Security automation: Time for a new playbook

From increasingly sophisticated threats to the mad concoction of on-premise and cloud solutions that comprise most organizations’ IT infrastructure and the plethora of new IoT devices and a highly distributed workforce, enterprises and government agencies face a wide range of challenges that make cyber threat detection and response more difficult than ever before.

Simultaneously, the cybersecurity industry is facing a shortage of skilled workers, putting increasing strain on enterprise security teams and their ability to effectively identify and respond to threats.

Considering this contextual backdrop, Security Orchestration, Automation and Response (SOAR) products offer an appealing solution, promising efficiencies in detecting and responding to threats. However, organizations need to understand how these solutions can also introduce new challenges if not implemented correctly. Without proper planning, organizations adopting security automation tools can fall victim to common missteps that quickly lead to less efficiency and a weaker security posture.

Introducing SOAR

When introducing SOAR tools to an organization, the most important first step isn’t how the solution is configured, or the act of connecting it to other systems, or even determining what data sources it needs to integrate. The most important first step is having mature security processes on which to build. Simply taking the pre-built playbooks or automation scripts that SOAR vendors provide and plugging them into your environment will seldom yield the desired results.

Start by examining the processes and procedures your organization’s security team already has in place and identify the tasks that consume the majority of team member’s time. These will be the key use cases where SOAR can provide the most benefit by applying efficiency, speed and consistency. For example, in many organizations this might include processes such as looking up asset information or reviewing additional data points related to a security alert or a reported phishing email.

It could be the process of pulling data on what’s running in memory on a device and adding that detail to an existing incident management ticket to assist in an investigative decision. Or it could be isolating hosts or blocking an IP range on the network in order to stop a threat from spreading. These are all common use cases that can be effectively automated, but only if the underlying processes and procedures are mature and well-defined.

Different categories of automation require different levels of maturity in the underlying processes. If you plan to introduce any type of automated response – such as automated threat containment – you must be absolutely certain that the underlying processes are mature, or it could have a greater than intended impact the availability of systems and people. Mature processes are those that have been proven, measured, inspected and performed iteratively at volume that you can understand and account for any variance in the way it works.

In a mature process you also understand how actions will impact downstream systems. Otherwise, if you apply automation to a process that is not mature and an edge case occurs, your automation may cause your own denial of service, potentially impacting critical systems.

One of the best areas to begin applying automation is within an organization’s security operations center (SOC) to speed the process of pulling together threat intelligence and asset information from several different sources to aid in the investigative and triage process for threats. Because it involves information gathering rather than performing a response, this scenario introduces less risk while still providing significant gains in efficiency by quickly bringing data from various sources into one view for SOC analysts to interpret and make decisions.

A related area that can benefit from SOAR is incident management where applying SOAR tools to the process of gathering information, artifacts and audit logs related to incidents can not only speed responses but also help improve process maturity by ensuring consistent documentation and record collection is taking place during the incident management process.

I often encounter security professionals who have an idea of what they want to automate, and they jump straight into applying SOAR solutions around that idea – this can work, but often does not scratch the surface of the potential power of SOAR for the organization. Even when starting with a single use case, I recommend mapping out the idea into a process flow, then turning that process flow into a playbook for automation that can run in a supervised mode. That way, you have an iterative plan for how to mature that process before you run it in an autonomous mode (or iteratively less supervised modes).

Conclusion

Introducing SOAR to an organization’s security operations is rarely a simple undertaking, and the complexity should not be underestimated. If you don’t plan for adequate resources and expertise up-front to implement this technology, you won’t get the return on investment (ROI) you are expecting, and certainly not on the timeline expected.

The SOAR implementation must also be managed and maintained over time, as it will need to continually evolve as your environment changes. Organizations that don’t have the staff or the skill sets on their security team to adequately maintain the SOAR implementation may benefit from a consultative and managed services model that can keep it functioning properly over time.

Ultimately, automation should be viewed as an outcome amplifier for the security team – not as a replacement for the security team itself. With proper planning, you can identify the most mature processes that your team performs often and map out detailed playbooks for automating them. These will introduce the least risk and provide the most benefit by creating greater efficiencies, enhancing your security team’s skills and freeing up their time to perform higher-level functions.