Page 105 - Cyber Defense eMagazine for September 2020
in place. Every organization is different, so each must apply automation in its own way.
Only a seasoned security team that understands the specific environment can implement automation and
continually update playbooks. There is no “set it and forget it” strategy.
Focus on Automation That Enables Business Continuity
A risk-based approach is often most effective when investing in automation. Enterprises can work with
peers and stakeholders to think through how business priorities have changed over the last few months
amid shifting workplace processes. Evaluate key priorities, such as the rising importance of securing cloud
and SaaS applications, as well as any changes to the roles or responsibilities of employees accessing
sensitive data and the locations they access it from. From there, enterprises can determine the biggest risks to the
business and redouble efforts where they will have the biggest impact.
Apply Automation to What You Know
Automation is best used for specific processes that a security team knows and trusts, instead of applying
it to every source in the environment. Automation not only requires intimate knowledge of incident
response processes, but it also requires insight into, and access to, the integrated systems. For example, if
you want to trigger a vulnerability scan on a target host, even apparently innocuous steps such as gathering
contextual information about the host become challenging without a deep understanding of the process you
want to automate, your organization’s policies, and the system you are integrating with.
Get Creative to Streamline Processes
With IT and security teams stretched increasingly thin, automation is often most effective when used to
complete routine tasks to free up time for teams to focus on more important business priorities. Try
looking at automation and its potential uses creatively, beyond just running scripts.
For example, automation can be used to differentiate between suspicious insider events and
harmless ones. One way to do this is to use automation to continuously simulate common red team or
adversary tactics, which quickly reveals which risks are present and where security coverage has gaps. By
automating these tasks, enterprises can identify where the greatest user risks are and address them by
tuning alerts or providing employee training.
Use Automation to Add Context to Data
Data overload is a persistent problem among security teams, who often rely on disparate tools that collect
and store data in many different locations. Some teams attempt to solve this problem by funneling all of
their data into a single, searchable repository. But this method can involve a lot of manual, time-consuming
processes that defeat the goal of greater efficiency.
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.