
Simplify your security operations center

Gain speed, time, and security with a unified automation platform


See what’s inside

Page 1: IT security is a top concern
Page 2: What is security automation?
Page 3: Automation integrates your security tools, systems, and processes
Page 4: Security automation is a journey
Page 5: Use cases and integrations: Define your path to security automation
Page 6: Simplify your security operations center with Red Hat Ansible Automation Platform
Page 7: Automation in action: Red Hat Ansible Automation Platform delivers proven business value
Page 8: Ready to simplify your security operations center?

Simplify your security operations center | Contents


IT security is a top concern

Security is a leading issue for most organizations. In fact, 33% of CEOs are extremely concerned about cyber threats.[1] This apprehension is not unfounded: 32% of organizations experienced major cyber attacks in the past two years.[2]

Protecting your organization is a critical — but frequently daunting — task. Security teams must assemble, maintain, manage, and adapt complex environments using multiple tools and services from a variety of often-competing vendors. The quantity of offerings increases each year, so teams must continually research, assess, and integrate new products as the security landscape changes.

Additionally, the number, severity, and cost of security breaches continue to grow. The likelihood of experiencing a breach within two years is 29.6%, up from 22.6% in 2014.[3] The average number of records involved in each data breach increased by 3.9% from 2018 to 2019.[3] And the average cost of a data breach rose to US$3.92 million in 2019.[3]

Most organizations handle security operations manually. Security-related tasks can be time-consuming, tedious, and error-prone when human intervention is required. As a result, security teams are overwhelmed. They face an increasing number of threat alerts from numerous tools. In reality, 60% of security teams receive more than 5,000 alerts daily, and 16% receive more than 100,000 alerts daily.[4]

And increasing infrastructure size and complexity make it more difficult to identify vulnerabilities and verify breaches. Most security tools do not integrate with each other, resulting in more manual work for security staff. Correspondingly, incident investigation and response times are increasing. In 2019, the average time to identify and contain a data breach was 279 days, up 4.9% from 2018.[3] And it’s hard to find new talent to expand teams and keep up; 39% of organizations reported a shortage in cyber security skills in 2019.[2] Finally, budgets for cyber security activities are limited. Only 33% of organizations report having sufficient funding to achieve a high level of cyber resilience.[5]

Consequently, typical security teams only review and respond to 48% of the alerts they receive, and only 50% of legitimate threats are remediated.[4] This leaves many organizations vulnerable to attack.

77% of organizations plan to increase automation to simplify and speed up response times in their security ecosystems.[4]

Impacts of ineffective security

The number, severity, and cost of security breaches continue to grow.

• US$3.92 million: average cost of a data breach in 2019[3]
• 279 days: average time to identify and contain a data breach in 2019[3]
• US$1.22 million: savings in costs if a breach can be identified and contained in 200 days or less[3]
• 29.6%: likelihood of experiencing a breach within two years[3]
• 50%: proportion of legitimate threats that are remediated[4]

[1] PWC, “23rd Annual Global CEO Survey: Navigating the rising tide of uncertainty,” 2020. pwc.com/ceosurvey.
[2] Harvey Nash and KPMG, “CIO Survey 2019: A Changing Perspective,” 2019. home.kpmg/xx/en/home/insights/2019/06/harvey-nash-kpmg-cio-survey-2019.html.
[3] IBM Security, “2019 Cost of a Data Breach Report,” 2019. ibm.com/security/data-breach.
[4] Cisco, “Cisco Benchmark Study: Securing What’s Now and What’s Next,” February 2020. cisco.com/c/en/us/products/security/ciso-benchmark-report-2020.html.
[5] Ponemon Institute, sponsored by IBM Security, “The Cyber Resilient Organization,” April 2019. ibm.com/account/reg/us-en/signup?formid=urx-37792.



What is security automation?

Security automation involves automating the manual tasks associated with maintaining the security posture of your business. It consists of multiple practices, and we have divided these into four general categories:

Response and remediation: Event-driven activities that involve security analyst participation, guidance, or both.

Security operations: Day-to-day process- and policy-driven activities performed on your security infrastructure by technology teams.

Security compliance: Activities to ensure infrastructure is compliant with security policies and regulations.

Hardening: Activities to apply custom security policies to infrastructure with the targeted intent and goals.

Learn more about security compliance and hardening

Discover how automation can help security compliance and hardening by reading these resources:

• Boost hybrid cloud security e-book
• Why automate security and compliance overview
• Red Hat Services: Automate security and reliability workflows datasheet

This e-book focuses on automating response and remediation activities and security operations.

Benefits of automation for security operations, response, and remediation activities

Boost speed and efficiency

Automation streamlines tasks and removes the need for manual intervention, speeding security operations and allowing staff to refocus on high-value initiatives. It can also reduce IT infrastructure complexity: 40% of high-automation organizations report having the right number of security solutions and technologies.[6]

Increase security at scale

Applying automation across your security infrastructure increases consistency and allows you to take a more holistic approach to security. Each staff member can manage more tools, devices, and systems, so you can operate at scale. Automation also reduces the risk of human errors, improving accuracy.

Reduce the risk and cost of breaches

Organizations that automate extensively are better able to prevent security incidents and business disruptions.[6] Fully deploying security automation can reduce the average cost of a breach by 95%.[7] As a result, 52% of organizations deployed some amount of security automation and 36% more plan to do so in the next 24 months.[7]

[6] Ponemon Institute, sponsored by IBM Security, “The Cyber Resilient Organization,” April 2019. ibm.com/account/reg/us-en/signup?formid=urx-37792.
[7] IBM Security, “2019 Cost of a Data Breach Report,” 2019. ibm.com/security/data-breach.



Automation integrates your security tools,
systems, and processes

Unite people, processes, and tools with a consistent, flexible platform


An automation platform can serve as an integration layer between your security teams, tools, and processes. A flexible, interoperable platform lets you:

• Connect your security systems, tools, and teams.
• Collect information from systems and direct it to predefined systems and locations quickly and without manual intervention.
• Change and propagate configurations quickly from centralized interfaces.
• Create, maintain, and access custom automation content related to your security tools and processes.
• Trigger automated actions across multiple security tools when a threat is detected.

Using a consistent automation platform and language across your organization can also improve communication and collaboration. When every solution in a security portfolio is automated through the same language, both analysts and operators can perform a series of actions across products in a fraction of the time, maximizing the overall efficiency of the security team. And a common framework and language lets security and IT teams share designs, processes, and ideas more easily both internally and across your organization.

Figure 1. An automation platform can connect your security systems, tools, and teams. (Systems shown in the figure: intrusion detection and prevention systems (IDPS), security information and event management (SIEM), enterprise firewalls, privileged access management (PAM), secure email gateways, endpoint protection platforms, secure web gateways, and threat intelligence platforms.)

Automation success = people + processes + platform

Maximizing the value of automation requires more than just a tool — you also need to consider your people, processes, and platform.

• People are at the core of any business initiative. Participation within and across teams lets staff share ideas and collaborate more effectively.
• Processes move projects within your organization from start to finish. Clear, documented processes are essential for effective automation.
• An automation platform provides the capabilities for building, running, and managing your automation assets. In contrast to simple automation tools, an automation platform gives your organization a unified foundation for creating, deploying, and sharing consistent automation content and knowledge at scale.

Read the e-book



Security automation is a journey

Implementing automation in any aspect of your organization does not happen instantly, and it is not an all-or-nothing proposition.
Security automation is a journey. Each organization will start — and stop — at different points according to their needs. Those needs
will also dictate the path that each organization takes. Even so, no matter where you are in your journey, even small security automation
efforts can deliver benefits.

Assess your security automation maturity level


Most organizations fall into one of three main stages of security automation maturity. Determining your organization’s current stage
will help you adopt the right tools and processes at the right time to make your automation journey more successful.

Figure 2. Stages of security automation maturity. The three stages, in order of increasing complexity and scale: Opportunistic (simplify tasks), Systematic (centralize processes), and Institutionalized (orchestrate processes).

Stage 1: Opportunistic

This stage focuses on saving time by automating security operations. Common goals include standardizing security actions across similar devices and technologies and streamlining manual tasks performed across products from different vendors.

Stage 2: Systematic

This stage focuses on improving processes and efficiency by adopting a cohesive set of security operations tools and services. Common goals include building security processes into higher-level workflows and centralizing security response processes.

Stage 3: Institutionalized

This stage focuses on boosting collaboration and integrating security across your organization. Common goals include creating automated, programmatic workflows that span all aspects of security and integrating your security and IT technologies.

Read the blog post



Use cases and integrations

Define your path to security automation

Common, high-level use cases for security automation


Each of these use cases can serve as a starting point for your security automation journey. The key is to start small and simple, and build over time.

Investigation enrichment

Investigating security alerts and incidents involves collecting information from a variety of security systems to assess whether a legitimate event has occurred. Information is typically gathered through a series of user interfaces, emails, and phone calls. This inefficient process can delay action against threats, leaving your business vulnerable and increasing the potential costs associated with a breach. Automation allows you to programmatically assemble information across your security systems, supporting on-demand enrichment of triage activities performed through security information and event management (SIEM) systems. As a result, you can assess — and respond to — alerts and incidents faster.

Threat hunting

Threat hunting involves identifying and investigating potential threats to security in a proactive fashion. As with incident investigation, staff manually gather and send information between many systems. Using automation, you can customize and streamline alerts, correlation searches, and signature manipulation to examine potential threats faster. You can also automatically create and update SIEM correlation queries and intrusion detection system (IDS) rules to improve detection. Consequently, you can update your organization’s security defenses more frequently and efficiently to better protect your business.

Incident response

Incident response involves taking action to stop a breach from continuing. Once a breach is discovered, security staff must respond quickly and at scale to contain it. However, response actions often include multiple manual tasks, slowing remediation time and leaving your organization vulnerable for longer. Automation helps you react faster by codifying actions into repeatable, preapproved playbooks. You can speed tasks like blocking attacking IP addresses or domains, allowing non-threatening traffic, freezing compromised credentials, and isolating suspicious workloads for further investigation to minimize the damage associated with the incident.

Integration is essential

Unified automation approaches require integration between your automation platform and your security technologies. Essential integrations include:

• Firewalls control traffic flow between networks, protecting internet-exposed applications. Automation can speed policy and log configuration changes.
• Intrusion detection and prevention systems (IDPS) monitor network traffic for suspicious activity, issue threat alerts, and block attacks. Automation can simplify rule and log management.
• Security information and event management systems collect and analyze security events to help detect and respond to threats. Automation can provide programmatic access to data sources.
• Privileged access management (PAM) tools monitor and manage privileged accounts and access. Automation streamlines credential management.
• Endpoint protection systems monitor and manage devices to improve their security. Automation can simplify common endpoint management tasks.

Learn more
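The incident response use case above (codifying a response action into a repeatable, preapproved playbook) as an added Ansible example; this is not code from the e-book or from Red Hat. It assumes firewalld hosts in an `edge_firewalls` inventory group, the `ansible.posix` and `ansible.utils` collections, and a placeholder ticketing URL for the REST call that records the action.

```yaml
---
# Added example, not from the e-book or Red Hat: a preapproved playbook
# that blocks an attacking IPv4 address reported by a SIEM alert, with
# guards so a bad alert cannot cut off your own infrastructure.
# Assumptions: targets run firewalld (ansible.posix collection), the
# ansible.utils collection supplies the ipv4/ipaddr filters, and
# ticket_url is a placeholder for your ticketing system's REST endpoint.
- name: Block an attacking IP address reported by the SIEM
  hosts: edge_firewalls          # assumed inventory group
  become: true
  vars:
    # Passed in by the SIEM or ticket trigger, for example (constructed values):
    #   -e "attacker_ip=203.0.113.45 alert_id=ALERT-EXAMPLE-1"
    attacker_ip: ""
    alert_id: ""
    # Ranges that must never be blocked, even if an alert names them.
    allowlist:
      - 198.51.100.0/24          # constructed example: SOC jump hosts
    ticket_url: "https://ticketing.example.invalid/api/notes"   # placeholder

  tasks:
    - name: Stop unless the input is a public IPv4 address and the alert is identified
      ansible.builtin.assert:
        that:
          - attacker_ip | ansible.utils.ipv4
          - not (attacker_ip | ansible.utils.ipaddr('private'))
          - alert_id | length > 0
        fail_msg: "attacker_ip must be a public IPv4 address and alert_id must be set"

    - name: Stop if the address falls inside an allowlisted range
      ansible.builtin.assert:
        that: not (attacker_ip | ansible.utils.ipaddr(item))
        fail_msg: "{{ attacker_ip }} is inside allowlisted range {{ item }}"
      loop: "{{ allowlist }}"

    - name: Drop all traffic from the attacker, in the running and permanent config
      ansible.posix.firewalld:
        zone: public
        rich_rule: "rule family=ipv4 source address={{ attacker_ip }} drop"
        permanent: true
        immediate: true
        state: enabled

    - name: Record what was done on the alert's ticket
      ansible.builtin.uri:
        url: "{{ ticket_url }}"
        method: POST
        body_format: json
        body:
          alert_id: "{{ alert_id }}"
          host: "{{ inventory_hostname }}"
          action: "firewalld drop rule added for {{ attacker_ip }}"
        status_code: [200, 201]
      delegate_to: localhost
```

A failed assert stops the play on that host before any firewall rule is written, so the guards run first by design.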



Simplify your security operations center
with Red Hat Ansible Automation Platform

There are many automation solutions available, but not all include the capabilities needed for effective security automation. Look for automation platforms that offer:

• A universal, accessible automation language. A language that is easy to understand and write allows you to document and share information between security team members with different domain expertise.
• An open and unbiased approach. To be effective, your automation platform must interoperate with your entire security infrastructure and vendor ecosystem.
• A modular and extensible design. A modular platform allows you to deploy automation in steps. Extensibility helps you accommodate additional and future security tools from other vendors as needed.

Move your security organization forward with Red Hat

A foundation for building and operating automation services at scale, Red Hat® Ansible® Automation Platform delivers all the tools and features you need to implement security automation. It combines a simple, easy-to-read automation language with a trusted, composable execution environment and security-focused sharing and collaboration capabilities. An open foundation allows you to connect and automate almost everything in your security and IT infrastructure, creating a common platform for participation and sharing across your entire organization. Red Hat Ansible Automation Platform has also delivered proven outcomes in other areas, including IT and network operations and DevOps.

A supported set of security-focused Ansible collections — including modules, roles, and playbooks — is included with the platform. These assets coordinate the activity of multiple classes of security solutions for a more unified response to cyber threats and security operations:

• Chain workflows and playbooks for modular reusability.
• Consolidate and centralize logs.
• Support local directory services and access controls.
• Integrate external apps using RESTful application programming interfaces (APIs).

Red Hat Ansible Automation Platform also includes tools and capabilities to help you optimize your automation. Automation Analytics provides insight into how your organization uses automation. Automation Hub lets team members access certified automation content through a centralized repository. And Content Collections streamline the management, distribution, and consumption of automation assets.

Get help from the experts

Red Hat can help you successfully deploy automation faster.

• Red Hat Services Program: Automation Adoption provides a framework for managing an organization-wide automation adoption journey.
• Red Hat Training and Certification offers hands-on training and practical certification to help you use automation more effectively.
• Red Hat Support works with you to ensure success on your IT journey. Award-winning web support[8] gives you access to best practices, documentation, updates, and security alerts and patches. You can also connect with a support engineer or technical account manager to resolve issues and obtain specialized guidance.
• Certified partner content collections allow you to readily automate hardware and software from a broad selection of vendors. This trusted, pre-built automation content is available through Automation Hub and is supported by both the partner and Red Hat.

[8] Red Hat Customer Portal awards & recognition, access.redhat.com/recognition.



Automation in action: Red Hat Ansible Automation Platform delivers proven business value

Red Hat Ansible Automation Platform provides a more efficient, streamlined way to automate your security operations center. Analyst studies of organizations that use Red Hat Ansible Automation Platform demonstrate measurable business value. In fact, IDC interviewed multiple decision makers about their experiences with Red Hat Ansible Automation Platform and found that each organization realized significant productivity, agility, and operational benefits through automation.

• 25% more efficient and productive IT security teams[9]
• 20% more efficient security incident mitigation[9]
• 27% more efficient security patching[9]

“Red Hat Ansible [Automation Platform] is phenomenal for bringing our IT teams together. The server, security, network, and database teams can all work on their separate tiers and then use Red Hat Ansible Automation to create their own playbooks.”[9]

Read the analyst report

[9] IDC White Paper, sponsored by Red Hat. “Red Hat Ansible Automation Improves IT Agility and Time to Market,” June 2019. redhat.com/en/resources/business-value-red-hat-ansible-automation-analyst-paper.



Ready to simplify your security operations center?
Automation can help you identify and respond to growing security threats faster
and at scale. Red Hat helps you protect your business by connecting your security
teams, tools, and processes with a consistent, collaborative automation platform.

Learn how to automate security with Red Hat Ansible Automation Platform:
red.ht/automate-security

Copyright © 2020 Red Hat, Inc. Red Hat, the Red Hat logo, and Ansible are trademarks or registered trademarks of Red Hat, Inc. or
its subsidiaries in the United States and other countries.

F24343_0720_KVM
