Page 56 - Cyber Defense eMagazine - November 2017
Orchestration solutions are task-oriented and geared to take actions such as isolating an
endpoint from the network or opening a ticket in a case management system. They are most
prominently used for incident response, as well as for gathering investigative data.
These solutions help tie together the various steps and moving pieces in an investigation
workflow. However, the act of determining whether an alert is a false positive still falls upon the
analyst. In most customer situations, we see that analysts receive hundreds of alerts a day, and
typically 90-95% of these will be false positives. The decision-making burden on analysts is still
tremendously taxing, expensive, and unmanageable.
We fundamentally believe that automation can help analysts tremendously, not just with
repetitive actions, but more impactfully with key decision making several dozen times a day.
TYPES OF AUTOMATION
Orchestration provides only a rudimentary form of automation. To reduce analysts’ workloads
further, SecOps teams need smarter solutions that apply automation to the more challenging
aspects of decision making.
When evaluating security automation products, it’s useful to reference Harvard Business
Review’s three main types of automation. The ones that apply to security automation are:
● Robotic process automation
● Cognitive automation
Robotic process automation automates high-volume, low-complexity, and routine tasks. These
tasks might be physical, such as installing a rivet, or they might be software-based, such as
transforming a data set according to a set of rules and transferring the output to a file server.
Cognitive automation addresses complex, non-routine, creative, or exploratory tasks, which can
involve pattern recognition on large data sets and decision-making based on the results of that
pattern recognition. Cognitive automation has recently achieved major breakthroughs in areas
as diverse as language translation (e.g., Google Translate) and vehicle navigation (e.g., self-driving cars).
AUTOMATION AND SECOPS
How are these various types of automation applied in today’s SecOps offerings?
The vast majority of automation in SecOps today is robotic process automation. For example,
when an orchestration product processes a directive to close a specific firewall port or open a
trouble ticket, that’s robotic process automation. A well-defined process has been performed
quickly and efficiently, but the process itself hasn’t been changed or optimized, and the SecOps
system itself learns nothing from the experience.
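The distinction the article draws between robotic process automation and cognitive automation can be made concrete with a small contrast: a static playbook that maps a firing rule to fixed response actions (the orchestration case, which learns nothing), beside a tiny triage model that estimates how likely an alert is a false positive and updates itself from analyst verdicts. The following is an added example written for this page, not code from the article or from any product; the alert rules, feature names, playbook entries and verdicts are all constructed, and the model is a deliberately simplified naive Bayes that scores only the features present on an alert.

```python
"""Robotic process automation vs. cognitive automation for alert handling.

Everything below (rules, hosts, features, verdicts) is constructed sample
data for illustration; the playbook and model are not any product's API.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    alert_id: str
    rule: str        # constructed detection rule name, e.g. "malware_beacon"
    host: str
    features: tuple  # constructed observable traits, e.g. ("external_dns", "signed_binary")


# --- Robotic process automation: a fixed playbook -----------------------------
# Same rule -> same actions, every time. No feedback is consumed, so the
# process is fast but never changes or improves.
PLAYBOOK = {
    "malware_beacon": ["isolate_endpoint", "open_ticket"],
    "brute_force_login": ["open_ticket"],
}


def run_playbook(alert: Alert) -> list:
    """Return the actions the playbook prescribes for this alert."""
    actions = PLAYBOOK.get(alert.rule, ["open_ticket"])  # default: open a ticket
    return [f"{action}:{alert.host}" for action in actions]


# --- Cognitive automation: a triage model that learns from verdicts -----------
class TriageModel:
    """Additively smoothed naive Bayes estimating P(false positive | features).

    Simplification (assumption for this example): only features present on
    the alert contribute; absent features are ignored.
    """

    def __init__(self, smoothing: float = 1.0):
        self.smoothing = smoothing
        # class (True = false positive) -> feature -> count
        self.counts = {True: defaultdict(int), False: defaultdict(int)}
        self.class_totals = {True: 0, False: 0}

    def learn(self, alert: Alert, is_false_positive: bool) -> None:
        """Consume an analyst verdict; this is what the playbook never does."""
        self.class_totals[is_false_positive] += 1
        for feature in alert.features:
            self.counts[is_false_positive][feature] += 1

    def _log_score(self, cls: bool, features: tuple) -> float:
        n = self.class_totals[cls]
        total = sum(self.class_totals.values())
        logp = math.log((n + self.smoothing) / (total + 2 * self.smoothing))  # prior
        for feature in features:
            p = (self.counts[cls][feature] + self.smoothing) / (n + 2 * self.smoothing)
            logp += math.log(p)
        return logp

    def false_positive_probability(self, alert: Alert) -> float:
        lp_fp = self._log_score(True, alert.features)
        lp_tp = self._log_score(False, alert.features)
        m = max(lp_fp, lp_tp)  # shift before exp to avoid underflow
        e_fp, e_tp = math.exp(lp_fp - m), math.exp(lp_tp - m)
        return e_fp / (e_fp + e_tp)


def triage(model: TriageModel, alerts: list, threshold: float = 0.8) -> dict:
    """Split alerts: likely false positives above the threshold are queued for
    low-priority review, everything else is escalated to an analyst."""
    result = {"escalate": [], "likely_false_positive": []}
    for alert in alerts:
        bucket = "likely_false_positive" if model.false_positive_probability(alert) >= threshold else "escalate"
        result[bucket].append(alert.alert_id)
    return result


def trained_model() -> TriageModel:
    """Model trained on constructed analyst verdicts (True = false positive)."""
    verdicts = [
        (Alert("a1", "malware_beacon", "ws-01", ("external_dns", "new_process", "signed_binary")), True),
        (Alert("a2", "malware_beacon", "ws-02", ("external_dns", "signed_binary")), True),
        (Alert("a5", "malware_beacon", "ws-05", ("signed_binary", "new_process")), True),
        (Alert("a3", "malware_beacon", "ws-03", ("external_dns", "new_process", "unsigned_binary", "persistence")), False),
        (Alert("a4", "malware_beacon", "ws-04", ("unsigned_binary", "persistence")), False),
    ]
    model = TriageModel()
    for alert, is_fp in verdicts:
        model.learn(alert, is_fp)
    return model


if __name__ == "__main__":
    fresh, trained = TriageModel(), trained_model()
    new_alert = Alert("b1", "malware_beacon", "ws-09", ("external_dns", "signed_binary"))
    print("playbook actions:", run_playbook(new_alert))                  # identical before and after any verdict
    print("untrained P(fp):", fresh.false_positive_probability(new_alert))  # 0.5: no experience yet
    print("trained P(fp):  ", trained.false_positive_probability(new_alert))
    print(triage(trained, [new_alert, Alert("b2", "malware_beacon", "ws-10", ("unsigned_binary", "persistence"))]))
```

The playbook output is the same before and after every verdict, which is the article's point that robotic process automation executes a well-defined process without changing it; the model's output moves with each verdict, so the analyst's decisions feed back into how the next batch of alerts is ranked. The threshold is a policy choice: a real deployment would tune it against the cost of an auto-deprioritised true positive, not just the 90-95% false-positive rate.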
Copyright © 2017, Cyber Defense Magazine, All rights reserved worldwide.