Prioritize Your Security Automation Tasks in 4 Steps

As the threat landscape continues to evolve, security environments grow in complexity, and the skills gap widens, security teams need to come up with new ways to increase efficiency and productivity in order to keep up. One such way is through security automation, which empowers security teams to focus on high-impact initiatives by eliminating excess noise, reducing low-brain high-time tasks, and increasing alert fidelity. 

According to Gartner, automating/triaging manual tasks such as log management can reduce or eliminate baseline costs. In theory, automation is the perfect solution to a security team’s greatest nightmares. However, without a careful plan for implementing automation, teams can struggle to get started, or even end up creating more work.

To help your team adopt automation in the most effective and efficient way possible, follow these four steps:

#1: Identify the highest-impact tasks for automation

This may sound simple, but without taking the time to carefully consider what tasks to automate, your team can easily end up with a maintenance nightmare, creating automation scripts that require more upkeep than the actual task itself.

During this step, your goal is to identify what tasks, if automated, would reduce the greatest amount of time, risk, and effort. Perform this step with your team and any other individuals throughout the organization that may be impacted by the automations. In order to focus the conversation, ask questions like, “What is something that we must do every day that requires low-brain power?” or “What procedures are most prone to error?” 

#2: Determine the automation’s expected ROI

After you’ve identified tasks that will reduce your team’s time, effort, and organizational risk, estimate the potential return on investment (ROI) that the automation delivers.

For example, if you automate a task that takes 30 minutes out of the day, you could save 182.5 hours per year. Make it a regular practice to document the expected ROI. Then, decide collectively on which tasks to automate first, based on the efficiency and expected ROI your team gains.

#3: Break the automation tasks into sub-steps

With a solid list of tasks to automate, and some idea of expected ROI, it’s time to document the steps needed to develop and implement the automation. Depending on the type of tasks identified, they may be broken into a few separate automations. For each sub-step, note the goal of each action to determine what requires manual input and what can be 100% automated.

Let’s take a look at an example of automating threat intelligence enrichment:

Sub-step 1: Pull threat intelligence data into a database (Goal: avoid searching against 5+ individual threat intel feeds)

Sub-step 2: De-duplicate and prioritize threat intel feeds (Goal: Increase quality and usability of the threat intel enrichment process)

Sub-step 3: Integrate threat intelligence data into SIEM alerts and other security technologies (Goal: automatically alert on the highest-fidelity IOCs)

Sub-step 4: Enhance threat intel feeds from manual feedback (Goal: tweak IOCs based on findings – increase the severity, etc.)

Through this approach, you can see the impact each sub-step has, and make sure everybody is on the same page with the end goal and what’s required to get there.

#4: Evaluate the impact

In step #2, you determined the expected ROI of each automation. Now, it’s important to evaluate the actual impact to determine if you are meeting the expectations and share these results with the business. Use a project management tool, such as JIRA or ServiceNOW, to document why you chose the automation, the ROI, and the necessary steps to build the automation. This allows teams to revisit automations or turn them off if they don’t provide value. The documentation can function as a “lessons learned” report to help the team create more efficient automations in the future.

Remember to start small, test and document the impact, and involve your team throughout the process. You won’t be able to automate everything, but by following these steps, you will be able to prioritize automations based on what will most significantly improve your team’s efficiency and deliver the highest ROI. 

To learn more about how to get started with security automation, get the white paper: Security Automation Fundamentals: Six Steps to Faster Detection and Response.

Brian Philip Murphy is Chief Architect at ReliaQuest, currently driving technical vision on the GreyMatter platform. As an honors graduate from the University of Limerick in Ireland, he relocated to Silicon Valley in California to start his career. Highlights from his 20-year career include: inventing the first search engine for machine data as the first employee at Splunk, creating the “watcher” alerting component of Elasticsearch for Elastic and driving one of the very early cloud security companies at Loggly (acquired by SolarWinds).