Security automation tools help IT teams focus on what's important, rather than what's available. Most security teams today are drowning in alerts, and each alert represents a potential security incident that requires investigation and remediation. The problem is there is never enough time to investigate every security alert sufficiently, so security practitioners continue to drown while they try to battle against the ocean daily.
The premise of security automation is to investigate alerts, correlate a single alert across multiple alerts and then notify a human defender of the results of the investigation. While this is work that people can do, using automation is more effective, as computers don't get tired, don't get frustrated and don't sleep.
By using a security automation tool to process inbound alerts, security teams don't have to hunt down every piece of browser-based malware or even review every log entry. For example, consider an automated SSH login attack framework that sends five bad login attempts in five minutes. Security automation tools would see this pattern and could block the attack automatically or require human approval to block the attack. It might also check the remote attacker address against a list of known bad IP addresses, or even submit the attacker's address to a database of threat intelligence.
But, either way, it's going to stop the attack faster than a person, and it won't feel frustrated that this is similar event No. 39 of 700 it'll see that day.
A security automation tool allows people to focus on the more interesting threats -- those alerts that have passed a threshold that the automation algorithms can't sufficiently remediate, or where closing the threat might alert the adversary to a forensic investigation. This is the type of work that security teams enjoy -- actively hunting for adversaries and ethically engaging before cleaning up the damages and closing any observed vulnerabilities that were exploited.
Events like this should be few and far between in organizations with a sufficient level of security automation. And they should be noteworthy, because they represent an actual threat, rather than a threat actor of opportunity with a commercially available piece of malware.
Have a question for one of our experts? Submit it now. All questions are anonymous.