The Rise of Agentic Process Automation in Cybersecurity

ASAP - Why not another buzz word

Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

In this post, I want to dive into a topic that has caught my attention lately: Agentic Process Automation (APA). For those unfamiliar, APA is an exciting evolution in process automation, typically seen in business operations. However, its potential applications in cybersecurity are incredibly promising.

As cybersecurity professionals, we're always on the lookout for the next big thing to streamline operations, enhance security, and stay ahead of threats. Over the years, we've seen the transition from manual incident response to more sophisticated automated solutions. First came SIEM (Security Information and Event Management), then SOAR (Security Orchestration, Automation, and Response). Each step has brought us closer to more efficient, automated security operations. Now, with the emergence of Agentic Process Automation, we might be on the cusp of another significant leap forward.

APA represents a shift from static, rule-based automation to dynamic, intelligent systems capable of interpreting tasks and making real-time decisions. This is especially relevant for cybersecurity, where threats are constantly evolving, and the ability to adapt quickly is crucial. The integration of AI agents in process automation promises to bring a new level of flexibility and efficiency, potentially transforming how we manage security operations.

Author: Filip Stojkovski

Evolution of SOAR

SOAR technologies first appeared around 2015. Initially, SOAR platforms were somewhat limited, focusing on basic automation and orchestration capabilities to handle minor incidents. However, as the technology matured, it began offering more sophisticated features, including advanced automated playbooks, deeper integrations with other security tools, and enhanced case management functionalities. Despite their early success, SOAR platforms have notable drawbacks:

  1. Complexity of Integration: Integrating SOAR platforms with existing security infrastructure can be complex and time-consuming. It requires significant effort to ensure compatibility with various security tools, systems, and processes. Most SOAR solutions advertise integration with 100+ vendors, but often offer limited actions. For more complex tasks, you either need to ask the vendor to develop the integration (which might take months) or develop it yourself, which requires a dedicated FTE, most likely a developer, to use their SDK and maintain the integration if the vendor changes the API.

  2. Skill Requirements: Despite SOAR’s ability to reduce manual tasks, skilled personnel are still needed to manage and optimize the platform. Security teams must understand both the technical and operational aspects of SOAR to effectively configure automated workflows and maintain the system, which is challenging given the current cybersecurity skills shortage.

  3. Customization and Tuning: SOAR platforms often require significant customization to fit an organization's specific needs. This involves creating and refining playbooks, integrating various data sources, and tuning the system to reduce false positives and negatives. The process can be labor-intensive and requires ongoing adjustments as threats evolve and the organization's environment changes.

  4. Scalability Issues: While SOAR solutions are designed to scale, some platforms may encounter performance issues as the volume of data and automated tasks increases. Ensuring the SOAR platform remains efficient and responsive at scale can be a significant challenge.

SOAR Consolidation

As SIEM technology advanced, it was inevitable that SOAR capabilities would be integrated. SIEM platforms that consolidate logs and have detection engines would naturally evolve to include case management and automated response and remediation capabilities. Many SOAR platforms have been acquired by cybersecurity companies offering SIEM. For example, Demisto was acquired by Palo Alto, Siemplify by Google/Chronicle, Phantom by Splunk, and Fortinet acquired CyberSponse.

The Birth and Rise of Hyperautomation

Four years later, in 2019, Gartner coined the term Hyperautomation. The idea behind Hyperautomation is that it represents the next generation of SOAR, with several key changes:

  • Low-Code/No-Code Platforms: These platforms have become easier to adopt, utilizing machine learning (ML), artificial intelligence (AI), and robotic process automation (RPA).

  • Extended Usage: Hyperautomation extends beyond the SecOps world, integrating with the entire cybersecurity stack, from operations to governance and guardrails. It combines process automation with IT and DevOps automation.

  • Advanced Technologies: Technologies like natural language processing (NLP) can understand and process unstructured data, while optical character recognition (OCR) automates the reading of documents.

  • Ease of Building Integrations: One of the biggest advantages is the ease of building new integrations.

Some challenges include:

  • Stakeholder Buy-In: Extending beyond SecOps requires buy-in from multiple stakeholders, making it harder to decide on a single platform.

  • Solid Processes Needed: The powerful capabilities of Hyperautomation platforms mean that without solid processes and proper role-based access control (RBAC), you could easily end up with chaotic automation efforts, leading to potential security risks.

  • Lack of Case Management: Most Hyperautomation platforms do not have out-of-the-box case management capabilities like SOAR did. Separate platforms like Jira, ServiceNow, or Asana are required for this function.

Automated Security Agentic Processes (ASAP)

I played around with the words to come up with a cooler acronym—because let’s be real, who hates acronyms and buzzwords more than the cybersec crowd? 😂

If we consider the 4-5 year cycle of the security automation space, it seems like we’re due for the next-gen Hyperautomation platforms. And just so you know, Gartner recently introduced a term that I find pretty lame: Automated Incident Response (AIR). Seriously, AIR? You can read more about it here.

I don't have the full research paper, so I can't speak to their thought process, but whatever happened to the excitement around Hyperautomation?

source: Gartner / shared by Torq

Now, let's dive into this whole agentic thing. I first saw it posted by Nandan Mullakara and you can find more details on Bot Nirvana.

The third and current phase in the evolution of automation is with AI Agents and what is being termed Agentic Process Automation (APA). APA represents a significant leap forward by leveraging Large Language Models (LLMs) and AI agents to create autonomous, intelligent systems capable of dynamically constructing and executing workflows. Unlike RPA and IA, which rely on predefined rules and human oversight, APA enables AI agents to interpret tasks, make real-time decisions, and continuously adapt workflows based on real-time data. This phase offers high flexibility and adaptability, allowing automation systems to handle complex and dynamic tasks intelligently. APA’s ability to autonomously create your automation workflows and continuously improve based on feedback sets it apart as the most sophisticated form of digital automation so far.

This evolution from RPA to APA marks a shift from static, predefined automation to a more dynamic, intelligent form of automation that can handle complex tasks.

To make things even better, guess what? We have an open-source project for this: ProAgent on GitHub.

source: OpenBMB project

Now, let’s talk about how this might evolve into the cybersec space. Imagine instead of writing an automation yourself, you have an agent or a browser-based plugin monitoring your day-to-day processes. It comes up with suggestions on what you can automate and then builds the automation for you. Need an integration? The agent pulls the API documentation and builds the integration with all actions available. Pretty cool, right? And this is just one use case. There are already many AI-SOC solutions tackling this problem. For more on that, check out Software Analyst Newsletter.

The Potential of Agentic Process Automation

Agentic Process Automation (APA) represents a significant leap forward by leveraging Large Language Models (LLMs) and AI agents to create autonomous, intelligent systems capable of dynamically constructing and executing workflows. Unlike RPA and IA, which rely on predefined rules and human oversight, APA enables AI agents to interpret tasks, make real-time decisions, and continuously adapt workflows based on real-time data. This phase offers high flexibility and adaptability, allowing automation systems to handle complex and dynamic tasks intelligently.

If you are interested in exploring AI agents, here are some suggestions by Dylan Williams.

Conclusion

So, what do you think? How far are we from having the next-gen Hyperautomation platforms with advanced Gen-AI capabilities? Will Tier 1 SecOps analysis become almost entirely automated, leading to a shift towards SecEng roles rather than analysts? In my opinion, it might take a couple of years to reach the point where these next-gen AI SOC/ASAP platforms are fully integrated. However, the pace of technological advancement suggests that we are on the cusp of significant changes in cybersecurity automation. The evolution from SOAR to Hyperautomation and now to Agentic Process Automation is an exciting journey, promising more intelligent, adaptive, and comprehensive security solutions. Let's keep an eye on these developments and be ready to embrace the future of cybersecurity.
