Security Automation: The Key to a Smarter SOC

By Tony Velleca

March 3, 2020

In the wake of increasingly sophisticated cyber security threats, the pressure on enterprise security teams intensifies. While detection tools have advanced significantly, security teams continue to be overwhelmed in their response, whether it's due to alert fatigue, challenges of prioritization, or their inability to make sense of the vast volume of data being generated by all the tools.

Maximizing the effectiveness of your security operations center (SOC) improves the speed and accuracy of incident detection and response. This requires deep integration of all your security solutions and processes to help you orchestrate SOC procedures. Rather than having a stack of siloed tools, a cohesive SOC is created, providing higher efficiency, consistency, increased capabilities and a solid foundation for taking the next step toward security automation.

How Security Automation Improves Detection and Response

The problem with a continuous focus on adding detection tools is that it leaves us with an overabundance of alerts that traditional SOCs can’t handle. By introducing security automation, you can scale operations to keep pace with the wave of data generated by advanced detection tools.

Rather than trying to outpace the explosion of security alerts by constantly hiring more analysts for your SOC team, security automation services allow SOCs to scale in several key ways.

  1. Alert Enrichment

    Integration and orchestration without automation won't make the most of your detection and response investments. The initial work of a Cyber Analyst is to add context to an alert through enrichment: for example, resolving an IP address to a device, determining what system the device belongs to, and determining whether there are known vulnerabilities for this system or other observables.

    The first step in Security Automation is enriching your alerts automatically with context so that instead of working with a long list of disparate alerts, you see insights and can prioritize your response and remove false positives. For example, there should be a different sense of urgency in the way an Analyst responds to an attack on a privileged user versus a non-privileged user with limited access.

    Alert Enrichment automatically adds context to an alert so those alerts may be prioritized and potentially correlated as a single incident, starting to chain together a potential attack scenario.

  2. Attack Visibility 

    The high volume of alerts generated by prevention and detection tools can be a blessing and a curse for SOC teams. In theory, all of those alerts indicate that your tools are effectively monitoring for and blocking threats as they approach your network. But the reality is that high volumes of alerts lead to false positives that diminish the effectiveness of your cyber security tools, directing the attention of your security analysts in the wrong direction.

    When your SOC team is overwhelmed by alerts and false positives become a regular occurrence, attackers can more easily gain a foothold in your network without being detected. This is one main reason why the average company takes 197 days to detect a data breach.

    Security automation must focus on assembling the alerts into the probability of different types of attacks. These attack patterns are a chain or graph of discrete techniques. Often attackers have signature techniques that are used to complete a full attack.

  3. Proactive Hunting

    Despite the fact that cyber security spending is expected to eclipse $1 trillion by 2021, attackers continue to evade prevention and detection tools. Part of the problem is that traditional SOCs are limited to reactive monitoring without acknowledging that a response is required (because breaches will inevitably occur). Even when alerts are triggered, manual processes mean that the response is slow to deploy and the damage is magnified and more complex to resolve.

    To be proactive, security teams must be able to assemble multiple alerts into the probability of an attack scenario, as mentioned above. Since there are a number of steps that an attacker must take to implement a complex attack, being proactive means anticipating the next step, hunting for evidence and automating key response steps.

    The speed and efficiency of security automation can also deter cyber criminals looking for a soft target. By making your SOC more proactive and keeping ahead of the latest cyber security threats you go beyond leveling the playing field to being in another league altogether. 
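The three steps described above (enriching an alert with asset, owner and vulnerability context; correlating enriched alerts per host into an ordered chain of techniques; and anticipating the next step of a known pattern to hunt for) can be sketched in a few functions. This is an added illustration, not code from the article or from CyberProof's platform; the inventory, privileged-user list, vulnerability data, alerts and the attack pattern are all constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample data (not real assets): IP -> (hostname, business system, owner)
INVENTORY = {"10.0.1.5": ("fin-db-01", "finance", "j.doe"),
             "10.0.2.9": ("wkst-203", "engineering", "a.lee")}
PRIVILEGED_USERS = {"j.doe"}
KNOWN_VULNS = {"fin-db-01": ["vuln-placeholder-1"]}
# Hypothetical attack pattern: an ordered chain of discrete techniques
PATTERN = ["credential-access", "lateral-movement", "exfiltration"]

@dataclass
class Alert:
    src_ip: str
    technique: str              # discrete technique reported by the detection tool
    context: dict = field(default_factory=dict)

def enrich(alert):
    """Resolve the IP to host/system/owner and attach privilege and vulnerability context."""
    host, system, owner = INVENTORY.get(alert.src_ip, ("unknown", "unknown", None))
    alert.context = {"host": host, "system": system, "owner": owner,
                     "privileged": owner in PRIVILEGED_USERS,
                     "vulns": KNOWN_VULNS.get(host, [])}
    return alert

def priority(alert):
    """Weighted urgency: a privileged owner and known vulnerabilities raise the score."""
    return 1 + (3 if alert.context["privileged"] else 0) + len(alert.context["vulns"])

def correlate(alerts):
    """Group enriched alerts per host into one incident: an ordered technique chain."""
    incidents = {}
    for a in alerts:
        incidents.setdefault(a.context["host"], []).append(a.technique)
    return incidents

def next_expected(chain, pattern=PATTERN):
    """Next technique of `pattern` not yet seen in order in `chain` (the step to hunt for)."""
    i = 0
    for t in chain:
        if i < len(pattern) and t == pattern[i]:
            i += 1
    return pattern[i] if i < len(pattern) else None

if __name__ == "__main__":
    raw = [Alert("10.0.1.5", "credential-access"), Alert("10.0.2.9", "port-scan"),
           Alert("10.0.1.5", "lateral-movement")]
    enriched = sorted((enrich(a) for a in raw), key=priority, reverse=True)
    print([(priority(a), a.context["host"], a.technique) for a in enriched])
    print({h: next_expected(c) for h, c in correlate(enriched).items()})
```

Alerts on the privileged finance host sort to the top, and the partial match against the pattern tells the analyst which technique to hunt for next on that host.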

The Primary Benefits of Security Automation

We know that bringing artificial intelligence and machine learning to key business processes introduces speed, cost efficiency, and accuracy that can’t be met by human resources alone. These advantages are part of the value that security automation can bring to your SOC team. But the benefits of security automation extend further.

A deeply integrated and orchestrated SOC becomes vastly more effective when security automation is added to its capabilities. Collecting data faster, correlating it more efficiently, automatically deploying patches and fixes, and detecting cyber security threats more effectively are all features of security automation services. But how exactly do these capabilities benefit your SOC? Increasing your analytic capabilities with AI-powered security automation helps you:

  • Minimize Response Times: The goal of security automation isn’t to replace human analysts. Automating tedious, time-consuming, non-cognitive tasks frees up your cyber threat intelligence analyst to focus on higher priority incidents that will provide greater value to your security platform. This impacts your response times in two ways. First, automation addresses those tedious tasks faster than humans would be able to. And second, you’re able to respond to higher level threats faster because your SOC team has access to more contextualized insights into attacker activity.
  • Reduce Human Error: Human error is widely known as a primary cause of cyber attacks. One Kaspersky study found that humans cause 90% of cloud-based data breaches. These errors often occur as security analysts try to balance all of the tasks required of an SOC team that’s already pushed to its limits. When so many tasks are required just to monitor activities, there isn’t much time left to be proactive.       
  • Eliminate Alert Fatigue: While it was once true that prevention and detection capabilities were strong enough to keep pace with advanced attackers, that is no longer the case. Now, context is the key to protecting your organization. Without a way to contextualize data, your SOC team will be inundated with more dumb alerts than it can manage. This can result in alert fatigue that allows threats to penetrate your perimeter and increases your response times. When security automation contextualizes your data, you can be sure that smart alerts are accurate and your responses may be prioritized accordingly.

Each of these security automation benefits will help advance your SOC operations. And when combined with the right team, you can create an SOC that can both detect and respond to even the most sophisticated attacks.

The real challenge is introducing security automation to your SOC in a way that leverages existing tools yet does not introduce added complexity for the SOC team, while ensuring that clear benefits can be identified and quantified. That’s why we’ve created a managed detection and response platform and managed services to help you stand up to the most advanced and persistent cyber criminals.

Check out our Cyber Hub and sign up for our newsletter to learn how you can stay one step ahead by making the most of security automation.


Written by Tony Velleca
Tony is CyberProof’s CEO and is CISO at UST Global. Tony previously co-founded and was CTO at huddle247.com, rated by PC Magazine as one of the top virtual workspace solutions in 2000. He previously worked for Boeing and Rolls-Royce, Inc. focusing on conceptual design and optimized propulsion systems for next generation aircraft. He holds a BS degree in Aerospace Engineering from Georgia Institute of Technology and an MBA from University of California, Irvine.