
January 16, 2024 Dario Forte

No-code vs. low-code and near-no-code security automation


It seems that “no-code” is a term we hear more often in the security automation context these days. And this is especially true because automation has become one of the major talking points in cybersecurity.

How is no-code automation implemented in cybersecurity? How do no-code and Sumo Logic automation compare to each other? We’ll discuss all these questions in the following sections.

While no-code is our focus, we will also examine low-code security automation and full-code automation. These concepts are closely related and will help you gain a better insight into automation.

Three types of security automation

We define the main concepts in our discussion of security automation in the following way:

  • No-code automation means you can automate an entire workflow and add integrations as an indispensable part without using code and relying on developers altogether. Moreover, you can achieve this feat without any coding knowledge and skill.
  • Low-code or near-no-code automation means you can automate a workflow and integrate new tools easily with only minimal code and minimal reliance on developers. In this case, automation is extensively but not entirely code-independent.
  • Full-code automation is automation entirely dependent on code. In other words, you rely on coding and developers throughout the process to create automated workflows and add integrations.

The current state of affairs: no-code vs. full-code vs. low-code security automation

No-code automation

No-code automation solutions seem easy to use, but the ease of use has a trade-off: severely limited flexibility and customizability. They offer exclusively ready-made integrations and pre-built workflows with only a narrow application in the gazillion possible real-world scenarios.

Customizability and flexibility are critical to building a scalable and robust security posture in a fluctuating cybersecurity landscape. Therefore, from a security operation center’s standpoint, this trade-off can be a colossal drawback and a reason to look beyond no-code automation.

Besides, in cybersecurity, maximum accessibility sounds more like a to-do list item than a reality. It is hard to imagine anyone besides a security professional in charge of automation, no matter how high the level of technology abstraction is.

Full-code automation

Unlike no-code, full-code automation is highly customizable precisely because it is implemented through code. On the flip side, it is time-consuming, complex, and requires experts’ help, which affects the user experience.

Due to its complexity and suboptimal user experience, full-code automation is hardly acceptable in today’s excessively complex and fast-moving cyber environments.

Low-code / near no-code automation

Low-code is somewhere in between no-code and full-code automation. It is highly flexible—as low-code development has proved elsewhere—and helps you avoid both pitfalls.

Near-no-code solutions allow you to use as much custom code as necessary to adjust workflow automation and extend integration options. But they also include a visual editor where you can edit pre-built playbooks or create brand-new workflows, which makes them user-friendly.

Unlike no-code automation tools, low-code solutions have richer integration libraries. More importantly, they provide on-demand integrations through simple code. In addition, they include advanced reporting still missing in no-code solutions. Almost the same applies to case management.

Compared to full-code automation, the visual interface makes them far more user-friendly, easier to use and appealing.

Why no-code security automation isn’t practical

No-code security automation can’t realistically exist for the long term simply because cybersecurity processes and vendor APIs continually evolve.

Flexibility in building integrations is vital for security automation. But it is hard to imagine how you can have flexibility without the possibility of using code. Users often ask for actions that work differently or require different logic than what might be more common. A generic “one size fits all” approach simply doesn’t work well in practice.

Concerning the integration of cybersecurity tools, APIs change, and businesses evolve, and so do the processes that protect those businesses.

For example, security professionals may want to:

  • Extend integrations’ action functionalities and go beyond standard actions
  • Modify action parameters by changing the name or order of inputs, adding personalized hints and default values, creating new fields and more
  • Personalize action results — for instance, removing any fields they don’t need
  • Create custom table views by filtering and grouping the available data in an organized way, allowing them to see only the most relevant information
  • Refactor, in case integrated technologies evolve—for example, if APIs or endpoints change
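To make the list above concrete, here is an added example (not code from Sumo Logic or the Cloud SOAR OIF) of a hypothetical low-code enrichment action: parameters carry hints and defaults, the result is trimmed to the fields the analyst wants, and a vendor API shape change is absorbed in one place. The vendor responses and indicator values are constructed.

```python
from dataclasses import dataclass

# Hypothetical parameter definition with a hint and a default value
# (the "modify action parameters" bullet). Not Cloud SOAR's own API.
@dataclass
class Param:
    name: str
    hint: str
    default: object = None

ENRICH_PARAMS = [
    Param("indicator", "IP or domain to look up"),
    Param("min_score", "Suppress results scoring below this", 50),
]

# Only the fields the analyst wants to see (the "personalize action results" bullet).
KEEP_FIELDS = ("indicator", "verdict", "score", "last_seen")

# Constructed vendor responses: the same lookup in an old flat shape and a newer
# nested shape, standing in for an API change (the "refactor" bullet).
VENDOR_RESPONSES = {
    "198.51.100.7": {"ioc": "198.51.100.7", "verdict": "malicious", "score": 90,
                     "lastSeen": "2024-01-10", "asn": 64496, "internal_id": "x1"},
    "203.0.113.9": {"data": {"id": "203.0.113.9", "attributes": {
        "classification": "benign", "risk": 10, "last_seen": "2024-01-12", "cc": "ZZ"}}},
}

def normalize(raw: dict) -> dict:
    """Map either response shape onto one record, then drop unwanted fields."""
    if "data" in raw:  # newer nested shape
        a = raw["data"]["attributes"]
        rec = {"indicator": raw["data"]["id"], "verdict": a["classification"],
               "score": a["risk"], "last_seen": a["last_seen"], "vendor": a}
    else:              # older flat shape
        rec = {"indicator": raw["ioc"], "verdict": raw["verdict"],
               "score": raw["score"], "last_seen": raw["lastSeen"], "vendor": raw}
    return {k: v for k, v in rec.items() if k in KEEP_FIELDS}

def run_enrichment(inputs: dict):
    """Apply parameter defaults, look up the indicator, and return the trimmed
    record, or None when it scores below min_score (hypothetical action logic)."""
    params = {p.name: inputs.get(p.name, p.default) for p in ENRICH_PARAMS}
    if not params["indicator"]:
        raise ValueError("indicator is required: " + ENRICH_PARAMS[0].hint)
    raw = VENDOR_RESPONSES.get(params["indicator"])
    if raw is None:
        return None
    rec = normalize(raw)
    return rec if rec["score"] >= params["min_score"] else None
```

When the vendor changes its response format again, only `normalize` needs to change; the playbook that calls the action does not.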

Going above and beyond: security automation without developers

To help security teams minimize tool and alert fatigue, Sumo Logic’s security information and event management solution, Cloud SIEM, and security orchestration, automation and response solution, Cloud SOAR, provide automation capabilities that allow security analysts to fully automate playbooks with actions like enrichments and notifications to address potential security threats faster and more accurately.

Learn more about these automation capabilities and note that using the Automation Service with Cloud SIEM differs from Cloud SOAR in the following ways:

  • In Cloud SIEM, the Automation Service only supports automated enrichment, notification, and custom action types.
  • Using the Automation Service with Cloud SIEM does not include the incident and case management features from Cloud SOAR.
  • Cloud SOAR provides full or enhanced playbooks, integrations, and actions.

Sumo Logic’s Cloud SOAR solution goes beyond a near-no-code or low-code platform. It allows users to employ code for automation and integration purposes without them necessarily being the ones who develop the code. That means you don’t have to hire a data scientist or engineer just to make it work. And if you don’t already have developers on your team, Sumo Logic experts can add or modify any necessary actions as needed. 

Our Supervised Active Intelligence engine recommends the right playbooks for your team and uses its machine-learning algorithm to find the most suitable response to an incident.

You can also choose from hundreds of out-of-the-box actions and playbooks or ask the Sumo Logic professional services team to develop your necessary API connectors. Sumo Logic Cloud SOAR offers hundreds of pre-built integrations with leading third-party threat intelligence vendors, which help secure operations and automate incident response.

Open Integration Framework

If your security team has experience with code, you can leverage Cloud SOAR’s Open Integration Framework (OIF). The OIF is a graphical environment that includes a full-fledged IDE and supports multiple languages: Python, Perl, PowerShell, Bash scripting and YAML.

The OIF is where you change existing code, add new code and define custom actions. Anyone can access it and effortlessly develop a wealth of new connectors. The Sumo Logic Cloud SOAR team can provide the necessary training and support for in-house developers to get the most out of the OIF.

Modifying code is critical to an efficient security operations center (SOC) because it leads to flexibility and customizability.

No-code has its merits for non-technical users. However, once a user’s needs become more complex and sophisticated, it is hard to imagine how a no-code security solution catches up with an organization’s needs. Sumo Logic is a global leader in security automation with hundreds of out-of-the-box integrations.

Learn more about why proactive threat hunting is a necessity.

Dario Forte

VP & GM, Orchestration & Automation

Dario Forte started his career in IR as a member of the Italian police, and in that role he worked in the US with well-known government agencies such as NASA. He is one of the co-editors of the most relevant ISO Standard (SC 27). Dario holds 5 patents and has an MBA from the University of Liverpool, plus executive education at Harvard Business School.
