Sep 1, 2022
Hugo
David
The state of security operations today
No matter which cybersecurity reports you've been reading these past few years, there's a recurring theme regarding Security Operations teams: they are trapped, curbed by the immensity of the work they must perform (and automation and orchestration have ranked among the top three challenges for about five years straight). It is quite pessimistic to start our article like that, but that is what these reports keep showing. We've been talking about the challenges they're facing on various occasions. The years are passing, and these challenges only grow stronger.
Ultimately, these challenges imply a series of consequences, among which is the lack of process improvement. Being continuously overworked doesn't leave analysts much free time to perform other tasks. They end up in a difficult reactive stance, putting out fires here and there. The issue is that being on the receiving end is exhausting when everything is done manually.
A good comparison would be a game of tennis. Being at the back of the court requires more effort than it does for your adversary, who can distribute their shots and effectively pin you down, making you run from one side to the other, chasing their shots.
A player in such a position finds it hard to build their own game. They can only return shots. In cybersecurity, the same thing is happening to analysts. Of course, by default, you're responding to incidents; you're in a reactive stance. However, when your process isn't optimized, there's a risk that you end up running after new alerts and never have the time to gather feedback and look at what should be changed in a workflow to investigate the origin of the alert.
There is no time to start advanced processes to assess coherence. Why? Because it needs time. You have to step back and think about what is currently in place, identify caveats or better ways to solve an issue, and improve from there. You can't do that between two alerts, on the corner of a table, so to speak.
This leads us to the observation that there isn't room for improvement in today's processes. Ultimately, it suppresses creativity, which is seen as a risk because, if done improperly, it can leave loopholes or create new ones, and there's not enough time to do it well.
This puts security teams in an unsustainable position because they're doomed to stay in a static environment, whereas the broader landscape is shifting rapidly. They're not set up for adaptability and, thus, are condemned to more risk.
Ultimately, it generates unexploited potential at multiple levels: technological and human. Thus, there is a need to discover a new way to look at SecOps, one in which adaptability is allowed and fostered among the teams.
More and more companies are heading towards Automation and Orchestration as a solution, as it frees up time for analysts and allows processes to be adaptable, streamlining their automation.
Adopting automation and orchestration in your enterprise
We have already learned that automation and orchestration deliver value in terms of skills shortages. Here, we're focusing on fostering the improvement of your processes.
Adopting Automation and Orchestration means restructuring your processes, from their understanding to their use as a coherent stack—structuration, cohesion, and knowledge of your tools to extract the maximum value from them.
It is about defining your processes and your policies.
You will tell me that you have already done this and that processes are already in place. Sure, but the fact is that when you substantially change a condition in an environment, you have to reassess other conditions regarding the newly changed environment and make changes accordingly.
How are you going to tackle this risk according to this new environment? What tools do you have at your disposal, how are they linked, and what is the most efficient way of managing the risk?
In short, adopting an Automation and Orchestration tool changes the way you work: it becomes the backbone on which processes are built and scaled.
Thus, it redesigns how tools work together to resolve use cases. Doing this brings coherence to the whole architecture and cyber stack and answers the tool sprawl issue, as we said in one of our first articles published on this blog.
But in what way is this advocating for more adaptability in the process and, ultimately, more creativity?
As we said, automation goes with orchestration. Orchestrating your tools in newly designed workflows eventually leads to redesigning these processes on your automation platform. This is where the ability to create in an accessible way and make the result understandable in a pictorial way comes into play.
New automation platforms are focusing on this as opposed to traditional platforms. It is fundamental because it allows other team members to understand what one has done in minutes without requiring endless explanations.
By doing this, you're also making sound connections between your tools. It helps you increase the usage of every tool and determine which ones you need and which are superfluous.
Ultimately, you can connect your tech stack and understand each tool's usage from a high-level perspective.
Using automation and orchestration
All these points describe an "automation journey" that will ultimately ease the concrete adoption of automation in your enterprise as a de facto process.
As in any journey, you have to prepare and create a plan. What do you want to achieve with automation? What is your starting point? From point A to point B, you do not want to implement automation without proper preparation because automation will structurally reform your processes and the way you work.
Automation journey: from adoption to synergy
Let's get to the actual journey. The ways to take advantage of Automation and Orchestration capabilities are infinite, but everyone starts somewhere. That's you getting your hands on the tool and starting the process of implementing it into your organization.
Start small and slowly achieve great results, as with anything that brings real change. To achieve structural improvements, you have to enforce structural changes. Automating a few use cases from the get-go doesn't carry the real value potentially attainable through automation and orchestration.
An automation and orchestration tool is about discovering a new way to achieve existing tasks. Combining automation and orchestration produces an effect greater than their simple accumulation. You're creating a unique effect called synergy. Redesign existing processes to extract the most value from every one of them.
Synergy comes out of work. It requires apprenticeship and dedication, as in any training.
Define and design your processes first, with pragmatic thinking: what are my needs, what do I need to protect, and how? Reflect on this collaboratively, then progress through the following stages:
1. Onboarding: gaining knowledge of the automation platform.
2. Rediscovering your environment by designing templates or importing out-of-the-box ones (harnessing the full potential of your tools).
3. Addressing your basic needs while leaving room for humans in the process.
4. Gradually increasing coverage and reducing the need for humans in processes, and starting to design end-to-end workflows for various use cases, potentially outside the starting perimeter.
5. Flying independently by creating complex playbooks from scratch and covering more use cases.
6. Then, imagining more complex ones from scratch, where the human element is reduced to the strictly necessary, such as cognitive decisions, thus increasing the coverage of use cases.
Mindflow, the relation between automation and creativity
Automation and orchestration serve multiple end goals, and their benefits are immense. From consistency to speed, you extract value from automating workflows until you produce synergy.
Automating workflows and creating such synergy also give back time to the users. This time can be employed to accomplish multiple outcomes. You're most likely able to perform feedback assessments on incidents adequately. As we said in a former article, feedback is one of the steps depicted in various incident response plans.
However, due to the critical situation in which analysts operate today, most don't have time to enforce this step correctly. Moreover, considering the technical skills needed to improve the existing processes (talking about technical debt), most people resort to minor fixes at the risk of breaking the whole process.
Relying on sound and easy-to-understand automated workflows allows you to version them and stimulate creativity around a given use case to improve the process, thanks to the streamlined automation offered by these new automation and orchestration platforms, such as the one Mindflow provides.
Ultimately, thanks to automation and orchestration, you can combine creativity and technology to improve existing processes and strengthen your security posture by allowing a more flexible and adaptable architecture.