By Kumar Saurabh, CEO and Co-founder, LogicHub
Ransomware, IoT attacks, phishing, cloud vulnerabilities—there are plenty of reasons for the increase in SecOps workloads. To reduce this growing burden on security analysts, many SecOps teams are exploring new security architectures and uses of automation.
SecOps teams have a wealth of solutions—and acronyms—to choose from. They can evaluate Security Automation and Orchestration (SAO) products, Security Orchestration Automation and Response (SOAR) products (recommended by Gartner), or products based on a Security Operations and Analytics Platform Architecture (SOAPA) (recommended by ESG).
SAO, SOAR, and SOAPA vary in several ways, including how much they rely on orchestration and various types of automation.
How should a SecOps team decide which approach is right for them?
Differentiating analytics from automation
A good first step for cutting through the fog is to distinguish analytics from automation. Analytics is a tool that helps analysts with their manual investigations. It produces data and insights for evaluating alerts and IOCs. Most of an analyst’s time is unproductively spent on sifting out the false positives by having to investigate each one.
Today, analytics supports decision making by the analysts. However, intelligent automation must replace analytics with decision science. The automation itself needs to be advanced enough to accurately weed through the torrents of false positives and mark them as such. Analytics is not automation, and we should not lump the two into the same bucket when comparing products.
Orchestration is not enough
Orchestration connects the various components of a workflow. By bringing disparate systems together in a single pane of glass, orchestration reduces the number of stand-alone products an analyst has to log in to and consult as part of doing his or her job. It also provides a mechanism to hand off tasks between different teams.
Orchestration solutions are task-oriented and geared to take actions such as isolating an endpoint from the network or opening a ticket in a case management system. They are most prominently used for incident response, as well as gathering investigative data.
These solutions help tie together the various steps and moving pieces in an investigation workflow. However, the act of determining whether an alert is a false positive still falls upon the analyst. In most customer situations, we see that analysts receive hundreds of alerts a day, and typically 90-95% of these will be false positives. The decision-making burden on analysts is still tremendously taxing, expensive, and unmanageable.
We fundamentally believe that automation can help analysts tremendously, not just with repetitive actions, but more impactfully with key decision making several dozen times a day.
Types of automation
Orchestration provides only a rudimentary form of automation. To reduce analysts’ workloads further, SecOps teams need smarter solutions that apply automation to the more challenging aspects of decision making.
When evaluating security automation products, it’s useful to reference Harvard Business Review’s three main types of automation. The ones that apply to security automation are:
● Robotic process automation
● Cognitive automation
Robotic process automation automates high-volume, low-complexity, and routine tasks. These tasks might be physical, such as installing a rivet, or they might be software-based, such as transforming a data set according to a set of rules and transferring the output to a file server.
Cognitive automation addresses complex, non-routine, creative, or exploratory tasks, which can involve pattern recognition on large data sets and decision-making based on the results of that pattern recognition. Cognitive automation has recently achieved major breakthroughs in areas as diverse as language translation (e.g., Google Translate) and vehicle navigation (e.g., self-driving cars).
Automation and SecOps
How are these various types of automation applied in today’s SecOps offerings?
The vast majority of automation in SecOps today is robotic process automation. For example, when an orchestration product processes a directive to close a specific firewall port or open a trouble ticket, that’s robotic process automation. A well-defined process has been performed quickly and efficiently, but the process itself hasn’t been changed or optimized, and the SecOps system itself learns nothing from the experience.
Robotic automation can help reduce workloads by minimizing “swivel chair” tasks. It can save analysts the trouble of opening trouble tickets, changing firewall rules, and so on. But it cannot address the time-consuming challenge of analyzing billions of alerts to detect hidden threats.
To sort false positives from genuine security threats requires advanced cognitive abilities. A new generation of SecOps solutions applies cognitive automation to improve the accuracy of threat detection and thereby accelerate the mitigation of threats.
These new security automation products apply Machine Learning techniques to rapidly analyze SIEM alerts and other contextual data. Their deep ranking and correlation algorithms perform analysis far more sophisticated than the simple rule-based matching used by SIEM systems. These products can even take into account the context of events, which enables them to more easily identify false positives. Unlike robotic automation products that operate by rote, cognitive automation systems accept feedback and tuning from security analysts, so they can learn from experience and become more accurate over time.
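The feedback loop described above can be made concrete with a small model. The following Python is an added illustration written for this article's point; it is not LogicHub's code and does not describe any product's actual algorithm. It assumes a constructed alert schema (rule, source zone, asset tier, user type, after-hours flag), a constructed history of analyst-closed alerts, and a Naive Bayes scorer with Laplace smoothing standing in for "cognitive automation". The point it demonstrates is that a pattern the model initially escalates (a beacon-like alert from a service account) is suppressed once analysts close a few instances as false positives, without anyone writing a new rule.

```python
"""Toy alert-triage model that learns from analyst feedback.

Added example for illustration only; not LogicHub's code or any
product's algorithm. All alerts and labels below are constructed."""
from collections import defaultdict
import math

# Context features each SIEM alert is reduced to (constructed schema).
FEATURES = ("rule", "src_zone", "asset_tier", "user_type", "after_hours")


def alert(aid, rule, src_zone, asset_tier, user_type, after_hours):
    """Build one alert record with the context fields the model scores on."""
    return {"id": aid, "rule": rule, "src_zone": src_zone,
            "asset_tier": asset_tier, "user_type": user_type,
            "after_hours": after_hours}


class TriageModel:
    """Naive Bayes over categorical context features with Laplace smoothing.

    Counts are updated in place every time an analyst labels an alert, so
    the model keeps learning from closed tickets instead of operating by rote."""

    def __init__(self):
        self.label_total = {"tp": 0, "fp": 0}
        # counts[label][feature][value] -> number of labelled alerts
        self.counts = {"tp": defaultdict(lambda: defaultdict(int)),
                       "fp": defaultdict(lambda: defaultdict(int))}
        self.vocab = defaultdict(set)  # feature -> values seen in feedback

    def record_feedback(self, a, label):
        """Analyst verdict: 'tp' (genuine threat) or 'fp' (false positive)."""
        assert label in ("tp", "fp")
        self.label_total[label] += 1
        for f in FEATURES:
            self.counts[label][f][a[f]] += 1
            self.vocab[f].add(a[f])

    def _log_likelihood(self, a, label):
        n = self.label_total[label]
        total = sum(self.label_total.values())
        logp = math.log(n / total)  # class prior from feedback so far
        for f in FEATURES:
            v = a[f]
            size = len(self.vocab[f] | {v})  # unseen values still get mass
            logp += math.log((self.counts[label][f][v] + 1) / (n + size))
        return logp

    def prob_true_positive(self, a):
        """Posterior probability that the alert is a genuine threat."""
        if 0 in self.label_total.values():
            return 0.5  # no evidence for one class yet: do not pretend to know
        ltp = self._log_likelihood(a, "tp")
        lfp = self._log_likelihood(a, "fp")
        return 1.0 / (1.0 + math.exp(lfp - ltp))


def triage(model, alerts, escalate_at=0.5):
    """Rank alerts by P(genuine); return (id, probability, verdict) tuples."""
    scored = [(a["id"], model.prob_true_positive(a)) for a in alerts]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [(aid, round(p, 4), "escalate" if p >= escalate_at else "suppress")
            for aid, p in scored]


def seed_model():
    """Bootstrap from a constructed history of alerts analysts already closed."""
    m = TriageModel()
    scanner = alert("h", "port_scan", "internal", "low", "service", "no")
    lockout = alert("h", "failed_login", "internal", "low", "employee", "no")
    spray = alert("h", "failed_login", "external", "high", "admin", "yes")
    beacon = alert("h", "malware_beacon", "internal", "high", "employee", "yes")
    for a, label, times in ((scanner, "fp", 3), (lockout, "fp", 2),
                            (spray, "tp", 2), (beacon, "tp", 1)):
        for _ in range(times):
            m.record_feedback(a, label)
    return m


# Constructed incoming alerts for one triage pass.
INCOMING = [
    alert("A1", "port_scan", "internal", "low", "service", "no"),
    alert("A2", "failed_login", "external", "high", "admin", "yes"),
    alert("A3", "malware_beacon", "internal", "high", "service", "yes"),
]


def feedback_demo():
    """Close the loop: A3 is escalated; the analyst finds it is a backup
    agent's heartbeat and closes four such alerts as FP. Returns the model's
    P(genuine) for that pattern before and after the feedback."""
    m = seed_model()
    before = m.prob_true_positive(INCOMING[2])
    for i in range(4):
        m.record_feedback(alert(f"F{i}", "malware_beacon", "internal",
                                "high", "service", "yes"), "fp")
    after = m.prob_true_positive(INCOMING[2])
    return before, after


if __name__ == "__main__":
    for row in triage(seed_model(), INCOMING):
        print(row)
    print("A3 pattern before/after analyst feedback:", feedback_demo())
```

Two design points matter more than the classifier choice. The model returns 0.5 until it has feedback for both classes, so an untrained system cannot silently suppress everything; and suppression decisions are driven by the same context fields (asset tier, user type, time of day) the article says rule-based SIEM matching ignores, which is why a single rule name can be escalated for one source and suppressed for another.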
Aligning intelligent automation with SecOps requirements
By differentiating automation from orchestration and robotic automation from cognitive automation, it’s possible to come up with a basic rubric for applying automation and orchestration to reduce workloads and improve outcomes in a SOC:
● Incident Response – Use orchestration that applies robotic automation to open tickets and make configuration changes to mitigate threats.
● Alert Triage – Orchestration is helpful for collecting investigative data, but for optimal results, use cognitive automation to distinguish false positives from genuine threats and to quickly understand those threats so they can be stopped.
● Threat Hunting – Rely on cognitive automation to perform sophisticated analysis at scale, discovering deep correlations to uncover unknown threats.
With this rubric in mind, SecOps teams can develop strategies for investing in new security technologies, confident that they have aligned new product capabilities with specific work requirements in the SOC.
If a SOC is overwhelmed by the volume of security alerts it is receiving, it should invest in cognitive automation. Automating the analysis of alerts can greatly speed the identification of false positives, dramatically reducing the number of alerts that analysts need to investigate. In some enterprises, cognitive automation has been able to reduce false positives by as much as 95%.
Additionally, if a SOC is concerned about detecting Zero-Day threats or data breaches that might leave a network vulnerable for weeks or months, then cognitive automation is a must. Machine Learning that goes beyond the rule-based analysis of SIEMs will be able to detect threats that most of today’s security products overlook.
In evaluating all these approaches and technologies, it’s important to consider not just what SOCs need today, but also what they’re likely to need in the future. Security attacks are more sophisticated and targeted than ever before. Enterprise networks are becoming more distributed and complex, and the number of connected devices is likely to explode as IoT becomes more mainstream. If security workloads are high now, they’re likely only to become higher in the coming months. Of course, an ideal solution would be one that spans all the use cases for Threat Hunting, Alert Triage, and Incident Response.
SecOps teams should explore intelligent automation solutions today so they will be prepared for an even busier and more vulnerable future.
About the Author
Kumar Saurabh, CEO and Co-founder, LogicHub. Kumar has 15 years of experience in the enterprise security and log management space, leading product development efforts at ArcSight and SumoLogic.
He has a passion for helping organizations improve the efficacy of their security operations, and personally witnessed the limitations of existing solutions in helping SOC analysts detect threats buried deep within mountains of alerts and events.
This frustration led him to co-found LogicHub™ to empower cyber analysts by building intelligence automation, not just analytics.