Taming the Security Alert Tsunami with Automation

by in Security

Are you running a Security Operations Center (SOC) that handles hundreds or thousands of alerts? Are your analysts unable to cope with a tsunami of events and eventually get burnt out? Are they unable to zero in on events of interest at speed and scale?

If the answers to any of the above questions is a yes, it is probably time to consider adding automation to your SOC ecosystem.

Nowadays, most modern next-generation SOC platforms such as ArcSight ship with native Security Orchestration, Automation and Response (SOAR) capabilities. While automation does make things simpler in the long term, it needs careful planning and a clear strategy.

Security Automation > What, When, Where and How

If you feel lost trying to figure out where to get started with this, you are not the only one.

To identify tasks or activities that can be automated, start with an inventory of the tasks and activities that your L1 function performs, and out of those, identify the ones that are repeatable in nature and have reversible outcomes (i.e., an analyst can cleanly undo the action if the alert turns out to be a false positive).

Typically, tasks in which you can use SOAR fall broadly under these categories.

  • Enrichment: add context or additional information to the event that is being collected; this is by far the most popular SOAR use case.
    • e.g., compute the hash of a file and look it up, do a ‘whois’ lookup on a source IP, fetch a user’s details from LDAP
  • Orchestration: start or stop a certain service or process on an endpoint
    • e.g., stop a suspicious process, restart a service, or trigger an on-demand scan on the endpoint
  • Remediation: take an action to contain or correct an incident
    • e.g., disable a user in the directory
  • Case management: tracking of the end-to-end triage process
    • e.g., tagging findings, evidence, documentation, and triage process management
  • Reporting: reporting on the SOC’s operational parameters
    • e.g., heat maps, situation reports, etc.

Points to watch out for while implementing SOAR

Automation works best in mature and stable environments. While SOAR solutions make your SOC function more efficiently, they are not a replacement for your L1/L2 function. Below are four common pitfalls to watch out for while implementing a SOAR platform in your SOC.

Trying to automate everything at one go

With so many manual processes and staff in short supply, it can be tempting to go all in on security automation. But if you are just starting out, identify processes that are prime candidates for automation and implement automation in those areas first. From there you can determine how to continue forward on the automation component of your journey.

Also, it is practically impossible to automate everything. Many of the complex cases still need the hands-on, critical thinking that can only come from an experienced and well-trained security analyst. So, any SOAR implementation is always about finding the right balance of machine-led and analyst-led activities for your particular SOC.

Not mapping out incident response processes

Only processes that have predictable and reversible outcomes should be considered for automation. SOAR solutions can automate security operations processes, but automation applied in an unplanned and uncontrolled manner can result in complete chaos (an auto-remediation that disables a service account, or isolates a server that turns out to be a false positive, can cause more damage than the alert it was reacting to). To avoid this pitfall, security operations teams need to devote considerable time to outlining and mapping their processes before building playbooks, and to deciding explicitly which actions may run unattended and which must wait for an analyst.
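The following is an added, illustrative playbook that ties the category list above (enrichment feeding a decision, then remediation) to the reversibility rule in this section; it is not code from this post or from ArcSight. The threat-intel, WHOIS and LDAP lookups are replaced with constructed in-memory tables (the hashes, IPs and user names are made up), so it runs offline. The point it demonstrates: reversible actions execute automatically, while irreversible ones, and reversible-but-high-impact ones that enrichment flags (here, disabling a privileged service account), are queued for analyst approval instead of being fired blindly.

```python
"""
Illustrative SOAR-style playbook: enrichment -> decision -> gated action.
Constructed example; the lookup tables below stand in for the threat-intel,
WHOIS and LDAP services a real playbook would query over the network.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed sample data (not real indicators). 198.51.100.0/24 and
# 203.0.113.0/24 are IETF documentation address ranges.
MALICIOUS_SAMPLE = b"constructed malicious sample"
KNOWN_BAD_HASHES = {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()}
WHOIS_DB = {"198.51.100.23": {"org": "Example Hosting Ltd", "country": "ZZ"}}
LDAP_DB = {
    "jdoe": {"title": "Finance Analyst", "privileged": False},
    "svc-backup": {"title": "Backup service account", "privileged": True},
}


@dataclass
class Action:
    name: str
    target: str
    reversible: bool  # can an analyst cleanly undo this if the alert was a false positive?


@dataclass
class Alert:
    alert_id: str
    user: str
    src_ip: str
    file_bytes: bytes
    context: dict = field(default_factory=dict)


def enrich(alert: Alert) -> Alert:
    """Enrichment: hash the file, 'whois' the source IP, look the user up in the directory."""
    sha256 = hashlib.sha256(alert.file_bytes).hexdigest()
    alert.context["sha256"] = sha256
    alert.context["hash_known_bad"] = sha256 in KNOWN_BAD_HASHES
    alert.context["whois"] = WHOIS_DB.get(alert.src_ip, {"org": "unknown", "country": "unknown"})
    alert.context["ldap"] = LDAP_DB.get(alert.user, {"title": "unknown", "privileged": None})
    return alert


def decide(alert: Alert) -> list[Action]:
    """Map enriched context to candidate actions. Nothing is executed here."""
    if not alert.context["hash_known_bad"]:
        return []
    return [
        Action("quarantine_file", alert.context["sha256"], reversible=True),
        Action("block_ip", alert.src_ip, reversible=True),
        Action("disable_user", alert.user, reversible=True),
        Action("reimage_host", alert.alert_id, reversible=False),
    ]


def needs_approval(action: Action, alert: Alert) -> bool:
    """Gate: irreversible actions, and reversible-but-high-impact ones, wait for an analyst."""
    if not action.reversible:
        return True
    # Disabling a privileged/service account is technically reversible but can
    # take down a production workload, so the LDAP enrichment routes it to a human.
    if action.name == "disable_user" and alert.context["ldap"].get("privileged"):
        return True
    return False


def run_playbook(alert: Alert) -> tuple[list[Action], list[Action]]:
    """Return (actions executed automatically, actions queued for approval)."""
    enrich(alert)
    executed, pending = [], []
    for action in decide(alert):
        if needs_approval(action, alert):
            pending.append(action)   # would open a case-management task here
        else:
            executed.append(action)  # would call the EDR / firewall / directory API here
    return executed, pending


if __name__ == "__main__":
    alert = Alert("A-1001", "svc-backup", "198.51.100.23", MALICIOUS_SAMPLE)
    done, waiting = run_playbook(alert)
    print("auto:", [a.name for a in done])
    print("approval needed:", [a.name for a in waiting])
```

Running the block as a script shows the service-account case: the file quarantine and IP block go through unattended, while disabling the privileged account and reimaging the host wait for a human. The same design applies regardless of which SOAR product executes the playbook; what matters is that the approval gate is an explicit, reviewable decision rather than something buried in a long chain of automated steps.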

Incident response processes that are ‘cast in stone’

You cannot get everything right the first time. Even if you have devoted a lot of time and energy designing a particular incident response playbook, there is still a good chance it will not turn out to be perfect. Besides, the tactics, techniques, and procedures (TTPs) of cyberthreats evolve with time. Thus, you need to adapt and incorporate changes accordingly.

Expecting SOAR to be a wonder drug

There is no magic cure for all the challenges security operations teams face. SOAR holds the promise of driving process improvement, increasing efficiency and maximizing effectiveness for enterprise SOCs. As such, as you embark upon a SOAR implementation project, be sure to be clear on how it can best enable your team to maximize the use of the security tools you already have, empower your existing team, and inject new structure to your processes and techniques. 

More information:

See how to SOAR your SecOps efficiently and automate repetitive security activities to reduce response times in our new ArcSight demo, filmed at Micro Focus Universe.

Have technical questions about Security Operations? Visit the ArcSight User Discussion Forum. Keep up with the latest Tips & Info about Security Operations. Do you have an Idea or Product Enhancement Request about ArcSight? Submit it in the Idea Exchange. We’d love to hear your thoughts on this blog. Log in or register to comment below.
