For Security Analysts working in a Security Operations Center (SOC), one of the biggest issues is alert fatigue. Poorly tuned alerts lead to an overload of information, where an ocean of false positives can drown out the true malicious activity. The alerts themselves often consist of raw log data, which an analyst must manually sort through to determine what happened. Once the analyst has made their decision, the myriad of additional steps to remediate a threat and then create and send a report to the involved parties can take hours. These issues can all be mitigated with security automation.
When we talk about automation, the goal is not to completely replace the analyst. We are instead trying to empower the analysts to more quickly and effectively complete their investigations. When an analyst sees an alert, the most relevant data from that alert should be immediately visible, with additional enrichment where applicable. When an analyst must escalate an alert, the relevant information should be automatically pulled into a template which can be quickly handed off. By becoming familiar with high-level security automation concepts, you will be better equipped to automate tasks within your own analyst workflow.
SOAR stands for Security Orchestration, Automation and Response. A SOAR platform plays a similar role in a SOC’s toolset to a SIEM tool (Security Information and Event Management), being a place to aggregate and manage alerts. The difference is that SOAR platforms are specifically focused on automation of analyst workflows, often with an emphasis on “no-code” playbooks, allowing you to create complex automation scripts in the frontend, without any coding expertise required. Some SOAR platforms, such as Splunk Phantom, are simply an extension of an existing SIEM tool. Other tools are more platform agnostic, allowing a more diverse suite of tools to be integrated into automated workflows. I recommend reading the Gartner 2020 Market Guide for SOAR Solutions for an in-depth analysis of SOAR products.
While a SOAR tool can provide great value when employed correctly, a dedicated automation platform is not necessarily required to begin automating SOC tasks. Chances are your existing alert management, ticketing, or other security tools already support some level of automation, and that is usually the best place to start. Always make sure you are making the most optimal use of your existing tools before you invest time and resources into a new tool. That said, the power of a properly implemented SOAR platform is not to be underestimated, enabling the automation of tons of use cases without writing a single line of code.
Picking Your Alert
The first step towards implementing automation is selecting an alert type to automate. When choosing an alert, some of the following considerations may apply. Which alerts generate the highest volume? Is there an alert type that generates many false positives or duplicates? Is there an alert type that takes a disproportionate amount of time to investigate? And is there an alert whose investigation consists of a set of clear, logical, repeatable steps? These alerts are prime candidates for automation and should be the first to be considered in this process.
Know Your Alert
Once you have selected your alert type to automate, it is time to familiarize yourself with that alert. Gather as many samples of that alert as you can and compare their data. You should have at least two or three instances of the alert, ideally with different outcomes, such as false positive, true positive, escalation, etc. What similarities do they share with each other? Are there any outliers? Which tool or device generates this alert, and what are the specific conditions that trigger it? If the alert generates duplicates or batches, which fields vary or remain constant? What format is the data stored in, and how is that data presented to the analyst? These insights will allow you to implement proper deduplication of alerts and parse out the most relevant data, saving time otherwise spent sorting through dozens of identical alerts.
Analyze Existing Workflow
Now that you are familiar with the alert data itself, the next step is to evaluate the investigation steps that were completed by the analyst while working the sample alerts. How long does it take on average to complete an investigation? Which steps tend to take the longest? Do any of the steps consist of logical, repeatable actions? Once you have answered these questions, it should begin to become clear where the biggest bottlenecks in your workflow are located. Targeting these bottlenecks will give the greatest return on your investment of resources.
Identify Specific Actions to Automate
When an alert’s data is organized effectively, it can often be quickly determined whether an alert indicates malicious activity. However, the follow-up actions an analyst must take to mitigate a threat or further escalate an alert can be quite extensive and time-consuming. Lots of time is spent copying notes around, writing reports, pasting alert data into report templates, and sending that information out in an email or ticket. These actions can often be significantly sped up by automatically pulling alert data into a template that the user can quickly send to the relevant parties. Another example is searching through log data to further enrich an alert. Say you have detected a potential port scanning attack, and you want to check if any traffic was allowed into your internal network from the external IP address. You can set up a search template to automatically see if any traffic was allowed and take actions based on the findings. These relatively small changes add up to drastically decrease investigation time.
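As an added example (not code from the original article), here is a small Python playbook that covers the steps described in this section and in Know Your Alert: deduplicating a batch of port-scan alerts, running the "was any traffic allowed from this source?" search, and pulling the result into an escalation template. The alert field names, the key=value firewall log format, and the severity rule are assumptions, and all sample data is constructed.

```python
from string import Template

# Constructed sample alerts: three port-scan detections as a SIEM might emit them
# in a batch. Field names are assumptions, not any particular product's schema.
ALERTS = [
    {"id": "a1", "rule": "port_scan", "src_ip": "203.0.113.10", "dst_ip": "10.0.0.5", "time": "2024-01-01T10:00:00Z"},
    {"id": "a2", "rule": "port_scan", "src_ip": "203.0.113.10", "dst_ip": "10.0.0.6", "time": "2024-01-01T10:00:02Z"},
    {"id": "a3", "rule": "port_scan", "src_ip": "198.51.100.7", "dst_ip": "10.0.0.5", "time": "2024-01-01T10:05:00Z"},
]
# Constructed firewall log lines (key=value) used for enrichment.
FW_LOG = """\
2024-01-01T10:00:01Z action=DENY src=203.0.113.10 dst=10.0.0.5 dport=22
2024-01-01T10:00:03Z action=ALLOW src=203.0.113.10 dst=10.0.0.6 dport=443
2024-01-01T10:05:01Z action=DENY src=198.51.100.7 dst=10.0.0.5 dport=3389
"""
def dedupe(alerts, key_fields=("rule", "src_ip")):
    # Collapse a batch into one record per (rule, src_ip); the fields that vary
    # across the batch (dst_ip, id) are aggregated instead of repeated.
    groups = {}
    for a in alerts:
        g = groups.setdefault(tuple(a[f] for f in key_fields),
                              {"rule": a["rule"], "src_ip": a["src_ip"], "ids": [],
                               "targets": set(), "first_seen": a["time"]})
        g["ids"].append(a["id"])
        g["targets"].add(a["dst_ip"])
        g["first_seen"] = min(g["first_seen"], a["time"])
    return list(groups.values())
def parse_fw(log_text):
    # Parse "ts k=v k=v ..." lines into dicts (timestamp dropped; not needed here).
    return [dict(p.split("=", 1) for p in line.split()[1:]) for line in log_text.splitlines()]
def enrich(alert, fw_rows):
    # The "search template": was any traffic from src_ip ALLOWed inbound?
    allowed = [r for r in fw_rows if r["src"] == alert["src_ip"] and r["action"] == "ALLOW"]
    alert["allowed_flows"] = allowed
    alert["severity"] = "high" if allowed else "low"
    return alert
REPORT = Template("[$severity] $rule from $src_ip hit $n_targets host(s) "
                  "(first seen $first_seen); allowed flows: $allowed")
def render(alert):
    # Pull the enriched alert into the escalation template.
    flows = ", ".join(f"{r['dst']}:{r['dport']}" for r in alert["allowed_flows"]) or "none"
    return REPORT.substitute(severity=alert["severity"].upper(), rule=alert["rule"],
                             src_ip=alert["src_ip"], n_targets=len(alert["targets"]),
                             first_seen=alert["first_seen"], allowed=flows)
def triage(alerts=ALERTS, log_text=FW_LOG):
    # Full pipeline: dedupe -> enrich -> render, one report line per unique source.
    fw = parse_fw(log_text)
    return [render(enrich(a, fw)) for a in dedupe(alerts)]
```

Running `triage()` turns the three raw alerts into two report lines, with the source that was actually allowed through flagged HIGH and the one that was fully denied flagged LOW.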
In the process of automating analyst workflows, it is important not just to trust the data but also to talk to the analysts themselves. After all, they are the ones who live with the processes put in place and are often all too familiar with the various bottlenecks in their workflow. The analysts are your best resource for identifying the most relevant automation use cases, as well as for feedback on the performance of existing automation capabilities. By continuously working with your analysts throughout the automation process, you can create a positive feedback loop that results in a much stronger and more mature operation.
Many companies make the mistake of diving into automation headfirst, buying an expensive SOAR tool and trying to integrate as many tools and processes as possible without considering where the real bottlenecks in their workflow are. This often results in an unstable platform that does not serve the needs of the analysts, sometimes even hindering operations when the automated tasks fail to function as intended or cause some unforeseen side-effects. By approaching security automation with a process-focused mindset and the analysts’ feedback at heart, you can create a workflow that works for you, not against you. Once you break the cycle of analyst fatigue and workflow woes, you can dedicate more time to alert development, tuning, research, and other activities that move your SOC forward.