Are you running a Security Operations Center (SOC) that handles hundreds or thousands of alerts? Are your analysts unable to cope with a tsunami of events and eventually get burnt out? Are they unable to zero in on events of interest at speed and scale?
If the answer to any of the above questions is a yes, it is probably time to consider adding automation to your SOC ecosystem.
Nowadays, most of the modern next-generation SOC platforms come with a native Security Orchestration Automation and Remediation (SOAR) capabilities. While automation does make things simpler in the long term, it needs a lot of careful planning and a clear strategy.
Security Automation > What, When, Where and How
If you feel lost trying to figure out where to get started with this, you are not the only one.
To identify tasks or activities that can be automated, you need to start with an inventory of tasks and activities that your L1 function does, and out of those, identify the tasks that are repeatable in nature and have reversible outcomes.
Typically tasks in which you can use SOAR broadly fall under these categories.
- Enrichment: add context or additional information to the event that is being collected, this is typically by far the most popular SOAR use case.
- e.g., finds hash of the file, do a ‘who is’ look up, find details of a user on LDAP
- Orchestration: start or stop a certain service or process on an end point
- e.g., finds hash of the file, do a ‘who is’ look up
- Remediation: take an action to contain or correct an incident
- e.g., disable user on a directory
- Case management: tracking of end-to-end triage process
- E.g., tagging findings, evidence, documentation, and triage process management
- Reporting: reporting of SOC’s operational parameters
- E.g., Heat maps, situation reports etc.
Points to watch out for while implementing SOAR
Automation works best in mature and stable environments. While SOAR solutions make your SOC function more efficiently it is not a replacement for your L1/L2 function. Below are the three common pitfalls you need to watch out for while implementing a SOAR platform in your SOC.
Trying to automate everything at one go
With so many manual processes and staff in short supply, it can be tempting to go all in on security automation. But if you are just starting out, identify processes that are prime candidates for automation and implement automation in those areas first. From there you can determine how to continue forward on the automation component of your journey.
Also, it is practically impossible to automate everything. Many of the complex cases still need the hands-on, critical thinking that can only come from an experienced and well-trained security analyst. So, any SOAR implementation is always about finding the right balance of machine-led and analyst-led activities for your particular SOC.
Not mapping out incident response processes
Only the processes that have predictable and reversible outcomes can be considered for automation. SOAR solutions can be used to automate security operations processes, however, automation applied in an unplanned and uncontrolled manner can result in complete chaos. To avoid this pitfall, security operations teams need to devote considerable time to outlining and mapping their processes before building playbooks.
Incident response processes that are ‘cast in stone’
You cannot get everything right the first time. Even if you have devoted a lot of time and energy designing a particular incident response playbook, there is still a good chance it will not turn out to be perfect. Besides, the tactics, techniques, and procedures (TTPs) of cyberthreats evolve with time. Thus, you need to adapt and incorporate changes accordingly.
Expecting SOAR to be a wonder drug
There is no magic cure for all the challenges security operations teams face. SOAR holds the promise of driving process improvement, increasing efficiency and maximizing effectiveness for enterprise SOCs. As such, as you embark upon a SOAR implementation project, be sure to be clear on how it can best enable your team to maximize the use of the security tools you already have, empower your existing team, and inject new structure to your processes and techniques.