
Build an Automation Roadmap to Streamline Security Processes

You can’t defend against today’s automated attacks with slow and manual processes.

Automation to the rescue, right? While it’s easy to say automation can solve these issues, automation itself is a challenge.

  • Automation tools come with a steep learning curve that busy professionals may not have time to invest in overcoming.
  • Automation can come at a cost that seems difficult to justify to external stakeholders.
  • Automation itself may pose risks or threaten a corporate culture that is averse to shifting work away from staff.

Ultimately, with automation, CISOs and their staff don’t know where to start.

Our Advice

Critical Insight

Focus automation on eliminating the toil and enhancing everything else. Full autonomization is the goal for most security processes. For all other use cases, automation augmented by human intelligence will effectively balance any risks that automation itself may pose with the benefits of its implementation.

Impact and Result

Our approach gets you over the hump of not knowing where to start and helps you build an automation enablement program that creates momentum to keep making incremental improvements. We do this with the following method:

  • Assessing the suitability of security processes for automation.
  • Weighing the value against the risk of automation.
  • Evaluating the feasibility against other known prerequisites.

In the end, we help CISOs build a roadmap that contains a blend of initiatives that increase their automation maturity as well as future capability.


Build an Automation Roadmap to Streamline Security Processes Research & Tools

1. Build an Automation Roadmap to Streamline Security Processes Deck – A step-by-step document that walks you through the methodology we’ve devised for building your automation roadmap.

From assessing the maturity of all your security processes, to determining their suitability, value, risk, and feasibility for further automation, our process ensures that you maintain forward momentum on your desire to get the most out of your people, process, and technology.

2. Security Automation Workbook – A workbook to carry out the exercises set forth in our methodology.

This workbook includes the security process maturity assessments, as well as the suitability, value/risk and feasibility assessments.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Overall Impact: 9.5/10
Average $ Saved: $75,350
Average Days Saved: 22

Client | Experience | Impact | $ Saved | Days Saved
Zebra Technologies Corporation | Guided Implementation | 10/10 | $137K | 23
Gauteng Provincial Legislature | Guided Implementation | 9/10 | $13,700 | 20


Build an Automation Roadmap to Streamline Security Processes

You can't defend against today's automated attacks with slow and manual processes.

Analyst Perspective

An automation roadmap that only contains initiatives for processes that should be automated is just a wish list

Information security practitioners are burnt out. In a Tines study, 71% conceded this, with 62% of those attributing burnout to spending over half their time on tedious manual work. That tedious manual work, which probably has to be done to meet compliance regulations, isn't being done with the speed and accuracy needed for effective protection and defense – not when we know the attackers themselves are increasingly making use of advanced automation tools powered by AI. The engineers and operations staff know this, and it only fuels their disengagement.

But implementing automation for security processes itself is hard. It's hard to streamline processes with automation when each of the 50 technology tools that the average enterprise uses for cyber defense doesn't integrate nicely with any other. SOAR platforms that claim to solve this problem are difficult to justify to leadership and may not demonstrate an ROI without adequate staff training.

An automation roadmap that only contains initiatives for processes that should be automated is just a wish list – no one above the shop floor cares about the automation of those tasks. The automation roadmap you build using our research is multi-faceted: it includes initiatives that make automation more suitable for some processes, more valuable and less risky for others, and more feasible in some cases. In this way, you are not only automating what you can and should, but also identifying and removing the barriers that are preventing automation from happening at all. This momentum leads more quickly to gains like improved MTTD (mean time to detect) on alerts and MTTR (mean time to respond) on investigations.

But the biggest gain you get from this continuous improvement plan is increased staff engagement and retention. Keep those practitioners happy – let them take care of the rest.

Fred Chagnon
Principal Research Director, Security & Privacy
Info-Tech Research Group

Executive Summary

Security staff need automation

Your information security staff can't adequately defend the organization from attacks that are growing as much in number as they are in sophistication.

  • They're drowning in alerts, most of which are false positives.
  • They're equipped with so many tools, many of which do not work together.
  • The processes to detect and respond to threats are manual and therefore slow.

Ultimately, the job keeps getting harder and staff members are burning out.

Automation brings its challenges

Automation to the rescue, right? While it's easy to say automation can solve these issues, automation itself is a challenge.

  • Automation tools come with a steep learning curve that busy professionals may not have time to invest in understanding.
  • Automation can come at a cost that seems difficult to justify to external stakeholders.
  • Automation itself may pose risks or threaten a corporate culture that is averse to shifting work away from staff.

Ultimately, with automation, CISOs and their staff don't know where to start.

Info-Tech's approach

Our approach gets you over the hump of not knowing where to start and helps you build an automation enablement program that creates momentum to keep making incremental improvements. We do this by:

  • Assessing the suitability of security processes for automation.
  • Weighing the value against the risk of automation.
  • Evaluating the feasibility against other known prerequisites.

In the end, we help CISOs build a roadmap that contains a blend of initiatives that increase their automation maturity as well as future capability.

Info-Tech Insight

Focus automation on eliminating the toil and enhancing everything else. Full autonomization is the goal for commodity security processes. In all other areas, automation augmented by staff for oversight and orchestration will effectively balance any risks that automation itself may pose with the benefits of its implementation.

With cyberattacks on the rise, security staff are struggling to get the job done

Information security practitioners face several challenges impeding them from protecting your organization effectively

Too many alerts

Seventy-five percent of organizations indicate they spend as much or more time on false positives as they do on actual attacks. Forty-six percent agreed that false positive alerts accounted for just as much downtime as actual attacks. (Source: ESG, 2021; n=500)

Too many siloed technology tools

Sixty-four percent of SOC teams are challenged with pivoting from one tool to the next. (Source: Splunk, State of Security 2023) The average enterprise has upward of 50 security tools deployed, and this tool sprawl correlates with an eight percent lower ability to detect an attack and a seven percent lower ability to respond. (Source: IBM Security)

Too many manual processes

When asked what the most frustrating aspect of their job is, just over 50% of security analysts said they spend too much time doing manual work. (Source: Tines)

Too much grunt work

Information security professionals train and certify in the ability to do valuable work such as threat hunting and incident response. However, in a survey, 78% say they are considering a new role because their current function contains too much mind-numbing manual work. (Source: Splunk, State of Security 2023)

Left unaddressed, these challenges will spiral into issues that impact business

[Diagram: four main issues that result – ineffective breach detection, prolonged incident response times, security staff burnout, and non-compliance]

"Leaders need to realize that their security staff have scarce skills, and they need to treat staff burnout due to toil like it's an employee safety problem."

Karl Galbraith
Cybersecurity Consultant, vCISO
Galbraith & Associates Inc.

Automation should be the answer, but it comes with its own set of challenges to overcome

Modern tools aren't used effectively

  • Undocumented processes, or those requiring manual hand-off, stand in the way of making effective use of modern automation platforms.
  • Staff training on the effective use of these tools is also commonly expressed as a barrier to using them to their fullest extent.

Costs of automation are exceedingly high

  • Implementing security automation requires time and money, and it is difficult to justify the costs without an immediate return.
  • High-performing teams struggle to make the case if management feels they are doing "fine" without the aid of automation.

Organizational Resistance

  • Management believes the team is performing well enough without the need for augmentation or technological aid.
  • Other stakeholders do not wish to adapt their processes to support the implementation of automation.
  • An organizational culture that feels threatened by automation.

[Diagram: What is holding back automation in your organization?]

"Many automation tools, such as SOAR[1], suffer from a catch-22 irony: you know that automation will save you huge amounts of time, but it's difficult to implement and requires skills you don't necessarily have in-house. Essentially, you can't afford the tools that will save you money."

Willy Leichter
VP of Marketing, Cyware

1. SOAR (Security Orchestration, Automation and Response): refers to the suites of tools that organizations can use to automate a variety of security processes within their environment.

The security automation imperative

Your manual security processes don't stand a chance against today's automated and increasingly AI-powered attacks.

AI-enabled attacks

An attack where AI is used to assist in the process (e.g. deepfakes and AI-assisted inference attacks).

AI-powered attacks

An attack that is crafted and launched by AI itself. Trained via machine learning and therefore much stealthier, quicker to execute at scale, and more effective than traditional malware.

  • Polymorphic malware, which adapts its own code to avoid detection and increase its effectiveness.
  • Adaptive malware, whose behavior is influenced by streams of continuously updated data.

"As businesses adopt AI to defend their networks, cyber actors will adopt the same AI to attack them more effectively.

In the future, defending against global cybercrime will be a never-ending arms race where no team has a clear advantage unless it comes in the form of human expertise, creative thinking and the ability to adapt rapidly."

— Ray Steen, Chief Security Officer, MainSpring

Build an Automation Roadmap to Streamline Security Processes

Your automation roadmap will contain diverse initiatives

Implementing automation is the end goal, but your roadmap will also contain initiatives that address critical prerequisites to this goal

[Diagram: roadmap initiative types – visibility, suitability, value & risk, feasibility, and automate]

Our approach puts the checkpoints in the right order to ensure an actionable automation roadmap

Phase 1: Security Automation Maturity Assessment
Start by examining the current state of all your security processes, from ad-hoc to fully autonomized.

Phase 2: Suitability, Value, and Risk Assessment
Before diving into the details, assess whether the processes are even suitable for further automation and whether the value would outweigh any risks posed.

Phase 3: Feasibility Assessment
Assess the presence of show-stopping prerequisites such as technology underpinnings, training, or incurred costs.

Phase 4: Present the Roadmap
Prioritize and order the initiatives into their respective waves and present the roadmap to your stakeholders.


About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.


What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 4-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Security Automation Maturity Assessment
  • Call 1: Determine the goals, key metrics, and KPIs.
  • Call 2: Discover security processes and assess their maturity.

Guided Implementation 2: Assess Automation Maturity in Your Security Processes
  • Call 1: Determine automation suitability for each process.
  • Call 2: Determine automation value and risk for each process.

Guided Implementation 3: Assess the Feasibility of Automation
  • Call 1: Determine automation feasibility for each process.

Guided Implementation 4: Build the Automation Roadmap
  • Call 1: Prioritize the initiatives based on impact vs. effort.
  • Call 2: Build the automation roadmap.

Author

Fred Chagnon

Contributors

  • Matt Edwards, President & Software Developer, Cocoon CS
  • Ken Muir, Author, Global Advisory Board, LCM Security
  • Karl Galbraith, Cybersecurity Consultant, vCISO, Galbraith & Associates Inc.
  • 3 anonymous CISO / vCISOs