Security Operations / By Jason Mical You’ve probably heard by now that we face a severe shortage of cybersecurity professionals with the skills and experience necessary to effectively defend against today’s—and tomorrow’s—threats. Cybersecurity Ventures estimates there will be 3.5 million unfilled jobs globally by 2021. Fortunately, there are key areas of the SOC workflow that can be automated to take advantage of security analyst intuition and act as a force multiplier. The Incident Investigation and Response Workflow Most security incident investigations follow a common process. There are prescribed steps that virtually every security analyst uses as a basic framework to uncover and analyze relevant details. There is also another crucial element—the intuition of the analyst. As the analyst goes through the incident investigation and response workflow, there are multiple directions they can take depending on what they find and where the evidence leads. Part of the issue that organizations face—especially with the looming shortage of skilled cybersecurity professionals—is duplication of effort and the fact that not all analysts have the same set of skills or intuition. Even when dealing with a similar incident, analysts are starting from scratch and performing redundant investigation and analysis to reinvent the proverbial wheel. Security Automation and Orchestration Falls Short This is where artificial intelligence and automation make a significant difference. One way organizations are addressing the volume of security events and the shortage of skilled cybersecurity professionals is through SOAR (security orchestration, automation and response) solutions. The basic premise of SOAR is that it is able to implement playbooks to automate the response for specific alerts against specific technologies. That is fine for known issues—issues that the SOAR vendor has previously identified and for which it has developed detection and response capabilities. Unfortunately, it doesn’t work for new, previously unseen issues. Capturing Security Analyst Intuition What about new or emerging threats that a SOAR solution would miss? Many organizations have at least one analyst who is skilled and knows how to conduct triage and investigation. But one individual cannot do it all. You need to be able to capture those insights so less experienced analysts can benefit from the expert’s knowledge. As a skilled security analyst goes through investigation and incident response, they will perform a variety of routine or mundane steps to explore the available information. They will discover indicators of exploit or compromise they deem valuable or worth further exploration. Eventually, they will uncover the threat and take steps to remediate it. You can capitalize on that security analyst intuition. Devo records every step of the workflow as the analyst goes through the incident investigation and response process. If they are satisfied with the results, they can save the steps to capture and record the entire workflow. Devo provides a framework for intelligence sharing. The indicators associated with a given threat can be leveraged internally, and they can be shared with the broader community. Information can be anonymized and shared with the Devo community, or with information sharing and collaboration frameworks such as MISP. Automating Cybersecurity Workflow When you are responding to a security incident, speed is crucial. The faster you can identify a threat and take action, the more likely you will avoid—or at least minimize—any potential fallout. The ability to recognize previous patterns and indicators and initiate a curated, automated response enables junior analysts to take advantage of and learn from more experienced security analysts and, even more importantly, improves cybersecurity for the organization. The recorded workflow is comprised of keywords, labels and useful case notes collected to help navigate similar future incidents. Artifacts from the investigation are automatically gathered and archived as well. The platform automates redundant, repeatable actions. It also automatically enriches data using established sources of information to help analysts make better decisions. At the same time, analysts still play an important role and are not locked into a given response or workflow. The saved workflows guide analysts and help them navigate through the triage process. At any point, though, analysts have the freedom to break from the workflow guidance and act on their own intuition. By learning successful analyst behaviors and recording the workflow, organizations can automate investigations, improve decision-making, and accelerate the onboarding of new security analysts.