Adopting New SecOps Automation in Your SOC Team

Written by Matan Eli Matalon


    “Automation” has been a buzzword in the world of cybersecurity for a while now, however, enterprises are still struggling to fully realize its potential for incident response. In today’s complex and rapidly changing threat environment, manual security processes for security operations (SecOps) are no longer enough to keep up with the pace of threats.

    In this blog, we’ll explore the current situation in the cybersecurity field and the challenges organizations face in keeping up with the rapid growth in cyber attacks and security alerts. Then we will explain what “tierless” Automated SecOps is and how it can help companies save time, resources, and money.

    Stuck In a Loop: Top 3 SecOps Challenges

    With the rapid growth in attacks and the explosion of new technologies, security teams, and analysts in particular, have become dependent on the data and verdicts those technologies produce. Often, that data and those verdicts require human interaction and manual investigation to confirm threats and start the incident response process.

    Looking at the current state of security teams, the challenges they need to face daily can be classified into three main categories: People, Technology, and Budget. Each category has its own set of challenges and solutions the security industry came up with to overcome them.

    Let’s tackle them one by one.

    People Challenges in SecOps

    Never-Ending Cybersecurity Talent Shortage

    The threat landscape keeps growing, new security products emerge, and more data is being produced. The need for people and resources is higher than ever before. With that in mind, we can expect there will be a limit to the number of people you could hire and train. Medium or small organizations will not be able to attract, retain, and support large security teams. Even for large organizations, more people does not necessarily equal “more effective.”

    Traditional security operation centers have relied on “tiered” teams, with the Tier 1 SOC analysts performing the alert monitoring, initial investigation and triage. But as the number of alerts has grown, the burden and cost of maintaining this level of SOC analysts has continued to increase.

    Security Alert Fatigue

    Alert fatigue is a serious issue for organizations, especially when the volume of alerts rises and their staffing remains static (or even gets cut).

    Security teams face thousands of alerts daily, while needing to perform at the highest level and make decisions that ensure the security of the company they work for. But as the number of alerts rises, the quality of those decisions decreases. The risk of SOC analyst burnout and the cost of turnover also increase.

    Many of those affected by alert fatigue are Tier 1 SOC analysts, who may be inexperienced and overloaded with responsibility as the cost of mistakes can be very high. When the quality of life is affected for SOC analysts, the quality of work is affected, and that puts the organization at risk.

    Technology Challenges in SecOps

    Lack of Focus from Too Many Scattered Tools

    The attack surface has expanded, so we have more and more security solutions that try to solve a variety of problems. Because each solution generates huge amounts of data, huge amounts of alerts are produced as well. 

    SOC teams need to constantly shift their focus from one system to another, and in some cases, you’ll get redundancy between solutions (the same alert from two or more products). Sometimes, you’ll miss a real incident that poses an actual risk. 

    Companies usually try to solve it by consolidating their data/alerts into one system. That eliminates the focus factor, where no shifting is needed for SOC analysts – all of your alerts are in one place. Redundancy will decrease and the chance of missing crucial alerts will also drop.

    However, there’s still one issue that doesn’t get addressed: false positives.

    Too Many False Positives

    To eliminate the false positives issue, the cybersecurity industry concluded that the load of triaging and investigating the first few levels of alerts won’t necessarily need to be done by the security teams. Many organizations “solve” this by relying on a dedicated outsourced service that will manage the Tier 1 SOC level tasks of their incident response process. But these services typically still rely on traditional investigation methods and teams of SOC analysts, which face the same issues with alert fatigue and scattered tools. The false positive alerts still exist and many often get “escalated” to the internal security team, as outsourced SOC analysts don’t have the specialized knowledge about the organization’s operations and environment.

    Budget Challenges in SecOps

    Falling Revenue and Cutting Costs

    Every tech company is built differently, so the teams that generate the most revenue vary from one company to another. Revenue-generating teams are those whose services make the most money for the organization.

    On the opposite side, there are cost-center teams: teams whose operations cost more than they generate for the company. Security teams are, unfortunately, the perfect example.

    The Security Team’s budget is made from two main components: talent and solutions. Talent salary can vary, depending on the market and the experience of the talent, like in any department. However, one component that doesn’t change but only increases is the price of the purchased solutions or expensive service providers. According to Gartner, organizations will spend a collective $188.3 billion on information security and risk management products and services in 2023. 

    Furthermore, in the current economic climate, companies are urging security teams to reduce and cut from their budget. This puts a lot of pressure on CISOs and SecOps leaders because they have to make tough decisions that can impact the entire business. 

    What about outsourcing Security Operation functions?

    The idea of outsourced SOC providers (like an MDR or MSSP) has been in existence for quite some time, but one question remains – does it solve the problem? 

    Overall, the quality of the SOC service provider is not assured and the trust between the parties is not strong. Often this results in redundant work. This can create a different kind of dependence on an outside provider.

    • Promise: It decreases the number of false positives your team sees.
      Reality: The number of false positives and escalations usually remains relatively very high.
    • Promise: It reduces some of the workload on your team.
      Reality: The workload does not really “disappear,” it just gets migrated to a different team that deals with the same issues your internal security team dealt with.
    • The prices for these SOC services are extremely costly compared to alternatives and other security budget items.
    • Your team usually does not get much visibility on the analysis performed by the outsourced service. You typically don’t know which tools or techniques were used to reach the verdict your provider gives you.

    The Next-Generation of Incident Response Automation

    To overcome these challenges, there must be a change in our approach. Times have changed and the traditional incident response process is outdated. Custom-built incident response playbooks are costly to build, difficult to maintain, and effective when they connect a stack of third-party tools.

    Automated SecOps shows how we can transition from being reactive to being proactive: from being dependent on alerts, events, and manual interaction at every step, to gaining independence and changing how we operate in order to adapt to the current climate.

    Why Now is the Time for More Incident Response Automation

    Cybersecurity vendors have been promoting “automation” for years. Many of those solutions were limited and disappointing. But here’s why now is the time to adopt new, innovative ways of automating the incident response process:

    • Tech Maturity – Most security tools and technologies today offer automation capabilities. Whether it’s customized API commands, integrations with other solutions, or creating automatic workflows based on tasks from different tools, the environment is set and ready. More and more, those workflows are “native” and use pre-built logic to integrate without custom-engineered playbooks.
    • Scalability – Automation is almost immune to scale changes. If up until now alert/incident growth resulted in additional hiring and training, with a set of automatic tools or tasks the configuration almost never changes. 10 alerts get the same treatment as 1000.
    • Visibility – By keeping your incident response in your own hands (or in tools that support automation), you gain not only independence but also full visibility of the analysis performed on your alerts/incidents. You know which tasks are being applied at each step of the way. Automating your own process ensures your internal team stays in control, doesn’t get overwhelmed, and has access to the findings you need.

    Automation allows more organizations to have “tierless” SOC teams, maximizing internal capacity to focus on strategic decisions and serious threats.

    Where Do You Start Automating Your Incident Response Process?

    The easiest tasks to automate also make up the biggest percentage of the time invested in the incident response process. So when we start by automating those repetitive, constant tasks, we already reduce a big chunk of our day-to-day workload in SecOps.

    Let’s look at a few examples:

    Task performed: File, URL, DNS, and IP scanning
    Task purpose: Simple reputation-type tasks that Tier 1 analysts do to triage alerts and come up with a definitive verdict.
    Automation opportunity: Related tools these days are either open-source projects (downloadable scripts) or API connected. The process stays the same and the result is usually 1 or 0. A simple code project that uses those scripts or API calls can save a lot of valuable time for these recurring tasks.

    Task performed: Memory scan for malware analysis / Sandboxing for behavior analysis
    Task purpose: Both are examples of ways analysts perform a deeper investigation of an incident that is escalated to them. Memory scans deal with the entire (or part of the) memory dump extracted from a potentially infected endpoint or server. Behavioral analysis is conducted when the analyst/researcher wants to further understand the behavior of the threat and its tendencies, so they will drop the file into a dedicated sandbox to learn how it operates.
    Automation opportunity: Online tools that provide a memory scanning capability within their solution, like Intezer, can automate this process. (If memory scans are conducted with open-source tools, you could build in more automation with a script or task.) Like memory scans, many tools allow the automation of sending a file to a sandbox and receiving a verdict without any manual work, including some open-source options. Also, there are online solutions that can perform sandboxing and more advanced capabilities with API calls (such as Intezer’s malware analysis).

    Task performed: Proactive threat hunting
    Task purpose: Analysts perform threat hunting when they suspect the escalated threat might spread across the organization’s network, or when they want to investigate a new threat that has been publicly shared. They will create custom queries to run on their data engines to try to find related events or incidents.
    Automation opportunity: This process is trickier to automate because IOCs change constantly, and the sources from which we gather the information can change as well. But one thing that stays the same is where we search for the IOCs and the queries we create for them. For example, EDRs like SentinelOne and CrowdStrike offer API commands and Python libraries (respectively) to run various tasks in general, and to create and run event queries in particular. Writing a script that integrates with these leaves you only needing to provide the IOCs as CSV or JSON; the rest is done automatically. The same goes for big data engines like Splunk, which offers Python libraries to upload CSV and JSON files to run advanced searches on.
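    The two scriptable rows above (reputation triage with a 1/0 verdict, and hunting queries built from an IOC file) can share one small pipeline. The script below is an added example, not code from this post or from Intezer: the IOC file, the KNOWN_BAD set (standing in for whatever reputation API or script your SOC uses), the query field names and the generic field="value" search syntax are all assumptions you would replace with your own tools.

```python
import csv, io, json, re
# Constructed sample IOC file (analysts supply IOCs as CSV or JSON); all values made up.
SAMPLE_IOC_CSV = """indicator
198.51.100.23
evil-updates.example
http://evil-updates.example/payload.bin
44d88612fea8a8f36de82e1278abb02f
"""
# Constructed stand-in for the reputation service's answers; in production this set is
# replaced by the API call or open-source script the SOC already uses.
KNOWN_BAD = {"198.51.100.23", "evil-updates.example"}
# Assumed SIEM/EDR field names for the hunting query; adjust to your own schema.
QUERY_FIELD = {"ip": "dest_ip", "domain": "query", "url": "url", "hash": "file_hash"}
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def classify(ioc: str) -> str:
    """Return the IOC type so the right lookup and query field can be chosen."""
    if ioc.lower().startswith(("http://", "https://")):
        return "url"
    if IPV4_RE.match(ioc):
        return "ip"
    if HASH_RE.match(ioc):
        return "hash"
    if DOMAIN_RE.match(ioc):
        return "domain"
    return "unknown"

def load_iocs(text: str) -> list:
    """Accept a JSON array of strings or a CSV with an 'indicator' column."""
    text = text.strip()
    if text.startswith("["):
        return [str(i).strip() for i in json.loads(text)]
    return [row["indicator"].strip() for row in csv.DictReader(io.StringIO(text))]

def reputation_verdict(ioc: str, known_bad=KNOWN_BAD) -> int:
    """Tier 1 reputation check: 1 = known bad, 0 = not. A URL is also checked by its host."""
    host = ioc.split("://", 1)[1].split("/", 1)[0] if classify(ioc) == "url" else ioc
    return int(ioc in known_bad or host in known_bad)

def hunting_query(iocs, field_map=QUERY_FIELD) -> str:
    """OR together one field="value" clause per IOC (generic search syntax, assumed)."""
    return " OR ".join(f'{field_map[classify(i)]}="{i}"' for i in iocs if classify(i) in field_map)

def triage(text: str):
    """Verdict per IOC, plus one hunting query that covers every IOC in the file."""
    iocs = load_iocs(text)
    return {i: reputation_verdict(i) for i in iocs}, hunting_query(iocs)
```

    Swapping KNOWN_BAD for a real reputation lookup and handing the returned query string to your EDR or Splunk client is the only glue left to write.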

    Robots Can’t Replace All Human Knowledge and Interaction

    It’s important to understand that there will be no robots that replace SOC teams in the near future, simply due to the fact that as defenses get smarter, adversaries get smarter as well. Since organizations, their environments, and their workforces are unique, it’s hard to imagine a future that won’t require human knowledge and intervention for incident response. Robots can’t strategize or make plans that adapt to the changing needs of an organization and its objectives.

    Security teams, and analysts in particular, will need to approach all problems with an automation-first mindset, so that they can minimize the operations time of their team and keep the focus on higher-order tasks. After all, the alert fatigue issue will only grow as data grows.

    We will not be able to achieve exponential improvement in productivity and efficiency for SecOps without a heavy emphasis on automation.

    Curious about how Intezer automates stages of the investigation and incident response process? Book a demo to talk with us and see how Intezer could help your security team.

    Matan Eli Matalon

    Matan Eli Matalon is the Information Security Manager at Intezer. He is in charge of Corporate Security, Compliance, Incident Response and Internal Product Implementations.
