With the cybersecurity talent shortage becoming problematic for businesses, more companies are implementing automation in security for repetitive, manual tasks. Organizations are seeking increased efficiency, better predictability and faster decision-making, while helping improve their security posture in the process.
According to a recent ESG report, 19% of enterprises have extensively deployed technologies for security automation and orchestration, while 39% have done so on a limited basis.
In this Ask the Expert, we asked Joe Schreiber, technical director at network security company Tufin Software Technologies Ltd., about the benefits and challenges of implementing automation in security and the CISO role in effective implementation. Schreiber also highlighted the security tasks that are the best candidates for automation and suggested best practices for implementing security automation in the enterprise.
Editor’s note: The following transcript has been edited for clarity and length.
What are the benefits of embracing automation in security? What are some best practices and challenges associated with security automation?
Joe Schreiber: Security teams in particular need to embrace automation because it’s about speed — the speed to remediation and speed to insights. Additionally, one of the benefits that you get from [security] automation is predictability. You push a button and you know what will happen or you believe you know what will happen on the other side, and that’s important for incident response.
Automation is a big investment with a lot of potential upfront costs, whether it’s the labor to write the code or to test it. If you don’t necessarily understand what the long-term benefits of automation are, you might not be ready to make that investment.
A lot of hesitance comes from the implementation standpoint. When you start looking at what can be automated, you may run into legacy devices. There’s still a lot of legacy architecture out there that may not have the ability to automate or, more importantly, be integrated into an orchestrated environment.
When it comes to automating security tasks, the ingestion of data from [security information and event management] platforms has already kind of reached a full automation stage. Secondly, automation is about removing repetition. When I think about what a security administrator or security incident responder does over and over again, it would be things like data augmentation. So, if you’re looking for other sources of data or you’re looking to correlate or enrich your investigations, that’ll be automated. A lot of the malware analysis has been automated already.
There are two factors when it comes to best practices for implementing automation in security. One is the decision to automate. I like to look at it from a value perspective when I start to decide what I’m going to automate. I start with the highest automation value: What will reduce the amount of labor involved in a task and what will increase the predictability of the task? Those are the key elements.
Then, when I move to the actual automation — when I sit down to write code — one fundamental thing that’s important with automation is reusability. If I write something once, I want to be able to reuse that somewhere else. I don’t want to go and write one-off scenarios in my automation platform; I want to write something very generic that can be reused not only by me, but maybe other folks in the organization.
Automation also has a real cross-board component to it; you either need data from someone else or you need to commit actions in someone else’s silo. It’s up to the CISO to really push that path forward for the folks who are doing the security automation and make sure that the entire organization has bought into what everyone is doing, so that they can remove the friction when they go to actually automate things or conduct their automated actions.