While many see automation as a panacea, experience shows that the best outcomes come from a pragmatic approach to applying it. Some of the greatest potential benefits of automation come when implementations are designed to solve specific business problems: augmenting available human talent by orchestrating mundane tasks more efficiently; gaining a competitive edge in areas where speed matters; and analyzing large, often unstructured data sets. In a hyperconnected world with a myriad of tools available, organizations need to be future-ready as the threat landscape continues to expand and grow in complexity.

Realize the business value

Companies are successfully automating the security function and freeing up resources by applying automation to routine, repetitive tasks. Work that was previously performed by highly trained professionals, such as vulnerability scanning, log analysis and compliance checking, is being standardized and executed automatically. This can boost analyst productivity, shorten incident detection and reaction times, and open the door to scaling the function. Automating the handling of lower-level threats and routine transactions augments the security operations center by enabling it to prioritize tasks more effectively and respond more quickly to the threats that do require human intervention.

In situations where data sets are too large or complex for direct analysis, automation has proven tremendously valuable and is being applied in many sectors to discover hard-to-identify links and patterns. Automation is also being applied effectively to tasks that benefit from increased speed, such as identifying security incidents in voluminous log data and performing high-volume data discovery, where analyzing individual files by hand is often inefficient.

From a DevOps perspective, security automation should be built into every critical intersection point in the software development life cycle (SDLC), from user stories and secure-code reviews to threat modeling and secure-design reviews, with the help of both static and dynamic application security testing (SAST and DAST) products. With that in mind, DevSecOps is gaining momentum in response to the need for rigorous security that moves at the speed of cloud delivery.

There are a lot of things that can be solved with automation, but there are only a few things that should be solved with automation. Identify those use cases upfront and make sure the automation strategies and tools you implement are fit for purpose.

Matthew Miller
Principal, Cyber Security Services
KPMG in the US

With the shift to the cloud, organizations no longer have consistent control over software versioning or over which features are available in the cloud environment. Automation has been integral to assessing the risk of, and securely adopting, new baseline features as needed. In multi-cloud environments, unintended data exposure, mismanaged account permissions, insecure network connections, ransomware attacks and other risks are major concerns for organizations. Automated security frameworks can provide better visibility and control.

What’s your move?

Start small and identify the automation use cases that your organization truly needs and that will generate business value. While it is prudent to implement an integrated corporate security architecture, keep it simple and do not over-engineer solutions. Fearing they may miss the latest trend, companies may go on a buying spree, acquiring various tools that often go unused for lack of knowledgeable employees. Resist that impulse.

Leverage your current technology stack first. An enormous range of advanced automation capabilities already exists within current tooling, and it is often unnecessary to look outside your organization. Similarly, seek out colleagues with existing automation experience and consider making them part of the cyber team. It is easier to take someone who has previous experience using robotic process automation (RPA) in other areas of the business, or with a previous employer, and teach them how to apply it within cyber than to take someone with basic cyber credentials and teach them RPA.

Cyber security teams are increasingly overwhelmed by ever-growing workloads. It is a smart move to use tools sensibly to automate some of your Level 1 or low-level incident management, so that analysts have enough time to devote to problems that require more nuanced or creative thinking.

Rather than relying on a separate security team to identify vulnerabilities and breaches after the fact, security automation should shift left and be present at every critical intersection point in the SDLC, from user stories and secure code reviews to threat modeling and secure design reviews. Use products such as static and dynamic application security testing that integrate seamlessly into the continuous integration/continuous delivery (CI/CD) pipeline, making it less challenging to incorporate security into the entire SDLC.

Certain technologies, like security orchestration, automation and response (SOAR), are inherently complementary, meant not to replace human analysts but to augment their skills and workflows for a better employee experience.

Benoit Watteyne
Director, Technology Advisory
KPMG in Belgium

Some key actions to consider for 2022

  1. Take a proactive approach to security automation by focusing on threats instead of incidents
  2. Automate mundane tasks to free up human capital and cognitive ability for more important activities
  3. Leverage existing technology and automation experts within your organization
  4. Build security automation into every critical intersection point within the SDLC
  5. Push the limits of what’s already known to be possible — be willing to fail, but learn quickly and implement that insight
  6. Keep it simple: don’t over-engineer solutions or acquire automation tools that don’t fit the problem or deliver business value for the firm