It’s no secret that the work of SOC teams continues to get harder and harder. The increase in attack volume and sophistication plagues underfunded teams with false positives and analyst burnout.
However, like many other industries, cybersecurity is now beginning to build on and benefit from advances in automation to not only maintain the status quo, but also to achieve better security outcomes.
Multi-phase automation of the SOC workflow
The need for automation is clear and it is evident that it is becoming table stakes for the industry. Of all cyber-resilient organizations, IBM estimates that 62% have deployed automation, artificial intelligence and machine learning tools and processes.
So far, most of these advancements in automation have focused on response, with SOAR and incident response tools playing an instrumental role in handling the most urgent phase of the SOC workflow.
However, focusing attention only on the response means that we are treating the symptoms rather than the root cause of the disease. By breaking down the SOC workflow into phases, it’s easy to see more cases where automation can improve the speed and efficiency of security teams.
The four phases where automation coverage can be expanded include:
- Data ingestion and normalization: Automating data ingestion and normalization can enable teams to manage massive amounts of data from multiple sources, laying the foundation for additional automated processes
- Detection: Offloading the creation of a large percentage of detection rules can free up time for security analysts to focus on threats unique to their organization or market segment.
- Investigation: Offload manual and tedious work to shorten investigation and triage processes
- Reply: Automatically respond to known and discovered threats for fast and accurate mitigation
Data: laying the groundwork for automation
Ingesting massive amounts of data can seem overwhelming to many security teams. Historically, teams have struggled to connect data sources or simply had to ignore data volumes they could not handle due to cost-prohibitive legacy tool models that charge for the amount of data they store.
As the world continually migrates to the cloud, it’s imperative that security teams don’t shy away from using big data. Instead, they need to adopt solutions that help them manage it and, in turn, achieve better security outcomes by having increased visibility across the entire attack surface.
Security data lakes have brought about a paradigm shift in security operations. They support the ingestion of massive volumes and a variety of data, at the speed of the cloud, and allow security platforms to run analytics on it with reduced complexity and at a predictable cost.
Detection: Automate 80%
As more data is ingested, there will inherently be more alerts discovered. Again, this may seem daunting for overworked security teams, but automated processes, such as out-of-the-box detection rules on attack vectors, are another perfect example where automation can lead to improved coverage.
Generally speaking, there are many similarities in how networks are attacked, with around 80% of threat signals common to most organizations.
A modern SOC platform offers out-of-the-box detection rules that cover that 80% by connecting to threat intelligence feeds, open source knowledge bases, social media or dark web forums, to create protection logic against the most common threats. By combining these with additional rules written by internal security teams, platforms are able to stay abreast of threat techniques and use automated detection around them.
Investigation: separating the signal from the noise
The investigation phase of the SOC workflow is a phase not often associated with automation. It is traditionally bogged down by numerous tools and manual investigations limiting the efficiency and accuracy of security teams.
Processes that can be enhanced by automation during the investigation phase include:
- Grouping of alerts focused on threats: Security tools will give you thousands of alerts, but in reality, these boil down to just a few threats. On a large scale, this becomes a huge resource drain. If alerts are automatically grouped according to their threat context, then security analysts can more easily understand and respond to single incidents instead of searching for hundreds of alerts and false positives.
- Enrichment: By automatically enriching the entities associated with each signal or alert with additional information from many different data sources, teams get all the context available to understand the risk of the alert.
- Correlation: Automatic event correlation provides better visibility into the path of attackers through the organization’s network.
- Visualization: Once correlated, attack “stories” can be mapped and visualized in an easy-to-read timeline, making it easier for analysts and other stakeholders to get clear insights.
Together, these automated tasks provide analysts with quick insights into the highest priority incidents that require further investigation. This is a drastic improvement over legacy systems where analysts are constantly checking and rechecking incidents, investigating redundancies, and manually reconstructing events.
Automated investigation, when combined with manual search practices, can lead to more real-life incidents being investigated, triaged, and understood more accurately.
Answer: Act quickly and confidently
Once a threat is identified, the obvious next step would be to respond to it. As mentioned earlier, SOARs do a good job of automating the phase of responding to known threats.
The effectiveness of this automation, however, is highly dependent on data provided by other sources, i.e. where previous phases of the SOC workflow can provide usable and reliable outputs that can be sent to response software.
Incorporating more accurate data that has been standardized and studied by expert-designed automation makes response tools much more reliable and efficient.
Obviously, not all responses can be automated as attackers continue to evolve their methods. In many cases, analysts must thoroughly investigate incidents and adopt responses manually. But like the other phases of the workflow, the more these tasks can be automated, the more security teams will be freed up to deal with more complex attacks.
So why aren’t more companies using automation?
Many teams know that automation will increase their productivity, but changing processes and software is often difficult for several reasons:
- Replacing legacy software is time-consuming, expensive, and potentially risky
- Obtaining stakeholder approval for major implementations is difficult and slow
- Training analysts to use new software takes time and resources
- Ever-changing attack techniques keep security teams busy with the “here and now”
These blockers stacked on extreme staff shortages can make the task daunting.
But, as automation continues to take center stage, the industry will continue to see significant reductions in total cost of ownership (TCO), mean time to detect/response (MTTD/MTTR), analyst burnout and CISO frustration.
SOC platforms to the rescue
When multiple elements of the SOC workflow are combined and automated, the weight and pressure of the normal workload begins to dissolve. Analysts will begin to be able to say goodbye to the long hours spent switching between tools, hunting for false positives, or simply maintaining traditional SIEM solutions.
The new generation of SOC platforms has a lot to offer, at every stage of the SOC workflow. Born in the cloud, SOC platforms are able to use modern data architectures to more easily develop additional features and enhancements. This, coupled with the advantage of being able to ingest all security data at a fraction of the cost of legacy tools, has resulted in a trend towards increased automation built into them.
|An example of an automatic investigation summary on the Hunters SOC platform showing the key entities of an alert generated after a user logs into the Okta web console from an unmonitored device with no active EDR agent, as well as the risk score associated with it|
An example of this may be threat investigation: this is known to most analysts as a tedious manual task, involving sorting through countless false positives. But today’s SOC platforms have introduced automation, dramatically improving the survey process. Enhancements such as automated cross-source correlation, ML models, and built-in data query queries have emerged to help analysts with the most tedious and repetitive threat investigation tasks.
Now is the time to start taking advantage of automation as it continues to change the industry. Teams that don’t actively adopt these innovations will find themselves falling behind, potentially leaving their organizations vulnerable and their staff overwhelmed.
Find out how Hunters SOC Platform can help your SOC: www.hunters.ai