Nick Tausek, lead security automation architect at Swimlane, discusses the benefits that low-code and no-code can bring to security automation
Cyber threats have continued to evolve and become more widespread, while skilled security professionals have become harder to hire and retain. Accordingly, the number of automated security solutions has exploded — 40 per cent of organisations have four or more hyperautomation (automating all automatable processes in a business) initiatives underway, with some organisations executing 15 projects simultaneously, according to Gartner.
Additionally, Gartner warns that, given the proliferation of hyperautomation, poorly executed automation “can have negative impacts on data usage, processes, employee morale and customer satisfaction.” A common mistake businesses make is believing that automation won’t require the facilitation of IT professionals. This assumption by companies stems from a fundamental misunderstanding of automation solutions.
Automation promises to solve many of the most pressing problems security teams face. Organisations must strategically evaluate available no-code and low-code automation solutions to get the most benefit based on their unique needs to avoid automation pitfalls. While it’s evident that low-code and no-code platforms are different in coding functionality, there are other capabilities a team should consider when establishing their expectations from a security automation tool.
Breaking down no-code automation
No-code automation platforms typically offer access to security automation basics. These solutions have fewer features (lacking case management, dashboards, and reporting), limited use cases, and limited customisable features due to having few, if any, inputs for user-sourced coding.
These products typically appeal to smaller security teams due to their cost and overly simple approach. They often come out of the box with pre-made templates that don’t require an established security team to interpret and implement.
Breaking down low-code automation
Low-code automation is seen as a middle point between no-code and full-code. Like no-code approaches, low-code solutions don’t usually require coding, at least not to enable basic functionality. However, low-code automation also enables robust application development features for threat detection, rapid incident response and scaling — with additional user-accessible features such as drag-and-drop application design, data aggregation and built-in business logic, enabled both by native platform features as well as the flexibility provided by user-sourced code.
Furthermore, a low-code solution can enable functionality outside the security operations centre (SOC) — think automated onboarding/offboarding for HR, form automation for legal, and physical security monitoring use cases. Low-code solutions are being used beyond the SOC to block fraudulent links from phishing sources and brand impersonators using business logic and machine learning models — even on smartphones.
A low-code solution is a good fit for a security operations team that requires flexible features for greater visibility and actionability without making things too complicated. For instance, security teams would benefit from self-documenting playbooks that funnel into case management, dashboards and reporting features that are easily customised to fit the business’s unique needs. In addition, a low-code solution’s nearly infinite user-sourced customisation capability allows security leaders to future-proof their investment by implementing seamless integrations, automating manual tasks, unifying complex environments, and more.
Determining the best fit
The most popular use cases for security automation are incident response, threat hunting and phishing detection and remediation. Both low-code and no-code automation have the same goals in the security space: helping teams scale their existing teams/resources to overcome the security talent shortage, helping teams simplify complex security processes by unifying siloed technology and processes, and helping security analysts keep pace with an ever-expanding attack surface. Both solutions aim to increase repeatability, increase capability, reduce errors, and free up valuable human time to focus on what’s important.
Some teams see a no-code option as a short-term solution as they prepare to develop a more comprehensive security strategy. Other teams have an immediate need for the customisable features of a low-code platform to quantify the business outcomes of their security organisation and achieve visibility that allows them to build a powerful system of record for security.
Security leaders should consider several key features when choosing between low-code and no-code automated security solutions:
- Playbook customisation — Low-code platforms are fully customisable to a security team’s unique use cases, from simple drag-and-drop actions to advanced capabilities for users who want to modify their playbooks as they see fit. Comparatively, available actions outside a no-code platform’s pre-made, lightly customisable templates are burdensome, if not impossible, to adjust. Some no-code applications also limit the number of actions in a single workflow.
- Integrations — REST API is traditionally utilised to build integrations with both low-code and no-code platforms. The difference here is mostly found in the size and maturity of integration libraries. Low-code platforms have been on the market longer, so their existing libraries of integrations tend to be larger. In contrast, newer automation options, like no-code platforms, tend to have smaller integration libraries, with more limited functionality and less customisability. Companies with specific industry products often have issues with no-code integrations because these platforms aren’t powerful enough to allow for custom integrations. Security teams should consider existing integrations and weigh the time it takes to build custom integrations that aren’t available in a no-code platform versus the time that would otherwise have been saved using the more extensive integration libraries offered by low-code platforms.
- Case management — Low-code case management features accelerate investigations with enriched data and rapid threat response cross-functionally, so security teams have an easier time closing security alerts from across the organisation. Customisable controls and drag-and-drop widgets aid in the flexibility of building a case management system that is responsive to a team’s existing business logic and workflows. If incident response is a priority, a no-code solution will be a limitation. No-code’s simplicity comes at the cost of sophisticated features like case management. Some have no case management capabilities at all, and those that do include it will require security teams to adopt the workflow and business logic pre-built into the no-code platform, rather than adapting the platform to fit their existing business processes.
- Reporting — Low-code platforms make it easy to adapt reporting processes like end of shift details, weekly status reports or quarterly operational metrics, without needing to build custom scripts. This information, accessible through built-in SOC dashboards, makes it easy to see where you need to reallocate resources to avoid employee burnout or who needs additional training in certain areas. No-code automation is great at simplifying security processes, especially for smaller teams. But the effectiveness of reporting becomes more difficult to ascertain at scale, and you can expect fewer and lighter reporting options, especially where customisability is concerned.
- Setup and maintenance — The allure of a no-code platform is that its setup and maintenance doesn’t seem complex. The tradeoff is that no-code solutions won’t be capable of evolving with the organisation’s needs and priorities over time. Full-featured low-code platforms offer the same out-of-the-box capabilities with the benefit of allowing security teams to extend the platform’s power and use cases with customisation.
Organisations continue to encounter a growing number of threats that are more sophisticated and targeted than ever before, while the skills gap continues to remain a persistent feature of the security landscape. Security automation is an ideal tool for teams that need to act swiftly and effectively to the complexity of these threats. Therefore, it is imperative that security teams not only have a thorough understanding of the automated solutions on the market but also a tight grasp on what their needs are and how an automated solution will meet those needs.
Related:
Four ways towards automation project management success — Tom Henriksson, general partner at OpenOcean, identifies four ways in which automation experts have achieved project management success.
Exploring the evolving security challenges within the metaverse — Dr. Francis Gaffney, director – Mimecast Labs & future operations at Mimecast, explores the evolving security challenges that will take place within the metaverse.