When designing and implementing security automation workflows, there are a number of steps that should be followed to ensure effectiveness, accuracy, and adherence to best practices. Security automation can become complex, so it’s critical that you create a solid foundation prior to automating your first workflow.  

At Phoenix Cyber, we’ve created a list of six steps that should be followed when using a security automation, orchestration and response (SOAR) platform to implement security automation workflows: 

1. Establish a standard operating procedure (SOP). Collaborating with your management and security analysts to create an SOP that accurately reflects the current practices in your security operations center (SOC) is crucial. This not only ensures that the output is functional and effective, but also establishes a sense of ownership and commitment from all team members.
2. Standardize data collection and process outputs. In this phase, we utilize our SOP to pinpoint vital data points. These data points are then used to create a model for standardizing the data. This model is important to bring together various security tools and establish a flexible orchestration system. It enables us to efficiently incorporate the necessary data for the initial and any future orchestrations.
3. Assign process workflows to the most qualified owner. To have a comprehensive security process and shorten development cycles, you must identify ownership throughout the entire security workflow cycle. This ownership should not just be limited to security analysts and SOC managers, but also include security engineers and threat hunters. By identifying all pieces of the security automation workflow that involve analysts, threat hunters, engineers, and management, everyone can be involved in the process and ensure a seamless workflow.
4. Create a modular, templated application framework. At Phoenix Cyber, we have created a structural framework that enables the development and implementation of diverse security automations. Our approach involves componentizing crucial workflow steps, while ensuring the integrity of critical data through standardized data structures as it moves across multiple workflows and applications. This allows for the creation of flexible workflows that can be easily modified and reintegrated into the workflow procedures as needed.
5. Implement a single pane of glass curation. Leverage insights from your threat hunters, management staff, and security analysts to curate the data that is being ingested and present it in a meaningful way that highlights important key factors and is easy to consume by all who use the system.
6. Automate and document the development lifecycle. You can use the automation framework’s benefits for future development and deployment cycles. This enables you to track and monitor progress and gain insights into data storage and consumption as it moves between development, staging, and production environments.

These six principles are the core tenants to a successful development lifecycle necessary for designing and creating security automation workflows. By following these steps, organizations can ensure that their workflows are implemented in a structured, systematic, and secure manner, leading to improved efficiency, effectiveness, and resilience in security operations.  

For more information, watch our Security Automation Engineering Principles video, where we dig deeper into implementing each step of the development lifecycle.