The Myth of the Unmanned SOC
By Amos Stern, CEO, Siemplify
It’s no secret that security operations are under fire. In most enterprises, the only thing standing between a normal day and a financially devastating data breach is the security analyst. Yet, despite decades of investment in cybersecurity protection, detection, and intelligence tools, the analyst lacks a centralized software platform to operationalize all of this data in time to effectively prevent breaches from occurring. Drowning in a sea of alerts, and with the business on the line, SOC analysts are desperately seeking solutions. Automation is being hailed as the answer.
But what does “security automation” really mean?
Automation is only one facet of Orchestration
Among cyber professionals, orchestration and automation are frequently used interchangeably. Some have positioned orchestration as the “next” phase of automation. It’s no wonder security leaders are confused. In our review of the landscape, almost all automation point solutions simply remediate individual, low-level alerts. The idea is that this will offload a portion of the analyst workload to free up time to investigate the important stuff. But with what tool?
To be clear, automating the response to low-level, false-positive, and duplicate alerts is just one piece of orchestration. The list of individual processes that can be automated is growing, and effective automation simplifies routine tasks so that they execute with far more efficiency. Yet even the most advanced automation systems filter only a fraction of the security alerts that register on a company’s network.
Even if organizations could automate the full scope of alerts, leaders are simply not inclined to hand complete control of their security to a black box. Thus, for most organizations, incident responders are still required to sort through alerts and make the tough calls as to whether an attack is truly occurring. The analyst is more important than ever. The question is how to empower them and strike the right balance of machine-driven vs. analyst-driven response. The answer is orchestration. In security parlance, orchestration is a method of connecting security tools, integrating disparate security data, and providing security teams the broad functionality to respond to all types of threats. When executed properly, it is the connective tissue that streamlines security processes and powers an effective security response.
Effective Orchestration Applied
You cannot find or eradicate the threat by playing whack-a-mole with individual alerts. Humans must contextualize alerts and security data into a threat storyline, using automation as an enabler along the way. Comprehensive security orchestration is all about providing the capabilities to navigate the full scope of security operations and incident response from the initial alert through remediation. Regardless of the maturity or size of the security team, effective orchestration is built on a few key tenets:
• Context – understanding the relationships across alerts, intelligence, and security data, and assembling them into prioritized cases that carry the complete contextual threat storyline.
• Automation – integrating automated capabilities in a flexible manner; from basic playbooks to semi-automatic workflow, to complete automation of incident response where appropriate. One size fits all doesn’t work with security automation.
• Analyst Enablement – giving analysts the proper tools and visibility to effectively intervene throughout the investigation and response process and ultimately ensuring we are curing the disease, not just the symptoms.
With effective security orchestration, teams are able to utilize a single pane of glass for a coordinated response, both machine-led and analyst-driven. There is a delicate balance between human intervention and automation that requires the right underlying architecture and intelligence. Automation must be earned, not given.
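The three tenets above (context, graduated automation, analyst enablement) can be made concrete in a small triage routine. The following is an added illustration written for this page, not Siemplify code or any product’s playbook engine: it collapses duplicate alerts, groups the rest into cases by shared entities (host, user, IP), scores each case by severity, confidence and how many independent sources corroborate it, and then decides how much of the response runs unattended. The alert batch, tool names, hosts and addresses are constructed, and the confidence scale, severity scale and routing thresholds are assumptions chosen for the example.

```python
"""Case building and graduated automation over a batch of alerts.

Added example (not from the original article or any vendor). Three steps:
collapse duplicates, union alerts that share an entity into one case, then
pick an automation level per case. Only the lowest-impact outcome (closing
a low-confidence singleton) and, when the organization has opted in,
containment of corroborated high-confidence critical cases run unattended;
everything else is queued for an analyst with the case context attached.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Alert:
    id: str
    source: str               # detecting tool (assumed label)
    name: str
    entities: FrozenSet[str]  # e.g. "host:WS-101", "user:jdoe", "ip:203.0.113.5"
    confidence: float         # 0.0-1.0 as reported by the tool (assumed scale)
    severity: int             # 1 (informational) .. 5 (critical) (assumed scale)


# Constructed sample batch; every host, user, address and tool name is made up.
ALERTS = [
    Alert("a1", "edr",   "Suspicious PowerShell", frozenset({"host:WS-101", "user:jdoe"}), 0.80, 4),
    Alert("a2", "proxy", "C2 beacon",             frozenset({"host:WS-101", "ip:203.0.113.5"}), 0.95, 5),
    Alert("a3", "proxy", "C2 beacon",             frozenset({"host:WS-101", "ip:203.0.113.5"}), 0.95, 5),  # duplicate of a2
    Alert("a4", "av",    "PUA detected",          frozenset({"host:WS-207"}), 0.20, 1),
    Alert("a5", "siem",  "Failed login burst",    frozenset({"user:svc-backup"}), 0.50, 3),
    Alert("a6", "edr",   "Suspicious PowerShell", frozenset({"host:WS-300", "user:jdoe"}), 0.70, 4),
]


def dedupe(alerts: List[Alert]) -> List[Alert]:
    """Keep the first alert for each (source, detection, entity set) triple."""
    seen: Dict[tuple, Alert] = {}
    for a in alerts:
        seen.setdefault((a.source, a.name, a.entities), a)
    return list(seen.values())


def build_cases(alerts: List[Alert]) -> List[List[Alert]]:
    """Union-find over shared entities: alerts linked by any entity, even
    transitively (a1 shares a host with a2 and a user with a6), form one case."""
    parent = {a.id: a.id for a in alerts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    owner: Dict[str, str] = {}  # entity -> id of the first alert that mentioned it
    for a in alerts:
        for entity in a.entities:
            if entity in owner:
                parent[find(a.id)] = find(owner[entity])
            else:
                owner[entity] = a.id

    groups: Dict[str, List[Alert]] = {}
    for a in alerts:
        groups.setdefault(find(a.id), []).append(a)
    return list(groups.values())


def summarize(case: List[Alert]) -> dict:
    """Build the context an analyst needs and a priority for the queue.
    Corroboration by a second independent source raises priority by 50%."""
    sources = {a.source for a in case}
    max_conf = max(a.confidence for a in case)
    max_sev = max(a.severity for a in case)
    return {
        "alerts": sorted(a.id for a in case),
        "entities": sorted(set().union(*(a.entities for a in case))),
        "sources": sorted(sources),
        "max_confidence": max_conf,
        "max_severity": max_sev,
        "priority": max_sev * max_conf * (1 + 0.5 * (len(sources) - 1)),
    }


def route(summary: dict, auto_contain_enabled: bool = True) -> str:
    """Decide how much of the response runs without an analyst.
    Thresholds are assumptions for the example, not a recommended policy."""
    low_noise = (summary["max_severity"] <= 2 and summary["max_confidence"] < 0.3
                 and len(summary["alerts"]) == 1)
    if low_noise:
        return "auto_close"
    corroborated = len(summary["sources"]) >= 2
    if (auto_contain_enabled and corroborated
            and summary["max_confidence"] >= 0.9 and summary["max_severity"] >= 4):
        return "auto_contain"  # e.g. isolate host, then notify; only when opted in
    return "analyst_review"    # semi-automatic: enrich, then wait for a human


def triage(alerts: List[Alert], auto_contain_enabled: bool = True) -> List[dict]:
    """Full pipeline: dedupe -> cases -> context -> route, highest priority first."""
    cases = [summarize(c) for c in build_cases(dedupe(alerts))]
    for c in cases:
        c["route"] = route(c, auto_contain_enabled)
    return sorted(cases, key=lambda c: c["priority"], reverse=True)


if __name__ == "__main__":
    for c in triage(ALERTS):
        print(f'{c["route"]:15} prio={c["priority"]:.2f} alerts={c["alerts"]} entities={c["entities"]}')
```

The `auto_contain_enabled` flag is the point of the “earned, not given” line: the same case is contained unattended only once the organization has opted in for that playbook; until then it lands in the analyst queue with the full entity list, the corroborating sources and the priority already attached.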
Final Thoughts – Driving ROI
Security orchestration is transforming how analysts approach their job. The analyst isn’t going away, and given the shortfall in staffing, they must be armed with a comprehensive orchestration platform designed specifically for them. The average breach costs businesses north of $10M, which makes the status quo no longer tenable. Given the stakes, security leaders recognize the importance of driving analyst productivity, increasing the number of mitigated threats, and perhaps most importantly, dramatically shortening the mean time to remediation for all alerts (both automated and human-led). Once again, enterprise security leaders must avoid the distraction of point solutions that create yet another dangerous silo in the security operation, and instead arm the organization with the right balance of automation and human intuition from a single pane of glass.
About The Author
Amos Stern is the CEO and Co-Founder of Siemplify. He brings a unique technical and business background that includes the leadership of the Cyber Security department within the IDF Intelligence Corps. He served multiple roles within the Elbit Systems Cyber & Intelligence Division. Among other roles, Amos was responsible for designing and building large scale intelligence investigation platforms as well as defensive and offensive cybersecurity solutions for governments and law enforcement organizations globally. Amos has extensive experience training SOC teams of all sizes. Amos can be reached via email at [email protected] and on Twitter at @AmosGnux. For more information about Siemplify, please visit our website: www.siemplify.co.