A slightly better way to implement Security Automation

Tom Tuunainen

Implementing security automation can be overwhelming, and this has unfortunately remained a barrier to its adoption in many organizations.

A recent survey found that while trust in security automation is rising, the technology itself remains the main reason it is resisted (ThreatQuotient 2022). Allie Mellen, a Senior Analyst at Forrester Research, asked teams that use Security Orchestration, Automation and Response (SOAR) how many playbooks they use regularly, and two-thirds of the respondents answered 5-10 or less (Hackerxbella 2022).

A SOAR playbook focuses on automating an entire process end to end. To implement one, you need to define and document a complex decision tree for each playbook and bring in Security Operations Center (SOC) analysts with coding skills to customize and standardize the implementation. In addition, process-driven playbooks must be updated manually to accommodate changes in the threat landscape and in the environment as a whole. As the number of SOAR playbooks grows, the complexity escalates, and manual updates are simply no longer viable. Security teams therefore usually limit their use to a few basic playbooks, and so they do not necessarily get the full value out of the tool. (Cyware 2020.)

Because implementing security automation can be overwhelming, it is better to use a data-driven approach and break the task down into smaller pieces than to start with a heavier process-driven approach. This is comparable to forming a good snowball. You start with a solid core and then roll it little by little to make it larger. If you try to do too much at once, the ball falls apart. Similarly, if we begin the implementation of security automation with the right core architecture and build it up over time, we derive much more value from the process. (NCSC 2019.)

To succeed in implementing security automation, you should prioritize interoperability. Use standardized cybersecurity automation platforms, and consider whether an open or a closed architecture will give you interoperability with the widest range of security tools and the extensibility you need. When divergent systems and solutions that speak different languages can communicate with each other, you gain a comprehensive understanding of the threats you are facing and of what you must defend. With the right architecture, you can automatically combine the right data from the right tools into a central repository and move towards a data-driven approach that drives the automation of individual tasks. (Cynet 2022.) This also lays the foundation for working with emerging approaches such as Extended Detection and Response (XDR), which collects and correlates data across multiple security layers (VMware 2023).

You should also keep in mind that context is king. At this point you can start to apply automation to a basic use case that provides significant value, such as the contextualization of data. You can also start to enrich internal data with threat data from the various sources you subscribe to, such as commercial, government and industry feeds, as well as IT and cybersecurity frameworks. Correlating and combining internal and external data creates the context that shows what is relevant for your organization. For example, suppose your CEO has received a spear phishing email targeted specifically at him (Kaspersky Lab 2023). You can now automatically correlate the source IP address with external threat intelligence to start connecting the dots and to determine whether further analysis or action is needed.

Finally, choose the right use cases. You can build on the contextualized data to expand your implementation of security automation, adding discrete tasks that are driven by triggers and thresholds and defined by the use cases you choose. If we take the spear phishing example further and move into XDR territory, the logical next step is to apply an automated scoring framework. If the indicators from the spear phishing email have a high threat score, you can take prompt action, such as sending the indicators to your Endpoint Detection and Response (EDR) solution for blocking (Aarnes 2021). Alternatively, you can look up the indicators in your Security Information and Event Management (SIEM) system to analyze whether there are other events related to them (IBM 2023).
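The two preceding paragraphs describe one pipeline: enrich an internal event with external threat data, score the resulting indicators, and trigger discrete actions (EDR block list, SIEM lookup) once a threshold is crossed. The following Python is an added example of that pipeline, not code from the article or from any product it cites. The threat feeds, the CEO's email event, the SIEM log lines, the feed weights and the two thresholds are all constructed placeholders; the `edr_block` and `siem_lookup` action records stand in for the API calls a real deployment would make.

```python
"""Data-driven enrichment, scoring and action dispatch for one spear-phishing
event. Added example; every feed, event, log line, weight and threshold below
is constructed for illustration and all names are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed threat-intel feeds (commercial, government, industry), each mapping
# an indicator to a confidence (0-100) and a tag. Documentation-range values only.
FEEDS: Dict[str, Dict[str, dict]] = {
    "commercial": {"198.51.100.23": {"confidence": 90, "tag": "phishing-infra"}},
    "government": {
        "198.51.100.23": {"confidence": 70, "tag": "campaign-infra"},
        "invoice-portal.example": {"confidence": 60, "tag": "lookalike-domain"},
    },
    "industry": {"invoice-portal.example": {"confidence": 80, "tag": "phishing-domain"}},
}
# Per-source weight: an assumption that the government feed is trusted more.
FEED_WEIGHTS = {"commercial": 1.0, "government": 1.5, "industry": 1.0}

# Constructed SIEM events, searched for activity related to an indicator.
SIEM_LOGS: List[str] = [
    "2023-01-19T08:01:12Z proxy src=10.0.5.17 dst=198.51.100.23 action=allow url=http://invoice-portal.example/login",
    "2023-01-19T08:03:40Z proxy src=10.0.5.42 dst=203.0.113.9 action=allow url=http://example.org/",
    "2023-01-19T08:05:02Z mail src=198.51.100.23 to=ceo@corp.example subject=Urgent wire transfer",
]

# Constructed internal event: the spear-phishing email received by the CEO.
EVENT = {"recipient": "ceo@corp.example", "source_ip": "198.51.100.23",
         "sender_domain": "invoice-portal.example"}

BLOCK_THRESHOLD = 80   # score at which an indicator goes to the EDR block list
REVIEW_THRESHOLD = 50  # score at which an analyst is asked to take a look


@dataclass
class Indicator:
    value: str
    kind: str
    hits: Dict[str, dict] = field(default_factory=dict)   # feed name -> feed entry
    score: float = 0.0
    actions: List[dict] = field(default_factory=list)


def enrich(value: str, kind: str, feeds=FEEDS) -> Indicator:
    """Contextualize: attach the entry of every feed that knows this indicator."""
    hits = {src: table[value] for src, table in feeds.items() if value in table}
    return Indicator(value=value, kind=kind, hits=hits)


def score(ind: Indicator, weights=FEED_WEIGHTS) -> float:
    """Weighted mean confidence, plus 10 per corroborating extra source, capped at 100."""
    if not ind.hits:
        ind.score = 0.0
        return ind.score
    total_w = sum(weights[s] for s in ind.hits)
    mean = sum(weights[s] * h["confidence"] for s, h in ind.hits.items()) / total_w
    ind.score = round(min(100.0, mean + 10 * (len(ind.hits) - 1)), 1)
    return ind.score


def siem_lookup(value: str, logs=SIEM_LOGS) -> List[str]:
    """Return the SIEM events that mention the indicator (substring match on raw lines)."""
    return [line for line in logs if value in line]


def decide(ind: Indicator, logs=SIEM_LOGS) -> List[dict]:
    """Map the score to discrete actions; the records stand in for EDR/SIEM API calls."""
    ind.actions = []
    if ind.score >= BLOCK_THRESHOLD:
        ind.actions.append({"action": "edr_block", "indicator": ind.value, "kind": ind.kind})
        related = siem_lookup(ind.value, logs)
        ind.actions.append({"action": "siem_lookup", "related_events": len(related)})
    elif ind.score >= REVIEW_THRESHOLD:
        ind.actions.append({"action": "analyst_review", "indicator": ind.value})
    return ind.actions


def process_event(event: dict, feeds=FEEDS, logs=SIEM_LOGS) -> Dict[str, Indicator]:
    """Run enrich -> score -> decide over the indicators extracted from one event."""
    results = {}
    for kind, value in (("ip", event["source_ip"]), ("domain", event["sender_domain"])):
        ind = enrich(value, kind, feeds)
        score(ind)
        decide(ind, logs)
        results[value] = ind
    return results


if __name__ == "__main__":
    for value, ind in process_event(EVENT).items():
        print(f"{ind.kind} {value}: score={ind.score} sources={sorted(ind.hits)} "
              f"actions={[a['action'] for a in ind.actions]}")
```

With the constructed data the source IP is corroborated by two feeds and scores 88, so it is pushed to the EDR block list and its two related SIEM events are counted; the sender domain scores 78, which is below the block threshold and only opens an analyst review. Each stage is a separate small function, so a new feed, a different weighting or a new action can be added without touching the rest, which is the point of growing the automation one piece at a time.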

Many use cases worldwide show that great value can be derived from security automation. The implementation process has, however, remained a barrier to its adoption. If organizations make slight adjustments to how they implement security automation, for example by starting with an open architecture, focusing on getting the right data for analysis, and applying the automation in smaller pieces, they end up with a simpler and more straightforward process. By proceeding in the right way, we can ensure that our actions remain relevant, and we deliver one small bit at a time. Instead of mounting complexity, we are creating value.


Aarnes, A. 2021. What is EDR? CrowdStrike. Available at: https://www.crowdstrike.com/cybersecurity-101/endpoint-security/endpoint-detection-and-response-edr/. Accessed 23 January 2023.

Cynet. 2022. What is Security Automation? Tools, Process and Best Practices. Available at: https://www.cynet.com/incident-response/security-automation-tools-process-and-best-practices/. Accessed 19 January 2023.

Cyware. 2020. What is a SOAR Playbook? Available at: https://cyware.com/educational-guides/security-orchestration-automation-and-response/what-is-a-soar-playbook-dcad. Accessed 19 January 2023.

Hackerxbella. 2022. Teams that use SOAR — how many playbooks do you use *regularly*? Available at: https://twitter.com/hackerxbella/status/1529150542467018754. Accessed 19 January 2023.

IBM. 2023. Why is SIEM important? Available at: https://www.ibm.com/topics/siem. Accessed 23 January 2023.

Kaspersky Lab. 2023. What is Spear Phishing? Available at: https://www.kaspersky.com/resource-center/definitions/spear-phishing. Accessed 23 January 2023.

NCSC. 2019. Taking a data-driven approach to cyber security. National Cyber Security Centre. Available at: https://www.ncsc.gov.uk/blog-post/taking-a-data-driven-approach-to-cyber-security. Accessed 19 January 2023.

ThreatQuotient. 2022. 2022 State of Cybersecurity Automation Adoption. Available at: https://www.threatq.com/documentation/TQ-Automation-Report-22.pdf. Accessed 19 January 2023.

VMware. 2023. What is Extended Detection and Response (XDR)? Available at: https://www.vmware.com/topics/glossary/content/xdr-extended-detection-and-response.html. Accessed 19 January 2023.

Tom Tuunainen
R&D Developer
Centria University of Applied Sciences
Tel. +358 40 681 7207