Security Automation in Information Technology
Sikender Mohsienuddin Mohammad, Surya Lakshmisri
International Journal of Creative Research Thoughts (IJCRT), www.ijcrt.org, © 2018 IJCRT | Volume 6, Issue 2, June 2018 | ISSN: 2320-2882 | Paper ID IJCRT1133434 | Electronic copy available at: https://ssrn.com/abstract=3652597

Abstract
Security automation has become a major concern for many companies in the fight against rising cyber threats enabled by new attacks on cloud networks and the proliferating Internet of Things. A recent survey by the threat detection and hunting company Fidelis Cybersecurity revealed this trend among 300 CISOs, CIOs, CTOs, architects, engineers, and analysts across a range of industries: more than half of the professionals surveyed (57 percent) said that their companies are concerned about a lack of automation [21]. Cybersecurity automation is one of the notable developments in information technology. Automating human-driven, repeatable processes lets organizations and individuals focus on more productive problem-solving tasks. Focusing on these tasks fosters innovation and contributes to an organization that is more robust from a cybersecurity point of view. Automation also adds to the complexity of an organization's information systems, and as the number of attractive targets grows, cybersecurity initiatives must be prepared to implement automated solutions. The confidentiality, integrity, and availability of the information that cybersecurity programs protect must be safeguarded for as long as that information exists [2].

In most industries, automation is the main force of transition. By 2030, automation is expected to displace over 800 million workers, and technology is transforming the way we work, organize, and communicate with others. The almost constant occurrence of data breaches suggests that this will not stop, so organizations cannot afford long-term reservations about security automation concepts and capabilities. Automating the security of the IT infrastructure is a priority for keeping information systems safe [9]. Automating policy enforcement, alert management and prioritization, and incident preparation will increase the efficiency of businesses and reduce costs significantly. By automating the analysis, response, and remediation of threats end to end, businesses can replicate the expertise and reasoning of seasoned cyber experts at global scale, ensuring a greater overall degree of protection and compliance [7]. That is rarely the case today. For example, most organizations, because of the huge resources needed to perform audits, audit only a representative sample of their processes. It is common practice to audit only a few systems, or to audit only the basic security configuration that all of them need to have, on the assumption that 50,000 laptop computers are all configured the same way. Given the audit tools available, these approaches are understandable.

Methodologies have been developed over the years to safeguard data, but the complexity involved in ensuring security has not changed. Without security automation, analysts must address threats manually. This often involves investigating an issue and comparing it against the threat information the company holds to establish its validity, agreeing on a course of action, and then manually solving the problem, all with possibly millions of signals and often incomplete information [5]. Moreover, many of these tasks are repetitive. Analysts waste valuable time on repeated tasks, which keeps them from identifying more critical problems. Security automation does a great deal for the information technology team. When an alert appears, it determines instantly, based on previous responses to similar incidents, whether an action is required, and if so, it can remedy the problem automatically [2]. Meanwhile, security analysts have more time in which to focus on strategic planning, emerging threats, and more thorough research, which adds value to the company.

Keywords — Security automation, Information security, management, security, configurations, cybersecurity, automation, information technology, IT security

I. INTRODUCTION
Security automation consists of the machine-based implementation of security measures capable of programmatically detecting, analyzing, and remediating cyber attacks: recognizing potential threats, triaging and classifying alerts as they occur, and then acting on them in a timely manner. Security automation works effectively for the security team, so they no longer have to wade through every alert manually. Automated security detects threats in the workplace environment [10]. It can also triage potential vulnerabilities and risks through a step-by-step process, using guidelines and decision rules defined by security professionals to evaluate an incident and ascertain whether it is a serious problem. All of this can occur in seconds without any staff action [3]. Repetitive, time-consuming tasks are reduced for the security analysts when their systems are automated, so that they can focus on higher-value work. Security automation can also identify threats that would otherwise be missed. According to the ESG study, IT departments ignore 74% of security incidents or alerts, even though security solutions are in place, simply because of the volume. Security automation can not only detect and address these common problems but can also reduce human error, including the effects of inexperience, fatigue, and carelessness [6].

Earlier discussions have explored how cybersecurity systems are designed to automate certain common processes, and many companies are likely to have automation tools in place already. In many corporate information systems, for example, information security products are already set up to detect and scan devices automatically [1]. They can carry out an evaluation based on an organization-approved set of security checks. Upon completion of the evaluation, the vulnerabilities identified may be fixed.
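As an added illustration of the kind of automated evaluation just described (this is example code written for this edit, not code from the paper or from any product it names), the Python script below compares each host's observed settings against an organization-approved baseline, reports controls that have drifted or disappeared, reports required patches that are missing, and orders the findings by severity so that the most critical items are remediated first. It also covers the control drift and patch prioritization concerns raised later in Sections II and III.B. The baseline control names, patch identifiers, severities and the fleet snapshot are all constructed for the example and stand in for the thousands of settings a real checklist such as an SCAP benchmark would carry.

```python
"""Baseline compliance, control drift and patch prioritization check.

Example code added for illustration; the control names, patch identifiers,
severities and host snapshots are constructed and do not describe real
advisories or systems.
"""
from dataclasses import dataclass

# Organization-approved baseline. A handful of controls stand in for the
# thousands of settings a real checklist (such as an SCAP benchmark) carries.
BASELINE = {
    "firewall.enabled":         {"expected": True,  "severity": 9.0},
    "ssh.password_auth":        {"expected": False, "severity": 7.0},
    "ssh.root_login":           {"expected": False, "severity": 8.0},
    "audit.log_retention_days": {"expected": 90,    "severity": 4.0},
    "screen.lock_timeout_s":    {"expected": 600,   "severity": 2.0},
}

# Required patches with a CVSS-style score used to prioritize installation.
REQUIRED_PATCHES = {"KB-2024-001": 9.8, "KB-2024-002": 5.3, "KB-2024-003": 7.5}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str        # "drift" (control changed or removed) or "missing_patch"
    item: str
    detail: str
    severity: float


def check_host(host, observed, installed_patches):
    """Compare one host's observed settings and patches against the baseline."""
    findings = []
    for control, spec in BASELINE.items():
        if control not in observed:
            # A control that is absent was removed, reset, or never applied.
            findings.append(Finding(host, "drift", control,
                                    "control absent", spec["severity"]))
        elif observed[control] != spec["expected"]:
            findings.append(Finding(host, "drift", control,
                                    f"expected {spec['expected']!r}, "
                                    f"found {observed[control]!r}",
                                    spec["severity"]))
    for patch, cvss in REQUIRED_PATCHES.items():
        if patch not in installed_patches:
            findings.append(Finding(host, "missing_patch", patch,
                                    "not installed", cvss))
    return findings


def prioritize(findings, critical_at=7.0):
    """Order by severity and split off the items that must be fixed first."""
    ordered = sorted(findings, key=lambda f: f.severity, reverse=True)
    critical = [f for f in ordered if f.severity >= critical_at]
    other = [f for f in ordered if f.severity < critical_at]
    return critical, other


# Constructed fleet snapshot: ws-01 is compliant; on srv-02 an administrator has
# disabled the firewall, an update re-enabled password authentication, the
# log-retention setting has disappeared, and two patches are missing.
FLEET = {
    "ws-01": ({"firewall.enabled": True, "ssh.password_auth": False,
               "ssh.root_login": False, "audit.log_retention_days": 90,
               "screen.lock_timeout_s": 600},
              {"KB-2024-001", "KB-2024-002", "KB-2024-003"}),
    "srv-02": ({"firewall.enabled": False, "ssh.password_auth": True,
                "ssh.root_login": False, "screen.lock_timeout_s": 600},
               {"KB-2024-002"}),
}


def audit_fleet(fleet=FLEET):
    """Run the check across every host and return (critical, other) findings."""
    findings = []
    for host, (observed, patches) in fleet.items():
        findings.extend(check_host(host, observed, patches))
    return prioritize(findings)


if __name__ == "__main__":
    critical, other = audit_fleet()
    print("fix now:")
    for f in critical:
        print(f"  {f.severity:4.1f} {f.host:7} {f.kind:13} {f.item}: {f.detail}")
    print("schedule:")
    for f in other:
        print(f"  {f.severity:4.1f} {f.host:7} {f.kind:13} {f.item}: {f.detail}")
```

In a real deployment the observed settings would come from the scanner or agent that collects them and the baseline from the organization's checklist; the point of the structure is that a control which is absent is treated as a finding rather than silently passing, because a removed control is exactly the case a periodic sample audit misses.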
When addressing new automation strategies, industry experts typically refer to the tools that both automate and evaluate processes, such as security orchestration, automation and response (SOAR) platforms, custom-developed applications, and robotic process automation (RPA). SOAR products are purpose-built tools that interlink activities with other security tools and perform specific automated actions in response to defined threats. RPA tools are a broader class of automation tools for automating a wide range of processes [12]. The use of RPA has increased significantly in HR and finance, but cybersecurity teams are also able to leverage it. Custom software and scripts can automate any form of analysis and are frequently used when resources are short or when an enterprise has a specific problem that no off-the-shelf tool addresses. All of the above methods communicate with an organization's tools, gather data, interpret it, and either act automatically or advise a team member to take further action [8]. This essay examines the concept of security automation and its significance for information technology.

II. LITERATURE REVIEW
A. Elements of security automation
Barak states that security automation goes beyond prevention, detection, and the other essential components of securing organizations more efficiently. Four of the most current and relevant elements to consider when implementing security automation are:

1. Policy enforcement. As networks have become much more complex, it has become almost impossible to manage the security policies involved manually. Automated policy enforcement refers to the automation of IT security administrative work. According to Barak, numerous vendors offer tools for automating the enforcement of network security policy, to help organizations meet internal or regulatory protection requirements more easily. Most also provide automated systems for administrative tasks such as onboarding and offboarding and user lifecycle management [16]. Automating provisioning, supply, and application security lets IT teams gain better control of data, costs, and time, and the tools offering this to businesses are often referred to as security automation.

2. Alert monitoring and prioritization. According to Barak, many people see the role of automation through the lens of alert monitoring and prioritization. Alert management and prioritization was traditionally a manual and rather repetitive task [17]. A group of analysts in a security operations center would have to compile alarms and watch the monitors every day to determine the important data points. Today there are different methods for automating alert monitoring and prioritization: rules and thresholds may be developed, threat intelligence may be used, or behavioral analysis and machine learning may be introduced.

According to Barak, rules and thresholds are declining in effectiveness, because they depend on a person's manual effort to decide which alerts are relevant and which are not. They also demand that the rules be updated periodically, because information security threats evolve and attackers know precisely which kinds of alerts businesses are watching for. Threat intelligence is somewhat more reliable [24]. This type of automation gathers threat information from different sources, allowing companies to determine which alerts to look for and which are relevant. For example, a company that ingests and correlates feeds from different intelligence sources could learn that a certain kind of attack is taking place worldwide. Automated threat intelligence helps the organization prepare before it is too late to defend itself against that attack. According to Barak, behavioral analysis and machine learning are among the most advanced types of automated alert monitoring and prioritization, because instead of concentrating on rules, thresholds, or "known risks" they use the new technology to learn what typical network behavior looks like.

3. Planning for incident response. Incident response planning is also sometimes described simply as security automation. One way of thinking about these emerging technologies is an intelligent ticketing system that allows businesses to track and organize the steps needed to respond to a security event as it evolves. Providers in this field help businesses build playbooks for various types of threats, so that when every second counts, portions of their response can be automated [2]. Barak also mentions that workflow is automated to ensure that businesses communicate with the relevant internal and external stakeholders, comply with legislation on subjects such as privacy breach notification, and maintain a clearly defined audit trail.

4. Analysis, response, and remediation. According to Barak, automating the analysis, response, and remediation of cyber threats means using technology to carry out the activities of a competent cyber analyst. In a sense, the other components of security automation (policy, prioritization, planning) exist to quickly identify and shut down threats before they affect operations. Within analysis, response, and remediation there are different aspects a business might automate [2]. Some products tackle only one aspect, while others concentrate on a certain function, such as automating the containment of compromised devices. Some businesses use automation and artificial intelligence as a cyber analyst to carry out the entire process end to end. All of these security technologies free up overloaded security resources, enabling security teams to concentrate on broad but critical tasks and to focus mostly on the organizational strategies that make their business safer [2].

According to a study by Metheny, the implementation of security automation in information technology focuses on the quality of security checks in information systems. Automated continuous monitoring (CM) practices include knowledge of the procedures the company may use, including the techniques and technology used to capture and review security information more regularly [4]. The enterprise will therefore have to ensure that the CM plan involves a set of measures and mechanisms used to respond effectively to the collected data. Automation may change the nature of security assignments, but they will not disappear soon. Although certain tasks can be automated, other tasks are better left to people, with automation as an additional resource. Metheny says that the decision to automate depends on where the benefits outweigh the risks, and the level of risk depends on the approach you take to the process and the tasks you decide to automate. While automation tools have come a long way, there is still room for improvement [4]. Decisions remain as to how they will grow and how they integrate into the business. The technology in its current form works fine for easy tasks but has not been able to address complex ones.

Haq and Khan mention that because smartphones can access information from the internet, the threats they pose to sensitive information have increased [1]. Smartphones have in turn made access to information simple and quick, as they have become personal computers that people carry at all times. They suggest that this requires consistent and proactive monitoring to identify attack trends and raise awareness in organizations. The oil and gas industry, in which the authors work, is no different when it comes to taking cybersecurity measures; it is, at times, a cache full of useful and sensitive information. Haq and Khan also mention that a recent study of cybersecurity in the oil and gas sector carried out by Fox-IT and Oil & Gas IQ revealed some very troubling findings [1]. Although oil and gas companies know that they need to take precautions against cyber threats such as Advanced Persistent Threats (APTs) and hacktivism, with 90% agreeing that it is important to respond within hours to a cybersecurity event, the majority have not taken decisive steps to safeguard themselves [1]. 37 percent claim that they "do not trust" their cybersecurity measures and 45 percent claim that they "somewhat trust" them. 23 percent state that they do not monitor their network regularly, and 19 percent do not separate their IT (Information Technology) network from their OT (Operational Technology) network.
It should therefore not be surprising that the number of cyber-attacks registered against oil and gas companies in 2013 was over 6,500, 179% higher than in the previous year, as a study by PwC showed [1].

Auditing only a sample is common where numerous computers are in use, especially across many locations, but these approaches are very risky. They are based on the generally wrong assumption that security controls are not changed or removed once they have been implemented. In several cases, security controls can be modified [2]: the introduction of new features, improvements to existing features, and software fixes, enhancements, and other updates can reset protection settings to their default values. The introduction of a new application may change configuration settings used by another application, particularly when components are shared. Any user with administrator privileges can alter, disable, or delete security controls, particularly when the user believes that the controls prevent something or are otherwise irritating. Malware or another component of an attack may also disable a control [2].

… to evaluate the providers. Some automation can be implemented quickly, significantly reducing the time it takes to integrate with the existing solutions in your environment. There are different implementation approaches; some are easier than others. Some suppliers make it as simple as possible to build and run your playbooks with a drag-and-drop workflow. Others may require development backgrounds, scripting, and coding skills that your operations team may not have. All solutions require you to understand what your processes are and how your analysts can simplify those processes today.
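To make the rule-and-threshold, threat-intelligence and playbook mechanisms from Section II.A concrete, here is an added example (written for this edit, not code from the paper or from any SOAR vendor) of a small triage playbook in Python. It takes SIEM-style alerts, suppresses those below a per-rule threshold, enriches the rest against an indicator list standing in for a threat-intelligence feed, adds a simple behavioral baseline check of which hosts each account normally appears on, and maps the resulting score to an action (ignore, open a ticket, or contain the host). The alerts, indicators, baseline, thresholds and score weights are all constructed for the example.

```python
"""Alert triage playbook: rules/thresholds, threat intel and a behavioral baseline.

Example code added for illustration; the alerts, indicators, thresholds and
weights below are constructed and do not come from any real feed or product.
"""
from dataclasses import dataclass, field

# Constructed SIEM-style alerts as a SOAR playbook might receive them.
SAMPLE_ALERTS = [
    {"id": 1, "rule": "failed_login", "host": "ws-017", "user": "jdoe",
     "src_ip": "10.1.4.23", "count": 3},
    {"id": 2, "rule": "failed_login", "host": "ws-017", "user": "jdoe",
     "src_ip": "10.1.4.23", "count": 40},
    {"id": 3, "rule": "outbound_connection", "host": "ws-031", "user": "asmith",
     "dst_ip": "203.0.113.7", "count": 1},
    {"id": 4, "rule": "outbound_connection", "host": "ws-031", "user": "asmith",
     "dst_ip": "198.51.100.9", "count": 1},
    {"id": 5, "rule": "new_admin_account", "host": "srv-db-02", "user": "svc_backup",
     "count": 1},
]

# Constructed threat-intelligence indicators (documentation-range addresses).
THREAT_INTEL = {"ip": {"203.0.113.7": "known C2 server (sample feed)"}}

# Rules and thresholds as an analyst would encode them.
THRESHOLDS = {"failed_login": 10}        # counts below this are noise
BASE_SEVERITY = {"failed_login": 2, "outbound_connection": 1, "new_admin_account": 4}

# Behavioral baseline: the hosts each account is normally seen on.
BASELINE = {"jdoe": {"ws-017"}, "asmith": {"ws-031"}, "svc_backup": {"srv-backup-01"}}

TICKET_AT, CONTAIN_AT = 3, 6


@dataclass
class Verdict:
    alert_id: int
    score: int
    action: str                    # "ignore", "ticket" or "contain"
    reasons: list = field(default_factory=list)


def triage(alert, intel=THREAT_INTEL, thresholds=THRESHOLDS, baseline=BASELINE):
    """Score one alert and decide the playbook action."""
    score = BASE_SEVERITY.get(alert["rule"], 1)
    reasons = []

    # Stage 1: rules and thresholds. Below-threshold counts are dropped early.
    limit = thresholds.get(alert["rule"])
    if limit is not None:
        if alert.get("count", 0) < limit:
            return Verdict(alert["id"], 0, "ignore", ["count below threshold"])
        score += 2
        reasons.append(f"count {alert['count']} >= threshold {limit}")

    # Stage 2: threat-intelligence enrichment on any IP field present.
    for key in ("src_ip", "dst_ip"):
        hit = intel["ip"].get(alert.get(key))
        if hit:
            score += 5
            reasons.append(f"{key} {alert[key]} matches intel: {hit}")

    # Stage 3: behavioral baseline. An account on an unusual host is suspicious.
    usual_hosts = baseline.get(alert["user"], set())
    if alert["host"] not in usual_hosts:
        score += 3
        reasons.append(f"{alert['user']} not normally seen on {alert['host']}")

    # Stage 4: map the score to an action.
    if score >= CONTAIN_AT:
        action = "contain"
    elif score >= TICKET_AT:
        action = "ticket"
    else:
        action = "ignore"
    return Verdict(alert["id"], score, action, reasons)


def run_playbook(alerts):
    """Triage every alert and return verdicts, highest priority first."""
    return sorted((triage(a) for a in alerts), key=lambda v: v.score, reverse=True)


if __name__ == "__main__":
    for v in run_playbook(SAMPLE_ALERTS):
        print(f"alert {v.alert_id}: score={v.score} action={v.action} ({'; '.join(v.reasons)})")
```

Each verdict carries the reasons that produced it, which is the audit trail the incident response planning element calls for; the thresholds and weights are the part that, as Barak notes, must be revisited periodically, while the intelligence and baseline stages are what catch the low-count alert (a single connection to a listed address, an account appearing on an unfamiliar host) that a threshold alone would discard.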
The latest Cybersecurity Jobs report states that there will be 3.5 million unfilled cybersecurity jobs by 2021; today's threats simply outnumber the qualified security professionals available to handle them [5]. To boost their capability, attackers have turned to automation, and we have to do the same to keep up with them. By selecting the right automation and orchestration approach and the right use cases, your organization will make better decisions from better data, improve efficiency, and enhance overall security.

III. DISCUSSION
More frequent and more advanced cyber-attacks are becoming increasingly difficult to avoid and mitigate. The thousands of alerts generated by different security tools are often not handled effectively by security teams [23]. Analysts must complete manual, repetitive activities to analyze these possible risks. On top of the burden of inadequate time and resources, many businesses simply cannot cope with the amount of security work. The exponential rise in cyber-attacks has made security automation a hot subject for organizations and security teams [21]. Before automation, security analysts had to triage, evaluate, and act on every alert, which eventually proved unattainable. The huge number of threats required an automated response so that a cyber-attack or security violation could be identified and reacted to more quickly. Together with automated incident management, a more proactive approach was increasingly required to resolve security concerns. Security automation grew out of this and provided a systems-oriented, machine-driven approach [22]. It has since evolved into security automation and orchestration, which makes it possible to link security tools into workflows. Providers currently sell security orchestration, automation, and response (SOAR) solutions that automate responses and remediation. Providers use varying and contradictory terminology to describe their products [5], so make sure you know what features a security automation platform needs before you begin searching for vendors.

A. Cybersecurity automation tools and platforms
Types of process automation and information security applications include:

1. Robotic Process Automation. Robotic process automation is typically defined as the automation of routine tasks using robots, either physical or virtual, such as application bots. In cybersecurity, this generally refers to the ability of automated systems to conduct tasks like testing and monitoring, including low-level incident response. It involves collecting and compiling data, analysis, and detection methods for simple breaches and other tasks requiring limited cognition [20].

2. Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR). These refer to a variety of approaches that increase the capabilities and productivity of your security operations center without tying up your human resources in low-level tasks. They help simplify three key information security activities, security orchestration, security automation, and security response, by improving the management of risks, vulnerabilities, and security incidents. SIEM is by nature more manual [13]: it bundles manual responses to alerts with periodic updates and modifications to systems, rule sets, and signatures so that known threats can be identified efficiently and accurately [19]. The main objective of this strategy is therefore to identify known threats; it is less successful at identifying new or unknown ones.

SOAR, whether used internally or externally, is a little more complex: it takes certain SIEM alerts and automatically responds to them where needed for triage and remediation. It uses cognitive tools and methods, artificial intelligence (AI) and machine learning (ML), to learn from current threats and help classify new ones. SOAR and SIEM are close in several ways; after all, both collect and use the same information from different sources to examine anomalies [19].

3. Certificate Management. Because of Google's push for encryption, the extensive use of SSL certificates and keys has created many dangerous weak spots. Lack of visibility into the network and its public key infrastructure is one of the greatest challenges for security measures, and for the success of a business. Certificate management systems and certificate discovery applications handle more than just web certificates. They can discover all of the network's X.509 digital certificates, irrespective of brand, type, issuer, issuance date, or expiry date, including code signing certificates, client certificates, IoT certificates, SSL/TLS certificates, and device certificates. Clear examples are the Sectigo Certificate Manager (SCM) and the Comodo CA Certificate Manager (CCM) [14].

4. Custom Automation Solution Development. Designing custom automation systems is another category that should not be overlooked. All businesses are different, and organizations in different sectors have different needs [20]. Although some existing techniques for cybersecurity automation can be effective anywhere, it can be advantageous for a specific company to create tailored solutions that suit its own needs. This can be handled by your internal development team, but you will most likely prefer to hand it over to a third-party provider.

B. The Need for Continuous Security Management
Security monitoring has historically been carried out largely on a fixed schedule. Security patches might be installed on computers once a quarter, except for emergencies, and in many organizations computers are assessed perhaps only once every couple of years. These timelines are not adequate to meet the security needs of today. Every day new, exploitable software vulnerabilities are discovered, several thousand of which are publicly recorded each year [14]. Given the number of fixes that need to be applied within a corporation, companies also have to prioritize patching to make sure that the most critical vulnerabilities are patched faster than others. Less serious vulnerabilities sometimes remain unpatched for weeks or months, or are never patched at all. We need a way to recognize when new patches are available, to prioritize their installation, to ensure they are installed quickly, and to take supporting actions such as rebooting after patch installation during off hours [25]. Attacks can misconfigure software security or exploit vulnerabilities in security controls. Mitigating attacks aimed at these kinds of weaknesses often depends on an organization's ability to restore security controls or device security settings easily. In the worst case, a company could have to take drastic measures immediately, such as taking a service offline indefinitely to prevent its compromise [18].

You also need to be able to check quickly that a system is properly protected and to adjust the security status of a system on request. It takes a person a great deal of time to test all the security elements of a system: that every patch is present and installed, that the security configuration of all software is correct, and so on [6]. A single device can expose thousands of security settings across its operating system and applications [11], and there are now far more audit and compliance requirements than before.

IV. CONCLUSION
How security automation can support you depends heavily on your industry and company. Whether it is retail, healthcare, manufacturing, financial services, the public sector, or another industry, the resources and processes relied upon differ widely. Retailers, for instance, deal with unpredictable ransomware and phishing attacks. Automation is effective in clearing the deck of repeated attacks and false positives, which leaves security analysts better able to research these cases and find
a long-term solution. It is important to work with the IT team and other organizational leaders to identify the issues that need to be addressed before any vendor is considered [12]. Automation is on the list of priority areas as businesses understand that it reduces risk, makes their networks transparent, and gets more out of their security stacks. Human error is one of the greatest threats, and automation reduces it. If an engineer is called upon to perform the same task each day, searching for needles in the same haystacks, they will eventually make a mistake. Many enterprise security technologies and services are analyzed to understand their automated controls, particularly those which allow central management operations to be automated.

The management of information security is a very complicated and ultimately costly problem. While SMEs do not have the financial resources to implement sufficient information security management programs, large enterprises face growing uncertainty in their information technology environments. Security automation will lower the cost and complexity of security operations without human interaction. Automation is neither science fiction nor a gimmick; it is embraced by both small and large businesses. By introducing automation within the framework of an enterprise, the cybersecurity department can focus on more complex tasks. This means that the machine performs the mundane, repetitive work, while cybersecurity project managers can work more critically, creatively, and technically to solve issues, improve the corporate risk posture, and manually examine systems and data to find unintended behavior and indicators of compromise or defects [15]. Relying on manual effort alone is a losing proposition for a modern enterprise, and one that information security automation will help address. Automation may also help small or under-resourced information security teams cope with the organization's growing digital footprint. Given human mistakes and the sheer amount of data to handle, missing a possible threat is otherwise unavoidable. The assumption that teams will catch every future cybersecurity incident accurately is inherently unrealistic. Automation could be vital to safeguarding your organization's reliability and guaranteeing consistency in robust, repetitive processes.

REFERENCES
[1] A. U. Haq and T. S. Khan, "Security in automation: Smartphone might be the greatest threat," CFE Media, 2015. Retrieved from: https://www.controleng.com/articles/security-in-automation-smartphone-might-be-the-greatest-threat/
[2] E. Barak, "Explaining security automation and its evolving definitions," New York, NY: IDG Communications, Inc., 2016. Retrieved from: https://www.networkworld.com/article/3121275/explaining-security-automation-and-its-evolving-definitions.html
[3] K. Panos, "Security Automation and Threat Information-Sharing Options," IEEE Security & Privacy, vol. 12, 2014, pp. 42-51.
[4] M. Metheny, "Continuous monitoring through security automation," ScienceDirect, 2017. Retrieved from: https://www.sciencedirect.com/topics/computer-science/security-automation
[5] P. Nguyen and A. Graham, "Enhancing Security with Automation and Orchestration," Sirius Edge, 2015. Retrieved from: https://edge.siriuscom.com/security/enhancing-security-with-automation-and-orchestration
[6] R. Montesino and S. Fenz, "Automation Possibilities in Information Security Management," 2011 European Intelligence and Security Informatics Conference, Athens, 2011, pp. 259-262, DOI: 10.1109/EISIC.2011.39.
[7] T. AlSadhan and J. S. Park, "Enhancing Risk-Based Decisions by Leveraging Cyber Security Automation," 2016 European Intelligence and Security Informatics Conference (EISIC), Uppsala, 2016, pp. 164-167, DOI: 10.1109/EISIC.2016.042.
[8] C. N. N. Hlyne, P. Zavarsky, and S. Butakov, "SCAP benchmark for Cisco router security configuration compliance," 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST), London, 2015, pp. 270-276, DOI: 10.1109/ICITST.2015.7412104.
[9] G. B. Peterside, P. Zavarsky, and S. Butakov, "Automated security configuration checklist for a Cisco IPsec VPN router using SCAP 1.2," 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST), London, 2015, pp. 355-360, DOI: 10.1109/ICITST.2015.7412120.
[10] M. Brunner, C. Sillaber and R. Breu, "Towards Automation in Information Security Management Systems," 2017 IEEE International Conference on Software Quality, Reliability and Security (QRS), Prague, 2017, pp. 160-167, DOI: 10.1109/QRS.2017.26.
[11] S. Radack, "Security Content Automation Protocol (SCAP): Helping organizations maintain and verify the security of their information systems," September 2010.
[12] S. Hanna and D. Waltermire, "Security Automation Webinar: Protecting Your Enterprise with Security Automation," May 2013.
[13] G. Koschorreck, "Automated audit of compliance and security controls," 2011 Sixth International Conference on IT Security Incident Management and IT Forensics, 2011.
[14] P. Dwivedi and S. C. Diana, "Analysis of automation studies in the field of information security management," International Journal of Engineering Research and Development, vol. 6, no. 12, pp. 60-63, 2013.
[15] V. Antonie, R. Bongiomi, A. Borza, P. Bosmajian, D. Duesterhaus, M. Dransfield, B. Eppinger et al., "Router Security Configuration Guide," December 2005.
[16] W. M. Fitzgerald and S. N. Foley, "Avoiding Inconsistencies in the Security Content Automation Protocol," 2013, [online] Available: http://www.cs.ucc.ie/~simon/pubs/safeconfig2013.pdf.
[17] M. N. Alsaleh and E. Al-Shaer, "SCAP based configuration analytics for comprehensive compliance checking," 2011 4th Symposium on Configuration Analytics and Automation (SAFECONFIG), pp. 1-8, Oct. 31 - Nov. 1, 2011.
[18] R. P. Lippmann, J. F. Riordan, T. H. Yu, and K. K. Watson, "Continuous security metrics for prevalent network threats: introduction and first four metrics," MIT-LL, May 2012.
[19] R. Struse, comments at the 8th Annual Information Technology Security Automation Conference (ITSAC), October 2012.
[20] R. Montesino and S. Fenz, "Information security automation: how far can we go?", 2011 Sixth International Conference on Availability, Reliability and Security (ARES), pp. 280-285.
[21] E. Kogan and E. M. Haber, "Security and usability: Designing secure systems that people can use," Security administration tools and practices, pp. 357-378, 2005.
[22] A. Kott and C. Arnold, "The promises and challenges of continuous monitoring and risk scoring," IEEE Security & Privacy, vol. 11, no. 1, pp. 90-93, Jan. 2013.
[23] H. Holm, T. Sommestad, J. Almroth, and M. Persson, "A quantitative evaluation of vulnerability scanning," Information Management & Computer Security, vol. 19, no. 4, pp. 231-247, Oct. 2011.
[24] S. Pfleeger and R. Cunningham, "Why measuring security is hard," IEEE Security & Privacy, vol. 4, pp. 46-54, Mar. 2010.
[25] A. Malin and G. Van Heule, "Continuous monitoring and cybersecurity for high-performance computing," Proceedings of the first workshop on Changing Landscapes in HPC Security, pp. 9-14, 2013.
[26] T. AlSadhan and J. S. Park, "Leveraging information security continuous monitoring for cyber defense," Proceedings of the 10th International Conference on Cyber Warfare and Security, p. 401, March 2015.