Friend or Foe: How Automation is Changing Security Operations


Almost every Security Operations Center (SOC), regardless of vertical or maturity level, reports nearly the same concerns about its detection and remediation capabilities. Two of the most frequently cited are a shortage of qualified security professionals and an unmanageable volume of security alerts that arrive without context or actionable value. Year after year these items stay at the top of organizations' lists of security concerns, and until recently there was no viable solution to this common problem.

Is Automation the Solution?

Over the last few years the security community has rallied around this problem to develop a solution. By using automation and the advanced capabilities built into today's network and security products, security teams can finally get the support they need to accomplish their security goals.

However, the very mention of the word "automation", in any industry, is met with some level of apprehension. While I was working as a SIEM Engineer for a large Managed Security Service Provider (MSSP), our SOC team was asked to submit the aspects of our jobs that consumed the most time, along with ideas on how those tasks might be automated. After the team meeting, we discussed the topic among ourselves. Even though we sometimes struggled to keep up with our day-to-day responsibilities, we all voiced concern about how this would affect our jobs and whether there would still be a need for us in the future.

Good or Bad?

Somewhere along the way, automation has gained a bad reputation. Even those who would benefit most from its assistance are wary of adopting it, fearing that it will eliminate jobs or be too complex a task to operationalize effectively.

After spending some time brainstorming, the team came up with a list of job functions and ideas on how to build automation around them. Our management took our list and began to implement the ideas.

Throughout the implementation process, we remained apprehensive but hopeful. As more of the changes were rolled out, we noticed some of the benefits right away. By building more automation into our correlation engine and daily duties, we were able to complete more tuning tasks, reduce overall event volume, and spend more quality time with our clients, gaining greater insight into their security programs and collaborating on future projects.

Automation provided another benefit: senior analysts and SOC engineers were able to spend more time on documentation for junior analysts. With a robust knowledge library, junior analysts were better informed about exploit techniques and common patterns, and gained valuable knowledge from their more experienced colleagues. This translated into fewer escalations to senior staff and a general empowerment of our junior analysts.

Senior management also began to see benefits from these changes. We were able to supply more relevant metrics, which drove organizational changes such as increased funding for more analysts, the development and adoption of better technology, and better positioning of existing staff. Needless to say, our initial fears and concerns began to fade, and we could finally see how automation was going to change the future of our jobs and the industry.

Evolving Response Efforts Through Automation

The future is already at our doorstep. With SOCs under growing pressure not only to alert on a potential security incident but also to respond in real time, using automation to carry out actions that an analyst would otherwise perform by hand is unavoidable. As the demand for faster response continues to grow, organizations are turning their attention to Security Orchestration, Automation and Response (SOAR) technologies.

SOAR gives organizations the power not only to automate their security processes but also to execute actions across their environment without human interaction. This evolution in security tooling is a game changer for Security Operations teams. In practice, teams typically let playbooks enrich, deduplicate and close low-risk alerts on their own while keeping an approval step in front of high-impact actions such as isolating a host or blocking an address; automated handling of incidents, with the ability to act on the results without an analyst's intervention, produces a trickle-down effect that benefits every part of the organization.
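The two things described above, automation in the correlation engine that cuts event volume and adds context, and a SOAR playbook that acts on the outcome, fit in a few dozen lines. The following is an added example written for this page, not IncMan SOAR or any vendor's code: the alert list, the asset inventory, the scanner allowlist, the rule names and the action names are all hypothetical. It deduplicates repeated alerts into one alert with a count, enriches each with asset criticality and an allowlist check, decides on an action, and runs low-risk actions unattended while queuing high-impact ones for analyst approval.

```python
"""Toy SOAR-style triage playbook: deduplicate, enrich, decide, act.

Added example with hypothetical data and names; not IncMan SOAR or any
vendor's code.
"""

# Constructed sample alerts, shaped like SIEM correlation-engine output (not real data).
SAMPLE_ALERTS = [
    {"id": 1, "rule": "ssh_brute_force", "host": "web01", "src_ip": "203.0.113.7"},
    {"id": 2, "rule": "ssh_brute_force", "host": "web01", "src_ip": "203.0.113.7"},
    {"id": 3, "rule": "ssh_brute_force", "host": "web01", "src_ip": "203.0.113.7"},
    {"id": 4, "rule": "malware_detected", "host": "db01", "src_ip": "10.0.0.5"},
    {"id": 5, "rule": "port_scan", "host": "web02", "src_ip": "10.0.0.9"},
]

# Hypothetical enrichment sources: an asset inventory and an allowlist of
# authorised internal scanners. In a real deployment these would come from a
# CMDB and the vulnerability-scanner configuration.
ASSET_CRITICALITY = {"web01": "medium", "db01": "high", "web02": "low"}
AUTHORISED_SCANNERS = {"10.0.0.9"}

# High-impact actions are queued for analyst approval instead of running unattended.
REQUIRES_APPROVAL = {"isolate_host"}

BRUTE_FORCE_THRESHOLD = 3  # repeats of one alert before an automatic block


def deduplicate(alerts):
    """Collapse repeats of the same (rule, host, src_ip) into one alert with a count.

    This is the event-volume reduction step: three identical brute-force alerts
    become one alert carrying count=3 and the id of the first occurrence.
    """
    grouped = {}
    for alert in alerts:
        key = (alert["rule"], alert["host"], alert["src_ip"])
        if key not in grouped:
            grouped[key] = dict(alert, count=0)
        grouped[key]["count"] += 1
    return list(grouped.values())


def enrich(alert):
    """Attach the context an analyst would otherwise look up by hand."""
    enriched = dict(alert)
    enriched["criticality"] = ASSET_CRITICALITY.get(alert["host"], "unknown")
    enriched["src_authorised"] = alert["src_ip"] in AUTHORISED_SCANNERS
    return enriched


def decide(alert):
    """Map an enriched alert to a response action.

    Order matters: the cheap false-positive check runs first so documented
    noise never reaches the costly branches.
    """
    if alert["src_authorised"]:
        return "close"             # known internal scanner: documented noise
    if alert["rule"] == "malware_detected" and alert["criticality"] == "high":
        return "isolate_host"      # containment, but gated via REQUIRES_APPROVAL
    if alert["rule"] == "ssh_brute_force" and alert["count"] >= BRUTE_FORCE_THRESHOLD:
        return "block_ip"          # low-risk and reversible: runs unattended
    return "escalate"              # everything else goes to a human


def run_playbook(alerts):
    """Return what the playbook did: actions executed automatically and
    actions parked for approval, each paired with the alert id."""
    executed, pending = [], []
    for alert in map(enrich, deduplicate(alerts)):
        action = decide(alert)
        entry = (action, alert["id"])
        if action in REQUIRES_APPROVAL:
            pending.append(entry)
        else:
            executed.append(entry)
    return {"executed": executed, "pending_approval": pending}


if __name__ == "__main__":
    print(run_playbook(SAMPLE_ALERTS))
```

On the constructed input, five alerts collapse to three: the brute-force group is blocked automatically, the scan from the authorised scanner is closed, and the malware hit on the high-criticality database host is parked for an analyst to approve isolation. The approval gate is the design choice that keeps unattended execution from turning a false positive into an outage; which actions belong in that set is a per-organization decision.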

As this technology continues to be adopted, security professionals in enterprises and MSSPs alike will begin to realize its benefits. Their job duties will evolve from continuous firefighting to proactive response through the development of stronger processes and procedures. It is only natural for anyone, not just security professionals, to be apprehensive about adopting automation, but as its benefits are realized, we will find that automation is our friend, not our foe.

Do you want to see automation in action and the associated benefits it can have on your security operations? Get in touch and ask for your personalized demo, or apply for your free Community Edition of IncMan SOAR and get started today.
