In this week’s Whiteboard Wednesday, Ross Nanopoulos, senior software engineer on the Komand team at Rapid7, walks us through the growing role of security automation in modern cybersecurity programs, including three tell-tale signs that a security or IT operations task can and should be automated.
Want to learn more about how security automation and orchestration work together to maximize and optimize security and IT productivity? Check out our Whiteboard Wednesday on What Is Security Orchestration.
Hi. Welcome to Whiteboard Wednesday. I'm Ross Nanopoulos, a Senior Software Engineer on the Komand team here at Rapid7. And today we're going to talk about security automation. Security automation is the process of executing security operations-related tasks without the need for human intervention. Automation spans every aspect of security. On the defensive side, it covers everything from prevention and detection to response or remediation. On the offensive side, red teams and attackers can utilize automation to perform vulnerability assessments or gain a leg up on their targets. Instead of spending time on manual tasks, teams and practitioners are able to utilize that time and focus on more strategic, value-add projects, such as conducting deeper analysis and implementing proactive security measures. The core benefit of automating security is that it makes practitioners' lives easier and allows them to be more efficient at their jobs.
There are three telltale signs that a task should be automated. Number one: Is it routine? It needs to be done on a very regular basis. For example, every day security teams check their inboxes to see if anyone has forwarded any potential phishing emails. Number two: Is it tedious? Does this involve a very specific set of actions that need to get done, which could include seeing if there are any URLs or attachments in those emails, submitting hashes to VirusTotal, detonating any attachments in a sandbox, like Cuckoo? Number three: Is it time-intensive? Something that leaves little to no room for higher-value and more strategic work. For example, rather than helping developers build security into their development lifecycle, security teams spend their time deleting those phishing emails from all their employees' inboxes.
Sometimes, you may not want to automate everything though. And that's okay. After automating all those tasks I mentioned, an analyst probably still should come in and confirm that it's a phishing email. Great. With automation, we have eliminated most of the tedious work analysts have to do. Now they can click a button, yes or no, and if yes, the automation remediation process kicks off. Otherwise, we can automate the sending of the email to the original user who submitted it and tell them that it was not phishing. This is the key benefit of bringing in orchestration, which Gwen Betts covered in a previous Whiteboard Wednesday. I highly recommend that you go check that out.
Orchestration and automation can work together to empower security teams, offensive and defensive, and allow them to be more effective and focus on analysis and decision making, rather than manual, tedious and time-intensive tasks. That's it for this week's Whiteboard Wednesday. We'll talk to you next time.
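The phishing-triage workflow Ross describes (extract URLs and attachments, look up hashes, detonate unknown files, then leave the final yes/no to an analyst and branch into remediation or a reply to the reporter) is small enough to show end to end. The following is an added example, not Komand or Rapid7 code and not taken from the video. The VirusTotal and Cuckoo back-ends are represented by caller-supplied callables (`hash_lookup`, `detonate`, `url_lookup`) so the pipeline runs offline; the sample email, the addresses and the verdict strings are constructed for the example.

```python
"""Added example (not Komand/Rapid7 code): a minimal phishing-triage pipeline
with the human-in-the-loop decision described in the video. The three tedious
steps (find URLs/attachments, look up hashes, detonate attachments) are
automated; the final "is it phishing?" call stays with the analyst. The
VirusTotal and Cuckoo back-ends are hypothetical callables supplied by the
caller, so everything here runs offline."""
import email
import hashlib
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage
from typing import Callable

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Attachment:
    filename: str
    sha256: str
    data: bytes


@dataclass
class Triage:
    subject: str
    urls: list[str] = field(default_factory=list)
    attachments: list[Attachment] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)

    @property
    def suggested_verdict(self) -> str:
        # What the automation hands to the analyst, never the final word.
        return "suspicious" if self.findings else "no-indicators"


def build_sample_report() -> bytes:
    """Constructed sample: a user-forwarded message with a link and an .exe."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.invalid"
    msg["To"] = "alice@corp.invalid"
    msg["Subject"] = "Password expires today"
    msg.set_content("Your password expires. Reset here: http://reset.example.invalid/login")
    msg.add_attachment(b"MZ\x90\x00 not a real executable", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def extract_indicators(raw: bytes) -> Triage:
    """Step 1 (routine, tedious): pull URLs and attachment hashes out of the mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    triage = Triage(subject=str(msg["Subject"] or ""))
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            triage.attachments.append(
                Attachment(part.get_filename() or "unnamed",
                           hashlib.sha256(data).hexdigest(), data))
        elif part.get_content_type() == "text/plain":
            triage.urls.extend(URL_RE.findall(part.get_content()))
    return triage


def enrich(triage: Triage,
           hash_lookup: Callable[[str], int],
           detonate: Callable[[bytes], str],
           url_lookup: Callable[[str], bool]) -> Triage:
    """Steps 2-3: hash reputation, then sandbox detonation for unknown hashes.
    hash_lookup stands in for VirusTotal (number of engines flagging the hash),
    detonate for Cuckoo (verdict string), url_lookup for a URL reputation feed."""
    for url in triage.urls:
        if url_lookup(url):
            triage.findings.append(f"url flagged: {url}")
    for att in triage.attachments:
        hits = hash_lookup(att.sha256)
        if hits > 0:
            triage.findings.append(f"{att.filename}: {hits} engines flag sha256 {att.sha256[:12]}")
        elif detonate(att.data) == "malicious":  # unknown hash: sandbox it
            triage.findings.append(f"{att.filename}: sandbox verdict malicious")
    return triage


def decide(triage: Triage, analyst_confirms_phishing: bool, reporter: str) -> list[str]:
    """The one step that stays manual: the analyst's yes/no. 'Yes' kicks off
    remediation; 'no' closes the loop with the user who reported it."""
    if analyst_confirms_phishing:
        actions = [f"purge-message: subject={triage.subject!r} from all mailboxes"]
        actions += [f"block-url: {u}" for u in triage.urls]
        actions += [f"quarantine-hash: {a.sha256}" for a in triage.attachments]
        return actions
    return [f"notify: {reporter} - reported message was reviewed and is not phishing"]


if __name__ == "__main__":
    t = extract_indicators(build_sample_report())
    # Constructed look-ups standing in for the real services.
    t = enrich(t, hash_lookup=lambda h: 0, detonate=lambda b: "malicious",
               url_lookup=lambda u: u.endswith("/login"))
    print(t.suggested_verdict, t.findings)
    for action in decide(t, analyst_confirms_phishing=True, reporter="alice@corp.invalid"):
        print(action)
```

The design point is the boundary: everything up to `suggested_verdict` is the part the video calls routine, tedious and time-intensive, while `decide` is the button the analyst clicks. Keeping the back-ends as injected callables also makes the pipeline testable without credentials for the real services.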