In today’s dynamic threat landscape, IT teams are inundated with security alerts, making security operations difficult to manage without the use of automation. After all, the amount of malware and ransomware being injected into enterprise infrastructure is exponentially higher than the threat detection and response measures most organizations have in place.

At the same time, machines can struggle with gray areas and generate false positives. As such, organizations cannot rely solely on automation tools to handle all security operations. When used in isolation, both human resources and automation have their weaknesses, but when combined, their strengths complement each other.

Automation, human, or hybrid: The right approach for each stage of security

To understand where automation and human intelligence fit into security operations, it’s important to get a picture of each stage of the security lifecycle, from detecting a cyber attack to recovering and strengthening defenses.

MDR Blog Graphic_Automation (1)


The goal of the detection stage is to quickly formulate a response strategy based on situational awareness and threat impact, potential scope of compromise, and the damage that the threat can cause.

The old way

Traditionally, security analysts within an organization would review all the alerts being generated from different security platforms, correlate the information to build a complete picture of every potential threat, and triage and assign priorities.

Unfortunately, this process is prone to human error and inconsistencies, is time-consuming, and increases the likelihood of high-severity threats being overlooked.

A new way

The advanced capabilities of today’s threat analytics and intelligence technologies allow you to detect millions of threats faster and more accurately. You can aggregate threat data from multiple sources automatically and gain additional context and information on threats. For example, with Cisco’s SecureX, you’ll see a wealth of threat data centralized in seconds.

To handle threats even quicker, you need to pair automation with human investigation and validation. Automation’s role is to deliver relevant high-context threat alerts and help analysts more efficiently validate, investigate, contain, and eradicate threats across your organization’s network, cloud, and endpoints.

SecureX gives your security team the data and tools to investigate threats and take appropriate action, within a single console. Cisco also offers a completely managed service in our Managed Detection and Response (MDR) offer. With MDR, you can leverage Cisco’s top security experts who perform the investigation and analysis for you.


Once a threat has been detected and investigated, an analyst or investigator initiates threat containment. Bear in mind, the longer a threat remains active within an organization, the greater the risk of critical damage. Last year, the industry average time to detect and contain a threat was 73 days.

By comparison, the mean time to contain a threat is four hours with Cisco MDR. This is because MDR brings together Cisco’s cutting-edge security technology, threat intelligence, and investigative expertise to resolve threats fast.


Response methods depend on the type and scope of the threat. Some of these can be automated for faster results, such as quarantining a host or blocking a domain.

However, sophisticated cyber attacks require a more sophisticated approach. That’s why your platforms should be configured so IT or SecOps personnel can sanction responses depending on the type of threat detected.


In cases where the threat (e.g. a Distributed Denial of Service attack) has disrupted operations, the security lifecycle continues to the recovery stage.

Organizations should enact recovery procedures depending on the type of attack they’re dealing with – for example, ransomware, which holds an organization’s assets hostage until payment is received, might require full restoration of files from backups stored in different sites.

This stage requires a combination of human judgment – deciding on the best course of action based on the threat and business continuity – and automated disaster recovery tools.

In cases where there’s a breach, organizations using MDR’s Incident Response  option can access around-the-clock Cisco resources, including Talos Incident Response.

After a security breach, it’s also important to conduct a post-mortem to determine where defenses need to be further strengthened and to evaluate the effectiveness of your existing response plan, making amendments where necessary. The Cisco Incident Response option also can help an organization  assess current capabilities and pro-actively plan for a breach, as well as respond if one occurs.

Find a partner that combines automation and expertise

The use of automation to augment human intelligence, as opposed to replacing it, can have a powerful impact on the effectiveness of an organization’s cybersecurity posture.

However, the lack of cybersecurity professionals in the market remains a challenge for organizations, making it more difficult for them to research and analyze threats.

In light of these challenges, turning to a vendor that combines automation and trusted expertise is the best choice for many businesses today.

Learn how Cisco MDR can advance your security operations and give you the freedom to focus on what matters most to your organization. Get in touch today.