Mastering Security Automations

Enhance, Support, and Orchestrate Your Defenses

AuthorAuthor

Filip Stojkovski & Cristian Miron
July 18, 2024 • Estimated Reading Time: 12 minutes

Understanding the Types of Security Automations

As a follow up on our blog posts around SADLC and Unified IR, Detection Eng and Automation process we wanted to share some insights on the next step, so let’s say you got your SOAR or Hyperautomation platform, you have all processes and integrations in place and now you are at the moment ok we start building automations , how do we organise them so we don’t end up with 200+ automations from which 50% are doing same or similar processing.

You might be thinking about automation playbooks for SecOps, DevOps, or security engineering (IAM, guardrails, cloud posture), but there are broader categories as following:

  • Context Enhancement Automations

  • Supportive Task Automations

  • Orchestration Automations

Let’s explore what each type means and how they can enhance your security operations.

Note:You'll find a list of resources for automation ideas at the end.

1. Context Enhancement Automations

Definition: Context Enhancement Automations involve enriching raw security data with additional context. This context, sourced from both internal and external sources, is essential for making informed decisions and improving the overall accuracy of threat detection and response efforts.

Examples:

  • Threat Intelligence Integration: Automatically enriching security alerts with data from threat intelligence feeds. This provides context on indicators of compromise (IoCs), such as known malicious IP addresses, URLs, or file hashes, enabling more accurate threat identification and prioritization.

  • Geo-IP Data Enrichment: Adding geographical information to IP addresses. This helps identify potential threats from specific regions, providing critical insights into the origin of attacks and helping to tailor defensive strategies based on regional threat profiles.

  • User and Entity Behavior Analytics (UEBA): Enhancing logs with user behavior insights. By analyzing normal and anomalous behavior patterns, UEBA helps detect unusual activities that may indicate a security breach, such as unusual login times or access to sensitive data.

  • Host Context Building: Augmenting logs with additional data points that provide context to alerts or specific behaviors. This can include information like user roles, device types, or historical activity patterns, helping analysts quickly understand the potential impact and severity of an alert.

  • Incident History: Enriching alerts with historical context based on similar data points observed in past incidents. This helps in identifying recurring threats and understanding the effectiveness of previous responses, guiding more informed decision-making.

Benefits:

  • Improved Accuracy in Threat Detection: By adding relevant context to raw data, these automations enhance the precision of threat detection mechanisms, reducing the likelihood of false positives and false negatives.

  • Enhanced Context for Faster Decision-Making: With enriched data, security analysts have access to comprehensive information that enables quicker and more accurate assessments of potential threats, leading to faster response times.

  • Reduction of False Positives: Providing additional data points helps differentiate between benign and malicious activities, significantly reducing the number of false positives that analysts need to investigate.

  • Leaner Analytic Rules: Automation allows for simpler and more efficient analytic rules. For example, some query languages may not support complex operations directly, necessitating multiple data iterations. By applying context-enhancement automations, these rules can be simplified, reducing complexity and potential execution errors.

2. Supportive Task Automations

Definition: Supportive Task Automations, also known as Utility Automations or Sub-Playbooks, are essential helpers that support more complex automation workflows. These automations handle routine and repetitive tasks, ensuring that foundational processes run smoothly and efficiently. While they might not be used often as standalone solutions, their true power is realized when combined with enrichment playbooks to build comprehensive end-to-end automation workflows.

Examples:

  • Automated Ticketing: Automatically creating and updating incident tickets in response to security alerts. This ensures that incidents are logged promptly and accurately, facilitating efficient tracking and management of security events. Automated ticketing also helps in maintaining consistent documentation, which is crucial for compliance and auditing purposes.

  • Isolating or Quarantining Suspicious Files: Grabbing suspicious files from endpoints detected by Endpoint Detection and Response (EDR) systems or from email mailboxes. This step is vital in preventing the spread of malware and enabling further analysis in a controlled environment. Automation here reduces the time taken to isolate threats, minimizing potential damage.

  • Malware Sandbox Submissions: Automating the submission of suspicious files to various malware analysis sandboxes and retrieving the analysis results. This allows for quick and thorough examination of potential threats using multiple analysis engines, enhancing the accuracy of threat detection and response.

  • Isolating Cloud Hosts: Automatically isolating specific cloud hosts for analysis and retrieving related configurations or additional logs. This process is crucial when a cloud resource is suspected of being compromised, ensuring that it is contained while further investigation and remediation actions are taken.

  • Updating Block Lists: One of the most common response actions is to update block lists on email protection solutions or firewalls. Automated updates ensure that identified threats are promptly blocked across the network, reducing the risk of repeated attacks from the same sources. This automation also maintains consistency and reduces the likelihood of human error in manual updates.

  • Generating Reports: Automating the generation of recurring reports for managers and various teams. These reports might include security metrics, incident summaries, or compliance status updates. Automated reporting ensures that stakeholders receive timely and accurate information, supporting informed decision-making and strategic planning. It also frees up significant time for security analysts who would otherwise spend hours compiling these reports manually.

Benefits:

  • Increased Efficiency and Productivity: By automating repetitive and time-consuming tasks, security teams can allocate their time and resources to more critical and complex issues.

  • Reduced Risk of Human Error: Automation ensures consistent execution of tasks, minimizing the chances of mistakes that could occur with manual processes.

  • Consistent Execution of Routine Tasks: Automated processes follow predefined protocols, ensuring that tasks are performed the same way every time, leading to reliable and predictable outcomes.

  • Reduction of Tedious Tasks: Offloading mundane tasks to automation tools reduces the operational burden on security teams, improving job satisfaction and allowing analysts to focus on higher-value activities.

  • Reliable and Repeatable Flows for Reporting: Automation ensures that reports are generated consistently and accurately, enhancing the reliability of metrics and supporting better management decisions.

3. Orchestration

Definition: Orchestration Automations involve coordinating and integrating various enrichment and supportive task automations to create comprehensive, end-to-end processes for responding to security incidents. This approach aligns with the principles of the Security Automation Development Lifecycle (SADLC), ensuring that Incident Response (IR) procedures are both efficient and scalable. By orchestrating multiple processes and systems, these automations provide a holistic and integrated response to security threats.

Examples:

  • Phishing Email Handling: Orchestrating the entire lifecycle of a phishing email incident by combining enrichment and supportive task automations:

    • Detection and Reporting: Automating the detection of phishing emails and streamlining the user reporting process.

    • Data Gathering: Automatically gathering Indicators of Compromise (IoCs) and malware samples from reported emails.

    • Analysis: Submitting samples to sandbox environments and cross-checking with threat intelligence feeds to ascertain the threat level.

    • Response: Responding to the reporting user, quarantining the email to prevent further spread, and updating block lists to prevent future occurrences.

    • Remediation: Blocking the IoCs across various security controls and logging all actions for compliance and auditing purposes.

  • Vulnerability Management for Product Teams: Orchestrating an end-to-end automated workflow for vulnerability management by integrating enrichment and supportive tasks:

    • Data Parsing: Automatically parsing scanning data according to team-defined standards.

    • Notification: Sending detailed vulnerability reports to the Vulnerability Management (VM) team.

    • Ticketing: Opening tickets with severity-based classifications and assigning them to the appropriate team queues.

    • Follow-Ups and Escalations: Automating follow-ups for unassigned tickets and escalating issues that remain unresolved after a predefined period.

    • Compliance and Reporting: Generating compliance reports and tracking remediation progress to ensure that vulnerabilities are addressed within required timelines.

  • Internal QA Review: Orchestrating the quality assurance process for closed incidents by integrating enrichment and supportive tasks:

    • Sample Collection: Gathering sample data from previously closed incidents.

    • Assignment and Review: Distributing these samples among team members for review.

    • Data Analysis: Collecting and parsing review data to identify patterns and thresholds for reopening incidents.

    • Training and Procedure Updates: Assigning targeted training to analysts and revising procedures for alert types that consistently fall below quality standards.

  • Resource Permissions Management: Orchestrating the management of resource permissions by combining enrichment and supportive task automations:

    • Permissions Querying: Regularly querying and identifying the permissions set on resources.

    • Usage Analysis: Analyzing the time of last use and identifying dormant permissions.

    • Notification and Action: Notifying users of inactive permissions and automatically removing them unless a veto is requested.

    • Compliance Tracking: Logging all changes and maintaining records for auditing and compliance purposes.

Benefits:

  • Holistic Approach to Threat Management: Orchestration automations provide a unified and integrated response to threats, ensuring that no aspect of the incident response process is overlooked.

  • Significant Reduction in Response Times: Automating end-to-end workflows minimizes manual intervention, leading to faster detection, analysis, and remediation of threats.

  • Enhanced Coordination Between Tools and Teams: Integrating multiple systems and processes ensures seamless communication and coordination across different security tools and teams.

  • Scalability and Consistency: These automations create consistent, repeatable workflows that scale easily with the growth of the enterprise, maintaining a robust security posture regardless of team size or scope expansion.

  • Streamlined Improvements and Updates: Applying improvements or changes to orchestration workflows impacts the entire process, eliminating the need for individual retraining and ensuring uniform application across all team members.

Conclusion

Understanding and effectively implementing various types of security automations is crucial for maintaining a robust defense posture. By categorizing your automations into Context Enhancement, Supportive Task, and Orchestration automations, you can create a structured and efficient approach to managing security operations.

Context Enhancement Automations enrich raw data with vital information, improving the accuracy of threat detection and reducing false positives. These automations provide critical context, enabling faster and more informed decision-making.

Supportive Task Automations handle routine and repetitive tasks, ensuring that foundational processes run smoothly. While not often used as standalone solutions, their real strength lies in supporting more complex workflows, thereby increasing efficiency and reducing the risk of human error.

Orchestration Automations integrate enrichment and supportive tasks to create comprehensive, end-to-end workflows. These automations provide a holistic approach to threat management, significantly reducing response times and enhancing coordination across various security tools and teams. They ensure scalability and consistency, allowing your security operations to grow without compromising effectiveness.

By strategically implementing and organizing these automation types, you can streamline your security processes, enhance your threat detection capabilities, and ensure a faster, more coordinated response to incidents. This structured approach not only improves operational efficiency but also fortifies your overall security posture, making it more resilient against the evolving threats in the cyber world.

Remember, the key to effective automation lies in thoughtful planning and integration. Use these categories as a framework to evaluate your current automations and identify areas for improvement. With the right blend of Context Enhancement, Supportive Task, and Orchestration automations, you can build a security automation strategy that is both comprehensive and adaptable to the future needs of your organization.

For more automation ideas and resources, check out the list provided at the end of this blog. Happy automating!

If you want to get on a call and have a discussion about security automation, you can book paid consultancy here:

Become an Ultimate Supporter of our blog and gain exclusive access to cutting-edge content, while playing a pivotal role in sustaining our community.

By joining the Ultimate Supporter tier, you decide how much you wish to contribute, directly aiding in the maintenance and growth of our website. Your support helps us cover essential costs, ensuring we can continue to deliver top-notch insights and tools for engineers and cybersecurity leaders.

As an added benefit, each Ultimate Supporter will receive a link to the editable versions of the visuals used in our blog posts. This exclusive access allows you to customize and utilize these resources for your own projects and presentations.

Join us today and be part of a movement that drives innovation and security in the digital world. Your contribution, big or small, makes a significant impact. Let's secure the future together!

Resources

Playbook of the Week Archives - Palo Alto Networks Blog

www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week

SOC Automation Explained: 7 Real-World Examples

Explore seven real-world SOC automation examples enabled by D3’s Smart SOAR platform.

d3security.com/blog/soc-automation-examples

How Torq Hyperautomation Simplifies Phishing Analysis for SOC Teams

Discover how Torq Hyperautomation simplifies phishing analysis, boosts SOC team efficiency, and mitigates phishing attacks with advanced automation tools.

torq.io/blog/automated-phishing-analysis

SOC Automation Use Cases: Where to Start - Blink

Security automation is a powerful tool for SOC teams, but it can be tricky to decide where to begin. Here are the top use cases to kickstart your SOC automation.

www.blinkops.com/blog/soc-automation-use-cases

200+ AI & Automation uses cases you can use now.

Struggling to identify suitable AI Use Cases? That's why we created a repository of AI and Automaton

botnirvana.org/bots

Blink Workflow Library: 5K+ DevOps and SecOps Workflows

library.blinkops.com/workflows

Reply

or to participate.