Process automation can become one of the main allies of cybersecurity. At ThreatQuotient they are convinced of it, and their Country Manager for Spain, Eutimio Fernández, tells us about the current and future possibilities of automating the online security of companies, without neglecting the main obstacles faced by a company that wants to automate its cybersecurity tasks.
[MCPRO] According to the Report on the automation of Cybersecurity in 2021, practically all the companies surveyed give a high priority to the automation of cybersecurity of their companies, but at the same time, and paradoxically, slightly more than 40% do not trust the results that can be obtained with automation. What do you think this could be due to?
[Eutimio Fernández] Cybersecurity automation is not easy, but let’s say there are two elements to consider. On the one hand, the automation algorithms or playbooks that run. In this sense, Gartner in its report “Is your Organization Mature Enough for SOAR?” has already brought to light some conclusions that, among others, told us that the security teams did not have well-defined internal processes, which made automation fail in many cases. This lack of definition makes the algorithms suboptimal, and also the default algorithms must be changed to truly conform to business processes. In short, skills are needed to define these playbooks well and then make efficient, through automation, those that are already effective.
On the other side is the data. An automation tool has no intelligence to understand the data it is running. Thus, automation will increase noise if the data on which it automates is not correct or will generate work on low priority events over those that are really important. This combination can cause automation to fail and is revealed by the report. Only 8% of companies have automated without problem.
[MCPRO] What steps should be taken in the cybersecurity sector to overcome the distrust that still exists in some companies towards the automation of security and to ensure that it is successful in the future?
[Eutimio Fernández] First, understand the problem and be clear that before jumping to automation we must have well-defined and proven processes. The idea is to streamline processes that are already effective. Afterwards, work on the data before launching it into an automation process. That is to say, ingest it, deduplicate it, normalize it and prioritize it correctly so that automation runs on data that will really bring productivity.
[MCPRO] Why is there an increasing need to automate cybersecurity tasks? Which are the most frequently automated?
[Eutimio Fernández] The information that comes from the different elements of detection and protection grows every day. Current detection and response solutions send a lot of data to be analyzed, making the volume of data immense and impossible to process with the usual mechanisms.
The resources in the operations centers of the companies must be dedicated to tasks where they really add value. We already know that the resources of professionals with specific cybersecurity knowledge are scarce and they must be dedicated where their knowledge is necessary. This is why the automation of all those tasks that do not require human intelligence is so necessary.
[MCPRO] What are the security tasks that will be more likely to be automated in the medium term? Which ones are more likely to offer options that will make their automation attractive in the future?
[Eutimio Fernández] There are many tasks that can be automated, in principle all those that do not require a human decision, and clear and repetitive procedures.
[MCPRO] When the need to automate cybersecurity arises in a company, it must also be clear that it is not a simple process, and that its implementation will not be without difficulties and barriers. What are the main complications and obstacles that a company may encounter when automating its cybersecurity tasks?
[Eutimio Fernández] The first is the lack of well-defined and structured processes for security operations. It cannot be automated if there are no well-defined processes and we do not have the skills to develop these automatisms.
Another is the lack of integration between the different solutions that these processes involve. Products that are not integrated or that are expensive to integrate greatly slow down automation. This is where the concept of XDR appears, lately closely associated with automation and threat intelligence. Here, CyberIntelligence platforms such as ThreatQ are at the center of this management, helping a lot to accelerate all these operations, facilitating automation and making XDR easy.
[MCPRO] What recommendations or advice would you give to a company that wants to automate its cybersecurity but does not know where to start or what steps it can take to achieve it?
[Eutimio Fernández] Have a partner with experience in this type of environment who knows very well how to implement processes in companies that can automate and manage information so that it flows correctly between processes, products and people.