Security Automation is Real. Science Fiction is Not.

Figure 1. Maturity Model for Organizations’ Automation Journey
  • Careful thinking and planning
  • Thoroughly documented processes
  • An initial setup of the automation
  • A never-ending ongoing phase of continuous improvement and modifications to accommodate the expected environment and process changes
  • Tools, and bi-directional integrations between tools
  • What will we automate (the entire SOC, some alerts only, investigation timelines, etc.) — what is the scope of the automation
  • When will we invoke automated resolution — what are the trigger points for the automation
  • Who will decide that automated resolution needs to be performed — specifically, will the decisions be made by humans, or by the tools
  • How will processes be automated — specifically, will automation be done via static playbooks or other means
  • What are the feedback loops and continuous improvement processes — what is the lifecycle of the automation
  • What is the ownership and operating structure — what is the responsible, accountable, consulted, informed (RACI) matrix

To Automate Or To Not Automate

The Five Phases in the Automation Journey

Phase 0 — Absent

Phase 1 — Ad-hoc

Phase 2 — Assisted

Phase 3 — Augmented

Phase 4 — Automated

Phase 5 — Autonomic

Characteristics of the Automation Phases

Figure 2. Main characteristics of the 5 phases in organizations’ automation Journey

Conclusion

Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.