The state of security operations today
No matter what cybersecurity reports you’ve been reading these past few years, there’s a leitmotiv when it comes to Security Operations teams (and also that automation and orchestration are among the top 3 challenges for like 5 years straight!). Quite pessimistic to start our article like that, but the fact resorting from these reports is that they’re trapped, curbed by the immensity of work they must perform. We’ve been talking about the challenges they’re facing on various occasions. The years are pilling on, and these challenges only grow stronger.
Ultimately, these challenges imply a series of consequences, among which are the lack of improvement of the processes. Being continuously overworked doesn’t allow much free time for analysts to perform other tasks. They end up being in a challenging reactive stance, putting out fires here and there. The issue here is that being positioned on the receiving hand is exhausting when you do things manually.
A good comparison would be a game of tennis. Being at the bottom of the court makes you have to make more effort than your adversary, who can distribute their shots and concretely suppress you and make you run from one side to the other, chasing your shots.
A player in such a position finds it challenging to elaborate their game. They can only return shots. In cybersecurity, the same thing is happening to analysts. Of course, you’re by default responding to incident, you’re in a reactive stance. However, when your process aren’t optimized there’s a risk that you end up running after new alerts and don’t have the time to perform feedback and look at what should be changed in a workflow to investigate the origin of the alert.
No time to start advanced processes, to assess coherence. Why? Because it needs time. You have to take a step back and think about what’s currently in shape, determine caveats or better ways to solve an issue and improve from there. You can’t do that between two alerts, on the side of a table, as we could say.
This leads us to the observation that there isn’t room for improvement in the processes today. Ultimately, it suppresses the creativity that is seen as a risk because, if unproperly done, it can leave loopholes or create ones, and there’s not enough time to do it well.
This puts the security teams in an unsustainable position because they’re doomed to stay in a static environment, whereas the broader landscape is shifting rapidly. They’re not suited for adaptability and, thus, are condemned for more risks.
Ultimately, it generates unexploited potential at multiple levels: technologically and humanely. It thus generates a need to discover a new way to look at SecOps where adaptability is allowed and fostered among the teams.
More and more companies are heading towards Automation and Orchestration as a solution as it frees up time for analysts and allows for adaptability of the processes by streamlining their automation.
Adopting automation and orchestration in your enterprise
We already learned that Automation and Orchestration deliver value regarding shortages and skills. Here, we’re focusing on fostering the improvement of your processes.
Adopting Automation and Orchestration is moving towards restructuring your processes, from their understanding to their use as a coherent stack—structuration, cohesion, and knowledge of your tools to extract the maximum value from them.
It is about defining your processes and your policies.
You’re going to tell me that you already did this and that processes are already in place. Sure, but the fact is that when you’re substantially changing a condition in an environment, you have to reassess other conditions regarding the newly-changed environment and make changes accordingly.
How are you going to tackle this risk according to this new environment? What tools have you got at your disposal, how are they linked, and what is the most efficient way of taking care of the said risk?
In short, adopting an Automation and Orchestration tool changes the way you work. An Automation and Orchestration platform is a backbone on which processes are built.
Thus, it redesigns how tools work together to resolve use cases. Doing this brings coherence to the whole architecture and cyber stack and answers the tool sprawl issue, as we said in one of our first articles published on this blog.
But in what way is this advocating for more adaptability in the process and, ultimately, more creativity?
As we said, automation goes with orchestration. Orchestrating your tools in newly designed workflows eventually leads to redesigning these processes on your automation platform. This is where the ability to create in an accessible way and make it understandable in a pictural way comes into play.
New automation platforms are focusing on this as opposed to traditional platforms. It is fundamental because it allows other team members to understand what one has done, in a matter of minutes, without requiring endless explanations.
By doing this, you’re also making sound connections between your tools. It helps you increase the usage of every tool and determine which ones you need and which are superfluous.
In the end, using automation and orchestration, you can connect your tech stack and understand each tool’s usage from a high-level perspective.
All the points describe an “Automation journey” journey that will ultimately ease the concrete adoption of automation in your enterprise as a de facto process.
As in any journey, as we said, you have to prepare and create a plan. What do you want to achieve with automation? What is your starting point? From point A to point B. You do not want to go guns out and implement automation without proper preparation work because automation will structurally reform your processes and the way you work.
Automation journey; from adoption to synergy
Let’s get to the actual journey. The ways to take advantage of Automation and Orchestration capabilities are infinite, but every one of them starts somewhere. That’s you getting your hands on the tool and starting the process of implementing it into your organization.
Starting low to slowly achieving great results, as in anything bringing real change. To achieve structural improvements, you have to enforce structural changes. Automating a few use cases from the get-go doesn’t carry the real value potentially attainable by automation and orchestration.
An automation and orchestration tool is about discovering a new way to achieve existing tasks. Combining automation and orchestration produces an effect more significant than their simple accumulation. You’re creating a unique effect that is called synergy. Redesign existing processes to extract the most value from every one of them.
Synergy comes out of work. It requires apprenticeship and dedication, as in any training.
Define and design them first. Pragmatic thinking. What are my needs, what do I need to protect, and how? Collaboration in the reflection:
- Onboarding, gaining knowledge of the automation platform
- Re-discovering your environment by designing templates or importing out-of-the-box ones (harnessing the full potential of your tools)
- Answer your basic needs, leave place for humans in the process
- Slowly go up and reduce the need for humans in processes, and start designing end-to-end workflows applying to various use cases, potentially outside the starting perimeter
- Start flying independently by creating from scratch more complex playbooks and cover more use cases
- Then imagining from scratch more complex ones where the human element is reduced to the strict necessary, such as cognitive decisions, thus increasing the coverage of use cases
Mindflow, the relation between automation and creativity
The end game of automation and orchestration is multiple. Automation and orchestration benefits are immense. From consistency to speed, you extract value from automating workflows up to the point where you produce synergy.
Automating workflows and creating such synergy also give back time to the users. This time can be employed to accomplish multiple outcomes. Most likely, you’re able to perform feedback assessments on incidents adequately. As we said in a former article, feedback is one of the steps depicted in various incident response plans.
However, due to the critical situation in which analysts operate today, most don’t have time to enforce this step correctly. Moreover, considering the technical skills needed to improve the existing processes (talking about technical debt), most people resort to minor fixes at the risk of breaking the whole process.
Relying on sound and easy-to-understand automated workflows allows you to version them, and emulate the creativity around a given use case, to improve the process, thanks to the streamlining automation offered in these new automation and orchestration platforms, such as the one Mindflow is providing.
In the end, thanks to automation and orchestration, you can combine creativity and technology with improving existing processes and, ultimately, strengthen your security posture by allowing a more flexible and adaptable architecture.