You might be having trouble finding security talent, but your adversaries aren’t. Droves of online intruders are rattling your network’s doors every day, and now they’re even automating their attacks. As the imbalance grows, the chances increase that a missed alert or under-the-radar event will grant an attacker access to your systems. To cope with the rising tide of cyberattacks, we recommend automating your security operations center (SOC) … but how, you ask?
Here’s a primer to get you started.
Automation may reduce human effort, but it shouldn’t take people out of the loop entirely. Every successful SOC automation relies on human knowledge. Create a team that can contribute to the initial automation and then maintain and adapt it over time to suit evolving security challenges. Lastly, find or train analysts who can use the information that automation uncovers.
Also, consider the role third-party technology providers play in your team. How can you enlist their help when automating security processes involving their products and services?
A robust team will help identify the goals for your automation initiative, pinpointing specific problems that you’re trying to solve. A lack of experienced analysts inflates staff costs, which makes cost containment a common goal for SOCs.
Staffing issues also contribute to another problem: throughput and success rate. Manual tasks that take too long create bottlenecks that limit a SOC’s ability to scale.
Another goal that might be uncovered during an automation project is the normalization of your technology stack. A ‘frankenstack’ of different vendors’ tools built up over time will create information bottlenecks and limit analysts’ ability to collaborate on investigations.
A successful automation initiative takes expertise and experience. There are three approaches to finding the right people – 1) do it all in-house, which is frequently cost prohibitive for companies battling a lack of internal expertise, 2) appoint a professional, managed security services provider (MSSP) to take on the entire process for you or 3) combine these in a hybrid approach.
Having identified your goals, a consultative MSSP can help you prioritize those to target first. Create a timeline for the key steps, mapping them against specific automation solutions.
This is also the time to validate your existing processes. That includes understanding what kinds of events you care about and assigning weights to them. This is especially important for the kind of human-in-the-loop operation we’re talking about, where analysts are still a vital part of the ecosystem and will ultimately see the most important events. An automated system must be able to show them the right data.
This may sound like a daunting task, but it’s also an opportunity for optimization. No one wants to automate flawed processes.
After designing your deployment timeline and sourcing your skills, it’s time to grease the wheels internally. Security automation could affect other processes in the business, meaning that you’ll need to win support from internal stakeholders. Identify those people and secure their buy-in, all the way up to senior level. You may find opposition to your initiative, which is common. Try enlisting internal champions to listen and address their concerns. Only then can you deploy your automation with a guarantee of success.
How do you measure that success? Use key performance indicators (KPIs) that underpin your objectives. For example, threat detection and response automation might include the number of positive alerts that your analysts receive, and the time spent handling them.
Your security team may track some of these KPIs already but prepare to adapt them based on post-automation changes. Some alerts that were more relevant in a manual setting might no longer surface in a well-organized, automated SOC. Similarly, the number of people available to work on an alert might change as automation tames your staffing issues.
Working out what to automate first can be a puzzle for security teams. Begin by focusing on areas where automation can deliver fast, high-impact results.
Look for inefficient workflows, using interviews with security team members living that experience every day. Once you’ve identified the inefficiencies, assess how repeatable those tasks are, and the effect that standardizing them will have on KPIs including time and cost.
At Nuspire, we have found endpoint detection and response (EDR) to be a good starting point. The focus for security teams has spread to the endpoint as the cloud and remote working practices have evolved. EDR has become crucial but is also difficult to manage manually.
A well-honed EDR automation quarantines devices that exhibit unsafe behavior. This can limit an attack’s blast radius to a small set of devices, saving considerable downstream time and cost.
Automation can be a powerful tool, but doing it properly takes careful preparation and planning. Even after you flip the switch, successful automation is a multiplier, not a substitute. It empowers an adept team rather than replacing it altogether. So, the first question you should ask is: which third-party service provider would you like on your side?