Manual processes are the bane of understaffed security teams. They often require communicating with other departments, asking for information, suggesting corrective steps, and following up on action items. Lack of cooperation, busy employees, different priorities, clashing engineering opinions, and other such organizational problems can all become blockers that compromise your company’s security.
Automated security workflows are a much better approach. They bring a substantial set of security and organizational benefits, and underfunded, short-staffed security teams stand to gain the most from them. In this article, we explain what automated security workflows are, their benefits, their uses in different security areas, a set of best practices for them, and solutions for implementing them.
What Are Automated Security Workflows?
In an automated security workflow, a sequence of actions is preset and automatically executed to identify and address cybersecurity threats.
The focus in an automated security workflow is not so much on security automation as on the automation of workflow steps and on security orchestration, i.e., coordinating corrective actions across all affected departments and their employees.
As you automate your security workflow, the interactions between the system and employees, and the user experience of those interactions, take precedence over backend security automation concerns. After all, the effectiveness of a security policy depends on employees' participation and cooperation.
Automated security workflow capabilities are generally offered by the category of security tools called Security Orchestration, Automation, and Response (SOAR) solutions.
Sample Automated Security Workflow
To give you a better idea of how it can work, let's take a look at an example of an automated security workflow. Let's say your company uses Google Drive for creating, storing, and sharing dozens of new documents every day.
Ideally, every document’s permissions should be set tightly based on the principle of least privilege. However, enforcing security policies on each document manually is impractical and inefficient for any security team.
Instead, you can set up an automated workflow that scans all documents every few hours and enforces permission policies. Here’s how it could work:
Workflow 1: When a policy violation is detected on a Google Doc, the workflow gives the document owner a gentle reminder over Slack about the risks of poor permissions.
Workflow 2: If an employee needs to allow an outsider to access a document, they simply type a special keyword in Slack and provide the document details.
- The resulting workflow changes the document's permissions for a set period of time and automatically reverts them afterwards.
Workflow 3: A third automated workflow, responsible for incident management, monitors your intrusion detection system (IDS).
- When the IDS detects a suspicious attempt to access a document from outside, the workflow automatically creates an incident report.
- The workflow automatically pulls in threat intelligence for that IP address and assigns the incident to one of your security analysts for corrective steps.
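The three workflows above, as an added example that is not code from the original article or from any SOAR product: a small Python workflow engine in which Google Drive, Slack, the IDS and the threat-intelligence feed are replaced by constructed in-memory data and stub functions. INTERNAL_DOMAIN, the round-robin analyst list, the sample documents and the sample alert are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import cycle

INTERNAL_DOMAIN = "example.com"   # assumption: the company's own mail domain
ANYONE = "anyone-with-link"       # constructed sentinel for link sharing


@dataclass
class Document:
    doc_id: str
    owner: str
    shared_with: list             # principals holding access; constructed stand-in for Drive ACLs


@dataclass
class TemporaryGrant:
    doc_id: str
    grantee: str
    expires_at: datetime


def is_internal(principal):
    return principal != ANYONE and principal.endswith("@" + INTERNAL_DOMAIN)


def find_violations(doc, grants, now):
    """Workflow 1, detection: any non-internal principal is a least-privilege
    violation unless an unexpired temporary grant covers it."""
    covered = {g.grantee for g in grants if g.doc_id == doc.doc_id and g.expires_at > now}
    return [p for p in doc.shared_with if not is_internal(p) and p not in covered]


def scan_and_remind(docs, grants, now):
    """Workflow 1: returns the Slack reminders that would be sent, keyed by owner
    (a real integration would post these through the Slack API)."""
    reminders = {}
    for doc in docs:
        offenders = find_violations(doc, grants, now)
        if offenders:
            reminders.setdefault(doc.owner, []).append(
                f"{doc.doc_id} is shared with {', '.join(offenders)}; please restrict it "
                "or request a temporary exception.")
    return reminders


def grant_temporary_access(docs, grants, doc_id, grantee, hours, now):
    """Workflow 2, keyword handler: share the document and record when to revert."""
    doc = next(d for d in docs if d.doc_id == doc_id)
    if grantee not in doc.shared_with:
        doc.shared_with.append(grantee)
    grants.append(TemporaryGrant(doc_id, grantee, now + timedelta(hours=hours)))


def revert_expired(docs, grants, now):
    """Workflow 2, scheduled revert: remove shares whose grant has expired and
    return the reverted (doc_id, grantee) pairs for the audit log."""
    reverted = []
    for g in list(grants):
        if g.expires_at <= now:
            doc = next(d for d in docs if d.doc_id == g.doc_id)
            if g.grantee in doc.shared_with:
                doc.shared_with.remove(g.grantee)
            grants.remove(g)
            reverted.append((g.doc_id, g.grantee))
    return reverted


def lookup_threat_intel(ip):
    """Stub threat-intelligence lookup over a constructed feed (not a real provider)."""
    feed = {"203.0.113.7": {"reputation": "malicious", "tags": ["scanner"]}}
    return feed.get(ip, {"reputation": "unknown", "tags": []})


ANALYSTS = cycle(["alice@example.com", "bob@example.com"])   # assumption: round-robin assignment


def handle_ids_alert(alert, intel=lookup_threat_intel):
    """Workflow 3: turn an IDS alert into an enriched incident assigned to an analyst."""
    report = intel(alert["src_ip"])
    return {
        "title": f"Suspicious external access to {alert['doc_id']} from {alert['src_ip']}",
        "source_ip": alert["src_ip"],
        "threat_intel": report,
        "severity": "high" if report["reputation"] == "malicious" else "medium",
        "assignee": next(ANALYSTS),
    }


def run_demo():
    """Exercise all three workflows on constructed data and return the outcomes."""
    now = datetime(2024, 1, 1, 9, 0)
    docs = [Document("doc-1", "carol@example.com", ["dave@example.com", "partner@external.test"]),
            Document("doc-2", "carol@example.com", [ANYONE])]
    grants = []
    reminders = scan_and_remind(docs, grants, now)                      # Workflow 1
    grant_temporary_access(docs, grants, "doc-1", "partner@external.test", 4, now)  # Workflow 2
    after_grant = find_violations(docs[0], grants, now)
    reverted = revert_expired(docs, grants, now + timedelta(hours=5))
    incident = handle_ids_alert({"doc_id": "doc-1", "src_ip": "203.0.113.7"})   # Workflow 3
    return {"reminders": reminders, "after_grant": after_grant,
            "reverted": reverted, "doc1_shares": docs[0].shared_with, "incident": incident}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The design point worth noting is that the temporary grant is recorded with an expiry at the moment it is created, so the revert never depends on someone remembering to follow up, and the same expiry record is what stops the scanner from nagging the owner while the exception is valid.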
Basic Use Cases for Automated Security Workflows
If you're a new venture, your security operations center (SOC) is probably focusing on just the basics right now — incident management for attacks like phishing and malware, enterprise firewall for network security, a ticketing system for tracking, and communications.
Here are some of the basic use cases for automated security workflows:
Incident Management
Automated workflows for incident management and threat detection improve the effectiveness of remediation and stakeholder participation.
Any employee can use common communication tools like Slack or Discord to notify the security system about a suspicious email, file, or access attempt.
The system acts on it by automatically opening an incident response workflow for a security analyst to review. With a single click, the security analyst can:
- Initiate an automated workflow that quarantines the suspicious file in a sandboxing service
- Have its indicators of compromise (IoCs) analyzed
- Learn about its network origins from global databases
- Automatically update the enterprise and application firewalls' rules to block those network sources
- Send a thank-you notification to the employee with tips for future occurrences
Ticketing System Integration
A ticketing system receives suspicious incident reports and tracks them from the first report to remediation. A good automated security workflow solution integrates with your ticketing system to update tickets automatically as different stakeholders address tasks in the workflow. The chore of manually updating tickets is taken off your security analysts' shoulders.
Communications and Interactions
A good automated security workflow solution integrates with your company's communication tools like Slack, Discord, or Teams. Employees can use these channels to send special keywords like "/securityalert" with the necessary details. The workflow solution monitors these channels and automatically initiates incident response workflows. It should also integrate with on-call and task assignment tools like PagerDuty and Opsgenie for carrying out remediation steps.
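The single-click playbook from the Incident Management section, the ticket updates from Ticketing System Integration and the keyword trigger from this section, combined in one added example that is not code from the original article or from any SOAR product. The ticketing system and the on-call pager are in-memory stand-ins, the command format `/securityalert <email|file|access> <subject> [note]` is an assumption, and the playbook actions return constructed results instead of calling a sandbox, a threat-intelligence feed or a firewall.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Ticket:
    ticket_id: str
    summary: str
    reporter: str
    status: str = "new"
    history: list = field(default_factory=list)   # (status, note) pairs, newest last


class TicketSystem:
    """Stand-in for the ticketing system; a real integration would call its API."""
    def __init__(self):
        self.tickets = {}
        self._seq = 0

    def create(self, summary, reporter):
        self._seq += 1
        ticket = Ticket(f"SEC-{self._seq}", summary, reporter)
        self.tickets[ticket.ticket_id] = ticket
        return ticket

    def update(self, ticket_id, status, note):
        ticket = self.tickets[ticket_id]
        ticket.status = status
        ticket.history.append((status, note))


class Pager:
    """Stand-in for an on-call tool such as PagerDuty; records pages instead of sending them."""
    def __init__(self):
        self.pages = []

    def page(self, who, message):
        self.pages.append((who, message))


# Assumed command format: /securityalert <email|file|access> <subject> [free-text note]
COMMAND_RE = re.compile(r"/securityalert\s+(email|file|access)\s+(\S+)(?:\s+(.+))?")


def parse_alert_command(text, reporter):
    """Turn the keyword message an employee typed into a structured report."""
    match = COMMAND_RE.fullmatch(text.strip())
    if not match:
        raise ValueError("usage: /securityalert <email|file|access> <subject> [note]")
    kind, subject, note = match.groups()
    return {"kind": kind, "subject": subject, "note": (note or "").strip(), "reporter": reporter}


# Ordered playbook per report kind. The "file" list mirrors the single-click steps in the
# article; the "email" and "access" lists are constructed for this example.
PLAYBOOKS = {
    "file":   ["quarantine_in_sandbox", "analyze_iocs", "lookup_network_origin",
               "update_firewall_rules", "thank_reporter"],
    "email":  ["analyze_iocs", "lookup_network_origin", "update_firewall_rules", "thank_reporter"],
    "access": ["lookup_network_origin", "update_firewall_rules", "thank_reporter"],
}


def stub_actions():
    """Constructed action implementations; each returns the note written to the ticket."""
    return {
        "quarantine_in_sandbox": lambda a: f"{a['subject']} detonated in sandbox",
        "analyze_iocs":          lambda a: "2 IoCs extracted",
        "lookup_network_origin": lambda a: "origin 203.0.113.7 (constructed)",
        "update_firewall_rules": lambda a: "blocked 203.0.113.7 on edge firewall and WAF",
        "thank_reporter":        lambda a: f"thanked {a['reporter']} with phishing tips",
    }


def failing_action(reason):
    """Build an action that fails, to exercise the error path (e.g. sandbox unavailable)."""
    def action(_alert):
        raise RuntimeError(reason)
    return action


def run_incident_workflow(command_text, reporter, tickets, pager, analyst, actions):
    """Open a ticket, page the analyst, run the playbook and keep the ticket in sync.
    A failing step parks the ticket for the analyst instead of silently continuing."""
    alert = parse_alert_command(command_text, reporter)
    ticket = tickets.create(f"{alert['kind']} report: {alert['subject']}", reporter)
    pager.page(analyst, f"{ticket.ticket_id} opened by {reporter}")
    for step in PLAYBOOKS[alert["kind"]]:
        try:
            result = actions[step](alert)
        except Exception as exc:                   # any step failure stops the automation
            tickets.update(ticket.ticket_id, "needs_analyst", f"{step} failed: {exc}")
            pager.page(analyst, f"{ticket.ticket_id} needs manual attention at {step}")
            return ticket
        tickets.update(ticket.ticket_id, "in_progress", f"{step}: {result}")
    tickets.update(ticket.ticket_id, "resolved", "playbook completed")
    return ticket


if __name__ == "__main__":
    tickets, pager = TicketSystem(), Pager()
    done = run_incident_workflow("/securityalert file invoice.xlsm looks odd",
                                 "erin@example.com", tickets, pager, "alice@example.com", stub_actions())
    print(done.ticket_id, done.status, *done.history, sep="\n")
```

Every playbook step writes its outcome to the ticket before the next one runs, which is what takes manual ticket updates off the analyst; the `needs_analyst` state and the second page exist so that a failed automated step becomes a visible hand-off rather than a silently half-finished incident.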