Is Automation the Solution to Security Overload?

Recent research from ESG shows that security teams are so overwhelmed by the sheer volume of security alerts that 43 percent of teams routinely ignore as much as 75 percent of all alerts[1].  At ServiceNow we’ve been thinking a lot lately about how to automate security incident response to help teams cope better.

That’s why at this year’s Black Hat conference, we surveyed 337 security and IT professionals to better understand how and when to automate security incident response.  What we found provides a roadmap for attacking the challenge of keeping-up with an increasingly overwhelming number of security alerts.

Lots of Talk, Not as Much Action

Security professionals clearly see the value of automating security incident response.  Nearly all (95 percent), say doing so is important.  But that doesn’t always translate into action.  In fact, nearly half (44 percent) handle security incident response in a primarily manual fashion (email, spreadsheets, etc.).

The top reasons security pros cite for their lack of automation is twofold:  First, the various security and IT teams are siloed, making automation more difficult to achieve.  And, second, they simply don’t have the right tools.

Not All Tasks are Easy to Automate

We also asked the professionals to rank which tasks were most able to be automated.  Not surprisingly the pros listed the most basic tasks first:

  • Collecting incidents from multiple products in a single repository
  • Identifying source IPs, file hashes and other IoC’s
  • Querying external threat intelligence sources

Note that these were also the tasks most commonly automated to date by those teams using automation.

In terms of the tasks the teams felt they were least able to automate, the more complex tasks were mentioned the most

  • Resolving the problem
  • Confirming actual threats
  • Determining fixes needed to remedy problems

These were also the bottom three in terms of how often teams have actually automated the task.

Lessons for Security Professionals

When two of five security professionals say they routinely ignore security alerts because they are overwhelmed, you know you have a serious problem.  The professionals we surveyed at Black Hat 2017 see automation as a potential solution to this problem.

As I said above, here at ServiceNow we’ve been working on this precise problem for a while now.  Here are the top three things security teams can do today to get started with automating security incident response.

1 – Start small.  You don’t need to think of automation as being end-to-end.  Instead, look for a couple of mundane tasks that can help eliminate busy work for analysts.  This could be a simple as automating process lookups on a machine – what’s running on the machine?  Is this normal?  You could automate the detonation of malware in a sandbox or automate threat intelligence lookups.  While these are small steps, they can have a big impact on the time an analyst spends in the threat investigation process.

2 – Find more.  After finding success with a few tasks, find more use cases where you can include automation.  But stick to work that is part of the investigation or research process and focus on ordinary, repetitive tasks that will ultimately save an analyst time.

3 – Go active.  Extend automation to low-risk items that are part of the resolution process.  Items like disabling a user account when an account is confirmed to be compromised or adding a block on a firewall when an infected system is communicating with a newly found command and control system.  Or even automatically deleting a newly confirmed phishing email from all mailboxes.  This allows automation to accelerate an organizations time to remediate a security incident and has the added benefit of freeing up security analysts to work on more complex tasks.

You learn more about how Security Operations can help by visiting

[1] SESG Blog Post: Security alert overload threatens to bury security teams