4 Places to Supercharge Your SOC with Automation
It’s no secret that the job of SOC teams continues to become increasingly difficult. Increased volume and sophistication of attacks are plaguing under-resourced teams with false positives and analyst burnout.
However, like many other industries, cybersecurity is now beginning to lean on and benefit from advancements in automation to not only maintain the status quo, but to attain better security outcomes.
The need for automation is clear, and it is becoming table stakes for the industry: IBM estimates that 62% of cyber-resilient organizations have deployed automation, AI and machine learning tools and processes.
Up until now, most of these advances in automation have focused on response, with SOAR and incident response tools playing an instrumental role in tackling the most urgent phase of the SOC workflow.
Centering the focus only on response, however, means we’re treating the symptoms instead of the root cause of the disease. By breaking down the SOC workflow into phases, it is easy to see more instances where automation can improve the speed and efficacy of security teams.
The four phases where it is possible to expand coverage of automation include:
Ingesting huge amounts of data may sound overwhelming to many security teams. Historically, teams have had a hard time connecting data sources, or have simply had to ignore the data volumes they couldn’t handle because legacy tools charge by the amount of data they store.
With the world continually migrating to the cloud, it is imperative that security teams do not shy away from massive data. Instead, they need to adopt solutions that help them manage it and, in turn, achieve better security outcomes through increased visibility across the entire attack surface.
Security data lakes have brought with them a paradigm shift in security operations. They support the ingestion of massive volumes and variety of data, at the speed of cloud, and allow security platforms to run analytics on top of them with reduced complexity and at a predictable cost.
As more data is ingested, more alerts will inherently be discovered. Again, this may sound intimidating to overworked security teams, but automated processes, such as out-of-the-box detection rules across attack vectors, are another example of where automation can improve coverage.
Generally speaking, there are many similarities in the way networks are attacked: approximately 80% of threat signals are common across most organizations.
A modern SOC platform offers out-of-the-box detection rules that cover this 80% by plugging into threat intelligence feeds, open-source knowledge bases, social media and dark web forums to create logic that protects against the most common threats. By combining those with additional rules written by in-house security teams, platforms are able to keep up to date with threat techniques and automate detection around them.
The investigation phase of the SOC workflow is one that is not often associated with automation. It is traditionally bogged down by numerous tools and manual investigations, which limit the efficiency and accuracy of security teams.
The processes that can be bolstered with automation within the investigation phase include:
Together, these automated tasks give analysts fast indications of which incidents are the highest priority and need further investigation. This is a drastic improvement over legacy systems, where analysts are constantly checking and rechecking incidents, investigating duplicates and manually piecing together events.
Automated investigation, combined with manual search practices, leads to more real incidents being investigated, triaged and understood with greater accuracy.
Once a threat is identified, the obvious next step would be to respond to it. As mentioned earlier, SOARs do a good job with automating the response phase with known threats.
The effectiveness of this automation, however, relies heavily on the data provided by other sources, that is, on earlier phases of the SOC workflow delivering usable and reliable outputs that can be handed to response software.
Feeding response tools more accurate data that has been normalized and investigated by well-engineered automation makes them far more reliable and effective.
Obviously, not all responses can be automated, since attackers continue to evolve their methods. In many instances, analysts must investigate incidents thoroughly and respond manually. But as with the other phases of the workflow, the more these tasks can be automated, the more security teams are freed up to address complex attacks.
Many teams know that automation will increase their productivity, but changing processes and software is often difficult for several reasons:
These blockers piled on top of extreme personnel shortages can make the task seem daunting.
But, as automation continues to take center stage, the industry will continue to see significant reductions in total cost of ownership (TCO), mean time to detection/response (MTTD/MTTR), analyst burnout and CISO frustration.
When several pieces of the SOC workflow are combined and automated, the weight and pressure of the normal workload begin to dissolve. Analysts will start to be able to wave goodbye to spending long hours bouncing from tool to tool, chasing false positives or simply maintaining traditional SIEM solutions.
The new generation of SOC platforms has a lot to offer at every stage of the SOC workflow. Having been born in the cloud, these platforms can use modern data architectures to develop additional features and enhancements more easily. This, along with the ability to ingest all security data at a fraction of the cost of legacy tools, has driven a trend towards more automation embedded in them.
Threat investigation is one example: most analysts know it as a tedious, manual task that involves sorting through endless false positives. Today’s SOC platforms have introduced automation that significantly improves the investigation process. Capabilities such as automated cross-source correlation, ML models and built-in data interrogation queries have emerged to help analysts with the most repetitive and laborious threat investigation tasks.
Now is the time to start leveraging automation as it continues to change the industry. Teams not actively adopting these innovations will find themselves behind the curve, potentially leaving their organizations vulnerable and their personnel overwhelmed.
Learn more about how Hunters SOC Platform can help your SOC: www.hunters.ai