
A Security Automation Playbook for 2023 (Or Any Year)

Amid a severe cybertalent shortage, security executives would be wise to consider how machines can better assist humans, rather than the other way around.


Security automation is far easier said than done.

Consider the experience of the Department of Homeland Security, with its Continuous Diagnostics and Mitigation (CDM) program. Developed in 2012, the program’s goal is to improve the security of federal agencies through the continuous assessment and remediation of systems for threats, vulnerabilities, data leaks, and security tools that fall out of policy compliance.

Because of agency missteps and complexities, the program got off to a slow start. According to a DHS report from the Office of Inspector General, DHS originally hoped to get the first part of the program in place by 2017, but that slipped to 2022. By April 2023, however, civilian federal agencies will be required to perform automated weekly security assessments and conduct an accurate accounting of the security flaws they find.


It’s yet another step the federal government is taking to increase security automation. But faltering progress like this doesn’t have to be the norm with federal agencies—or with companies in the private sector, for that matter. By learning from key industry best practices, organizations can automate security the right way.


The automation challenge

For years, automating security has been touted as a holy grail. Efforts have included IBM’s attempt to move the industry to the self-healing capabilities of “autonomic” computing, and later the networking industry’s push for the automated healing capabilities of “network access control.” Neither grew in popularity as much as supporters had hoped.


Things have improved greatly since those earlier efforts. Large numbers of security processes can be automated, mainly due to increased adoption of new security automation standards, application programming interfaces (APIs) connecting computer programs, and cloud systems. Automation is helping to reduce or eliminate the majority of burdensome and often repetitive operational tasks, allowing IT teams to spend more time on strategic security initiatives. That’s critical given the persistent security skills gap. Indeed, with the ongoing threat from nation-states, ransomware gangs, and other rogue actors, enterprises need cybersecurity help anywhere they can find it.

To address these challenges, take the following steps, which the experts interviewed by Focal Point recommend.

Embrace DevSecOps

One of the most straightforward strategies enterprises can adopt is to build security tests into the software development life cycle, a process known as DevSecOps. Software flaws otherwise slip into products and services, where they could be used to attack other systems. Once in production, these vulnerabilities are more costly to fix.

The DevSecOps field has plenty of room for improvement, however. A survey conducted by Venafi, a vendor of cryptographic and digital-certificate security products, found that 97% of senior IT executives agree that software development processes are not secure enough. Additionally, GitLab’s 2022 Global DevSecOps Survey found that less than half of respondents (42%) implement DevSecOps, although that is an increase from 36% in 2021.

“Application security is an area that definitely should be automated, especially with all of the tools available for automated security checks within the continuous development and delivery pipelines,” says Kenneth Swick, senior security consultant at security services provider NCC Group. “These areas are rife with automation capabilities.”

Manage infrastructure as code

With the trend toward infrastructure as code (IaC), both physical and virtual computing systems can be deployed and managed automatically through predefined, machine-readable definition files rather than physical or manual processes. This helps ensure system and security settings remain unified.

Systems can be automatically reverted to the desired settings when they deviate. And this approach has another advantage: “To the extent organizations can automate and enforce secure workloads through their entire life cycle, they can substantially reduce their attack surface,” says Swick.


NetOps is a related trend. It’s a catch-all phrase for automating network security, management, and performance. As with IaC, network configurations, performance tolerances, and security settings are codified and automatically enforced wherever possible.

“In networks, we’re just beginning to see network functions being automated,” says Gary Marks, president at Opengear, a network technology company. Organizations are beginning to adopt approaches like zero-touch provisioning, in which a networked system is deployed and automatically configured and managed.

In its Infrastructure as Code Security Cheat Sheet, the Open Web Application Security Project (OWASP) explains how IaC environments enable exceptional event logging and the “immutable” and continuous monitoring of infrastructure. You build the infrastructure components to an exact set of specifications, without deviations or changes. If a change to a specification is required, a new set of infrastructure is provisioned based on the updated requirements, and the previous infrastructure is taken out of service.
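As an added example that is not from the article or from OWASP, the following code shows the drift-detection step this section describes: comparing a host's observed settings against its IaC desired state and deciding whether the host is reconciled in place or, for security-relevant drift, replaced from the specification. The host names, settings, and sample values are constructed.

```python
# Added illustration (not from the article): detect configuration drift
# against an IaC-style desired state and choose a remediation action.
# Host names, setting keys and sample values are constructed.
from dataclasses import dataclass, field

# Constructed desired state, as an IaC definition file would declare it.
DESIRED = {
    "web-01": {
        "ssh_password_auth": False,
        "open_ports": {22, 443},
        "log_forwarding": True,
    },
}

# Settings whose deviation widens the attack surface; other drift is benign.
SECURITY_KEYS = {"ssh_password_auth", "open_ports"}


@dataclass
class DriftReport:
    host: str
    deviations: list = field(default_factory=list)  # (key, desired, observed)
    security_relevant: bool = False
    action: str = "none"  # "none", "reconcile" or "replace"


def detect_drift(host, desired, observed):
    """Compare observed settings with the desired spec for one host."""
    report = DriftReport(host)
    for key, want in desired.items():
        have = observed.get(key)
        if have != want:
            report.deviations.append((key, want, have))
            if key in SECURITY_KEYS:
                report.security_relevant = True
    if not report.deviations:
        return report
    # Immutable-infrastructure approach from the article: security-relevant
    # drift means the host is re-provisioned from the spec, not patched live;
    # benign drift is reconciled back to the declared value in place.
    report.action = "replace" if report.security_relevant else "reconcile"
    return report


if __name__ == "__main__":
    observed = {"ssh_password_auth": True, "open_ports": {22, 443, 8080},
                "log_forwarding": True}
    print(detect_drift("web-01", DESIRED["web-01"], observed))
```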

Automate identity

Identity management—ensuring that users, devices, and systems have access to only the resources and data they’re entitled to—consists of authenticating that entities are who and what they purport to be and then authorizing access for those entities. Because authentication and authorization are highly repetitive processes, identity management is an area that features many opportunities to automate. But since enterprises face increasingly complex on-premises and cloud environments and applications, as well as strong regulatory pressure, provisioning resources to users and managing their access levels has grown increasingly challenging.


Many identity-related processes are siloed within business units. Therefore, centralizing identity systems, integrating them with human resources systems, and defining access levels and user privileges according to specific job roles (known as role-based access control) can make automating provisioning, ongoing management, and de-provisioning much more straightforward.

“A properly crafted set of security-conscious, automated workflows can potentially replace most organizations’ account management practices and enable the business to self-manage its user base with a pre-agreed acceptable level of risk,” says Jason Sieroty, an enterprise solutions architect at technology solutions provider e360. “The resulting process will be efficient and repeatable, allowing employees to be productive sooner and in a safer manner.”

Adopt a SOAR platform

SOAR—which stands for security orchestration, automation, and response—is a set of security tools and processes that enable security teams to automate aspects of security operations, incident response, and vulnerability management.


For instance, threat intelligence feeds and security alerts can automatically trigger certain incident response “playbooks,” depending on what is detected. SOAR also uses artificial intelligence and machine learning, when possible, to assist security analysts, threat hunters, and security operations teams.

Some activity within the security operations center (SOC) can be automated. SOC teams work on preventing, monitoring, detecting, and responding to security incidents. For instance, when security alerts can be correlated with threat intelligence and vulnerability management data, systems may be able to automatically determine that certain alerts are low-risk, or they can escalate a response when conditions appear more threatening. These basic tasks are typically conducted by so-called “level one” security analysts.
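The correlation step described above, as an added example that is not from the article or any SOAR product: each alert is scored against a threat-intelligence indicator set and vulnerability-management data for the affected asset, and the score decides whether the alert is auto-closed as low-risk, escalated, or left for an analyst. The feed contents, asset names, addresses and thresholds are constructed.

```python
# Added illustration (not from the article): a SOAR-style triage step that
# correlates an alert with threat intel and vulnerability data.
# All indicators, assets and thresholds below are constructed.
from dataclasses import dataclass

# Constructed threat-intel feed: source indicator -> confidence (0-100).
THREAT_INTEL = {"203.0.113.9": 90, "198.51.100.4": 40}

# Constructed vulnerability-management data: asset -> {(service, exploitable)}.
VULN_DATA = {
    "web-01": {("http", True), ("ssh", False)},
    "hr-laptop-7": set(),
}


@dataclass
class Alert:
    asset: str
    src_ip: str
    service: str
    severity: int  # 1 (low) to 5 (high), as reported by the sensor


def triage(alert):
    """Return (disposition, score, reasons) for one alert."""
    score, reasons = alert.severity * 10, []

    # Enrich with threat intel: a known-bad source raises the score.
    conf = THREAT_INTEL.get(alert.src_ip)
    if conf is not None:
        score += conf
        reasons.append(f"source {alert.src_ip} in threat intel (confidence {conf})")

    # Enrich with vuln data: the targeted service is exploitable on this asset.
    exposed = {svc for svc, exploitable in VULN_DATA.get(alert.asset, set())
               if exploitable}
    if alert.service in exposed:
        score += 50
        reasons.append(f"{alert.service} on {alert.asset} has an exploitable vuln")

    # Thresholds are constructed; a real playbook would tune them per environment.
    if score >= 100:
        return "escalate", score, reasons
    if score < 40 and not reasons:
        return "auto-close", score, reasons
    return "analyst-review", score, reasons


if __name__ == "__main__":
    print(triage(Alert("web-01", "203.0.113.9", "http", 3)))
```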


“A lot of level-one analyst activity can be automated,” says Scott Crawford, information security research head at 451 Research, part of S&P Global Market Intelligence. “A lot of security operations centers use SOAR, and they build automated or partially automated playbooks to respond to incidents.”

Overcome obstacles one by one

Of course, automating security isn’t easy, and not every organization, or even most organizations, is mature enough to automate everything. Some challenges include a lack of understanding of internal security policies or insufficient tool standardization.

“Many organizations have very inconsistent approaches to their security program, and the best place for these organizations to start will be first to standardize their security program,” says Swick. “Then identify areas with a high probability of success and break those projects into manageable chunks.”

Crawford adds that in addition to security teams picking areas to automate with a high probability of success, organizations must understand the processes they have in place before attempting to automate. By automating less than optimal or poor processes, “you are very likely going to make your situation worse,” he says. Examples include automatically provisioning users with poorly defined roles, or automatically deploying cloud workloads that aren’t properly configured.


Executives should also take advantage of the government’s help. In June 2021, the National Institute of Standards and Technology (NIST), in partnership with private industry, announced the development of the Open Security Controls Assessment Language (OSCAL), a multiformat framework that facilitates security automation, continuous assessments, and audits. NIST believes that OSCAL will improve the efficiency, accuracy, and consistency of security assessments and enable continued review and monitoring of capabilities.

Such efforts could eventually help all organizations more readily automate portions of their security efforts. And while security can’t be fully automated, an increasing number of tools and approaches can help increase what can be automated.

When organizations take a close look and automate what they can, they free their staff from mundane tasks and make their security operations much more efficient. As attacks grow in number and sophistication, and security talent remains tight, security pros need all the efficiency they can get.

George V. Hulme

George V. Hulme is an information security and business technology writer. He is a former senior editor at InformationWeek magazine, where he covered the IT security and homeland security beats. His work has appeared in CSO Online, Computerworld and Network Computing.
