leverage automation as part of a broader SOAR strategy that can not only drive new levels of efficiency but actually transform security’s relationship to the organization.

To learn more about automation and the journey to SOAR, join the upcoming webinar “SOAR Automation – How does it really work?” at 11 am (EDT) August 25, 2020. Listen to the experts and myself discuss automation in more detail.

Ted Julian
VP Product Management and Co-Founder of Resilient, IBM

Ted Julian is a well-known, highly regarded figure in the security and compliance markets. Over the last 12 years, he has conceived and launched multiple suc...
read more