This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
There’s been a lot of talk about security automation, but it’s increasingly unclear what is what. For example, a Network World article on security automation last year focused mostly on threat detection, a Gartner report on Intelligent and Automated Security Controls focused on the threat intelligence component, and another recent piece referenced security automation simply as “the automation of cybersecurity controls.”
The fact is, security automation is starting to go beyond prevention and detection technologies, reaching into other important components of IT infrastructure to more reliably protect organizations. Here are four of the newest and most advanced elements you should consider when discussing security automation:
1. Policy execution. As networks have grown significantly more complex, manually managing the associated security policies has become nearly impossible. Enter policy execution automation, which refers to the automation of any administrative work required of IT security. A variety of vendors offer tools for automating the management of network security policies, which can help you more easily meet internal or regulatory security requirements. Some also offer automated services for administrative tasks like user onboarding/offboarding and user lifecycle management. Automating provisioning, deprovisioning and user access control can help IT teams gain greater control over data, costs and time, and the companies offering these tools sometimes refer to themselves – or are generically referred to by others – as offering security automation.
2. Alert monitoring and prioritization. Some people view the job of automation through the lens of monitoring and prioritizing alerts. Traditionally, alert monitoring and prioritization was a manual task, and a very tedious one at that. A team of analysts in a security operations center would have to compile alerts and literally stare at monitors all day in order to determine which data points were important. Today, there are methods for automating alert monitoring and prioritization that vary in sophistication. For example, this might include setting rules and thresholds, relying on threat intelligence or implementing more advanced behavioral analytics or machine learning technology.
Setting rules and thresholds is declining in effectiveness, as it relies on manual input from a person to determine which alerts are important and which aren’t. It also requires regular maintenance of those rules, because cybersecurity threats are constantly changing and attackers often know exactly which alerts companies will be looking for. Relying on threat intelligence, on the other hand, is a little more reliable. This form of automation refers to the collection of threat intelligence from multiple sources, and it can help companies know which alerts to look for and which are important. For instance, if a company is able to access and consume multiple intel sources, it would know when a certain type of attack is occurring across the globe. Automated threat intelligence can then help the company prepare to protect itself against that potential incoming attack before it’s too late.
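As an added example (not from the article or any vendor it alludes to), the following script combines the two prioritization approaches just contrasted: a manually maintained threshold rule and enrichment from several threat-intelligence feeds, where an indicator corroborated by more than one feed scores higher. The feed names, indicator scores, threshold and sample alerts are all constructed for illustration.

```python
"""Alert prioritizer combining a static threshold rule with multi-source
threat-intel enrichment. All feeds, scores and alerts are constructed."""

# Constructed threat-intel feeds (hypothetical names): indicator -> confidence.
FEEDS = {
    "feed_a": {"203.0.113.9": 70, "198.51.100.4": 40},
    "feed_b": {"203.0.113.9": 60},
}

# Constructed, manually maintained rule: more than this many failed logins
# from one source is suspicious. This is the kind of rule that needs upkeep.
FAILED_LOGIN_THRESHOLD = 5


def merge_feeds(feeds):
    """Merge feeds into {ioc: (summed_confidence, number_of_feeds_listing_it)}."""
    merged = {}
    for entries in feeds.values():
        for ioc, conf in entries.items():
            score, sources = merged.get(ioc, (0, 0))
            merged[ioc] = (score + conf, sources + 1)
    return merged


def prioritize(alerts, feeds=FEEDS, threshold=FAILED_LOGIN_THRESHOLD):
    """Return alerts (dicts with 'src', 'event', 'count') sorted by score, highest first."""
    intel = merge_feeds(feeds)
    ranked = []
    for a in alerts:
        score, reasons = 0, []
        # Rule/threshold component: fires only on the event type it was written for.
        if a["event"] == "failed_login" and a["count"] > threshold:
            score += 30
            reasons.append("threshold")
        # Threat-intel component: confidence plus a bonus for each extra corroborating feed.
        if a["src"] in intel:
            conf, sources = intel[a["src"]]
            score += conf + 20 * (sources - 1)
            reasons.append(f"intel:{sources}")
        ranked.append({**a, "score": score, "reasons": reasons})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


# Constructed sample alerts (documentation IP ranges).
SAMPLE_ALERTS = [
    {"src": "192.0.2.10", "event": "failed_login", "count": 8},    # rule fires, no intel
    {"src": "203.0.113.9", "event": "dns_query", "count": 1},     # rule silent, two feeds
    {"src": "198.51.100.4", "event": "failed_login", "count": 2},  # below threshold, one feed
    {"src": "192.0.2.55", "event": "failed_login", "count": 1},    # nothing matches
]
```

Note that the DNS query from the doubly-corroborated indicator tops the list even though no threshold rule covers that event type, which is the gap the article says static rules leave.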