How Security Automation Bridges the Intelligence-Action Gap

Understanding action deficit

Threat intelligence can generate invaluable strategic and tactical insights. Far too often, however, this intelligence remains locked in static reports or lost in the stream of feeds and alerting that can inundate and overwhelm intelligence analysts.

It should come as no surprise that a common refrain in the threat intelligence space is that intelligence should be actionable; it should advance investigations and support the decision-making process, bringing the path ahead into clearer focus. 

But for many practitioners, a real gap remains: the space between intelligence and action.

The intelligence-action gap is compounded by the current intelligence analyst workforce shortage and fatigue, which puts a strain on resources, as well as the overarching need to prioritize needle-moving initiatives.

One key to bridging the intelligence-action gap—and alleviating these challenges—is automation. In this article we address how security automation tools can be leveraged to:

• Automate repeatable tasks
• Create and customize incident response workflows
• Build automation workflows without having to rely on additional engineering resources
• Re-allocate time to more complex and human-intensive security incidents

How low-code automation bridges the Intelligence-Action Gap

No coding experience necessary

According to Cybersecurity Ventures, there were 3.5 million unfilled cybersecurity jobs at the end of 2021, and that number is expected to remain the same until 2025. In fact, the U.S. Bureau of Labor Statistics projects that information security analyst will be the 10th fastest growing occupation over the next decade, with a growth rate of 31% (compared to the 4% growth rate average for all occupations).

Low-code automation tools democratize software engineering and custom software development. In other words, security practitioners without any applied knowledge of a coding language could use automation tools to build incident response workflows, even if they aren’t a software engineer.

How to address alert fatigue

Security teams are notoriously understaffed teams without the kinds of resources that could really move the needle. As an example, analysts receive an overwhelming number of alerts from security or incident response tools.

According to research cited by Dark Reading, 40 percent of organizations use 10 to 25 different security solutions, and 30 percent use 26 to 50, resulting in tens of thousands of alerts each day (not to mention the complexities that may arise when using disparate systems).

The overwhelming number of alerts can lead to desensitization. So much so, that IDC estimates that cybersecurity teams at companies with 5,000+ employees wind up ignoring around 23 percent of their alerts, while every alert a cyber threat analyst takes action on costs about 30 minutes of their time; false positives taking even longer.   

This is alarming, overwhelming, and, likely, unmanageable.

The promise of automation and threat intelligence

Automation unlocks the full value of threat intelligence in your security operations by shortening the time, steps, and resources needed to execute swift, effective action at every stage of the threat intelligence lifecycle. 

The best intelligence tools will help security teams build repeatable workflows, freeing up time and resources to address more complex or impactful security issues. 

And with the rise of low-code automation solutions, security and intelligence teams can extend this value even further using codeless playbooks.