This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
In a recent Network World article Jon Oltsik noted that Incident Response (IR) automation is becoming a very hot topic in the info security world. Oltsik called out multiple factors driving demand for IR automation and orchestration, including the manual nature of IR work, the cyber skills shortage and the difficulty of coordinating activity between SecOps and DevOps.
I wholeheartedly agree, but would argue that, while automation is important for IR, it matters far more for threat detection (TD), because the volume of work on the detection side is larger by orders of magnitude.
IR automation kicks in only once an intrusion has been confirmed, so the number of cases it can touch is a tiny fraction of a SecOps team's total workload. As an example, take a financial institution whose SIEM was generating 750 alerts per month from a single rule. Manual investigation by human analysts confirmed only 2 of those as genuine threats that merited an IR: a true positive rate of under 0.3 percent.
Automating the resulting IR would save some time, but the bulk of that team's analyst bandwidth went into triaging the 750 alerts, not into responding to the 2 incidents. And, to be clear, this was one rule: their SIEM had dozens of rules generating comparable volumes.
That triage work is as manual and repetitive as IR, and at 750 alerts per rule against 2 confirmed incidents it is an opportunity to save analyst time through automation that is larger by at least an order of magnitude.
When you combine the scale of TD work with the cybersecurity skills shortage called out in the article, you have an extremely compelling case for TD automation.
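As an added illustration of the triage workload described above (example code written for this edit, not code from the article, Network World or any vendor product), the script below models one SIEM rule's month of 750 alerts and applies a first-pass automated triage before a human sees the queue: alerts from a known-benign source are closed with a reason, repeat alerts for the same source, account and target inside a time window are folded into one case, and the remainder is escalated with a priority derived from enrichment. The rule name, the scanner subnet, the internal address ranges and every alert are constructed assumptions; a real deployment would feed them from the asset inventory and the SIEM.

```python
"""First-pass automated triage of alerts from one SIEM rule.

Added example, not from the article or any product. RULE, the enrichment
context and all alerts are constructed assumptions for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RULE = "Excessive authentication failures"  # hypothetical rule name


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src_ip: str
    user: str
    dst_host: str


@dataclass
class TriageResult:
    auto_closed: list = field(default_factory=list)  # (alert, reason)
    duplicates: list = field(default_factory=list)   # folded into an earlier escalation
    escalated: list = field(default_factory=list)    # (alert, priority)


# Constructed enrichment context (assumed): in practice this comes from the asset inventory.
AUTHORISED_SCANNERS = [ip_network("10.0.50.0/24")]  # scanners that trip RULE by design
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]    # the site's own address plan, not IANA's
DEDUP_WINDOW = timedelta(minutes=30)


def is_internal(ip):
    return any(ip in net for net in INTERNAL_RANGES)


def triage(alerts):
    """Apply the three automated steps in order; only the residue reaches an analyst."""
    result = TriageResult()
    last_escalated = {}  # (src_ip, user, dst_host) -> time of the last escalated alert
    for a in sorted(alerts, key=lambda x: x.ts):
        src = ip_address(a.src_ip)
        # 1. Known-benign context: an authorised scanner is expected to fail logons.
        if any(src in net for net in AUTHORISED_SCANNERS):
            result.auto_closed.append((a, "authorised scanner"))
            continue
        # 2. De-duplicate: the same source/user/target inside the window is one case.
        key = (a.src_ip, a.user, a.dst_host)
        prev = last_escalated.get(key)
        if prev is not None and a.ts - prev < DEDUP_WINDOW:
            result.duplicates.append(a)
            continue
        # 3. Everything else goes to a human, prioritised by source and account type.
        priority = "high" if (not is_internal(src) or a.user.startswith("admin-")) else "medium"
        result.escalated.append((a, priority))
        last_escalated[key] = a.ts
    return result


def build_month_of_alerts():
    """Constructed month of 750 alerts from RULE, matching the article's volume."""
    base = datetime(2017, 1, 1)
    alerts = []
    # 700 alerts from the scanner subnet, roughly one an hour across the month.
    for i in range(700):
        alerts.append(Alert(base + timedelta(hours=i), f"10.0.50.{i % 20 + 1}",
                            "svc-scan", f"web{i % 7}"))
    # 48 alerts: one internal host hammering one account every five minutes for four hours.
    for i in range(48):
        alerts.append(Alert(base + timedelta(days=10, minutes=5 * i), "10.20.3.7",
                            "jsmith", "fs01"))
    # 2 alerts: an external address against a privileged account, two days apart.
    for d in (20, 22):
        alerts.append(Alert(base + timedelta(days=d), "203.0.113.5", "admin-dbops", "db01"))
    return alerts


def summarise(result):
    """The numbers a SecOps lead tracks: what automation removed from the human queue."""
    return {
        "auto_closed": len(result.auto_closed),
        "duplicates": len(result.duplicates),
        "escalated": len(result.escalated),
        "high": sum(1 for _, p in result.escalated if p == "high"),
    }


if __name__ == "__main__":
    print(summarise(triage(build_month_of_alerts())))
```

On the constructed month the automation closes 700 alerts, folds 40 more into 8 cases, and leaves 10 for an analyst, 2 of them high priority. Two caveats a practitioner will want: the auto-close step is only as safe as the inventory behind AUTHORISED_SCANNERS (every closed alert carries its reason so the decision can be audited), and internal versus external is decided against the site's own address plan rather than the library's registry of special-purpose ranges, which would otherwise classify the documentation address used here as non-public.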
Causality in the SecOps flow
TD and IR form a chain: the output of detection is the input to response. When TD is not effective at scale (the case for many organizations today), it yields too many false positives, and that noise cripples IR efforts downstream.
At the same time, a major challenge today is too many false negatives: incidents that should have been remediated but were never detected at all. Automating TD will surface more of these hidden breaches, which in turn creates a greater need for fast IR.
Because of this, automation at the TD stage has the greater impact on downstream results, and it directly shapes both the volume and the quality of what IR automation has to work with.
Cognitive automation vs robotic process automation
A Harvard Business Review article describes three types of automation:
- Robotic process automation: routine tasks, low complexity, wide application scope
- Cognitive automation: non-routine tasks, decision-supporting, exploratory, hybrid AI/human training, targeted at specific data sets
- Social robotics: training based on human-to-human interaction, wide application scope
Automating IR is largely a matter of low-complexity, rules-based steps, which puts it in the robotic process automation group.