According to the (ISC)2 2022 Workforce Study, there is a global shortage of 3.4 million security professionals, a 26% increase over 2021, writes Ellen Sundra, Chief Customer Officer, Forescout.
The demand for cybersecurity talent is greater than ever, driven by an evolving threat landscape in which attacks are harder to detect and to defend against. Nowhere is the strain felt more acutely than in understaffed security operations centre (SOC) teams.
SOC teams needn’t despair, however. Many of the routine tasks traditionally handled by analysts can now be translated into automated workflows.
The top challenges faced by SOC teams
Beyond the cyber skills shortage, five key challenges have hastened the need to automate any process that can safely be automated. These are:
- Cyber asset proliferation. The variety and number of connected devices that organisations must manage have boomed in recent years, creating an ever-expanding attack surface. The vast majority are IoT and OT devices, many of which are insecure by design and cannot be patched.
- IT/IoT/OT convergence. Industrial digitalisation requires IT/IoT/OT convergence. But without proper segmentation and other controls, an exploited vulnerability on one network can give a threat actor a foothold from which to move laterally into the others.
- Dynamic threat landscape. Cyberattacks have evolved to include large extortion campaigns by sophisticated ransomware gangs and the use of botnets that cross IT/IoT boundaries.
- Siloed security tools. Organisations typically have dozens of security products operating independently. Individually, these tools lack sufficient device context or threat intel to coordinate the right response.
- Alert fatigue. Without shared device context, siloed security tools also generate too many false positives, leaving security teams chasing them while genuinely critical threats go unnoticed.
Together, these challenges prolong a SOC team’s mean time to respond (MTTR): the average time from an alert being raised to the incident being fully resolved.
The benefits of security automation
Security automation helps SOC teams enforce device compliance, reduce the attack surface, detect threats and rapidly respond to incidents. It enables not just the human team but the applications and networks themselves to respond immediately when risks and threats are identified.
Firstly, cybersecurity should start with complete visibility into all connected assets – managed and unmanaged (IT, IoT, OT, IoMT), across cloud, onsite, remote and data centre environments. A security automation platform should be able to gather and share real-time device context with all the other IT and security products in your ecosystem, such as those used for advanced threat detection (ATD); endpoint protection, detection and response (EPP/EDR); vulnerability assessment; and privileged account management. It should also integrate with your configuration management database (CMDB), next-generation firewall (NGFW) and security information and event management (SIEM) system.
Next, when all security products share the same device context, their actions can be orchestrated to automate system-wide policy enforcement and accelerate the response. Tasks that are typically performed serially can be automated to occur at once and continuously. For example, the manual process to discover and assess a single device to determine if it needs to be remediated can take up to 45 minutes. In contrast, in less than two minutes an automated security process can simultaneously detect devices upon connection, auto-classify them, assess their posture against security policies, share their context across security products and then orchestrate workflows to apply controls and enforce compliance.
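The detect, classify, assess, share and enforce sequence described above, written out as a small Python workflow. This is an added example, not Forescout's code or any product's API: the OUI table, the device records, the posture policies (telnet exposed, no EDR agent on IT hosts, patches older than 30 days, OT gear appearing on the IT segment, unclassified devices) and the connector actions for the NGFW, NAC, SIEM and ticketing system are all constructed for illustration. The point it shows is that the same device context drives every downstream action at once, and that an OT device that cannot be patched gets a compensating network control rather than a patch ticket.

```python
"""Added example (not Forescout's code): one automated pass over a newly
connected device: classify it, assess its posture, share its context and
orchestrate enforcement. Every table, policy and connector below is a
constructed stand-in for a real integration."""
from dataclasses import dataclass

# Constructed OUI-to-(device kind, category) table; values are hypothetical.
OUI_VENDOR = {
    "00:1a:2b": ("ip-camera", "ot"),
    "3c:4d:5e": ("plc", "ot"),
    "aa:bb:cc": ("workstation", "it"),
}

IT_SEGMENT = "10.10."  # constructed addressing plan
OT_SEGMENT = "10.20."


@dataclass
class Device:
    mac: str
    ip: str
    open_ports: set
    os_banner: str
    agent_installed: bool
    patch_age_days: int
    kind: str = "unknown"
    category: str = "unknown"


def classify(dev: Device) -> Device:
    """Auto-classify from the MAC OUI (a real platform would also use
    banners, traffic fingerprints and DHCP options)."""
    dev.kind, dev.category = OUI_VENDOR.get(dev.mac.lower()[:8], ("unknown", "unknown"))
    return dev


def assess(dev: Device) -> list:
    """Evaluate posture policies; returns the list of violations found."""
    violations = []
    if 23 in dev.open_ports:
        violations.append("telnet-open")
    if dev.category == "it" and not dev.agent_installed:
        violations.append("no-edr-agent")
    if dev.category == "it" and dev.patch_age_days > 30:
        violations.append("patch-overdue")
    if dev.category == "ot" and dev.ip.startswith(IT_SEGMENT):
        violations.append("ot-on-it-segment")
    if dev.category == "unknown":
        violations.append("unclassified")
    return violations


def orchestrate(dev: Device, violations: list) -> list:
    """Map violations to actions for other tools (hypothetical connectors).
    Context is always shared, even for a compliant device."""
    actions = [{"tool": "siem", "op": "enrich", "ip": dev.ip,
                "kind": dev.kind, "category": dev.category}]
    for v in violations:
        if v == "telnet-open" and dev.category == "ot":
            # OT device cannot be patched: apply a compensating control instead
            actions.append({"tool": "ngfw", "op": "block", "dst": dev.ip, "port": 23})
        elif v in ("telnet-open", "patch-overdue"):
            actions.append({"tool": "ticket", "op": "open", "ip": dev.ip, "issue": v})
        elif v in ("no-edr-agent", "unclassified"):
            actions.append({"tool": "nac", "op": "quarantine", "mac": dev.mac})
        elif v == "ot-on-it-segment":
            actions.append({"tool": "nac", "op": "assign_vlan", "mac": dev.mac, "vlan": "ot"})
    return actions


def on_connect(dev: Device) -> dict:
    """Everything runs in one pass the moment the device is seen."""
    classify(dev)
    violations = assess(dev)
    return {"ip": dev.ip, "kind": dev.kind, "category": dev.category,
            "violations": violations, "actions": orchestrate(dev, violations)}


if __name__ == "__main__":
    # Constructed sample devices
    for d in [
        Device("00:1A:2B:11:22:33", "10.20.0.5", {80, 23}, "Linux 2.6", False, 900),
        Device("3C:4D:5E:00:00:01", "10.10.3.7", {502}, "VxWorks", False, 400),
        Device("AA:BB:CC:12:34:56", "10.10.1.20", {445}, "Windows 11", False, 45),
        Device("DE:AD:BE:EF:00:01", "10.10.9.9", {22}, "", False, 0),
    ]:
        print(on_connect(d))
```

Each action record is the payload a real connector would send; the workflow is testable without any of those systems being present because the decisions are returned, not only executed.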
Security automation now extends to an emerging technology category: extended detection and response (XDR). The ideal XDR solution ingests telemetry and logs from across your enterprise and correlates alerts and threat intelligence from multiple sources to produce a small number of high-fidelity incidents for human investigation.
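What that correlation looks like in code, as an added example that is not part of the original article and not any vendor's XDR implementation. It takes a constructed feed of alerts from several tools (EDR, NGFW, a threat-intelligence match, an IoT sensor), groups them per device within a time window, scores each group's fidelity and uses the shared device context (category and criticality) to prioritise and to pick a response the device can actually accept. The alert feed, the context table, the window, the confidence values and the action names are all assumptions made for the example; the outcome it demonstrates is seven raw alerts collapsing into two incidents, with the single-source alerts that fuel alert fatigue held back in a backlog rather than paged to an analyst.

```python
"""Added example (not Forescout's code): correlate alerts from siloed tools
by shared device context into a few high-fidelity incidents. All data is
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed device context, as a security automation platform would share it
DEVICE_CONTEXT = {
    "10.10.1.20": {"host": "fin-ws-07", "category": "it", "criticality": 2},
    "10.20.0.5": {"host": "cam-lobby-1", "category": "ot", "criticality": 3},
    "10.10.1.21": {"host": "hr-ws-03", "category": "it", "criticality": 1},
}

# Constructed alert feed: (timestamp, source tool, device ip, signal, confidence)
ALERTS = [
    ("2024-05-01T09:00:05", "edr", "10.10.1.20", "suspicious-powershell", 0.6),
    ("2024-05-01T09:00:40", "ngfw", "10.10.1.20", "c2-beacon", 0.7),
    ("2024-05-01T09:01:10", "ti", "10.10.1.20", "dst-ip-on-blocklist", 0.8),
    ("2024-05-01T09:30:00", "ngfw", "10.10.1.21", "port-scan", 0.3),
    ("2024-05-01T11:00:00", "iot-sensor", "10.20.0.5", "firmware-changed", 0.5),
    ("2024-05-01T11:00:20", "ngfw", "10.20.0.5", "c2-beacon", 0.7),
    ("2024-05-01T15:00:00", "edr", "10.10.1.21", "suspicious-powershell", 0.6),
]

# Response the device can accept: an OT device has no agent to isolate with
RESPONSE_BY_CATEGORY = {"it": "edr-isolate-host", "ot": "ngfw-block-egress",
                        "unknown": "nac-quarantine"}


def cluster_alerts(alerts, window=timedelta(minutes=10)):
    """Group alerts per device; start a new cluster when the gap between
    consecutive alerts on the same device exceeds the window."""
    by_device = defaultdict(list)
    for ts, src, ip, signal, conf in sorted(alerts):
        by_device[ip].append((datetime.fromisoformat(ts), src, signal, conf))
    clusters = []
    for ip, items in by_device.items():
        current = [items[0]]
        for item in items[1:]:
            if item[0] - current[-1][0] > window:
                clusters.append((ip, current))
                current = [item]
            else:
                current.append(item)
        clusters.append((ip, current))
    return clusters


def build_incidents(clusters, context, min_sources=2):
    """Score each cluster (noisy-OR of confidences) and promote it to an
    incident only if independent tools corroborate it."""
    incidents, backlog = [], []
    for ip, items in clusters:
        sources = sorted({src for _, src, _, _ in items})
        miss = 1.0
        for _, _, _, conf in items:
            miss *= 1 - conf
        fidelity = round(1 - miss, 3)
        ctx = context.get(ip, {"host": ip, "category": "unknown", "criticality": 1})
        record = {
            "ip": ip, "host": ctx["host"], "category": ctx["category"],
            "sources": sources, "signals": [s for _, _, s, _ in items],
            "fidelity": fidelity, "severity": round(fidelity * ctx["criticality"], 3),
            "action": RESPONSE_BY_CATEGORY[ctx["category"]],
        }
        (incidents if len(sources) >= min_sources else backlog).append(record)
    incidents.sort(key=lambda r: r["severity"], reverse=True)
    return incidents, backlog


def run(alerts=ALERTS, context=DEVICE_CONTEXT):
    return build_incidents(cluster_alerts(alerts), context)


if __name__ == "__main__":
    inc, back = run()
    print(f"{len(ALERTS)} alerts -> {len(inc)} incidents, {len(back)} backlog")
    for r in inc:
        print(r["severity"], r["host"], r["sources"], r["action"])
```

Two design points carry over to real deployments: the time window and the corroboration threshold are the knobs that trade missed detections for analyst load, and the response is chosen from device context rather than from the alert, because an EDR isolate command is meaningless for a camera that can never run an agent.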
Protect your people
Battling alert fatigue only to perform repetitive, menial tasks can wear down even the most dedicated security professional. Without automated workflows to perform these duties and quickly respond to attacks and breaches, staff may feel powerless against an enemy they can’t see. That doesn’t have to be the case. A security automation platform that continuously shares device context, automates workflows and accelerates responses can give SOC teams more time to focus on tasks that require human intervention.