Business Outcomes for Automated Phishing Response

Security Automation Can be a Game Changer for Any SOC or CSIRT, Including Yours

As I’ve written about in previous articles, security automation technology is creating impressive gains for security and incident response teams, by helping them improve operational effectiveness, increase speed and agility, and reduce risk. More and more security analysts and SOC managers are beginning to understand the potential of automation as they experience it firsthand or hear about it from their peers.

However, it can be difficult to accurately demonstrate these gains using language that everyone can understand and appreciate: time and cost. This is particularly important for SOC and CSIRT managers who need to communicate with company stakeholders responsible for budgeting, training, and risk management—and who may not understand the ins and outs of a security operation.

As a result, security folks are increasingly interested in the business outcomes yielded by security automation. Their interest is driven by two factors: first, they want to know potential business outcomes beforehand, in order to get buy-in from executives and team members during the project planning phase; and second, they want to know—for their own SOC management purposes—how many person-hours can be saved in order to run their SOC more efficiently. 

I have been involved with the implementation of many incident response solutions and have documented the “before and after” of security automation. In this post I’m going to share the typical business outcomes experienced by a security team and show you the simple mathematical approach that can help you estimate the effect of automation in your SOC.

1. Choose a use case to measure

Ask your security team: what incident types are causing the most grief? What incident types require you to constantly switch between multiple tools to investigate? Often, phishing is identified as the obvious incident type that is most ripe for automation. This is due to the sheer volume of phishing attempts—particularly in large enterprises—and the combination of steps and tools that are required to investigate and resolve the incidents. For these reasons, we’ll use phishing as our example in this article.

2. Establish baseline metrics for your manual response

Next, calculate or estimate the number of phishing attempts you face each month. How many of these were false positives and how many turned out to be genuine incidents? How many minutes or hours does it take, on average, to close each false positive? How long does it take to close each true positive, or genuine incident? 

Now, multiply each average response time (one for false positives, one for true positives) by the number of phishing attempts of that type per month, add the two together, and multiply the result by the hourly cost of a security analyst in your organization. This gives you the amount of money you spend in an average month investigating and responding to phishing incidents.

3. Compare the manual response to an automated process

In organizations that use a security orchestration, automation, and response (SOAR) tool, the process for responding to a phishing attempt looks very different. The phishing inbox connects with the SOAR tool, automatically escalating an alert when a phishing attempt is reported. The SOAR tool then takes the MSG file and uploads it to a sandbox, generating a report for the analyst. The analyst can quickly evaluate the report to determine whether the incident is a false positive or true positive. 

If the analyst determines it’s a false positive, the SOAR tool will notify the user who received the initial email, and close the alert. If it’s a true positive, the SOAR tool can conduct a series of automated actions across the security environment, such as banning the hash, performing a network scan, and quarantining any infected endpoints. This whole process only takes a few minutes.

4. Crunch the numbers

Based on the many organizations that I’ve worked with on automation projects, closing a false positive will take around 2-3 minutes, and resolving a genuine incident will take 4-6 minutes. So, let’s take a conservative estimate of the automated processes, and compare against the manual response’s baseline:

• Events per week remain the same: 200.

• False positives and true positives remain the same: 164 and 36.

• Time to close each false positive goes from 15 minutes to 3 minutes.

• Time to resolve each true positive goes from 30 minutes to 6 minutes.

• Overall time per week spent on phishing incidents goes from 59 hours to 10 hours.

If paying and “housing” your security analysts costs $75 per hour, manually resolving phishing incidents is costing your organization $4,425 per week. Introducing automation would reduce that to just $750 per week. Extrapolated over a full year, your SOC could save 2,548 hours and $191,100 per year—just by automating a single use case. Now, ask yourself: what could your team do with the extra time? What about the extra budget?
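The following is an added example, not code from the article or from any SOAR vendor. It models both the branching playbook of step 3 (sandbox detonation, analyst decision, then notify-and-close or contain) and the cost arithmetic of step 4, run over a constructed week of 200 alerts with the article's 164/36 false/true positive mix, its per-incident timings and the $75/hour analyst cost. Alert IDs, reporter addresses and attachment hashes are placeholders. One check worth noting: 164 × 3 + 36 × 6 = 708 minutes, or 11.8 hours, so the article's 10-hour weekly figure for the automated path is a rounded-down estimate; the model keeps the exact arithmetic so you can see the effect of your own inputs.

```python
"""Phishing-response playbook and cost model (added example, not the article's code).

Assumed: per-incident timings, event counts and the $75/h analyst cost are the
article's illustrative figures; alert IDs, reporters and hashes are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Minutes per incident from step 4: manual baseline vs. automated response.
MINUTES_PER_INCIDENT = {
    "manual":    {"false_positive": 15, "true_positive": 30},
    "automated": {"false_positive": 3,  "true_positive": 6},
}


@dataclass(frozen=True)
class PhishingAlert:
    alert_id: str
    reporter: str           # user who reported the suspicious mail
    attachment_sha256: str  # hash of the MSG/attachment sent to the sandbox (placeholder)
    true_positive: bool     # the analyst's verdict after reading the sandbox report


def run_playbook(alert: PhishingAlert) -> list[str]:
    """Return the ordered actions the SOAR playbook takes for one alert.

    Mirrors step 3: escalate, detonate in the sandbox, report, analyst decision,
    then either notify-and-close (false positive) or contain (true positive).
    """
    actions = [
        f"escalate:{alert.alert_id}",
        "upload_msg_to_sandbox",
        "generate_sandbox_report",
        "analyst_review",
    ]
    if alert.true_positive:
        actions += [
            f"ban_hash:{alert.attachment_sha256}",
            "network_scan_for_hash",
            "quarantine_infected_endpoints",
        ]
    else:
        actions += [f"notify_user:{alert.reporter}", "close_alert"]
    return actions


def minutes_for(alert: PhishingAlert, mode: str) -> int:
    """Analyst minutes consumed by one alert under the given response mode."""
    kind = "true_positive" if alert.true_positive else "false_positive"
    return MINUTES_PER_INCIDENT[mode][kind]


def constructed_week(false_positives: int = 164, true_positives: int = 36) -> list[PhishingAlert]:
    """Build a week of alerts matching the article's 200-event mix (constructed data)."""
    alerts = []
    for i in range(false_positives + true_positives):
        alerts.append(PhishingAlert(
            alert_id=f"PH-{i:04d}",
            reporter=f"user{i % 50}@example.com",
            attachment_sha256=f"{i:064x}",  # zero-padded placeholder, not a real IoC
            true_positive=i < true_positives,
        ))
    return alerts


def weekly_hours(alerts: list[PhishingAlert], mode: str) -> float:
    """Total analyst hours per week for the given mode (exact, no rounding)."""
    return sum(minutes_for(a, mode) for a in alerts) / 60


def weekly_cost(alerts: list[PhishingAlert], mode: str, hourly_cost: float = 75.0) -> float:
    return weekly_hours(alerts, mode) * hourly_cost


def annual_savings(alerts: list[PhishingAlert], hourly_cost: float = 75.0,
                   weeks: int = 52) -> tuple[float, float]:
    """Hours and dollars saved per year by moving from manual to automated response."""
    hours = (weekly_hours(alerts, "manual") - weekly_hours(alerts, "automated")) * weeks
    return hours, hours * hourly_cost


if __name__ == "__main__":
    week = constructed_week()
    for mode in ("manual", "automated"):
        print(f"{mode:>9}: {weekly_hours(week, mode):5.1f} h/week, "
              f"${weekly_cost(week, mode):,.0f}/week")
    hours_saved, dollars_saved = annual_savings(week)
    print(f"annual saving: {hours_saved:,.1f} h, ${dollars_saved:,.0f}")
    print("true-positive actions:", run_playbook(week[0]))
    print("false-positive actions:", run_playbook(week[-1]))
```

Swap in your own counts and timings in `constructed_week` and `MINUTES_PER_INCIDENT` to reproduce the step 2 baseline for your SOC; the manual path reproduces the article's 59 hours and $4,425 per week exactly, while the automated path yields 11.8 hours rather than the rounded 10.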

Obviously, there are many other use cases that can benefit from automation. By highlighting phishing, which causes so many headaches for all us security professionals, I hope you can see just how much of a game-changer automation can be for any SOC or CSIRT, including yours.
