When automation is balanced between humans and machines, we can ensure teams always have the best tool for the job
As Security Operations Centers (SOCs) narrow the focus of their mission to become detection and response organizations, they need three main capabilities in place to prepare their SOC of the future. I’ve talked about the first two already – a data-driven approach to security and an open integration architecture. When security is data-driven, teams have the context to focus on relevant, high-priority issues, make the best decisions and take the right actions. Data-driven security also provides a continuous feedback loop so that teams can capture and use data to improve future analysis. An open integration architecture enables data to flow throughout the infrastructure and ensures systems and tools can work together.
The third building block for the SOC is automation. Some people talk about automating everything within a SOC. However, that can lead to many challenges. A balanced approach to automation is needed because SOCs are nothing without the expert analysts that run them. Balancing automation with human intelligence and analysis allows teams to always have the best tool for the job. Repetitive, low-risk, time-consuming tasks are prime candidates for automation, while human analysts take the lead on irregular, high-impact, time-sensitive investigations with automation simplifying some of the work.
The benefits of balanced automation are many, and include retention and better utilization of scarce, highly skilled human resources and better outcomes because you can work faster and smarter. A balance between human and machine can also alleviate the fear of being burned when machines quarantine a system or block a port on a firewall in error. In turn, this builds confidence to move forward with more automation and strike the right balance for your organization, which results in another benefit – cost savings. The Cost of a Data Breach Report 2021 looked at the average cost of a data breach by security automation deployment level and the findings were eye opening. The average cost of a data breach dropped from $6.71 million for organizations with no security automation, to $3.85 million for organizations with some level of security automation.
What does balanced automation look like?
We know any discussion about the future of cybersecurity must include automation, but what does balanced automation within the SOC look like? We see it come into play in all phases of security operations.
Detection. Adversaries have become craftier and shifted tactics to achieve their goals. So, detection has evolved from finding the one control point or system where the attack is being triggered, to the multiple points across the enterprise that are involved – and time is of the essence. With an open integration framework, data from disparate internal sources can be automatically aggregated, augmented and enriched with external threat data from the multiple sources the organization subscribes to – commercial, open source, government, industry and existing security vendors. When all this data is presented on a single screen, and prioritized based on parameters security teams set, it’s easier and faster for analysts to identify relationships and detect malicious activity across the enterprise.
Investigation. Automating many of the initial and repetitive aspects of detection accelerates the investigation process, which is best driven by humans. Bringing intuition, memory, learning and experience to the process, analysts contextualize correlated data with internal and external enrichment sources, such as the identity of the impacted user and the MITRE ATT&CK framework. For instance, if targets include the finance department, human resources or the C-suite, this could indicate a more serious threat. From there, they can pivot to external data sources like MITRE ATT&CK that describe campaigns, adversaries and their tactics, techniques and procedures (TTPs), to learn more about the malware and then expand the search further. If they discover an indicator is associated with a specific campaign or adversary, are there associated artifacts to look for in other tools to confirm the presence of malicious activity? What other intelligence can be deployed to the infrastructure for future blocking? This complex level of investigation requires human effort augmented by automation. It’s the most effective and efficient way to validate data and findings, connect the dots and reveal a broader picture that includes all impacted systems, versus a single incident on a single system.
Response. Now, the SOC is poised to execute a comprehensive response. Here too, certain aspects can be automated, like translating and sending data back to the tools across the defensive grid to update policies, rules and signatures. But depending on the security control and the recommended response, sometimes a human is required to review and validate the recommendations within the context of their own environment before executing. And when it comes to critical, legacy systems such as those that are pervasive across industrial environments, a human must walk through the process to make sure any actions will have no operational impact and, if so, identify and implement a compensating control. Closing the loop, a modern approach to response must also include the ability to capture and store data from the response for learning and improvement. This should include automated updates to data and actions, as well as analysts adding comments about their observations.
There is a reason why security teams have shied away from automation for many years; things can break. But when automation is consciously balanced between humans and machines, we can ensure teams always have the best tool for the job. And when coupled with a data-driven approach to security supported by an open integration framework, the SOC has the foundation it needs to work more efficiently and thoroughly to better manage risk today and in the future.