Automating SOC operations: tips for embarking on an XDR journey
February 2023 by Gigi Schumm de ThreatQuotient , Vibin Shaju, de Trellix, spécialiste du XDR et Mike Saurbaugh, de Cofense
Cybersecurity automation is a hot topic as organisations wrestle with the challenges of increasing attack volumes, cybersecurity skill shortages, and how to make the best use of limited resources to protect the enterprise. However, when it comes to implementing automation with a target of achieving XDR, it can be hard to know where to start and how to build a case for investment.
In our recent webinar, ThreatQuotient’s Gigi Schumm chaired a discussion with two experts in automating cybersecurity, Vibin Shaju from XDR specialists Trellix and Mike Saurbaugh from email security firm Cofense. Vibin and Mike shared valuable insight on what we mean by automation, the key drivers behind it, and tips for getting started.
What’s the value proposition for cybersecurity automation?
At its heart, IT has always been about automation. We use technology to complete tasks faster and more accurately, whether by sending an email rather than a physical letter or completing calculations through spreadsheets rather than with an abacus. When it comes to cybersecurity, it has been common practice to create small, individual automated solutions to small problems. The issue is that now our security problems have grown exponentially, and we need bigger and more intelligent automation solutions such as XDR that, crucially, place the right value on human expertise. Vibin explained: “We cannot have expensive, hard-to-find human resources doing repetitive tasks that machines are more suited to; we want to make sure the people in the SOC focus on key areas where human interpretation of context is important. We don’t want humans doing repetitive tasks that lead to burnout.”
Automation can also help reduce the signal-to-noise ratio and maintain the SOC’s reputation for being able to act in a rapid time frame. Mike points to the example of phishing, where a great use case for automation is identifying genuinely suspicious emails among the high volume of alerts so the SOC can prioritise its focus areas. This means attacks can be identified more quickly, limiting the time the adversary has within the network.
When correctly implemented, automation frees analysts to concentrate on higher value activities and ultimately have a more fulfilling, less mundane role. In turn, this helps organisations retain cybersecurity talent. This is central to the value proposition of automation, alongside the improvements in effectiveness and efficiency that are also key drivers for automation adoption.
Should we automate everything?
There is a temptation to think that if a little of something is good, more of it must be better, but is this true of automation?
No, says, Vibin. Before you start down the path of automation, you need to know where you’re starting from and what to prioritise. He recommends businesses undertake a SOC analysis to understand where the team is spending the most time and whether this is an area that can be automated, or whether a change in strategy is needed. For example, he explained: “If I am seeing a lot of detection coming from the web proxy, is there something wrong with my strategy for protecting web traffic? Or do I not have the right tech in place when it comes to email if a lot of alerts are coming from that area?”
Armed with this data, the SOC is better placed to identify targets for automation. But should the SOC just hand over the whole process from identification to remediation?
Mike advised that before you let automation take over, you need to have confidence in the credibility of the data that is driving the decision and the consequent action that will be taken. If you are confident that the information you’re getting is accurate, you can set up an automated process to act on that data, such as quarantining endpoints of blocking at the firewall. Initially, you will need human oversight to sanity-check the actions and outcomes, but once you have configured it the right way, with good data, you can let automation take over. Mike advises a crawl-walk-run approach that keeps people involved at the outset, but uses them in the most valuable way, saying: “This is about finding creative ways to use your people better based on the information you have.”
On the topic of data, it must be meaningful and relevant to the industry the business operates in. Both Vibin and Gigi agreed that quality data beats quantity every time, and it can be used to prioritise responses to vulnerabilities and threats.
How to build the budget case for automation and identify ROI opportunities
To secure budget for automation investment, you need a clear picture of what you will achieve and a sense of what drivers will appeal to budget holders.
Managing headcount is a key area where organisations typically focus, and here Mike advises building a case that documents where employees are currently spending a large amount of time and where - rather than hiring additional personnel - the burden can be lifted through automation.
Investment in managed services is also an option here. Where in-house resources are struggling to manage their workload, a case can be made for outsourcing aspects of the SOC so in-house analysts need only be involved when there is a material issue to manage. This frees up their time and increases the human resources available.
Quantifying the expected benefits of deploying automation is also a useful tactic. By automating vulnerability management, for example, organisations can reduce the time between exposure and protection, thereby limiting the risk to the business. With risk management becoming a key area of board focus, this can be a compelling argument for investing in intelligent automation.
Where to start with automation?
Rolling out cybersecurity automation can seem a daunting prospect, but our panel agreed that it is a journey, not a destination, and should be approached that way.
“You don’t have to buy anything – start small,” advised Vibin. “Work with what is there and get the right processes in place. Once you have right processes in place around what you have already invested in, then you can consider buying the more advanced solutions if you see the need.”
“XDR is not a technology,” he continued. “It cannot be bought; it is a journey with many components.”
Mike agreed, saying: “You need a build versus buy mentality. Organisations have a lot of products, so make sure you have exhausted those before you look for anything else. Find where you have gaps in what you’re doing today.”
Gigi also noted that overcoming team and data siloes is a key step toward effective automation: “Having the ability to bring all that data together, to have the fuller picture and get context, that is where we see the real benefits.”