The future of SOCs: Automation where it matters
Sophisticated attacks, remote work needs and rapidly changing technologies challenge organizations to manage IT security while containing costs and using overburdened staff. Security operations centers (SOCs) increasingly use automation to manage complexity, improve process performance and improve the productivity of valuable staff.
In a recent example of automation, Microsoft announced the elimination of “Patch Tuesday” and the rollout of Windows Autopatch – automating Windows updates for both quality and features. Patching can be a labor-intensive but critical cybersecurity task often left undone due to other priorities. The new approach speeds up the deployment of patches to reduce possible security risks while reducing organization resources needed for updates.
Another example is the automation of database management processes. Historically, organizations devoted significant IT resources to provide their user clients with new ways to access, analyze and use data. Database platform providers are now using automation to “democratize” data access for users and eliminate the IT bottleneck. Both Oracle’s new generation Autonomous Data Warehouse tools and Microsoft’s Azure Data Catalog and associated tools are using automation to make digital information accessible to the non-technical worker. Automation makes routine IT tasks more efficient, speeds implementation and frees staff to address other priorities.
Automation is an emerging trend for SOCs. Like Microsoft’s new security patch technology, SOC automation intends to both improve an enterprise’s security posture and reduce the burden on security engineers and security analysts.
As security professionals, we all look to new SOC technologies that promise to detect threats that could be catastrophic for our organizations. But too often, people who work in the SOC can be overlooked. The real work of the SOC continues to be handled by security engineers who maintain the tools and the security analysts who have the insights that can assess attacks and determine what the organization should do to address threats. SOC teams are being stressed and stretched to the breaking point. CISOs increasingly focus on how to enhance their teams’ abilities to respond to threats, as well as improve job satisfaction, which is critical to maintaining staff in a tight labor market.
It is stated in a recent Fortinet report that SOC analysts remain amongst the most sought-after roles in cybersecurity. In addition, security teams must manually process thousands of alerts every day, leading to staff shortages. In a 2022 ISACA study, 62 percent of respondents reported that their cybersecurity teams are understaffed.
Security professionals are looking for solutions that can help with the workforce issues – automation for manual security tasks, tools that help analysts assess and remediate threats and workflow automation to make processes more efficient. Let’s look at where advances in SOC automation solutions can help.
Less is better
Manually chasing thousands of alerts every day is inefficient and frustrating for analysts, not to mention an opportunity for attacker exploitation. Modern SOC platforms can automatically ingest and manage a larger amount of data from more sources by using machine learning, threat intel, correlation, and rules for analysis.
Automated investigation of threats can amplify and prioritize attack signals and minimize false positives. Rather than receiving thousands of threats, delivering the hottest attack leads to analysts allows them to detect and respond to those that are most critical. For example, analyzing a suspicious binary hash prevalence on devices in the organization can indicate whether the alert is an actual attack or a false positive from automatic processes.
A picture is worth a thousand words
Simplified attack presentations to analysts can also improve efficiency and enable faster response. Correlation links attack points to provide better insight into the attack and graph-based correlation presents the full attack story in a format that allows analysts to easily understand the attack better and faster to respond with more clarity. For example, correlating between EDR, Okta and firewall alerts based on an attacker’s IP may indicate a higher priority attack and helps the analyst focus on simultaneously investigating three alerts from different detection platforms.
Data doesn’t equal knowledge
Even when fewer alerts are passed onto analysts, the data doesn’t provide enough information for the analyst to quickly determine the necessary response actions. Machine learning-based correlation of signals and alerts across disparate areas of suspicious activity can surface actionable attack stories for analysts. These attack stories can be escalated into SOAR tools and other existing workflows that enable response automation, identify mitigation actions, reduce attackers’ dwell time, and improve analyst performance.
For example, automatically correlating among a single employee’s different users on several platforms (e.g., Active Directory user, AWS user, application user) can reduce response time by rapidly disabling the different platform users belonging to the same hacked employee. By using automation to elevate detection and analytics, level one analyst workflows can be automated, level one analysts can be “upskilled” and level two and level three analysts can be empowered.
Improvement needs feedback
And lastly, the overwhelming volume of alerts and alert triage means that security analysts often don’t have time to pass their learnings back into the rest of the organization. Making continual improvements in SOC operations and the organization’s security posture is not just done by purchasing new technology. Analyst learnings and insights need to be fed into the system so that their knowledge is shared throughout the organization and can be used to improve SOC operations. Automating mundane tasks and allowing analysts to identify and respond to attacks more quickly enable this collaboration.
Looking to the future
The future is unlikely to be less complex – attacks will continue, hackers will use increasingly sophisticated and clever methods to breach enterprise defenses and the shortage of analysts will not be solved quickly. SOC automation can allow SOC staff to be real security practitioners – empowering security teams to overcome the volume and complexity, focus on detecting and responding to threats and work to improve organizational efficiency while lowering costs.