Navigating Cybersecurity with Enterprise Automation and RPA

In this week's edition, we're excited to present an insightful article by Cristian Miron and Andrei Cotaie. They explore the practical application of Enterprise Automation and RPA (Robotic Process Automation) tools in cybersecurity, particularly in contexts where a dedicated SOAR (Security Orchestration, Automation, and Response) solution isn't part of the toolkit. If your IT department has recently invested in these platforms and you're wondering how to leverage them for cybersecurity, today's discussion is tailor-made for you. If our latest visual on the SOAR platform landscape sparked your curiosity about achieving security automation with tools not originally designed for cybersecurity, you're in for a treat. Today, we explore exactly that.

Enterprise Automation and RPA: Born in the realm of business efficiency, enterprise automation tools, alongside RPA, are designed to mimic and automate the repetitive tasks traditionally performed by humans. These tools are agnostic in their applications, capable of spanning across various departments from HR to customer service, and now, extending their reach into cybersecurity. Their strength lies in their versatility and the ability to integrate seamlessly into a wide array of systems, performing tasks that range from data entry to complex process automations.

SOAR: On the other side of the spectrum, SOAR platforms are the bespoke tailors of the cybersecurity world. Crafted with the specific intent of managing and responding to security threats, SOAR tools integrate tightly with an organization's security infrastructure. They automate responses to cyber threats, orchestrate processes among different security tools, and provide teams with streamlined workflows designed to enhance the speed and efficiency of security operations centers (SOCs).

However, there's a compelling case for why these tools, with their distinct philosophies and capabilities, are perfectly suited for certain cybersecurity workflows.

This article aims to explore how Enterprise Automation tools can be a game-changer in the cybersecurity realm, without drawing a line in the sand to say one tool is categorically better than another. Instead, we'll showcase how, in specific scenarios, Enterprise Automation solutions can be incredibly effective.

You might have seen these tools featured in the Security Automation and Orchestration diagram. We've also drawn comparisons between SOAR and RPA/Hyperautomation/Enterprise Automation in our exploration of the cybersecurity landscape.

The Case for Enterprise Automation in Security

The question of when to use Enterprise Automation in cybersecurity is broad, but these are some good starting points:

  • When there's no SOAR solution in play: This is a solid reason, especially for organizations that might not have the budget or specific need for a dedicated SOAR tool but still wish to automate some of their security workflows.

  • When SOAR's connectors fall short or are missing for certain applications: This is a common issue with specialized tools like SOAR. They may not have native integrations with every tool or application an organization uses, making enterprise automation tools a versatile backup.

  • When quick, decisive action is necessary: Enterprise automation tools can often be deployed more rapidly than SOAR solutions, especially for tasks that haven't been previously automated or scripted within a SOAR platform.

  • When simulating human behavior is crucial: RPA and enterprise automation excel in mimicking human interactions with applications, which is beneficial for testing security from a user behavior perspective.

  • When your cybersecurity use cases involve tools beyond the traditional security toolkit: This highlights the flexibility of enterprise automation tools, which can integrate across a broader range of applications and systems than SOAR platforms might support.

  • When seeking seamless integration with various AI models: While SOAR platforms can integrate with AI, enterprise automation tools might offer more straightforward or flexible integration paths for certain AI and machine learning models, especially those outside the usual scope of cybersecurity tools.

This isn't an exhaustive list, but it's a solid starting point, ripe for expansion as more use cases emerge.

Identifying the Prime Moments for Automation

Exploring the capabilities of Enterprise Automation and RPA in cybersecurity uncovers a wealth of potential applications beyond basic task automation. Here's a closer look at some examples, expanded with additional insights:

  • Insider Threat Simulations with RPA: Many tools offer attack and breach simulations, but few can replicate the nuanced behavior of an insider navigating through systems, such as using a web browser to search for specific files in SharePoint. This capability of RPA to mimic human actions can reveal vulnerabilities that traditional security tools might miss, making it a crucial part of your security monitoring toolkit.

  • Incident Response Enhanced by Enterprise Automation: When faced with a security incident, the diversity of tools and platforms involved can make response efforts cumbersome, especially if you're relying solely on a SOAR solution. By incorporating enterprise automation tools, you can leverage their flexibility to create dynamic, adaptable incident response workflows. These can include automated GUI interactions, custom scripting, and the ability to integrate with a broader array of platforms. This approach ensures a more comprehensive and efficient response, capable of adapting to various scenarios and including actions like:

    • Dynamically executing different steps based on the incident's specifics;

    • Initiating and managing the investigation process;

    • Automatically setting up the necessary environment for a thorough investigation, including taking and copying snapshots of memory and hard drives;

    • Maintaining a detailed timeline of all actions taken during the incident response;

    • Allowing initiation and participation by any member of the SOC or Incident Response team, ensuring a collaborative and inclusive approach.

  • Data Loss Prevention (DLP) Optimization: Traditional DLP solutions can sometimes overwhelm security teams with alerts, many of which may not signify actual threats. By integrating enterprise automation tools, particularly those with AI capabilities, you can refine how alerts are classified and prioritized. This integration allows for the creation of more sophisticated labeling and tagging systems for data, enhancing the overall security posture by focusing efforts on truly sensitive information. Such an approach not only streamlines the DLP process but also adds an extra layer of data classification that can help in distinguishing between critical data sets and those of lesser importance.
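The incident-response workflow traits listed above (steps chosen from the incident's specifics, snapshot-based evidence setup, a timeline of every action, initiation by any SOC member) can be sketched as a small playbook runner. This is an added example, not the authors' code or any automation platform's API; the incident data, playbook table and connector actions are constructed placeholders.

```python
"""Incident-response playbook runner: an added example, not the authors' or any vendor's code.
It models the workflow traits listed above (steps chosen from the incident's specifics, evidence
setup via snapshots, a timeline of every action, initiation by any SOC member); all data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

@dataclass
class Incident:
    incident_id: str
    kind: str           # e.g. "malware", "phishing", "insider"
    host: str
    initiated_by: str   # any SOC / IR team member may start the workflow
    timeline: list = field(default_factory=list)

def _log(inc: Incident, actor: str, action: str, detail: str) -> None:
    """Every step, human or automated, lands on one audit timeline."""
    inc.timeline.append({"ts": datetime.now(timezone.utc).isoformat(),
                         "actor": actor, "action": action, "detail": detail})

# Hypothetical connector actions; a real deployment would call the automation platform here.
def open_ticket(inc): return f"ticket opened for {inc.incident_id}"
def snapshot_memory(inc): return f"memory image of {inc.host} stored"
def snapshot_disk(inc): return f"disk image of {inc.host} stored"
def request_account_review(inc): return f"account review requested for {inc.host}"

# Dynamic step selection: the incident kind decides which steps run.
PLAYBOOKS: dict[str, list[Callable]] = {
    "malware": [open_ticket, snapshot_memory, snapshot_disk],
    "phishing": [open_ticket],
    "insider": [open_ticket, request_account_review, snapshot_disk],
}

def run_playbook(inc: Incident) -> list[str]:
    """Run the steps matching the incident, logging each; unknown kinds are escalated, not guessed."""
    _log(inc, inc.initiated_by, "initiate", f"workflow started for kind={inc.kind}")
    steps = PLAYBOOKS.get(inc.kind)
    if steps is None:
        _log(inc, "automation", "escalate", "no playbook for this kind; manual triage required")
        return []
    results = []
    for step in steps:
        result = step(inc)
        _log(inc, "automation", step.__name__, result)
        results.append(result)
    return results

def executed_actions(inc: Incident) -> list[str]:
    return [entry["action"] for entry in inc.timeline]  # action names in execution order
```

The timeline captures who initiated the workflow and every automated step that followed, which is the audit trail a post-incident review needs; unknown incident kinds are escalated rather than handled by a guessed playbook.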

If this sparked your interest, you can watch their talk at DEF CON, where they also share a live demo of how this can be applied.

As we've explored the various applications of enterprise automation in cybersecurity, it's clear that the potential is vast and largely untapped. From insider threat simulations to optimizing incident response workflows and refining data loss prevention efforts, enterprise automation tools offer flexibility, efficiency, and a level of precision that can significantly enhance our cybersecurity strategies.

In today's rapidly evolving technological landscape, we're witnessing the rise of hyperautomation—a sophisticated blend of enterprise automation and security automation technologies. This convergence not only streamlines operational processes but also fortifies our cybersecurity defenses. Hyperautomation leverages the strengths of both worlds, integrating AI, machine learning and other technologies to create more resilient, adaptive, and intelligent security workflows.

By embracing these advanced solutions, organizations can anticipate and respond to security challenges with unprecedented speed and accuracy. This holistic approach to automation and security signifies a paradigm shift, moving us towards a future where cybersecurity is not just reactive but predictive and proactive.

As we continue to explore and develop these integrations, let's remain open to the possibilities that hyperautomation and enterprise automation present. Our journey into enhancing cybersecurity with automation is just beginning, and the road ahead promises to be both exciting and transformative.
