It's no secret that the job of SOC teams continues to become increasingly difficult. Increased volume and sophistication of attacks are plaguing under-resourced teams with false positives and analyst burnout.
However, like many other industries, cybersecurity is now beginning to lean on and benefit from advancements in automation to not only maintain the status quo, but to attain better security outcomes.
Automation across multiple phases of the SOC workflow
The need for automation is clear, and it is apparent that it is becoming table stakes for the industry. Of all cyber resilient organizations, IBM estimates that 62% have deployed automation, AI and machine learning tools and processes.
Up until now, much of these advancements in automation have been focused on response, with SOAR and incident response tools playing an instrumental role in tackling the most urgent phase of the SOC workflow.
Centering the focus only on response, however, means we're treating the symptoms instead of the root cause of the disease. By breaking down the SOC workflow into phases, it is easy to see more instances where automation can improve the speed and efficacy of security teams.
The four phases where it is possible to expand coverage of automation include:
- Data ingestion and normalization: Automating data ingestion and normalization can empower teams to handle huge amounts of data from multiple sources, laying the foundation for additional automated processes
- Detection: Offloading the creation of a significant percentage of the detection rules can free up time for security analysts to focus on the threats that are unique to their organization or market segment
- Investigation: Offloading manual and tedious work to shorten investigation and triage processes
- Response: Automatically responding to known and discovered threats for rapid and accurate mitigation
Data: Laying the foundation for automation
Ingesting huge amounts of data may sound overwhelming to many security teams. Historically, teams have had a hard time connecting data sources or have simply had to ignore the data volumes that they couldn't handle due to cost-prohibitive models of legacy tools that charge for the amount of data that they store.
With the world continually migrating to the cloud, it is imperative that security teams do not shy away from massive data. Instead, they need to enact solutions that help them manage it and in turn, achieve better security outcomes by having increased visibility on the entire attack surface.
Security data lakes have brought with them a paradigm shift in security operations. They support the ingestion of massive volumes and variety of data, at the speed of cloud, and allow security platforms to run analytics on top of them with reduced complexity and at a predictable cost.
Detection: Automating the 80%
As more data is ingested, there will inherently be more alerts discovered. Again, this may sound intimidating to overworked security teams, but automated processes, such as out-of-the-box detection rules across attack vectors, is another perfect example where automation can lead to an improvement in coverage.
Generally speaking, there are many similarities in the way networks are attacked, with approximately 80% of threat signals being common across most organizations.
A modern SOC platform offers out-of-the-box detection rules that cover this 80% by plugging into threat intelligence feeds, open-source knowledge bases, social media, or dark web forums, to create logic protecting against the most common threats. Combining those with additional rules written by in-house security teams, platforms are able to keep up-to-date with threat techniques and utilize automated detection around them.
Investigation: Separate the signal from the noise
The investigation phase of the SOC workflow is one that is not often associated with automation. It is traditionally bogged down by numerous tools and manual investigations limiting the efficiency and accuracy of security teams.
The processes that can be bolstered with automation within the investigation phase include:
- Threat-centric clustering of alerts: Security tools will give you thousands of alerts, but in reality these boil down to only a few threats. At scale, this becomes an enormous resource drain. If the alerts are automatically grouped based on their threat context, then security analysts can more easily understand and respond to single incidents as opposed to chasing hundreds of alerts and false-positives.
- Enrichment: By automatically enriching the entities associated with each signal or alert with additional information from many different data sources, teams get all the available context to understand the risk of the alert.
- Correlation: Automatically correlating events leads to better visibility into the path of attackers within the organization's network.
- Visualization: Once correlated, attack "stories" can be mapped and visualized in an easy-to-read timeline making it easier for analysts and other stakeholders to gain clear insights.
Together, these automated tasks offer analysts fast indications of which incidents are the highest priority and need further investigation. This is a drastic improvement compared to legacy systems where analysts are constantly checking and rechecking incidents, investigating redundancies and manually piecing together events.
Automated investigation, when in conjunction with manual search practices, can lead to more real incidents investigated, triaged and understood with more accuracy.
Response: Act quickly and confidently
Once a threat is identified, the obvious next step would be to respond to it. As mentioned earlier, SOARs do a good job with automating the response phase with known threats.
The efficiency of this automation, however, relies heavily on data that is provided by other sources, i.e. when earlier phases of the SOC workflow can deliver usable and reliable outputs that can be sent to a response software.
Integrating more accurate data that has been normalized and investigated by expertly engineered automation makes response tools much more reliable and effective.
Obviously, not all responses can be automated as attackers continue to evolve their methods. In many instances, it's necessary for analysts to investigate incidents thoroughly and enact responses manually. But like the other phases of the workflow, the more that these tasks can be automated, the more security teams will be freed up to address more complex attacks.
So, why aren't more companies using automation?
Many teams know that automation will increase their productivity, but changing processes and software is often difficult for several reasons:
- Replacing legacy software is time consuming, expensive and potentially risky
- Getting stakeholder approval for major implementations is challenging and slow
- Educating analysts on using new software takes time and resources
- Ever-evolving attack techniques keep security teams occupied with the "here and now"
These blockers piled on top of extreme personnel shortages can make the task seem daunting.
But, as automation continues to take center stage, the industry will continue to see significant reductions in total cost of ownership (TCO), mean time to detection/response (MTTD/MTTR), analyst burnout and CISO frustration.
SOC Platforms to the rescue
When several pieces of the SOC workflow are combined and automated, the weight and pressure of the normal workload begin to dissolve. Analysts will start to be able to wave goodbye to spending long hours bouncing from tool to tool, chasing false positives or simply maintaining traditional SIEM solutions.
The new generation of SOC platforms have a lot to offer, at every stage of the SOC workflow. Having been born in the cloud, SOC platforms are able to utilize modern data architectures to more easily develop additional features and enhancements. This, along with the advantage of being able to ingest all security data at a fraction of the cost of legacy tools, has resulted in a trend towards increased automation embedded in them.
A sample Auto-Investigation summary on the Hunters SOC Platform showing the key entities of an alert generated after a user logged in to the Okta web console from an unmonitored device without an active EDR agent, as well as the Risk Score associated with it |
An example of that can be the investigation of threats: this is known by most analysts to be a tedious, manual task, involving sorting through endless false positives. But today's SOC platforms have introduced automation, significantly improving the investigation process. Improvements like automated cross-source correlation, ML models, and built-in data interrogation queries have emerged to help analysts through the repetitive and most laborious threat investigation tasks.
Now is the time to start leveraging automation as it continues to change the industry. Teams not actively adopting these innovations will find themselves behind the curve, potentially leaving their organizations vulnerable and their personnel overwhelmed.
Learn more about how Hunters SOC Platform can help your SOC: www.hunters.ai