“Automation” has been a buzzword in the world of cybersecurity for a while now; however, enterprises are still struggling to fully realize its potential. In today’s complex and rapidly changing threat environment, manual security operations (SecOps) processes are no longer enough to keep up with the pace of threats.
In this blog, we’ll explore the current situation in the cybersecurity field and the challenges organizations face in keeping up with the rapid growth in cyber attacks and security alerts. Then we will explain what Tierless Automated SecOps is and how it can help companies save time, resources, and money.
Stuck In a Loop: Dependence
With the rapid growth in attacks and the explosion of new technologies, security teams, and analysts in particular, have become dependent on the data and verdicts those technologies produce.
Looking at the current state of security teams, the challenges they face daily can be classified into three main categories: People, Technology, and Budget. Each category has its own set of challenges, and its own set of solutions that the security industry has come up with to overcome them.
Let’s tackle them one by one.
Challenges for People in SecOps
Never-ending Talent Shortage – The threat landscape keeps growing, new security products emerge, and more data is being produced. The need for people and resources is higher than ever before. With that in mind, we can expect that there will be a limit to the number of people you can hire and train. Medium or small organizations will not be able to attract, retain, and support large security teams. Even for large organizations, more people does not necessarily mean “more effective.”
Alert Fatigue – Security teams face thousands of alerts daily while needing to perform at the highest level and make decisions that ensure the security of the company they work for. When the number of alerts rises, the quality of decisions decreases. Many of those affected by alert fatigue are Tier 1 analysts, who may be inexperienced and overloaded with responsibility, while the cost of mistakes can be very high.
When the quality of life is affected, the quality of work is affected, and that puts the organization at risk.
Challenges in SecOps Technology
Lack of Focus – The attack surface has expanded, so we have more and more security solutions that each try to solve a different set of problems. Because each solution generates huge amounts of data, huge numbers of alerts are produced as well.
SOC teams need to constantly shift their focus from one system to another, and in some cases there is redundancy between solutions (the same alert from two or more products). Sometimes a real incident that poses an actual risk gets missed.
Companies usually try to solve this by consolidating their data and alerts into one system. That eliminates the focus problem, since no shifting is needed – all of your alerts are in one place. Redundancy decreases, and the chance of missing crucial alerts drops as well.
However, there’s still one issue that doesn’t get addressed: false positives.
Too Many False Positives – To address the false positives issue, the cybersecurity industry concluded that the load of triaging and investigating the first few levels of alerts does not necessarily need to be carried by the security teams themselves, but can instead be handed to a dedicated outsourced service that does it for them.
Budget Challenges in SecOps
Revenue – Every tech company is built differently, so the most revenue-generating teams vary from one company to another. Revenue-generating teams are those whose services make the most money for the organization.
On the opposite side, there are cost-center teams: teams whose operations cost more than they generate for the company. Security teams are unfortunately the perfect example of this.
The security team’s budget is made up of two main components: talent and solutions. Talent salaries vary, depending on the market and the experience of the talent, as in any department. However, one component that never decreases, only increases, is the price of purchased solutions and expensive service providers. According to Gartner, organizations will spend a collective $188.3 billion on information security and risk management products and services in 2023.
Furthermore, in the current economic climate, companies are urging security teams to cut their budgets. This puts a lot of pressure on CISOs and SecOps leaders, because they have to make tough decisions that can impact the entire business.
What about outsourcing Security Operation functions?
The idea of outsourced SOC providers (like an MDR or MSSP) has existed for quite some time, but one question remains – does it solve the problem?
Overall, the quality of the SOC service is not assured and the trust between the parties is not strong. Often this results in redundant work, and it creates a different kind of dependence: on an outside provider.
| Pros | Cons |
| --- | --- |
| It decreases the number of false positives your team sees. | The number of false positives and escalations usually remains very high. |
| It reduces some of the workload on your team. | The workload does not really “disappear”; it just migrates to a different team that deals with the same issues your internal security team dealt with. |
| – | These SOC services are far more expensive than alternatives and other security budget items. |
| – | Your team usually does not get much visibility into the analysis performed by the outsourced service. You typically don’t know which tools or techniques were used to reach the verdict your provider gives you. |
Ending the Never-Ending: Transition To Automation
To overcome these challenges, there must be a change in our approach. Times have changed, and the traditional incident response (IR) process is outdated.
Tierless Automated SecOps shows how we can transition from being reactive to being proactive: from being dependent on alerts and events to gaining independence, and changing how we operate in order to adapt to the current climate.
Why Automation?
- Tech Maturity – Most security tools and technologies today offer automation capabilities. Whether it’s custom API commands, integrations with other solutions, or automatic workflows built from tasks across different tools, the environment is set and ready.
- Scalability – Automation is almost immune to changes in scale. Until now, growth in alerts and incidents resulted in additional hiring and training; with a set of automated tools or tasks, the configuration almost never changes. 10 alerts get the same treatment as 1000.
- Visibility – By keeping your incident response in your own hands (or in tools that support automation), you gain not only independence but also full visibility into the analysis performed on your alerts and incidents. You know which tasks are applied at each step of the way.
Where do I start?
The easiest tasks to automate also make up the biggest share of the time invested in the incident response process. So by starting with those repetitive, constant tasks, we already remove a big chunk of the day-to-day SecOps workload.
Let’s look at some examples:
| Tasks Performed | Task Purpose | Automation Opportunity |
| --- | --- | --- |
| File, URL, DNS, and IP scanning | Simple reputation-type tasks that Tier 1 analysts perform to triage alerts and reach a definitive verdict. | The related tools these days are either open-source projects (downloadable scripts) or API-connected. The process stays the same and the result is usually binary (1 or 0). A simple code project that wraps those scripts or API calls can save a lot of valuable time on these recurring tasks. |
| Memory scan for malware analysis / Sandboxing for behavior analysis | Both are ways analysts perform a deeper investigation of an incident escalated to them. Memory scans deal with the entire (or part of the) memory dump extracted from a potentially infected endpoint or server. Behavioral analysis is conducted when the analyst or researcher wants to further understand the behavior of the threat and its tendencies, so they drop the file into a dedicated sandbox to learn how it operates. | Online tools that provide memory scanning within their solution, like Intezer, can automate this process. (If memory scans are conducted with open-source tools, you could build in more automation with a script or task.) As with memory scans, many tools, including some open-source options, allow you to automate sending a file to a sandbox and receiving a verdict without any manual work. There are also online solutions that can perform sandboxing and more advanced analysis via API calls (such as Intezer’s malware analysis). |
| Proactive Threat Hunting | Analysts perform threat hunting when they suspect an escalated threat might spread across the organization’s network, or when they want to investigate a new threat that has been publicly shared. They create custom queries to run on their data engines to find related events or incidents. | This process is trickier to automate because IOCs change constantly, and the sources we gather them from can change as well. What stays the same is where we search for the IOCs and the queries we build for them. For example, EDRs like SentinelOne and CrowdStrike offer API commands and Python libraries (respectively) to run various tasks in general, and to create and run event queries in particular. With a script that integrates with these, all you have to provide is the IOCs as CSV or JSON; the rest is done automatically. The same goes for big data engines like Splunk, which offers Python libraries to upload CSV and JSON files and run advanced searches on them. |
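As an added example for the threat-hunting row (this is not code from the original post or from Intezer), the Python script below does the part that "stays the same": it takes IOCs from either a CSV or a JSON feed, refangs and classifies them, de-duplicates, and renders batched hunt queries from per-type templates. The query templates are hypothetical SQL-like strings standing in for a product's own query language, and the sample feeds are constructed.

```python
import csv, io, json, re
# Classifiers for raw indicator strings: MD5/SHA-1/SHA-256 hashes, IPv4, domains.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
# Hypothetical SQL-like query templates (each EDR/SIEM has its own query language;
# only these strings would change from product to product).
TEMPLATES = {
    "hash": "SELECT * FROM process_events WHERE file_hash IN ({values})",
    "ip": "SELECT * FROM network_events WHERE dst_ip IN ({values})",
    "domain": "SELECT * FROM dns_events WHERE query_name IN ({values})",
}

def refang(value):
    # Shared intel is usually "defanged" (hxxp, [.]); normalise before querying.
    return value.strip().replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")

def classify(value):
    # Return (indicator type, normalised value); unknown types are kept for review.
    v = refang(value)
    if HASH_RE.match(v): return "hash", v.lower()
    if IPV4_RE.match(v) and all(int(o) <= 255 for o in v.split(".")): return "ip", v
    if DOMAIN_RE.match(v): return "domain", v.lower()
    return "unknown", v

def load_iocs(text):
    # Accept a JSON list or a CSV with an 'indicator' column; bucket by type, de-duplicated.
    text = text.strip()
    if text.startswith("["):
        values = json.loads(text)
    else:
        values = [row["indicator"] for row in csv.DictReader(io.StringIO(text))]
    buckets = {}
    for raw in values:
        kind, v = classify(raw)
        buckets.setdefault(kind, set()).add(v)
    return {k: sorted(s) for k, s in buckets.items()}

def build_queries(buckets, batch=100):
    # One query per known type, batched for query-length limits; "unknown" has no template.
    queries = []
    for kind, template in TEMPLATES.items():
        values = buckets.get(kind, [])
        for i in range(0, len(values), batch):
            quoted = ", ".join("'%s'" % v.replace("'", "''") for v in values[i:i + batch])
            queries.append(template.format(values=quoted))
    return queries

# Constructed sample feeds (not real indicators), one CSV and one JSON.
SAMPLE_CSV = ("indicator,source\n198.51.100.23,feed-a\nexample[.]test,feed-a\n"
              "0123456789abcdef0123456789abcdef,feed-b\n198.51.100.23,feed-b\n")
SAMPLE_JSON = '["198.51.100.23", "EXAMPLE[.]test", "999.1.1.1"]'
```

Anything that lands in the "unknown" bucket (a malformed address, an unsupported type) is deliberately never queried; it goes back to an analyst, which keeps the automation from silently dropping or mis-searching indicators.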
In conclusion, it’s important to understand that no robots will replace SOC teams in the near future, simply because as defenses get smarter, adversaries get smarter as well.
Security teams, and analysts in particular, will need to approach all problems with an automation-first mindset so that they can minimize their team’s operational time and focus on higher-order tasks. After all, the alert fatigue issue will only grow as data grows.
We will not be able to achieve exponential improvement in productivity and efficiency for SecOps without a heavy emphasis on automation.
Curious about how Intezer automates alert triage, investigations, and response tasks? Book a demo to talk with us and see how Intezer could help your security team.