How to Use Cybersecurity Automation in Government
There are numerous ways in which cybersecurity tasks can be automated at government agencies. Here are some examples, but this list is by no means exhaustive.
Automation can and should be used for tasks that are repeatable, repetitive and happen with a high degree of frequency, according to Bhargava.
“For example, phishing is a good use case for automation because it’s a common attack vector and the process for dealing with suspected phishing emails is relatively consistent from one email to the next,” Bhargava says. “You need to determine where the email originated from, if it is malicious or a false positive, who was impacted by the email, delete all instances of the email, block the offending sender and follow up with the impacted end users. Rinse and repeat for each email.”
He notes that “each of these steps performed manually would involve multiple systems and lots of communications between teams, averaging about 45 minutes for each incident, taking a huge chunk of the security team’s time.”
Automation tools can gather relevant data and present this information in an easily consumable format to the human analyst, Bhargava says, “who then makes the final decision to treat the email as malicious (and thereby spin off a series of automatic remediation actions) or close the incident as a false positive.”
Cybersecurity automation tools can be used to correlate and aggregate logs and threat intelligence feeds, “stitching together incidents to gain context and applying analytics to uncover stealthy attacks and in dealing with incident response cases,” Bhargava says.
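The phishing workflow Bhargava describes above, together with the log and threat-intelligence correlation in the paragraph just before this, as an added example (it is not FedTech's or Bhargava's code, and it does not use any particular SOAR product's API): a small Python playbook that parses a reported email, reads its SPF and DKIM results, extracts URLs, matches sender and URL domains against a threat-intel list, correlates the mail-gateway log by Message-ID to find every impacted recipient, and hands the analyst a list of signals. Remediation actions (purge, block, notify) are only generated after the analyst's malicious/false-positive decision, matching the human-in-the-loop split in the text. The two emails, the gateway log lines, the threat feed and every domain name are constructed for the example.

```python
"""Phishing-triage playbook (added example, not the article's or any vendor's code).

Gathers the evidence an analyst needs, then turns the analyst's verdict into
remediation actions. All inputs below are constructed so this runs offline.
"""
import email
import re
from dataclasses import dataclass, field
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# --- Constructed inputs (hypothetical domains and addresses) -----------------
REPORTED_EMAIL = """\
Return-Path: <billing@paypa1-secure.example>
Authentication-Results: mx.agency.example; spf=fail smtp.mailfrom=paypa1-secure.example; dkim=none
From: "PayPal Billing" <billing@paypa1-secure.example>
To: jdoe@agency.example
Subject: Action required: verify your account
Message-ID: <20240101.abc123@paypa1-secure.example>
Content-Type: text/plain

Your account is limited. Verify at http://paypa1-secure.example/login now.
"""

BENIGN_EMAIL = """\
Return-Path: <invoices@vendor.example>
Authentication-Results: mx.agency.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example
From: Vendor Invoices <invoices@vendor.example>
To: jdoe@agency.example
Subject: Invoice 4471
Message-ID: <other@vendor.example>
Content-Type: text/plain

Attached is invoice 4471 for last month.
"""

# Mail-gateway delivery log: one line per recipient copy (constructed).
GATEWAY_LOG = """\
2024-01-01T09:00:01Z deliver msgid=<20240101.abc123@paypa1-secure.example> rcpt=jdoe@agency.example
2024-01-01T09:00:01Z deliver msgid=<20240101.abc123@paypa1-secure.example> rcpt=asmith@agency.example
2024-01-01T09:00:02Z deliver msgid=<20240101.abc123@paypa1-secure.example> rcpt=bjones@agency.example
2024-01-01T09:05:00Z deliver msgid=<other@vendor.example> rcpt=jdoe@agency.example
"""

# Threat-intel feed reduced to a set of known-bad domains (constructed).
TI_BAD_DOMAINS = {"paypa1-secure.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim)=([A-Za-z]+)")
LOG_RE = re.compile(r"deliver msgid=(<[^>]+>) rcpt=(\S+)")


@dataclass
class Enrichment:
    """Everything the playbook gathered for the analyst's decision."""
    message_id: str
    sender: str
    sender_domain: str
    spf: str
    dkim: str
    urls: list
    ioc_hits: list      # domains that matched the threat-intel feed
    impacted: list      # recipients found in the gateway log
    signals: list = field(default_factory=list)


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def enrich(raw_email, gateway_log, bad_domains):
    """Parse the reported email, correlate the gateway log and the TI feed."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    message_id = str(msg["Message-ID"] or "").strip()
    sender = parseaddr(str(msg["From"] or ""))[1]
    sender_domain = _domain(sender)
    return_path = parseaddr(str(msg["Return-Path"] or ""))[1]

    auth = {"spf": "none", "dkim": "none"}
    for mech, result in AUTH_RE.findall(str(msg["Authentication-Results"] or "")):
        auth[mech] = result.lower()

    body = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    urls = URL_RE.findall(body)
    url_domains = {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}
    ioc_hits = sorted((url_domains | {sender_domain}) & set(bad_domains))

    # Log correlation: every delivery of this Message-ID, not just the reporter.
    impacted = sorted({rcpt for mid, rcpt in LOG_RE.findall(gateway_log) if mid == message_id})

    e = Enrichment(message_id, sender, sender_domain, auth["spf"], auth["dkim"],
                   urls, ioc_hits, impacted)
    if e.spf != "pass":
        e.signals.append(f"SPF result is {e.spf}")
    if e.dkim != "pass":
        e.signals.append(f"DKIM result is {e.dkim}")
    if return_path and _domain(return_path) != sender_domain:
        e.signals.append("Return-Path domain differs from From domain")
    for d in ioc_hits:
        e.signals.append(f"{d} matches the threat-intel feed")
    return e


def remediate(e, analyst_says_malicious):
    """Actions spun off by the analyst's verdict; a false positive just closes."""
    if not analyst_says_malicious:
        return [f"close incident for {e.message_id} as false positive"]
    actions = [f"purge {e.message_id} from mailbox {r}" for r in e.impacted]
    actions.append(f"block sender {e.sender} at the mail gateway")
    actions += [f"block domain {d} at the web proxy" for d in e.ioc_hits]
    actions += [f"notify {r} that the message was malicious" for r in e.impacted]
    return actions


if __name__ == "__main__":
    for raw in (REPORTED_EMAIL, BENIGN_EMAIL):
        e = enrich(raw, GATEWAY_LOG, TI_BAD_DOMAINS)
        print(e.message_id, "impacted:", e.impacted, "signals:", e.signals)
        # In a real deployment the verdict comes from the analyst; here it is
        # taken as "malicious if any signal fired" purely to show both paths.
        for a in remediate(e, bool(e.signals)):
            print("  ->", a)
```

The playbook deliberately stops at a signal list rather than a verdict: the SPF failure, the threat-intel match and the three impacted mailboxes are facts the automation can establish, but whether to purge and notify remains the analyst's call, which is the division of labor the article describes. In a real SOAR deployment the constructed inputs would be replaced by the mail gateway's search API, the ticketing system and a live threat-intel feed.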
Automation tools can be used in incident response cases, such as those involving phishing, endpoint malware infections, vulnerability alert management, threat intelligence management, anomalous user behavior, cloud policy misconfigurations and cloud threats, according to Bhargava.
Anil “Neil” Chaudhry, director of AI implementations at the General Services Administration’s IT Modernization Centers of Excellence, tells FedTech that machine learning tools let agencies train a model, which can then be periodically reinforced, to help “identify cybersecurity threats and remediate them at scale.”
“So, it’s a very interesting concept, because now what you have is your cybersecurity workforce in your agency is no longer engaged in administrative firefighting,” he says. “They’re actually focused on emerging threats that are using combinations of technology and social engineering, and working on planning for future attacks and how future intrusions will take place.”
Additional security use cases for automation include security compliance violations, SSL certificate management, remote user access monitoring and Internet of Things security threats, Bhargava says.
An open and extensible Security Orchestration, Automation and Response (SOAR) platform can be used to extend automation beyond security teams to HR case management, network performance monitoring, DevOps processes, employee shift management, identity and password management, and even physical security management, according to Bhargava.
Cybersecurity Automation Tools: What Is a SOAR Platform?
SOAR platforms that “unify security orchestration, automation, case management and threat intelligence management are the amalgamation of three historically distinct technologies,” according to Bhargava.
Those are security incident response platforms (SIRPs), security orchestration and automation (SOA), and threat intelligence platforms (TIPs).