Making the case for security operation automation

According to ESG research, 52% of organizations believe that security operations are more difficult today than they were two years ago, due to factors such as the dangerous threat landscape, growing attack surface, and the volume/complexity of security alerts. In analyzing this data, I see a common theme: scale. Security teams must be able to scale operations to deal with the increasing volume of everything coming at them. Faced with a global cybersecurity skills shortage, CISOs need alternatives to hiring their way out of this quagmire.

How can organizations proceed? By automating security operations processes. ESG research reveals that nearly half (46%) of security operations center (SOC) teams are automating security operations processes “extensively,” while another 44% are automating security operations processes “somewhat.”

Multiple approaches to security automation

When it comes to security operations process automation, one might equate this activity with security orchestration, automation, and response (SOAR) technology. In some cases, this is a correct assumption, as 37% of organizations use some type of commercial SOAR tools. Interestingly, more than half (53%) of organizations eschew SOAR, using security operations process automation functionality within other security technologies instead – security information and event management (SIEM), threat intelligence platforms (TIPs), IT operations tools, or extended detection and response (XDR), for example. Those organizations using SOAR admit that it is no day at the beach – 80% agree that using SOAR was more complex and time consuming than they anticipated.

Technology aside, security professionals acknowledge that there are a few major impediments to security operations process automation. For example, 39% claim that their SOC team doesn’t have the software programming skills necessary for developing automation workflows, and 21% say that their security operations processes are relatively immature, requiring re-engineering before they can be automated. This last obstacle reflects Bill Gates’s well-known observation about process automation: “Automation applied to an efficient operation will magnify the efficiency…automation applied to an inefficient operation will magnify the inefficiency.”

Tips toward security automation success

Clearly, there’s work to be done before many organizations can and should apply resources to security operations process automation. Is it worth the effort? Yes. The research exposes that security pros believe security operations process automation can lead to benefits like improved mean time to respond (MTTR), improved threat detection using playbooks, improved staff productivity, and faster acceleration of addressing critical alerts. The balancing act is in achieving benefits while addressing security operations process automation complexity and skills requirements. Based upon countless interviews with SOC personnel, ESG suggests:

• Start security operations process automation projects with the basics. Every SOC manager I speak with wants to automate pedestrian tasks they undertake dozens of times each day – looking up IP addresses, enriching alerts, checking file hashes against VirusTotal or other malware zoos, etc. Some SOC managers tell me automating tasks alone leads to tremendous productivity improvements. SOC teams should query all staff members regardless of their seniority, get their input, and then compile and prioritize a list of tasks for automation. Complement this list by defining metrics that can help the SOC team gauge progress.
• Look for shortcuts in existing technologies. As described above, task automation is no secret. Before writing code or investing in SOAR technology, its worth assessing the process automation capabilities you already have with tools like SIEM, XDR, TIP, or ServiceNow. Many of these vendors now bake in some of the task automation capabilities mentioned previously. It may also be worthwhile to go beyond the vendors and seek out other users to see if they’ve addressed SOC process automation in creative ways within common technologies.
• Research existing security operations process templates. After assessing your own security operations processes, it may be useful to review established best practices and observe what leading organizations are already doing. It’s worth noting that some SOAR vendors provide basic workflow templates for processes such as phishing investigations, threat hunting, and incident response that can be customized for applicability to individual organization’s needs.
• Explore low code/no code options. To overcome the development skills impediment, leading SOARs such as Demisto (PAN XSOAR), Siemplify (Google), Splunk SOAR, or Swimlane offer drag-and-drop menus that can help organizations create simple automated workflows. Newer SOAR offerings from Tines and Torq are designed around low code/no code from the ground up. Low code/no code SOAR not only eases workflow creation, but it also democratizes process automation for all SOC employees – from junior Tier-1 analysts to seasoned threat hunters, researchers, and incident responders.