Best Practices for Automation in Cyber Security

PUBLISHED ON April 1, 2019
LAST UPDATED August 2, 2021


Automation has become a central component of growing and successful businesses. This holds true in the cybersecurity sector as well, specifically in identity and access management, patching, and network change management. No matter the business, the goal of automation remains the same – improving response and task completion times, or freeing skilled staff from mundane tasks. And while automation does deliver those benefits, among many others, if automation functions are implemented without a few key considerations, the downsides can end up outweighing the benefits.

There are four best practices for IT leaders to consider when implementing automation or reviewing existing automation deployments:

Stay Actively Involved

Oftentimes, people assume that deploying automation results in a “hands-off” model requiring little to no human oversight. On the contrary, automation should never be truly automatic, and this is especially true when it comes to security. As counterintuitive as that may sound, IT leaders should always institute a degree of human involvement and oversight. This not only helps to maintain control over processes, but also helps to ensure security.

For security, this could take the form of regular analysis of system logs, alert monitoring, and status reports. This level of oversight still frees skilled staff from executing the majority of tasks manually, while leaving them able to take manual action as needed. Regular monitoring can give the security team insight into which automated actions could introduce a security vulnerability or a workflow issue.

Closely Review Third Parties

Conducting business today almost always requires granting vendors and other third parties access to internal systems and networks. Certain automation solutions may rely on add-ons or even require management by an external vendor. Inherently, this introduces new security vulnerabilities and increases the likelihood of a security incident.

This is not to say that companies should adopt a “go-it-alone” attitude either. If third parties will be introduced, it’s best to:

  • Closely review these vendors for security policies, references/reviews, etc.
  • Replace numerous point solutions with fewer, more comprehensive products

Access Privilege

In general, organizations are fairly diligent about restricting the access employees and contractors have to systems to what is strictly necessary. The same consideration is not always given to automated systems. The more systems your automated programs can access, the more doors an attacker has to exploit your environment. If your automated systems need privileged access to do their tasks, that access should be managed and secured appropriately.

Set Guardrails

As stated above, automation can have tremendous benefits for business. But with improper boundaries or instructions, this technology can wreak havoc on a business.

Identity management offers a good illustration. A change to a group name, executed by an automated system, could remove access to that system from a large number of people. Setting a limit, such as an approval step that is required whenever more than five user deletes are scheduled, can help prevent these incidents.
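The guardrail described above, as an added example that is not part of the original article: a planned batch of identity changes is evaluated before execution, and any plan removing access from more than five users is held until a named approver signs off. The plan format, the `remove_access` action name and the sample data are assumptions constructed for this example.

```python
"""Added example: an approval guardrail for an identity-automation job.
Assumed: a plan is a list of dicts with 'action' and 'user' keys; the
five-delete threshold is the figure used in the article."""
from dataclasses import dataclass

DELETE_THRESHOLD = 5  # more than this many removals needs human approval


@dataclass
class Decision:
    allowed: bool
    reason: str
    delete_count: int


def plan_deletes(plan):
    """Return only the access-removal actions in a plan."""
    return [a for a in plan if a["action"] == "remove_access"]


def evaluate_plan(plan, approved_by=None):
    """Decide whether the plan may execute unattended.

    Plans that remove access from more than DELETE_THRESHOLD users are
    held unless a named approver is supplied; smaller plans run as-is."""
    n = len(plan_deletes(plan))
    if n <= DELETE_THRESHOLD:
        return Decision(True, "under threshold", n)
    if approved_by:
        return Decision(True, f"{n} removals approved by {approved_by}", n)
    return Decision(False, f"{n} removals exceed threshold {DELETE_THRESHOLD}; approval required", n)


def run_plan(plan, approved_by=None):
    """Apply the plan only if the guardrail allows it; return (decision, audit log).

    The audit lines are what a human reviewer inspects afterwards."""
    log = []
    decision = evaluate_plan(plan, approved_by)
    if not decision.allowed:
        log.append(f"HOLD: {decision.reason}")
        return decision, log
    for a in plan:
        log.append(f"APPLY: {a['action']} user={a['user']} group={a.get('group', '-')}")
    log.append(f"DONE: {decision.reason}")
    return decision, log


# Constructed sample: a group rename the automation turned into a mass removal.
RENAME_PLAN = [{"action": "remove_access", "user": f"user{i}", "group": "eng-old"} for i in range(12)]
SMALL_PLAN = [{"action": "remove_access", "user": "u1", "group": "eng"},
              {"action": "grant_access", "user": "u2", "group": "eng"}]

if __name__ == "__main__":
    for approver in (None, "iam-lead"):
        print("\n".join(run_plan(RENAME_PLAN, approved_by=approver)[1]))
```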

All in all, automation technology is only growing in prevalence. As it does, it is important that security leaders are cognizant of the above considerations and take the necessary steps to ensure their deployments are as secure as possible. For additional detail on these topics, you can read the original article, posted on The Enterprisers Project.
