In my 15 years as a security practitioner, both working on incident response and overseeing security teams, I saw a major problem: there's too much work and not enough staff. More specifically, I saw overworked staff doing repetitive, mundane tasks leading not only to burnout but to human error that could cost a company millions.
What we needed was a way to get security teams away from those monotonous tasks and focus on projects that could add value to the company and put their skills to better use.
The solution? No-code automation, which gives frontline security analysts the ability to automate processes like phishing attack responses, suspicious logins, and even employee onboarding and offboarding with a few drag-and-drop actions.
While there are no silver bullets in cybersecurity, no-code automation has the potential to save teams days and weeks of work, free up security practitioners for high-impact projects, and improve total productivity.
We wrote this guide to serve as the ultimate resource that will teach you everything you need to know about what no-code automation is, why it is a critical skill that those who are at the forefront of security operations will adopt, and how to bring the power of no-code automation to your security team.
What is no-code automation?
Today's frontline security teams need automation to handle complex workflows and organizational-specific requirements, often resulting in the need to introduce coding and scripting to solve those needs.
Security analysts, however, don't necessarily have coding skills, requiring them to call in developers, which can take weeks or months to create integrations and deploy automations. If an analyst needs an update or addition, they need to get developers involved all over again.
And don’t even get me started on the change management process this can involve.
Why can't security analysts have the tools to build their own automations quickly and simply, without needing to know code and get another party involved? They can.
With no-code automation, which provides both the power of automation and the accessibility of being able to build it themselves. Analysts are able to simply drag-and-drop Actions into a workflow, wire them together, enter the parameters, test it, and set it loose, taking monotonous tasks from time-consuming efforts to truly hands-off processes that will only loop them in when their judgment is required.
The evolution of
no-code security automation
Automation evolves to fit people’s needs better. As I see it, three phases of security automation have gotten us to the easily adoptable and accessible no-code automation we have today.
Automation as a feature
Security automation started as a feature of larger software solutions, like RSA Archer or other legacy security tools that would automate the collection of artifacts and make them available in a single dashboard. However, it allowed for little customization for organization-specific needs, meaning that automation wasn't available across all workflows, but only for what the tool’s features allowed.
Emergence of SOAR tools
As the requirements of security teams grew in sophistication, so did the number of technologies and solutions needed. Yet with increased tools came an increase in alerts, which quickly overwhelmed the SecOps team. Our recent report on the “Voice of the SOC Analyst” found that 60% of analysts say they have more work than ever these days, and the number one most frustrating aspect of the job is “spending time on manual work” like tracking down alerts. First-generation SOAR tools addressed these needs; however, building workflows capable of handling the variety of tools and use cases modern security teams need to automate proved impossible and costly for the average frontline security team.
Development of no-code automation
What is needed as we look to the future is no-code automation, offered through lightweight and flexible platforms designed to focus on workflow exclusively. No-code interfaces remove the barrier of having to know how to write scripts or relying on developers to do so by offering simple yet robust actions that an analyst can drag and drop into sequences and wire together.
With just a few building blocks, analysts are able to construct very powerful automation streams from the simple to the complex. Since they’re typically cloud-first, no-code platforms can be deployed in seconds, and analyst ramp-up takes just a few hours. Suddenly, automation is efficient, accessible, affordable, and just makes sense.
Five benefits of no-code automation for security teams
Faster time to value
With no-code automation, processes that typically took days or weeks to complete can be reduced to minutes or even seconds, thus significantly increasing time to value. No-code automation also reduces project management needs, communication burdens, unnecessary feedback loops, and other extra steps that can be condensed with automated workflows. And with businesses getting hit by a cyber attack every 11 seconds, increasing speed within the SOC is crucial.
Significantly improved retention
Our recent report on the “Voice of the SOC Analyst” found that 71% of analysts feel very or somewhat burned out at work, and the number one most frustrating aspect of the job is “spending time on manual work.”
No one wants to do boring and menial work, and analysts who burn out through mind-numbing toil simply leave their jobs. Another benefit of no-code automation is higher retention rates because when low-level tasks are automated, security practitioners can really focus on what they're practitioners of: increasing the security posture of their organization, deploying new technology, improving awareness training, and other high impact, high value, and more interesting work.
Mundane work isn’t just bad for humans — humans are bad at it, too. Hours of menial, repetitive work increases the likelihood of error, which increases the chances of an incident.
One study found that upwards of 49% of human error at work is due to stress, repetition, or fatigue. However, automated workflows function deterministically and consistently, reducing false positives and false negatives. No-code automation also reduces error because the analysts who know the workflows the best are the ones actually building and maintaining the automation.
By reducing the need to rely on other teams when trying to automate a workflow, teams using no-code can automate much more than they initially set out to. For example, a team member may build a Slack-based chatbot that automates aspects of team process and collaboration, not just the threat intelligence workflow.
In other words, an automation process an analyst builds for a specific purpose might have other applications beyond what they were thinking of when they created it.
I’ve witnessed many security teams with access to no-code automation repeatedly have that light-bulb moment and realize, ‘We could automate this!’ and immediately start building the new workflow, allowing for more innovation and quicker application.
Another benefit is creating a calm and well-functioning team which, when an incident eventually occurs, beats a stressed, overworked team every time.
In damage-control moments, minutes and even seconds count enormously, and already having robust automation in place frees your team to turn their full attention to incident response. They can also collect information and context about an incident in seconds, and know when to alert a human for more critical decision-making.
Next, we’ll explore how you can unlock these benefits and many more by adopting a no-code automation program.
How No-Code Automation Saves OpenTable’s Security Team 40 Hours of Work per Week
OpenTable’s security team keeps the company’s staff safe online. The team’s workload is increased by handling the security of the company’s web apps, too. Internal company security is something that became more important than ever in the spring of 2020, when employees started working from home due to the coronavirus pandemic. The security team needed a tool to cut down the amount of time they spent on every incident. Before using Tines, they used to spend a lot of time handling incident response, looking at alerts, making sure that OpenTable wasn’t under attack or didn’t have malware in its systems. Each alert would take between 30 and 90 minutes to handle, and if they got too many, it would create a backlog, delaying the rest of their workload.
The impact of Tines no-code security automation platform
According to Joel Perez-Sanchez, Security Engineer, OpenTable: “Tines has helped us do more with a small team during a difficult period for the whole restaurant trade. The pandemic changed the dynamic of the threat field, because suddenly everyone was working remotely. Working from home opens businesses up to additional threats, as security teams are less able to monitor activity of employees’ home networks. This put more demands on the team, as we had to rapidly rethink our approach to keeping the company safe.
“Whether it’s EDR, traffic behavior analysis, firewall management, IDS, phishing simulations or anything else we use, Tines is very easy to plug into everything, get the alerts we want, and have it process them. That takes hours off our work. Even preparing the incident tickets used to take 30 minutes sometimes, and now Tines does that for us really well, without us having to lift a finger.
“For example, I’ve set it up so when a user reports a phishing email, Tines will go in and scrape all the data we need, check with VirusTotal, URLhaus, and Urlscan, and others, and then present all that information to us in our ticketing system.
“After just a short period using Tines, we found it saved us 40 hours of work per week. It essentially saves us the workload of one person. And during uncertain times, that’s more important than ever.”
Evaluate your options
As you begin searching for the right platform, look for vendors who have experience in solving your specific use cases. For example, if you spend most of your time following up on suspicious logins, and they don't make any mention of how to automate that use case, take a look elsewhere.
Additionally, ask how the platform integrates with your in-house APIs. Legacy automation platforms typically feature pre-baked integration, but only for a limited number of popular tools. Seek out a platform that has the ability to integrate with all of your organization’s tools, no matter how niche or custom they may be.
Run a POC process
When it comes time to demo, don't pick a simplified workflow, but ask the vendor to run a more complex one that more closely mimics what types of tasks you want to automate in the future — a good vendor will be excited by the challenge!
Platforms should be robust enough to automate complex, lengthy workflows, yet many of the automation platforms that sell themselves as “powerful” have surprisingly low operational limits. Leverage free community editions and trials to put platforms to the test.
Purchase the best tool for the best price
As you explore options, consider the pricing model (e.g., data ingestion or storage rates) and not just the price tag to get started. And be sure to ask how pricing will change as usage increases, as many security vendors often make their pricing opaque.
Committing to no-code automation means scaling the number, size, and throughput of workflows, and with increased usage, you need to know what to expect to pay. You want a model that will encourage as many team members as possible to be involved, without worrying about hitting a data cap or a user license limit.
Build workflows iteratively
Once you have your no-code automation platform up and running, the best approach is to start small with prototypes and MVPs, and then keep evolving the complexity.
Deploy the simplest usable version to production first, and then expand workflows little by little to cover edge-and-corner cases. This also allows analysts to become more creative with their automation, building more sophisticated processes as they go.
Deployment is only the beginning
Because of the accessibility of no-code automation, security analysts can keep maintaining and evolving their workflows in production, and iterating those workflows as their company’s processes and threats continuously change. One thing to remember is not to price the maintenance of automation at zero. Even if it’s built flawlessly the first time around — which is rare — external context will always change, necessitating future iteration.
Following these five steps can give you a clear path to success with your no-code automation program. Next, we’ll take a look at the common misconceptions we’ve seen security organizations face as they bring the power of no-code automation to their team.
“I could just write a script to do this.”
You could just write a script — if you know how to. But security practitioners often don't have that skill, meaning they have to outsource their automation creation to others. Additionally, the easy part with code is writing it the first time. The hard part is the deployment, security upgrades, maintenance, versioning, and downtime that comes afterward; this is especially challenging when associated team members move on to other organizations. No-code automation keeps workflow automation within the security team, and is as easy as dragging-and-dropping actions into a storyline. Technical users who do know code can instead focus on the output of the overall workflow — rather than the process of coding it.
“This isn’t powerful enough for our workflow.”
No-code automation platforms provide the building blocks — the right building blocks — to security teams, who can then architect the workflows that they need, from simple login confirmations to complex, all-encompassing vulnerability management.
Just like how you can build almost anything out of a small number of LEGO® bricks, the same is true for no-code automation; there's no ceiling to how complex a workflow or how many steps can be automated — the only limit really is imagination.
Additionally, with nearly a quarter of organizations saying they’re bogged down in menial tasks, and with half of analysts indicating that time spent on mundane work is what they dislike about their jobs, automation is more necessary than ever.
“Automation means replacing team members.”
From what I've seen, this very rarely happens in practice.
First, there is always more work to do and bigger problems to solve; cybersecurity is an ever-changing field that requires constant attention and improvement. Those who are automating their tasks then gain that as a new skill, and can continue to make those processes more efficient and effective.
What also happens is that when analysts begin to automate their repetitive, manual tasks, it frees them up to focus their skills and attention on high-impact work like improving the organization's security approach, rolling out new technology, or providing outreach and training to other teams.
Additionally, because of no-code automation’s ease of use, analysts can maintain and evolve their own workflows, which is especially beneficial as processes, tools and threats continue to evolve.
Automation simply unlocks the potential of team members – and team members who are engaged in and excited by their work stick around.
Security teams are already short-staffed as it is — our recent report on the “Voice of the SOC Analyst” found that the number one thing preventing teams from doing their best work is “lack of people” — so taking menial tasks off of an analyst’s plate frees them up to fill the gaps of understaffing.
“Automation will implement rash decisions during remediation.”
Automation isn't necessarily all or nothing, as many may assume. Instead, good automation platforms make it easy to put a human in the loop for important decisions.
Instead of automating black and white remediation actions like blocking an account after a suspicious login, ask the affected user or an analyst for their input first. This can easily be facilitated through automated Slack messages or chatbots — "Did you recently log in from a certain location?" — and automating the rest of the workflow based on their response — whether it was, "Yes, it was me" or "No it wasn't”.
“No-code automation platforms should have built-in case management.”
Many security teams have used bundled SOAR platforms that include automation as a feature, and also offer other organizational tools like case management or chat. But we've reached a point where teams are turning away from multi-product platforms towards laser-focused tools that provide best-in-class solutions, like JIRA, Slack, and others.
Why would it be any different with a no-code platform that solely focuses on automation? The power of best-in-class workflow automation platforms is that they can fuse all the individual tools an organization uses — custom and off-the-shelf — to maximize its data and resources.
Being mindful of these common misconceptions can streamline your security team’s ability to get a high-impact no-code automation program up and running. Next, we’ll explore the best practices that can improve your chances of success.
How Sophos Uses No-Code Security Automation to Keep Employees and Data Around the World Safe
The internal security team at Sophos uses a wide range of products to deliver a comprehensive service that keeps the company and its employees safe from cybersecurity threats. Making all of these products work together can be a huge task in such a large organization. This means they needed a way of simplifying the creation of complex workflows that orchestrate between many products.
The impact of Tines no-code security automation platform
According to Tom Sage, Senior Security Engineer, Sophos: "Tines’s component-based approach is a major part of its appeal to us. It means we don’t have to reinvent the wheel every time we want to automate something new. Components we’ve already built can be put to use in new contexts multiple times with no additional effort.
“In all, we’ve automated more than 20 use cases in Tines. These include push notifications that check with users that they created an account. For example, if a user account goes from ‘disabled’ to ‘enabled’ we can automatically prompt the user to confirm they authorized this. And we use Tines to correlate company admin accounts to email accounts to provide two-factor authentication prompts to the right users at the right time.
“We also have workflows that correlate data from different services to alert us when a user is added to a privileged group that gives them lots of rights on the network, or when a new host is discovered on the perimeter of the network. And if there’s something we can’t do in Tines, their responsive, helpful support team is there to quickly set us on the right path. That’s not something we could say about the previous automation product we used!”
Your no-code automation workflows should be understandable to the other humans on your team. A great way to achieve this is by leaving sticky notes beside each step of your automated workflow to provide your colleagues with more context.
As you automate more workflows, you’ll inevitably repeat certain steps. For instance “post a message to the team Slack in this format”. Extract shared sequences to modules that can be reused across other workflows.
Certain automation workflows can be mission critical and it is important to know when something unexpected has happened. Set up monitoring to make sure somebody gets notified when any of your tools within a workflow has an issue — for example, the API for an upstream system is down, a credential expires, or no alerts have been received recently.
The best automation workflows are continuously improved. From time to time, analyze a random workflow run and creatively think about what could make the task faster or the outputs more useful.
After investing in automation, it’s important to demonstrate value to leadership. For previously manual processes, a good system is to estimate the number of minutes each step used to cost, and track the accumulated data of actual human hours saved (ideally automatically in the platform itself).
Being mindful of these common misconceptions can streamline your ability to get a high-impact no-code security automation program up and running. Next, we’ll explore the best practices that can improve your chances of success.
How the Broad Institute of MIT and Harvard’s Security Team Used No-Code Automation to Slash Its Alert Remediation Time to Seconds
The Broad does big things at scale. Protecting vast amounts of sensitive data while honoring the institute’s founding principles produces complex security challenges. Additionally, information about their system, network, and users is found across their infrastructure, so determining a system flow or the risk factor of any particular system that throws an alert takes a lot of time and effort.
The impact of Tines no-code security automation platform
According to Will Hedglon, Associate Director of Information Security, Broad Institute of MIT and Harvard: “We realized we needed some type of SOAR platform to ingest security intel, make good decisions, and then take actions based on that intel and those decisions. The thing that drew us to Tines is that you just plug APIs into it, and off you go; we aren’t locked into a particular vendor, we don’t have to worry too much about integrating with various platforms. If it has an API, we can do cool stuff with it, so that was the big thrust of why we were interested in Tines. We played around with it for a few weeks and realized this could be really great.
“I’m a very visual learner, so to be able to see everything, the different actions, and modules, is very powerful for me. We could write code to do some of what Tines does, but the amount of time and energy to do error checking and have everything broken out in a way that’s understandable to new team members would be impossible. Tines perfectly fit that gap of making it easy for us to use it, making our workflows understandable, providing really granular error checking, and enabling us to see exactly where something goes wrong. The approach to secrets management also gave us a lot of confidence.
“Pre-Tines, we had a manual, resource-intensive workflow to get an initial alerting from Google Cloud Security Command Center (SCC). For example, if somebody just made a bucket public, my team then spent a lot of time enriching that information to figure out who flipped the bit to make the bucket public, and which team that person is on, and who is that person’s manager, and all of this important enriching data. Then we would create a Jira ticket and find the proper outreach communications to talk to the user to understand if they intentionally made the bucket public, and then wrangle remediation. Each step took some manual intervention and the turnaround time was weeks or sometimes even months. Post Tines, we automate that all away, and users get a nice little Slack message within seconds of flipping a bucket public to remediate it.”
Start small and experiment with core use cases
In thinking about a more sustainable, scalable future for your SecOps team, automation is going to be the most important strategy you could implement. When analysts have the ability to automate their repetitive tasks, they’re not only creating more efficient workflows for everyday processes, they’re freeing up their time to actually do what they love: analysis.
However, security leaders often fear they don’t have the bandwidth or tooling in place to fully leverage security automation. Or, if they adopt automation, they want to automate all their processes immediately. True no-code cloud-based automation platforms offer you the freedom to start small with free Community Editions or trials and grow as your business needs evolve. With automation as well, you can start with a set of core use cases and demonstrate their value before expanding.
Think hard about whether the time is right to build an internal SOC
The days of having an SOC as a standalone team responsible for security are coming to a close. Not only have their costs risen in recent years, but their complexity has as well, and over half of organizations say the ROI of their SOC is getting worse.
As organizations recognize that security touches everyone, security professionals will be embedded into each team in the enterprise. Security leaders should consider whether the investment required in building an SOC would be better spent elsewhere — like implementing automation or developing more iterative approaches to security. While SOCs are phased out, an outsourced SOC or MSSP could provide an interim solution.
Be prepared to pitch for automated access to critical, non-security systems
Security teams are tasked with performing remediations for their organization, yet much of that work is often found on software that the security team has no direct control over. Security teams then find themselves dependent on other teams for their own success — teams whose priorities may not align with the priorities of SecOps. This misalignment and limited access can allow vulnerabilities to remain unaddressed.
Security teams need to find ways to work with other departments to gain access, which will not only require relationship-building and trust, but being able to adequately communicate why SecOps needs access to those systems. Other departments may be reluctant to grant open-ended, manual access, but may be more willing to allow access provided it is only used in automated scenarios with known inputs and outputs.
Invest in best-in-breed solutions
Organizations experienced an average of 925 cyberattacks a week in 2021, a 50% increase from 2020. Threats are frequent and pervasive, and are becoming too sophisticated to be handled by one-size-fits-all solutions. Organizations wanting to stay ahead in their security approach need to un-bundle their security stacks and all-in-one “big box shops” and invest in best-of-breed security tools designed for specific purposes.
Thanks to no-code automation, the overhead costs associated with managing best-in-breed solutions are no longer a hindrance to investment. Since no-code platforms work in sync with known and custom tools alike, automation can also eliminate the risk of fragmentation by uniting together these specialized solutions.
Build a culture of automation
In order to see continued success in the future, SecOps teams need to build a culture of automation where, when encountered with any time-consuming or monotonous workflow or action, the first thought is, “Can we automate some or all of this?” In fact, according to our recent report, two-thirds of analysts think that 50% of their current tasks could be automated today. Still, there’s no shortage of work. A culture of automation will get teams used to recognizing where they can make their tools work harder for them and allow them to shift their focus to more pressing matters. Building automations will also become an essential skill for security practitioners as well.
Security leaders can start by doing the following:
- Annotate as you build your no-code automations so that colleagues can understand how the workflow executes.
- Extract the shared sequences that begin to pop up repeatedly into modules that can be reused across your workflows.
- Set up monitoring to ensure that when something does break, a human gets notified.
- Continuously improve upon your automations, and think creatively about what can make the workflow run faster.
- Demonstrate the value you find in automation to leadership.
Building for the future of SecOps doesn’t have to be daunting. By investing in and implementing automation, you’ll be able to improve efficiency, respond to incidents quicker, automate manual tasks to free up your team for higher impact work, and more. So, what processes will you implement today that will lead your SecOps team into tomorrow?
The future of security is no-code automation
No-code automation isn't simply taking the monotonous tasks off of your team's plate, but giving your team the power and accessibility to get creative with what they automate and evolve the efficiency of their workflows. Not only will your security operations become more streamlined, but also your team can focus more time and energy on scaling the security posture of your organization, too — a key goal for any security team in 2022.