In today’s age of digital transformation, companies are trying to capitalize on the momentum by adding security operations automation and orchestration systems to their SIEM (Security Information and Event Management) platforms. Splunk acquired Phantom; IBM acquired Resilient; Rapid7 acquired Komand. These are all recent proofs of the rapid maturation of the market for security operations, automation, and orchestration.

• Security automation. It is the use of information technology for security event management and cyber incident response in place of manual processes.
• Security orchestration. Involves the integration of information and security technology tools designed to drive security information and streamline processes.

Trends Driving the Need for Automating Security Operations

These two trends drive the focus on automation and orchestration:

1. The lack of skilled security experts to support the need. According to the Cybersecurity Jobs Report, there will be more than three million unfilled cybersecurity positions by the year 2021.
2. The complexity, volume, and velocity of attacks also drive further investments in this market. Today’s information environments are vast and complex, often beyond the human capabilities when it comes to calculating, visualizing, and perceiving them. It is difficult to project risk accurately. As for velocity, there were situations when cyber attackers managed to move from an initial endpoint infection to total domain control within a day. The attacks transpire fast, and their volume continues to grow.

Automation Helps Transform Security Operations

Understaffed Security and Operations Center (SOC) teams cannot handle all the work. Security automation and orchestration can help transform security operations to remedy the situation.

• Simplifying the investigation process

With SOAR (Security, Operations, Analytics, and Reporting) tools, enterprises can have a unified repository for security app information. They make the security investigation easier and faster because they can investigate low-level security cases themselves. By escalating the most critical information, staff can intervene and detect the root cause of attacks much more natural.

• Quicker responses to security events

Today, security breaches and attacks are a matter of “when,” and not a matter of “if” anymore. Security teams must be able to detect the attack, stop it, and mitigate the damage as quickly as possible by using different tools. By integrating all the tools required by SOC teams, SOAR tools expedite this process as the security team has all the information in one place.

• Fewer manual processes and less time spent on false alarms

SOC team members spend much of their time handling manual tasks, while these cumbersome, repetitive tasks can automate with SOAR tools. Some analysts say that up to 80% of this remediation work can be automated. As for false alarms, they’re eating into SOC teams’ time which they could use more productively. When the staff gets so used to seeing alert notifications, they may fail to respond to real emergencies. SOAR tools can fix this by automating the responses to low-level alerts.

• Integration of threat intelligence sources and existing security tools

SOC teams typically use different security solutions from different vendors. However, these tools don’t necessarily work together. Some vendors even claim that their products support solutions from other vendors, but the integration between them is often more theoretical than practical. This integration performs in SOAR tools, and SOC teams can use them to:

1. Integrate their external threat intelligence with internal data analysis and collection.
2. Contextualize and correlate data through the output of several tools.

• Integration with IT operations tools

Other than security tools, SOAR tools also provide security analysts the insight into IT management tools such as configuration management systems, helpdesk systems, and asset databases.

• Minimizing damage from cyber attacks

With SOAR tools, security staff can investigate attacks and respond more quickly. These automation capabilities can help to mitigate the damage from cyber-attacks without human intervention. And when the team does need to get involved, they will have all the essential information about the attack.

Measuring the Success of Security Operations Automation

Measuring SOC efficiency and automation results are critical for gaining insights to find out where an enterprise should spend automation efforts to improve their security. An organization should seek:

• Automation outcomes. Automation teams are seeing a decrease in their TTX (time do detect, triage, remediate and others) and an increase in SOC investigator efficiency. Validating automation efforts is crucial to right size efforts. The number of security cases a defender can successfully resolve also goes up.
• Address top security offenders. Security response teams often experience repetitive tasks and signals. Over time, they can identify and track top security offenders to gain insights on what requires further automation or better monitoring, engineering, and controls solutions.
• Automate high-fidelity signals. Automation efforts should be spent on the right response processes and high-fidelity alerts. Determining true/false positive alerts allows you to measure detection efficacy because understanding false negatives enable you to detect security response and monitoring gaps.

Security operations automation and orchestration should be a high-priority issue for enterprise organizations. CISOs need to take a strategic approach and take their time to assess how it’s done today, collaborate with other organizations of similar industry and size to “compare notes,” and seek for quick automation wins. Security is a process, not a product. That’s why enterprises should start with simple process orchestration to gain their expertise with evolving technologies. By taking your time and focus, you will improve your operational efficiency and security efficiency.