That kind of granular thinking should not be limited to simply security alerts, either. Leaders should make a concerted effort to understand how staffers currently work through particular functions like creating shift turnover reports, generating metrics for management, or assigning tasks to various team members.
Once you have gathered as much information as possible about existing processes, you can work backward to determine which operations, if automated, would free up the most time for the experts on staff. Some of the repetitive tasks a solution should automate include:
- Alert classification
- False positive identification
- Gathering of additional contextual information
- Initial investigation and triage
- Ticket generation
- Email notification
- Report generation
Knowing what functions to automate is a great first step toward transforming information security operations. The next step is to identify and ultimately onboard a tool that allows the organization to execute that process automation.
First and foremost, a solution must be able to solve the issues of an organization's specific use case. That may sound obvious, but for organizations with complex, proprietary processes, it is not a simple requirement. The tool has to be flexible enough to meet those use cases, as well as the processes that don't have a name — the ad hoc processes that are unique to that organization.
It is also important to determine what level of automation is provided out of the box. One of the cumbersome obstacles that organizations want to avoid is being forced to go back to their vendors every time they want to add a process, report or mitigation. A true enablement tool allows companies to implement new processes, reports, notification and mitigations themselves.
There is some value in pre-canned solutions but, ultimately, an organization needs a tool that can go beyond offering the automations a vendor thinks the organization will need, to enabling the specific operations it actually requires.
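As an added illustration of both points above (the repetitive tasks worth automating, and a tool the SOC can extend itself without going back to the vendor), the following Python script is an example written for this article, not code from any vendor product. It runs a small triage pipeline over constructed sample alerts: classification, context enrichment, false-positive suppression, ticket generation, notification lines and a shift report. The rule table, allowlist and asset-owner map are assumptions standing in for data the organization would maintain itself; adding a new process means appending to those tables rather than changing the pipeline code.

```python
from dataclasses import dataclass, field
from collections import Counter

# Constructed sample alerts, shaped like records a SIEM might forward.
# The hash value is a labelled placeholder, not a real indicator.
SAMPLE_ALERTS = [
    {"id": "A-1", "rule": "brute_force_login", "src_ip": "10.0.0.5", "user": "jdoe", "count": 40},
    {"id": "A-2", "rule": "brute_force_login", "src_ip": "10.0.0.9", "user": "svc-scan", "count": 500},
    {"id": "A-3", "rule": "malware_detected", "host": "ws-12", "hash": "PLACEHOLDER_HASH"},
    {"id": "A-4", "rule": "unknown_rule", "host": "ws-77"},
]

# Organization-owned context (assumed data). The SOC edits these tables directly;
# nothing here depends on a vendor shipping a new playbook.
KNOWN_SCANNER_ACCOUNTS = {"svc-scan"}            # authorised vulnerability-scanner account
ASSET_OWNER = {"ws-12": "desktop-team"}           # hosts not listed resolve to "unknown"

# Classification rules: alert rule name -> (severity, playbook to run).
# A new process is onboarded by adding one line here.
CLASSIFICATION = {
    "brute_force_login": ("medium", "reset-and-notify"),
    "malware_detected": ("high", "isolate-host"),
}
DEFAULT_CLASS = ("low", "manual-review")         # anything unrecognised goes to an analyst


@dataclass
class Ticket:
    alert_id: str
    severity: str
    playbook: str
    context: dict = field(default_factory=dict)
    false_positive: bool = False


def classify(alert):
    """Alert classification: map the firing rule to a severity and playbook."""
    return CLASSIFICATION.get(alert["rule"], DEFAULT_CLASS)


def enrich(alert):
    """Gather additional contextual information from the organization's own tables."""
    ctx = {}
    if "host" in alert:
        ctx["owner"] = ASSET_OWNER.get(alert["host"], "unknown")
    if "user" in alert:
        ctx["scanner_account"] = alert["user"] in KNOWN_SCANNER_ACCOUNTS
    return ctx


def is_false_positive(alert, ctx):
    """False positive identification: brute-force noise from a known scanner account."""
    return alert["rule"] == "brute_force_login" and ctx.get("scanner_account", False)


def triage(alerts):
    """Initial investigation and triage: one Ticket per alert, suppressed ones flagged."""
    tickets = []
    for alert in alerts:
        severity, playbook = classify(alert)
        ctx = enrich(alert)
        tickets.append(Ticket(alert["id"], severity, playbook, ctx,
                              is_false_positive(alert, ctx)))
    return tickets


def notification_lines(tickets):
    """Email notification: one line per open medium/high ticket."""
    return [f"[{t.severity.upper()}] {t.alert_id} -> {t.playbook}"
            for t in tickets if not t.false_positive and t.severity in {"high", "medium"}]


def shift_report(tickets):
    """Report generation: counts for the shift turnover report."""
    open_by_sev = Counter(t.severity for t in tickets if not t.false_positive)
    suppressed = sum(1 for t in tickets if t.false_positive)
    return {"open_by_severity": dict(open_by_sev),
            "suppressed_false_positives": suppressed,
            "total": len(tickets)}


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    print("\n".join(notification_lines(result)))
    print(shift_report(result))
```

Running the script suppresses the scanner-account brute-force alert, escalates the malware alert to the isolate-host playbook, routes the unrecognised rule to manual review, and prints the two notification lines plus the shift summary. The design point is that every decision the pipeline makes is driven by the tables at the top, which is what lets the SOC add a report, notification or mitigation without a vendor change request.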
Imagining a Better Future
What automation tools can't do is replace human expertise. They won't be able to perform all the functions of an expert security analyst's job. But what they can do is free up time for such experts, by eliminating the repetitive tasks that consume their days. That is critical because attacks are changing and continuing to become more complex. And the most effective means we have of identifying the anomalous behaviors that signal these new kinds of attacks is allowing analysts to be creative and spend some of their time hunting for new attacks, rather than completing repetitive, low-value tasks.
Once these experts figure out how to identify and thwart these new types of attacks, they may be able to recreate the process and automate it — but only if they have the time to search for anomalies in the first place.