Security Automation Crash Course: Which Workflows Should I Automate?

Outlining the factors that should impact how risk and intelligence teams choose which security workflows to automate.

August 17, 2022

What should I automate?

So you’ve got the automation tools that can make your job easier. Now what? Which process should you automate first?

If you’re asking these questions, you’re doing it right. The answer, however, isn’t straightforward, because every organization differs in size, budget, technologies, objectives, priorities, risk tolerances, etc.

But there are a few universal truths. 

In this blog, we’ll guide you through the factors that should impact what you choose to automate—so you make the right decisions for your team and more efficiently combat risk across your organization.

3 Questions: How to choose the workflows to automate

1) Is it a consistent, repeatable process?

First, you’ll want to identify the workflows that you and your teams perform consistently and repeatedly. Detection and response workflows are typically primed for automation. 

Let’s use a theoretical example—phishing response. When an employee receives a phishing email, an analyst gets an alert and performs a set of steps to gather context, assess impact, and help make a decision about what to do next.

An example of a phishing message analysis process might look something like this:

Side note: Having a manual process to fall back on is worth considering. Technology can fail, and when it does, you've still got to respond. If you don't already have one, consider making this the first step in your workflow automation selection process; you'll be glad you did.

2) Is data available via an API?

Carrier pigeons are bad for automation. They’re hard to train, prone to errors, and don’t move as fast as we’d like. Instead, ensure that the data you need to perform your workflow is available via an API.

In the example above, we’d want to ensure that the tools we use to gather context and decorate an alert have API access. Make this the second requirement in your selection process, no matter how well you can train a pigeon.

3) Will automation save you time and make your (work) life easier?

What you choose to automate should make your daily work life easier by freeing you up to focus on more meaningful, rewarding work; it should accelerate you. In our example, let’s pretend that we have to respond to 10 of these each day, and it takes us roughly 30 minutes to investigate each time. Here’s a simple calculation to determine how many hours per day it takes to perform the process manually:

(# of times per day * # of minutes to manually perform each time) / 60

In this example, that’s five hours per day for just one workflow! There are all kinds of things we can do with five extra hours; there are whole energy drinks designed for this block of time! It sounds like this is a good candidate for workflow automation, but let’s take one last thing into consideration before we take action.

Tech debt considerations

Sure, we’re saving five hours per day. Consider two things, though.

  1. How long do you think the automated version of your workflow will take to complete every time it runs?
  2. How long will it take for you to build and maintain it?

Using our example one last time, we can conservatively estimate that a single “run” of the automated equivalent of the workflow will only take a couple of minutes to complete. We can say this because we chose a repeatable process that uses technologies that have APIs available. 

Building and maintaining an automated workflow does take time, and that time is hard to predict. Estimate it as well as you can and weigh it against the time you’d save. A frequent, repeatable 30-minute process that gets reduced to two minutes, takes a few days to build, and requires a little bit of time periodically is objectively better than one that will take months to build and requires frequent maintenance. Make this the third requirement in your selection process.
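The selection process above can be turned into a small ranking script. This is an added example, not code from the original post or from Flashpoint. The field names, the 21 working days per month, the build and maintenance hours, and every workflow other than the phishing figures (10 per day, 30 minutes manual, two minutes automated) are assumptions constructed for illustration.

```python
from dataclasses import dataclass

WORKDAYS_PER_MONTH = 21  # assumption, used to spread maintenance over working days

@dataclass
class Workflow:
    name: str
    repeatable: bool           # question 1: consistent, repeatable process?
    api_available: bool        # question 2: is the data reachable via an API?
    runs_per_day: float
    manual_minutes: float      # analyst time per manual run
    automated_minutes: float   # wall-clock time per automated run
    build_hours: float         # one-off build cost (estimate)
    maintenance_hours_per_month: float

def manual_hours_per_day(w):
    # The post's formula: (# of times per day * # of minutes each time) / 60
    return w.runs_per_day * w.manual_minutes / 60

def net_hours_saved_per_day(w):
    automated = w.runs_per_day * w.automated_minutes / 60
    maintenance = w.maintenance_hours_per_month / WORKDAYS_PER_MONTH
    return manual_hours_per_day(w) - automated - maintenance

def break_even_days(w):
    """Working days until the build cost is repaid, or None if the workflow
    fails question 1 or 2, or if upkeep eats all of the savings."""
    if not (w.repeatable and w.api_available):
        return None
    net = net_hours_saved_per_day(w)
    return w.build_hours / net if net > 0 else None

def rank(workflows):
    """Viable candidates as (name, break-even days), fastest payback first."""
    scored = [(w.name, break_even_days(w)) for w in workflows]
    return sorted((s for s in scored if s[1] is not None), key=lambda s: s[1])

# Constructed sample data. Only the phishing run counts and minutes come from the post.
PHISHING = Workflow("phishing triage", True, True, 10, 30, 2, 24, 2)
SLOW_BUILD = Workflow("vendor review", True, True, 2, 45, 5, 480, 20)
NO_API = Workflow("badge audit", True, False, 6, 20, 1, 16, 1)
CANDIDATES = [SLOW_BUILD, NO_API, PHISHING]

if __name__ == "__main__":
    for name, days in rank(CANDIDATES):
        print(f"{name}: pays back after {days:.1f} working days")
```

With these inputs the phishing workflow repays its build cost in about a week, while the slow-to-build, maintenance-heavy workflow takes years, and the workflow without API access is excluded outright.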

Putting it all together

As you repeat this process of selecting workflows to automate, you’ll be able to immediately capture KPIs to help demonstrate performance and general ROI.

Even if you don’t choose Flashpoint Automate as your solution, I hope that at this point you’ve realized that you can create efficiencies for yourself too, and you’ve got a better idea of how to approach selecting the workflows you’ll automate to save you time, money, and resources.

Put automation to work

Cyber, fraud, and physical security teams can automate repeatable and manual processes using Flashpoint Automate, which works in concert with the Flashpoint Intelligence Platform and numerous other tools in your company’s ecosystem. Sign up for a free demo today and see Flashpoint Automate in action.

*** This is a Security Bloggers Network syndicated blog from Threat Intelligence Blog | Flashpoint authored by Rob D'Aveta. Read the original post at: https://flashpoint.io/blog/security-automation-crash-course-which-security-workflows-should-i-automate/