Automation can’t be just about running the process, but must include three important stages
I’ve written a lot about the challenges their Security Operations Centers (SOCs) face with respect to data, systems and people as they transform to become detection and response organizations. The key elements required include relevant and prioritized data, bi-directional integration across systems, and passive and active collaboration. What brings it all together, particularly given the shortage of security personnel, is automation.
New product categories have emerged to tackle the automation challenge, including Security Orchestration, Automation and Response (SOAR) platforms and tools and Extended Detection and Response (XDR) solutions. But the truth is, the security industry’s approach to automation has overlooked the vastly different needs of detection and response use cases because the focus has been on defining a process and automating the steps needed to complete that process. That works fine if you’re in a static environment doing the same thing over and over again. But for detection and response, which is dynamic and variable, that’s not the case. What is learned from performing an action is far more important than the action itself, so you need to look at inputs and outputs to the process.
Think of it this way. Elite athletes know how to play their sport of choice and when they’re engaged in the process muscle memory plays a role, pushing them through the motions faster and more smoothly. But diet, exercise and environment have a dramatic impact on performance as does learning from the results – watching and analyzing tapes and incorporating feedback from coaches in order to make adjustments and improve. Eventually athletes plateau and teams get in a rut. To take their performance to the next level, they make more changes to the inputs based on data and learnings. So, the inputs and outputs drive the process and fuel desired results.
That is how we need to think about automation to accelerate modern SOC operations for detection and response. Automation can’t be just about running the process, but must include three important stages:
1. Input – Define what should have actions taken upon it and when those actions should occur.
2. Run – Perform the course of action or defined process through to completion.
3. Output/feedback – Record what is learned for analytics and to improve future response.
To break this down a little further, input involves determining the right criteria and triggers for the process. This starts by automatically aggregating the right internal data into a central repository so analysts can gain a comprehensive understanding of the threat they are facing and what they must defend. Analysts can augment and enrich this data automatically with threat data from the multiple sources they subscribe to – commercial, open source, government, industry, existing security vendors – as well as with frameworks like MITRE ATT&CK. Combining and correlating internal and external data, and applying an automated scoring framework, allows you to prioritize what action to take based on what is relevant for your organization.
With the right inputs, now you can simplify actions taken and run the right process. You are able to focus on what really matters to your organization instead of wasting time running processes that aren’t necessary or effective against the latest threat. You can deploy the right intelligence to the right tools, immediately and automatically updating your sensor grid and alleviating much of the manual and fragmented effort. This data-driven process enables efficient and effective response.
Finally, for detection and response, the output and feedback when performing an action is far more important than the action itself. Defining your desired outcomes and what should be learned from the action taken will improve future response and help strengthen protections against future similar threats. As new data, feedback and learnings are added to the platform, intelligence is automatically reevaluated and reprioritized, which in turn makes the input stage of automation more efficient.
With the security talent crunch and the need to conduct advanced security operations like detection and response, automation is a key strategy. But for efficiency and effectiveness, automation must take a data-driven approach and encompass how we initiate and learn from the response, not just how we execute the process. That’s how we unleash the full power of security automation.
Related: Putting the Pieces Together for Extended Detection and Response