Without any doubt, automation is growing in importance for security teams. No matter the size and resources - every company is grappling with the fact that attacks now happen in hours, but it takes most organizations more than four days to resolve security issues.
Automation is needed to keep pace, but “automation” is a loaded term. Automation can be used throughout different phases of a security program, but where it is most relevant is the response (or remediate) phase.
Two primary types of remediation approaches today can help security teams respond faster: assistive and automatic remediation.
Here's how they differ and what to consider when for your processes, people, and technology.
Assistive Remediation
Assistive remediation means that a system provides recommendations, guidance, or some level of workflow automation - but some level of human intervention and decision-making is still required. Today, most Security, IT, and DevOps teams prefer assistive remediation for a multitude of reasons:
- Complexity: many security issues are complex and require a human to decide what actions to take, and how to take them
- Risk: while security systems may possess security findings across the entire environment, they often lack the business context behind them. This means that the risk associated with automatically remediating a security issue outweighs the benefit, as unintended consequences can result in outages and integrity issues. For example, attempting to auto-remediate vulnerabilities found in applications may cause code bases and dependencies to break, creating several issues.
- Incomplete resolution: in many systems, automatic remediation scripts or actions may not be applied at the root cause that introduces the security issue in the first place. This means the same security issues are bound to recur, resulting in no meaningful risk reduction or efficiency gains.
Automatic Remediation
Automatic remediation uses predefined logic, scripts, or algorithms to resolve issues. When an issue is detected, a system automatically performs a remedial action without any human intervention.
Today, technologies such as SOAR platforms use automatic response actions for simple and repetitive tasks:
- Quarantine devices that are detected with malicious files
- Quarantine suspicious phishing emails
- Autocorrect simple misconfigurations, such as firewall rules encryption settings and more
At the cloud infrastructure level, the use of infrastructure as code (IaC) and CNAPP platforms make it possible to automatically remediate misconfigurations, such as:
- Unencrypted or publicly accessible storage buckets
- Publicly exposed VMs/EC2s
- Security Groups that allow inbound network traffic
However, at the application level, automatic remediation often is confined to automatic code fixes. Even with complex CI/CD workflows, automated code changes without any human intervention becomes a risky proposition today.
Rising use of Generative AI makes automatic remediation at the application level a more reliable and realistic possibility, yet today security and development teams often don’t have enough trust in deploying automated remediation.
Conclusion:
In the long term, automatic remediation presents an ideal solution that finally keepspace with attacks. For some teams, experimenting with automatic remediation in a limited scope on non-critical systems makes sense.
However today, assistive remediation offers the majority of today’s Security and Development teams significant efficiency gains with little to no risk associated. Even by automatically identifying a root cause, suggesting a fix, and automating the response workflow, teams can reduce their mean-time-to-remediate by 77% or more.
See the Dazz approach to Remediation - sign up for a personal demo today.
