The 2020 Devo SOC Performance ReportTM presents security professionals’ responses to a variety of survey questions related to people, processes, and technologies within their security operations center (SOC). One of the more interesting topics in the report is the role security automation technologies can play in improving SOC performance and alleviating analyst stress caused by overwork and performing repetitive, mind-numbing tasks, which can lead to analyst burnout.
Respondents were asked to choose which actions they felt could alleviate the pain and frustration experienced by SOC teams. Automation was the top response.
This post covers three use cases SOC teams can address by automating analyst workflows:
- Detect previously seen “known threats” without analyst intervention
- Validate the severity of threats for proper prioritization and resolution
- Augment Tier-1 analysts to improve team retention and effectiveness
Use case #1: Detect already-known threats — without analyst intervention
The key to successfully deploying automation as part of a next-gen security information and event management (SIEM) solution is identifying the areas of SOC analyst workflow where automation can be most effective. One of the best use cases for automation in the SOC is detecting known threats—malicious code that has been seen previously. Security teams can build playbooks to effectively automate the mundane steps related to detecting those known threats. This gives analysts, especially well-paid senior analysts, more time to focus on higher-level, critical tasks.
Use case #2: Validate the severity of threats for proper prioritization
Threat actors use automation to deploy constantly changing advanced persistent threats (APT) in their unending effort to breach enterprise security. They automatically execute a flood of attacks and diversions that can overwhelm even the best human analysts. It’s time for SOCs to use automation to thwart these efforts and level the playing field.
Every SOC typically has an explicit incident-handling procedure in place, defining processes, procedures, and technologies. When analysts see threat activity, the SOC automation playbook goes into action to validate how serious a threat is and any damage it may have caused. Without an automation playbook, analysts would have to do a tremendous amount of manual work, such as searching firewall logs to see if all malicious activity was successfully blocked. This would give adversaries more time to accomplish their missions. Automation is a big step toward eliminating that advantage.
Use case #3: Augment and power up your Tier-1 analysts
When security analysts hear the word automation, they may jump to the conclusion that it means they will be replaced by machine learning and artificial intelligence technologies. That’s not what I’m proposing. I’m talking about how automation can augment analysts, particularly the Tier-1s who spend a lot of time glued to screens searching for threats and hoping they don’t miss anything that could cause a major problem.
Automation makes the SOC operate more effectively and efficiently, while freeing analysts from routine, boring tasks no one wants to do and which contribute to unacceptably high levels of burnout. Automating those mundane tasks enables analysts to do what they do best—focus on the threats that really matter to their organization.
Automation also can enhance junior analysts’ career development. Automating routine tasks gives Tier-1 analysts more time for training and development. It enables them to collaborate with experienced colleagues on the critical work of identifying and stopping the most dangerous threats. Organizations get a team of better trained, more experienced analysts who have greater job satisfaction. This means they are more likely to stay with the organization long term because they know they are making a meaningful contribution to its success.
For more insights on SOC technology, including how to supercharge analysts with the power of automation, download the new Devo eBook Building the Modern SOC.