The benefits of automating enterprise cyber security

Based on the current global macroeconomic construct, there is little sign that budgets will rise during H1 2021.
That said, increasingly complex automated attackers are identifying new vulnerabilities and activating new enterprise breaches. Automating enterprise cyber security and cyber artificial intelligence (AI) have, for many, seemed desirable rather than mandatory, but this will simply not be the case moving forward.


Cyber security executives are now separating the wheat from the chaff in the search for automation solutions. Finding a provider with demonstrable results is a must.

CISOs are taking a collaborative, proactive stance in responding to the current threat landscape and in conceiving of the coming one.


Also read: Five cyber security basics for every enterprise


Automation imperatives

The universal imperative is reducing business risk by ensuring cyber security executives are spending time actually securing the enterprise. Automation offers the promise of increasing efficiencies and reducing costs across the enterprise. With an influx of threat intelligence technologies and feeds available to the organization, it is quite easy to get bogged down in non-actionable information.

The key is to focus cyber security humans on only high-impact, actionable information. Thus, automation should be responsible for collecting data, correlating information, identifying meaning and suggesting proper actions.


Focus

Cyber Security Hub research has found that two in five executives list SIEM and SOAR automation technologies as the solutions that have been their biggest priorities in the last 6 months:

SIEM: 28 percent + SOAR: 11 percent = 39 percent (61 percent other)

Roughly three in ten in the Cyber Security Hub community have taken advantage of Security Information and Event Management (SIEM) to date. However, current detractors of the technology note that SIEM systems only shed unnecessarily detailed information on the issue without solving the problem. This means that cyber security analysts now have to wade through volumes of white noise as opposed to focusing on actionable information.


SIEM vs. SOAR

Many see SIEM technology as a precursor to Security Orchestration, Automation and Response (SOAR) systems. The “and Response” part of SOAR suggests the automation of responses. That is the goal: gaining actual intelligence from information to orchestrate automatic remediation. Unfortunately, the true effectiveness of SOAR technologies is still conceptual for a large part of the industry.

While SIEM and SOAR technologies are in focus, there is a suggestion from the cyber security community that the technologies themselves could stand to be improved. DBS Bank’s VP Information Security, Santosh Kamane, shares: “Automation right now is meant to find out: ‘Where are these violations to my policies? Who is violating my standards?’ There could be hundreds of logs created from the tools, but the tools are not very easy to read, or easy to understand, as they are very technical.”

 



7 Security Policy Automation Questions

  1. Does it improve people or process efficiency?
  2. How can it be measured?
  3. Does it result in greater consistency?
  4. Can it be quantified?
  5. How does it reduce risk?
  6. Are research skills aligned to achieve the defined objectives?
  7. Does it save the company money?

Tim Woods, FireMon


Promise vs. actualization

Beyond the industry looking for improvements in the technology, executives would also like to see more accuracy in the messaging around solutions.

“A lot of vendors at the moment have marketing around AI and machine learning and how those fit into the automation piece. I think some companies are doing good things in this space, but there is still a way to go as far as automated responses to threats,” notes CISO at Horizon Power, Jeff Campbell.

He suggests that where automation solutions are concerned, there is an industry disconnect between solution promise and solution actualization.


Resourcing

There are executives at very large institutions that are confident in the results of SOAR technologies and capable of resourcing those solutions from an internal (already employed) analyst perspective. Thus, those executives are very pleased with the solutions they have acquired. For others, a key focus may necessarily be on a more direct phishing protection or email filtering solution, based on the lack of elasticity in current staffing numbers and a shortage within the current staff of the specific skills needed for automation technologies.





Automation inhibitors

There are innumerable inhibitors to cyber security automation. Processes are never perfect. A human, though, can institute a workaround for a process and potentially catch vulnerabilities when those processes run at human speed. When automating a broken process, the results of that broken process are realized much more quickly. That means undiscovered, and potentially exponentially multiplying, vulnerabilities can be exposed and not realized until a breach occurs.

The issue of automation itself is just one inhibitor. A lack of standardization around automation processes and solutions means global cyber security executives are not singing from the same hymn sheet, thus laying the groundwork for further vulnerabilities. While standardization is a goal, so is customization. The complexity of cyber security systems demands a fair amount of customization around automation technologies. Customization of technologies exposes weaknesses as well as lengthening the time and cost associated with implementation.


Lack of standardization

The move to a primarily distributed workforce has destabilized any standardization. While cyber security executives have undertaken a herculean feat to optimize remote environments, work still needs to be completed. Thus, compatibility of legacy systems with newer off-premises tools is not ideal. Without optimal compatibility and interoperability of systems, standardization is challenging. Without standardization, rules-based automation is difficult.


Difficulty with customization

“Finding a technology that understands your environment, understands what normal is, identifies that anomalous behavior, and then executes an automated response to that anomalous behavior is elusive.”

Jeff Campbell, CISO, Horizon Power

 


Time

One of the key promises of automation is to save cyber security teams time. However, systems that work for a particular environment need to be found, proven to work within your environment, rolled out, fully implemented, tweaked and resourced. Even in ideal circumstances, where there are no other impediments to the project, this is at least a six-month process.


Skill

The search for and rollout of an automation tool is simply the foundation of automated insights informing cogent security decisions within the enterprise. CISOs are realizing that no matter how much a technology partner points to the low-code or no-code nature of the technology, internal scripting and coding must occur to get the most out of automation systems.

“There are organizations right now that are using a threat hunting methodology to find and evict threat actors before they actually have a long-standing persistence. The trick is to do it manually once, then automate. You can then focus on new types of threat hunting or playbooks, thereby making your staff way more effective without necessarily increasing your staff or risk.”

Kayne McGladrey, IEEE


Cost

Even though the promise of saving money through efficiencies warrants action and potential spend, the actual spend is hard to outlay for many at this moment.

Five questions to help gain certainty from automation:

  1. What is the provider going to do to guarantee ROI?
  2. What does the internal team need to do to guarantee ROI?
  3. Can the provider cite real-world evidence of achieved ROI?
  4. What is the true investment in security dollars?
  5. Where will return be seen (consistency, efficiency, improved posture, improved security)?

Tim Woods, FireMon


Automation controls

With automation responsible for collecting data, correlating information, identifying meaning and suggesting proper actions, the question becomes what other controls can be automated. When asked, the Cyber Security Hub community provided a myriad of opportunities where automation can accomplish the principle of increasing efficiencies and reducing costs within cyber security.

These include:

  1. Identifying vulnerabilities
  2. Running penetration testing
  3. Engaging an ethical hacker to run automated tools and manual scripts
  4. Finding the remediation
  5. Expediting the reporting
  6. Finding patterns in the trending data
  7. Engaging data analytics to build something meaningful out of your logs
  8. And acquiring analysis of enterprise behavioral patterns

Santosh Kamane, DBS Bank

 


Remediation and workflows

“Remediation, with the caveat that it works well in the IT space but not so well in the OT space. Within OT, it’s all about availability. Apart from remediation, automation can assist workflows around incident management and automating some of those workflows. Automation can integrate into a ticketing system, which will then raise an alert with your SOC team to action. So, identifying your use cases, building a workflow around the use case and automating the workflow.”

Jeff Campbell, Horizon Power

 


Multiple technical controls can be automated, including:

  1. The traditional process around identity and access management
  2. Data loss prevention (DLP)
  3. Threat hunting and response
  4. Ingestion of threat intelligence feeds
  5. Endpoint Detection and Response (EDR)

Kayne McGladrey, IEEE

 


Security at the Speed of Change

“The reality of today’s problem is that business is moving faster than our ability to secure it. The controls that we are putting in place just are not honoring the speed of business. To get ahead of this, we need to think about how we will automate firewall operations and network security policy enforcement.”

Tim Woods, FireMon


Automation talent

The goal of automation is to reduce the burden on the people who have less time to execute more and more tasks. However, automation is most valuable when the in-house team is responsible for the coding, ensuring seamless integration and interoperability of all of your systems. The abundance of talent needed in DevSecOps foreshadows and overlaps with the abundance of talent needed in automation.

Also read: DevSecOps report


Different skillsets

Automation, particularly in the AI and machine learning (ML) space, requires a good understanding of mathematics and algorithms that support mathematical response to anomalies. So, finding good mathematics people that understand the computer science domain will always be a challenge, because there are very few individuals that actually have a real, really deep passion for mathematics.

Jeff Campbell, Horizon Power


Platform vs. defense-in-depth

The advantage of going with a platform-based solution is that it does 90 percent of what you need and typically all of the tooling is integrated. That reduces implementation time and reduces the amount of learning time. Every time we bring a new tool into the organization…learning it takes time away from daily duties. You cannot just learn a tool while you are fighting a fire. That is not how the world works.

Kayne McGladrey, IEEE


Finite time and talent can be expanded

Whether you look at a number that says 69 percent of organizations have understaffed security teams or 350,000 unfilled positions in the industry, it is clear that the resources that we have are getting stretched too thin. As an industry, we are making compromises in our security profile, and when we make compromises, bad things happen.

Tim Woods, FireMon


Expanding current skillsets

The current talent issues within the cyber security industry are certainly around coding and scripting. While some solutions will be upfront and honest about those kinds of requirements, I think there are a lot of solutions out there that try and minimize the coding needed to be done within ‘low-code.’

They say that they have already built the integrations and you do not need to be an expert in coding. From my understanding, you need to have those skillsets to really be successful in this space. You can do some of the basics, and certainly that should not stop people from moving ahead. But, if you are truly looking to automate a lot of the workflows you have in place, then you really need to have those skillsets. That is typically not something that you will see within a standard operational team.

Iain Lumsden, Denver Health


Current automation budget

Bolstering security around the infinite perimeter, while part of short- and long-term budgets before the pandemic, is now a more acute line item in the budget. We asked the Cyber Security Hub community about where current funds are going along with what’s in the way of automation.


Distributed workforce support and monitoring

Definitely, there is more focus on remote work because that is where we see most of the threats. How do you monitor all of the remote work activities? How do you continue to get a handle on the behavior patterns? We must ensure that everything that happens remotely happens under our control.

The second thing would be zero trust architecture. How do you build a true zero trust network? The third thing would be technically developing yourself to mitigate any vulnerabilities in any of these areas, especially the open source.

Santosh Kamane, DBS Bank


IAM and PAM

Automation would play a really nice part for Identity and Access Management (IAM) and particularly around Privileged Access Management (PAM) and dynamic allocation of roles and responsibilities based on movement of identities within an organization’s structure. I think IAM and PAM need to come together around automation threat intelligence.

Secondly, we have so many threat feeds now. Automating some of the responses to some of the threat feeds so we only surface the ones on which my analysts need to focus would be largely beneficial. The ultimate goal would be adding Security Operations Center (SOC) automation and developing the orchestration behind the SOC response.

Number three is a tie between automating some of the threat around mail gateways and the way they respond to phishing attempts, and endpoint and the Automated Detection and Response (ADR) component of endpoint.

Jeff Campbell, Horizon Power


Cloud evolution

Cloud is still a huge one for us. From a cloud access security broker (CASB) perspective, this is something that we are looking to mature and grow. I think data loss prevention is another one, especially with the changing barriers when it comes to cloud. We have been very on-premises centric and we have great controls there, but changing and adapting from there is the goal.

Finally, tying identity and access management into those different systems. I think automation certainly has a place in that as well.

Iain Lumsden, Denver Health


Also read: CISO strategies for threat prevention

FireMon’s Woods notes that while budgets are tight, cyber security executives are going to have to find a way to invest in some sort of automation to simply keep pace with change.


Future automation budget

Increasingly complex automated attackers are identifying new vulnerabilities and activating new enterprise breaches. Cyber security executives are thus in a position where it is imperative that automation is introduced to operations, but there is a dearth of monetary resources with which to execute.

We asked the Cyber Security Hub community how best to spend the limited resources available on automation, or how they might spend newly found funds.


Proof of concept (POC) use case

We tested a solution that captured 11 percent more spam than our existing solution. The solution flagged detonating malware loads for suspected phishing emails, identified them in the background without the user even knowing, would detonate the message and find out what the payload was. It then took actions around that based on the intelligence that it now had.

Jeff Campbell, Horizon Power


Automated action workflows

Automated action workflows. Workflows that take an automatic action or will notify an analyst who has to approve that block before it takes place.

Iain Lumsden, Denver Health


SOAR Framework

I would definitely use found funds to build my preventative controls to mitigate risk. I would begin to customize SOAR. SOAR is more about taking your vulnerability management to the next level and then creating the playbooks on this.

Then, I would automate the remediation, which goes beyond information security and relies on multiple business units working together. This is where I would focus more on how I can build that robust SOAR framework.

Santosh Kamane, DBS Bank


SOAR and threat hunting

SOAR or threat hunting. I say SOAR because that ingest process means your analysts are focusing their limited time and attention on those events that are most interesting and possibly the most dangerous.

I would also invest in the automation of threat hunting because it is a force multiplier. Running a threat hunt once is no good because if you run one on Thursday and not on Friday, you do not have a good sense of what has changed in the past 24 hours. In our world of persistent engagement and/or defending forward, it is so necessary to have that continuous ability to detect and evict.

Kayne McGladrey, IEEE

 



Three principles of budgeting

  1. Focus on better security hygiene
  2. Extend visibility across your hybrid real estate
  3. Engage proactive compliance

Tim Woods, FireMon




Read a PDF of the Report Here


