Security

Demystifying Security Automation for University IT Teams

Automating tasks can help ease the burden on university cybersecurity teams, but which tasks are safe to offload?

Mike Chapple is an IT professional and associate teaching professor of IT, analytics and operations at the University of Notre Dame.

It’s no secret that cybersecurity teams are stretched very thin these days. Between the cybersecurity skills gap and increasing demands on teams to take on more responsibilities, it’s easy for cybersecurity leaders to feel overwhelmed with the amount of work facing them.

This push for greater efficiency and effectiveness is driving many teams to adopt security strategies that offload much of the mundane work of cybersecurity onto automation technologies, allowing analysts to focus their efforts on work that adds greater value to the organization.

Automating security work can be an intimidating prospect. CISOs may be hesitant to place important cybersecurity tasks in the hands of an algorithm, but doing so offers significant benefits. In addition to saving time by taking work out of the hands of human analysts, automating routine work takes away much of the dull work that bores security team members and allows them to focus on more engaging activities.

Security automation also allows many responses to trigger instantaneously. Your team needs sleep, but security automation platforms operate 24/7 and can respond rapidly, allowing the team to simply verify the work performed by the automation platform rather than working their own way through routine checklists.

Click the banner below to receive exclusive content about security in higher ed.

SOAR Platforms Help Automate Cybersecurity Tasks

Security orchestration, automation and response (SOAR) platforms are driving efforts to automate cybersecurity functions. These systems build on the information-gathering and correlation capabilities of security information and event management (SIEM) technologies by adding on automated response capabilities. When a SOAR platform detects that certain conditions are met, it can immediately trigger a playbook of activities designed to respond to those conditions.

For example, if an endpoint detection and response (EDR) system notifies a SOAR platform that malware was detected on an end-user device, the SOAR platform can automatically kick off a series of actions, including:

Modifying the network configuration to place that system on an isolated VLAN where it cannot communicate with any other devices, containing the damage caused by the infection
Triggering the EDR platform to remediate the malware infection, restoring the system to proper working order
Firing off a vulnerability scan that analyzes the system’s configuration to confirm that it no longer poses a threat to itself or the network
Modifying the network configuration again at the completion of these tasks to restore the system’s normal access

All those actions, which might previously have required hours of effort by cybersecurity professionals, can take place quickly when automated through a SOAR platform.

FIND OUT: This is what it takes to secure the cloud.

The workflows triggered by SOAR playbooks do not need to be strictly sequential in nature, either. The workflow above could be enhanced by adding conditional steps that occur based upon the results of prior steps. For example, Step 3 could be modified to take different actions depending on the results of the vulnerability scan. If the scan reveals that the system is remediated, the workflow could move on to Step 4 and automatically restore normal operations.

If, on the other hand, the scan reveals that the automated remediation was unsuccessful, the system could remain on the quarantined VLAN and the SOAR platform could open a ticket in the organization’s IT service management platform to trigger a human investigation and response.

When Implementing Automation, Start Small

Once you have a SOAR platform in place, you can integrate it with many of your existing security tools to perform a variety of routine tasks. It’s normally a good idea to start small and focus on efforts that have the highest potential payback in terms of time savings and pose the lowest risk to the organization. Let’s take a look at three ways SOAR platforms can quickly add value to an organization.

• Automate malware incident response efforts. We’ve already discussed malware response as a prime example of the effectiveness of SOAR platforms. Given the burden that malware response places on security teams, automating these responses should be a high priority for any SOAR implementation effort.

• Gather information for incident responders. Incident responders spend a lot of time gathering information as they attempt to triage and respond to cybersecurity events. SOAR platforms can automate much of this work by reaching into other systems and information sources to gather the basic facts before passing an event on to a human analyst for investigation. For example, if the SOAR suspects that a system is connecting to a botnet, the system can gather network traffic logs, threat intelligence data, user information and other records to prepare a dossier that analysts can use as they investigate the incident.

• Process phishing messages. Every organization is deluged by phishing messages and most have a standardized workflow when users report these messages to administrators. Cybersecurity analysts might immediately remove the message from the inboxes of other users, add destination systems in links to a Domain Name System blackhole, identify systems that visited the link and run malware scans on them, block future messages from the same source, and perform other related actions. All of these tasks can be automated using SOAR technology.

LEARN MORE: Protect networks with next-generation endpoint security.

These three use cases are just starting points based on the types of automation that will benefit most organizations. As teams roll out SOAR technology, they should think about the pain points that they encounter and identify organization-specific use cases that will deliver the most value to their teams.

Evgeniy Shvets/Stocksy