Automating Enterprise Security: How to Move from Reactive to Proactive Prevention and Cyber Response

18 November 2020

By Lewis Martin


If you need further reason to consider investing in proactive automation for enterprise security, consider that automation already exists all around us. If you programme your thermostat, rely on your smart refrigerator to notify you of expiring food, are greeted by a pot of coffee at a set time every morning, or auto-pay bills regularly – you’ve adopted automation in your personal life. In the workplace, you might already automate elements of your hiring process, customer support, facility management or even your technology help desk. But what about threat intelligence, incident response and security automation?  

In 2020, 80% of firms report an increase in cyberattacks, and the severity of those attacks continues to rise. Given the rise in critical incidents, it is no surprise that cybersecurity teams are finally making incident automation a priority. At the same time, more employees are working from home and accessing company information over home networks and from personal or mobile devices. As major data breaches continue to threaten the modern enterprise, cybersecurity teams must rethink how they handle vulnerability and incident response, with automation at the centre of that rethink.

The Race to Outpace Cyber Attackers

Major data breaches continue to dominate the news; 48% of organisations report experiencing one or more data breaches in the past two years. In an ideal scenario, this rise in cybersecurity incidents would lead more cybersecurity teams to invest in the proper tools and processes to detect and patch vulnerabilities and respond to incidents in a timely manner. Instead, many teams, including those keenly aware of the growing risk, continue to spend more time navigating manual detection and response processes than they do actually remediating vulnerabilities.

Well over half of organisations say attackers are outpacing enterprise security systems by using machine learning and AI. Without automation on the defensive side, keeping up may soon become difficult, if not impossible.

What’s the Holdup with Automation?

Given the rise of cyber incidents and the critical need for better vulnerability detection and patching, why aren't our practices improving at a faster rate? Why haven't more organisations moved to proactive, integrated and automated monitoring and response systems? Despite the benefits of automation for vulnerability response, fewer than half of organisations use it.

One reason is lack of awareness. Only around 40% of organisations know when a breach was linked to a known vulnerability, which means the majority remain unaware of vulnerabilities that could result in a data breach or intrusion.

Another challenge is time. ServiceNow, the leader in digital workflow solutions, says it takes 43 days on average for a cyberattack to appear once a patch is released for a high-priority vulnerability, up from 36 days in the previous year's study. That is slightly more breathing room, but the pressure to apply critical patches inside that window remains, and it is hard to transform your security practices while you are practising security every day. Navigating manual processes eats into that window. Siloed organisations may also struggle to identify which team is responsible for patching a given system, adding further delay and leaving little room for thoughtful, planned transformation. Human error contributes too: if we continue to use email and spreadsheets to manage the process, things will slip through the cracks, and a "this is how we've always done it" mindset slows transformation further.
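To make the spreadsheet problem concrete, here is an added example (it is not code from the original post, from KA2 or from ServiceNow) of the kind of triage step an automated vulnerability-response workflow performs for every scanner finding: look up the owning team from a CMDB-style asset record, score priority from CVSS plus asset context, and count down the 43-day patch-to-attack window quoted above. The CMDB extract, the findings, the scoring weights, the priority thresholds and the `triage-unowned` queue are all constructed assumptions for illustration; the finding ids are placeholders, not real advisories.

```python
"""Automated vulnerability triage: owner lookup, priority scoring, SLA countdown.

Added illustration, not the post's or ServiceNow's code. All data and
weights below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ATTACK_WINDOW_DAYS = 43            # average patch-release-to-attack gap quoted in the post
UNOWNED_QUEUE = "triage-unowned"   # assumed queue for assets with no CMDB owner
AS_OF = date(2020, 11, 18)         # "today" for the example (the post's date)


@dataclass(frozen=True)
class Asset:
    name: str
    owner_team: str
    criticality: int        # assumed 1 (low) .. 5 (business critical) scale
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    finding_id: str         # scanner's own id; placeholder values below
    asset: str
    cvss: float
    exploit_public: bool
    patch_released: date


@dataclass(frozen=True)
class Ticket:
    finding_id: str
    asset: str
    owner_team: str
    priority: str           # "P1" (most urgent) .. "P4"
    score: float
    days_left: int          # days until the attack window closes; negative = overdue
    overdue: bool


# Constructed CMDB extract: the data that answers "who patches this?"
CMDB: Dict[str, Asset] = {
    "web-01": Asset("web-01", "platform-team", 5, True),
    "hr-db-02": Asset("hr-db-02", "data-team", 4, False),
    "dev-vm-17": Asset("dev-vm-17", "dev-tools", 1, False),
}

# Constructed scanner output; "unknown-box" deliberately has no CMDB record
FINDINGS: List[Finding] = [
    Finding("SCAN-1001", "web-01", 9.8, True, date(2020, 10, 1)),
    Finding("SCAN-1002", "hr-db-02", 7.5, False, date(2020, 11, 10)),
    Finding("SCAN-1003", "dev-vm-17", 9.1, True, date(2020, 11, 15)),
    Finding("SCAN-1004", "unknown-box", 6.5, False, date(2020, 11, 1)),
]


def priority_score(f: Finding, asset: Optional[Asset]) -> float:
    """Risk score: CVSS plus the business context the scanner alone lacks."""
    score = f.cvss
    if asset is None:
        score += 3.0                     # unowned asset: nobody will patch it, escalate
    else:
        score += asset.criticality       # assumed weight: 1..5
        if asset.internet_facing:
            score += 2.0                 # assumed weight: reachable by attackers
    if f.exploit_public:
        score += 3.0                     # assumed weight: exploit already in the wild
    return score


def priority_bucket(score: float) -> str:
    """Assumed thresholds mapping the score to a ticket priority."""
    if score >= 17:
        return "P1"
    if score >= 13:
        return "P2"
    if score >= 9:
        return "P3"
    return "P4"


def triage(findings: List[Finding], cmdb: Dict[str, Asset], as_of: date) -> List[Ticket]:
    """Turn raw findings into owned, prioritised tickets, most urgent first."""
    tickets: List[Ticket] = []
    for f in findings:
        asset = cmdb.get(f.asset)
        score = priority_score(f, asset)
        deadline = f.patch_released + timedelta(days=ATTACK_WINDOW_DAYS)
        days_left = (deadline - as_of).days
        tickets.append(Ticket(
            finding_id=f.finding_id,
            asset=f.asset,
            owner_team=asset.owner_team if asset else UNOWNED_QUEUE,
            priority=priority_bucket(score),
            score=score,
            days_left=days_left,
            overdue=days_left < 0,
        ))
    # Higher priority first, then least time left within the same priority
    tickets.sort(key=lambda t: (t.priority, t.days_left))
    return tickets


def run_example() -> List[Ticket]:
    return triage(FINDINGS, CMDB, AS_OF)


if __name__ == "__main__":
    for t in run_example():
        flag = "OVERDUE" if t.overdue else f"{t.days_left}d left"
        print(f"{t.priority} {t.finding_id:<9} {t.asset:<12} -> {t.owner_team:<15} {flag}")
```

Two details carry the point of the paragraph. The finding on the asset with no CMDB record is not dropped or left in an email thread; it is routed to a named queue and scored upwards precisely because nobody owns it. And the internet-facing critical server whose patch shipped seven weeks ago comes out overdue against the 43-day window, which a spreadsheet sorted by CVSS alone would not surface.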

These challenges are often compounded by a lack of resources, no common view of the applications in scope and a general belief that attackers are outpacing organisations with machine learning or AI. So why bother, right?

Moving from Reactive to Proactive Incident Response

Automation or not, responding to security vulnerabilities and any resulting incidents is, and should be, an ongoing process. Introducing smart and stringent processes, toolsets and automation as part of a full orchestration will, however, make your security teams more proactive and efficient, and better able to identify vulnerabilities and close those gaps before an incident occurs.

A single source of truth is key here. As cyber incidents continue to threaten modern organisations, now is the time to adopt one integrated system of record that supports and drives automation to resolve security incidents and vulnerabilities before cybercriminals can exploit them. As a technology leader, you likely know the phrase single pane of glass (or SPOG). In this case, consider how you and your team could track threat identification and response in a single unified dashboard or console that integrates data from multiple sources and applications, whether on a monitor or a mobile screen. Thwarting cyberattacks is an ongoing and complicated battle; presenting and interpreting the critical data needed to thwart them shouldn't be.

Shifting from a reactive, legacy cyber response to proactive, automated prevention will require the adoption and integration of new workflows and platforms. Such orchestration is doable and advisable, but it will take time and organisational buy-in to do it right. One realistic option for many firms is to partner with a third-party expert for implementation. 

This is exactly why we've partnered with ServiceNow to offer the ServiceNow Security Operations application, so that you can identify, prioritise and respond to threats not only more quickly but also in a more robust and integrated manner. ServiceNow Security Operations is a security orchestration, automation and response engine built on the Now Platform. It brings security incident and vulnerability data in from your existing tools and uses intelligent workflows, automation and a deep connection with IT to streamline security response.

In ServiceNow, the Security Operations application includes Security Incident Response, Vulnerability Response, Threat Intelligence and Configuration Compliance. It lets users draw on third-party integrations to achieve a single pane of glass and follow defined best-practice security workflows to identify issues efficiently. You can also use ServiceNow Security Operations playbooks for Automated Phishing, which helps you detect phishing campaigns across the organisation; Automated Malware, which automates responses to malware; and Failed Login, which streamlines the investigation of failed-login security incidents.

And, as with everything we do, we follow a dedicated project management process to implement change and transformation at your pace and budget. With ServiceNow Security Operations, everything is underpinned by our proven KA2 Smarter Framework for cybersecurity operations. For example, when you invest in ServiceNow Security Operations, we'll work with you not only to adopt ServiceNow but to revise the other internal systems and processes that need to support automation and orchestration, speeding up threat analysis, ensuring proper patch management and improving your overall cyber security visibility.

Automation will help your team reduce the time it takes to identify and respond to vulnerabilities, and there are further benefits. Research shows that organisations that invest in automation also see reduced downtime, more timely patching and more effective prioritisation, all of which make better use of your IT staff and their time. Automation, the right partners in KA2 and ServiceNow, and continued investment in staffing will strengthen your organisation's security posture.

KA2 has proven experience in accelerating the value of ServiceNow for our clients. To learn more about how KA2 can help you leverage your processes, the ServiceNow platform and the Security Operations application, please get in touch today.