Today’s SOCs are complex. SOC personnel have never had more tools at their disposal, more data to analyse or more threat actors targeting their organisation. The result is an unprecedented number of tasks, security alerts and false positives that SOCs must handle on a daily basis (68% of respondents to a Ponemon Institute survey reported that their security operations team spends a significant amount of time chasing false positives).
ECS Security firmly believe that to gain full value from a SOC it must be threat-focussed (with compliance requirements being satisfied by a subset of the threat management activity). Focussing on threat means focussing on continually evolving actors, and so the number of alerts will generally increase, even with the best tuning practices in place. This, combined with the scarcity of skilled resources, means that SOC managers need to consider force multipliers, and this blog describes how automation and orchestration can provide real value.
In this context, automation should be considered the execution of a task or set of tasks by a system without human intervention.
The following example will help explain how this could apply to a SOC: when an analyst receives an alert highlighting potential malware infection of an endpoint, they will need supplementary data about the endpoint to make a decision on the appropriate responsive action. This data could reside on many systems, such as endpoint protection solutions, asset management systems and potentially the device itself. The analyst needs that data gathered and then recorded in a central ticket for audit and continuity purposes prior to making a decision on response.
The data collection activity in the potential malware example, if performed manually, could cost the SOC significant human time, which is a scarce resource for a busy SOC.
A resourceful analyst may develop a script that, when executed, connects to a relevant data source and collects the required data, avoiding the analyst having to perform the task directly. Providing this is done securely and safely, this is a good example of automation and how it can increase the capacity of a SOC.
Orchestration: the next level
Orchestration takes automation to the next level by combining automation with human-followed and human-executed workflows. It also helps establish sound governance around the automation abilities that a SOC creates, and the human workflow brings the obvious benefits of consistency and quality.
In the malware example described above, orchestration tooling could potentially be used to automate the detection of this type of alert, the gathering of the standard data that is required for such an event and the recording of it into a central ticket before presenting the ticket to the appropriate ticket queue manned by actual human SOC analysts. The SOC analyst that picks up the ticket then makes the decision on the appropriate response based on the data within the ticket.
Orchestration used in this fashion reduces the amount of time required to gather standard dataset information (as technology, configured correctly, can perform repeatable tasks faster than a human), frees up the time of the SOC analyst to concentrate on other tasks and interleaves technology with human activity in a controlled and effective fashion.
Full Automation Including Response
Full automation is where the tooling can carry out the complete end-to-end activity, or at least one of the potential end-to-end paths. This requires the scenario to be very well defined, the required data to be collectable using technology, the response decisions to be formulaic and the response action to be executable without human participation. All fully automated outcome paths have to be risk assessed and any risks mitigated within appetite.
In the example above, enough data would need to be collected for an automated decision to be able to trigger an automated response action, or for the system to decide that the automated response action should not be taken and to pass the populated ticket to a ticket queue manned by actual human SOC analysts.
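As an added illustration (not ECS's code, nor that of any of the products named on this page), a minimal Python orchestration playbook for the malware alert walked through above: it gathers the standard dataset from constructed stand-in data sources, records every step on a ticket for audit, fully automates only one narrow pre-approved response path, and routes everything else (including incomplete data) to a human-staffed queue. The data sources, hostnames and queue names are all hypothetical.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the data sources the text mentions (endpoint
# protection and asset inventory); in a real SOC these would be API calls.
EDR = {
    "host-17": {"verdict": "malicious", "quarantined": True},
    "srv-02": {"verdict": "malicious", "quarantined": True},
    "host-23": {"verdict": "suspicious", "quarantined": False},
}
ASSETS = {
    "host-17": {"role": "workstation", "criticality": "low"},
    "srv-02": {"role": "server", "criticality": "high"},
    "host-23": {"role": "workstation", "criticality": "low"},
}

@dataclass
class Ticket:
    alert_id: str
    host: str
    enrichment: dict = field(default_factory=dict)
    decision: str = "pending"
    queue: str = "triage"
    audit: list = field(default_factory=list)  # each step recorded for audit/continuity

def enrich(ticket: Ticket) -> Ticket:
    """Automation step: collect the standard dataset and record it on the ticket."""
    ticket.enrichment["edr"] = EDR.get(ticket.host)
    ticket.enrichment["asset"] = ASSETS.get(ticket.host)
    ticket.audit.append(f"enriched {ticket.host} from edr,asset")
    return ticket

def decide(ticket: Ticket) -> Ticket:
    """Formulaic decision: only one narrow, risk-assessed path is fully automated;
    anything incomplete or outside that path goes to a human-staffed queue."""
    edr, asset = ticket.enrichment["edr"], ticket.enrichment["asset"]
    auto_ok = (
        edr is not None and asset is not None
        and edr["verdict"] == "malicious" and edr["quarantined"]
        and asset["role"] == "workstation" and asset["criticality"] == "low"
    )
    if auto_ok:
        ticket.decision, ticket.queue = "auto_isolate", "auto-closed"
        ticket.audit.append("auto_isolate: matched pre-approved low-risk path")
    else:
        ticket.decision, ticket.queue = "human_review", "l1-analysts"
        ticket.audit.append("human_review: outside automated path or data missing")
    return ticket

def handle_alert(alert_id: str, host: str) -> Ticket:
    """Orchestration: detect -> enrich -> record -> decide -> route."""
    return decide(enrich(Ticket(alert_id, host)))
```

The pre-approved path is deliberately narrow (confirmed malicious, already quarantined, low-criticality workstation); widening it is a risk decision, not a code change.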
As can be seen above, full automation doesn’t mean your analysts are no longer required. These methods support human analysis and response. Leveraging automation and orchestration can equip analysts to respond faster, gives them more opportunity to think and enables them to use their security insight to find unknown threats and improve the security posture of the organisation.
If a SOC is running at 100% capacity and has its SOC analysts performing large volumes of repeatable, predictable tasks, then it is not generating value from the skill sets of its analysts or providing them with the opportunity to advance their capabilities. ECS believe that automation and orchestration should be considered by every SOC manager to scale and accelerate their SOC capabilities.
ECS work with products such as Splunk, ServiceNow, Tanium, Illumio and Jira to enable organisations to better leverage orchestration and automation within their operations.