“The most dangerous phrase in the language is: We’ve always done it this way.” — Admiral Grace Hopper
You've heard of automation or, at the very least, it has touched your life, with or without your knowledge. As a security professional, perhaps you already write scripts in your language of choice, or have licensed a product built for automation (e.g., Cortex XSOAR). Thanks to Application Programming Interfaces (APIs), retrieving and passing information between applications is easier than ever, and the businesses that took advantage of this have pulled ahead of competitors that did not. But is automation always the right path for a security operations center? Surprisingly, the question still lingers for many security professionals: why automate?
Time for a riddle: I can crawl, I can fly, I have hands but neither legs nor wings. What am I? The answer is: time. I'd like to challenge you, as a security professional, to walk through your average work day. Do you find yourself pressing the same buttons in a GUI, typing the same email responses to end users, or updating the same spreadsheets? If you answered yes to any of these, you are a prime candidate for automation. Here are some of the reasons why automation is growing in popularity:
Let's take a look at some of these examples that correspond with the questions above:
Is there a correlation between the actions above? You bet. All of them are great candidates for automation. The harder question is whether they should be automated, and the answer varies between teams and businesses. Start with a use case definition (UCD) of an incident response process, such as the UCD template provided by Palo Alto Networks, to understand exactly what an analyst does from incident creation to incident closure.
Still not sure what should be automated? Here is a general starting point: "Automate the persistent tasks first, then the mundane". Focus on the tasks that are easily repeatable, and then tackle the boring tasks later.
It might make sense to automate sending a generic email with dynamic data to an end user as part of an incident, but what if data must be collected from the end user and then imported into a ticketing application? The end user could be on leave, traveling, or out of office. If a service level agreement (SLA) calls for the incident to be closed within 4 hours, automation cannot conjure up missing user input; the playbook itself has to enforce a deadline on that step and hand the incident to a human when the deadline passes.
Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) metrics are easily disrupted when a script or automation hangs, and it is worse still when nobody knows it is hanging. Just as with what to automate, when to automate matters equally, and it should be decided at the business level. Not all incident types are created equal.
Now that we have some ideas of what, why, and when to automate, the big question is: how?
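The point above about a hanging step is easiest to see in code. The following Python is an added example written for this article, not code from the original post or from Cortex XSOAR: a tiny playbook runner that gives every step a deadline, records a step that never returns as a timeout instead of blocking the playbook, and escalates the incident to a human so that nobody is left wondering why MTTR crept past the SLA. The step functions, the "mailbox" the user replies into, and the incident IDs are all constructed stand-ins.

```python
"""Playbook runner with per-step deadlines.

Added example, not code from the original article or from Cortex XSOAR.
It demonstrates the caveat in the text: a step that waits on an end user
(who may be on leave) can hang, and a hanging automation silently wrecks
MTTR unless the playbook enforces a deadline and escalates to a human.
Every step function and the "mailbox" below are constructed stand-ins.
"""
import concurrent.futures as cf
import time
from dataclasses import dataclass, field


@dataclass
class StepResult:
    name: str
    status: str          # "ok", "timeout" or "error"
    elapsed_s: float
    detail: str = ""


@dataclass
class Incident:
    incident_id: str
    sla_s: float                       # time budget for the whole playbook
    results: list = field(default_factory=list)
    escalated_to: str = ""             # set when a step misses its deadline


def run_step(incident, name, fn, timeout_s):
    """Run fn() in a worker thread and give it at most timeout_s seconds.
    A step that overruns is recorded as a timeout and the playbook moves on
    instead of blocking forever. Python cannot kill the worker thread, so
    it is left to finish on its own; that is why the deadline has to live
    in the playbook rather than inside the step."""
    pool = cf.ThreadPoolExecutor(max_workers=1)
    start = time.monotonic()
    fut = pool.submit(fn)
    try:
        detail, status = fut.result(timeout=timeout_s), "ok"
    except cf.TimeoutError:
        detail, status = f"no result within {timeout_s}s", "timeout"
    except Exception as exc:           # the step itself failed
        detail, status = repr(exc), "error"
    finally:
        pool.shutdown(wait=False)      # do not wait for a hung worker
    result = StepResult(name, status, time.monotonic() - start, str(detail))
    incident.results.append(result)
    return result


def run_playbook(incident, mailbox, step_timeout_s=0.05):
    """Three steps: enrich, wait for the user's reply, file the ticket.
    If the user step times out, escalate to a human and skip the ticket
    (it would need the missing data). mailbox maps incident_id -> reply."""
    run_step(incident, "enrich_indicator",
             lambda: {"sha256": "constructed-hash", "verdict": "malicious"},
             step_timeout_s)

    def wait_for_user_reply():
        # Poll the constructed mailbox. An out-of-office user never replies;
        # the loop is bounded only so this example exits, a real poll could
        # spin until the user comes back from leave.
        for _ in range(30):
            if incident.incident_id in mailbox:
                return mailbox[incident.incident_id]
            time.sleep(0.01)
        raise RuntimeError("user never replied")

    user = run_step(incident, "collect_user_input", wait_for_user_reply,
                    step_timeout_s)
    if user.status == "ok":
        run_step(incident, "create_ticket",
                 lambda: f"ticket filed with: {user.detail}", step_timeout_s)
    else:
        incident.escalated_to = "on-call analyst"   # a human takes over
    return incident


def sla_status(incident):
    """Compare the playbook's wall-clock time against the incident's SLA."""
    elapsed = sum(r.elapsed_s for r in incident.results)
    return "within SLA" if elapsed <= incident.sla_s else "SLA breached"


if __name__ == "__main__":
    # Constructed run: the user is out of office, so the mailbox stays empty.
    inc = run_playbook(Incident("INC-1", sla_s=0.01), mailbox={})
    for r in inc.results:
        print(f"{r.name:20} {r.status:8} {r.elapsed_s:.3f}s  {r.detail}")
    print(sla_status(inc), "| escalated to:", inc.escalated_to or "nobody")
```

The deadline and the escalation are deliberately the playbook's responsibility, not the step's: the step that waits on a human is the one that cannot know how long it will take, so the code around it has to decide when "still waiting" becomes "stuck" and who gets told.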
And what exactly is SOAR, anyways? This Cortex article — What is SOAR? — provides a good summary, but in short:
Security orchestration, automation and response (SOAR) technology helps coordinate, execute and automate tasks between various people and tools all within a single platform. This allows organizations to not only quickly respond to cybersecurity attacks but also observe, understand and prevent future incidents, thus improving their overall security posture.
What are some alternatives to using a SOAR application?
When you first start looking for automation use cases, simple scripts written in an approachable language such as Python can be an effective tool in your SOC arsenal. Many online services, such as VirusTotal and Hybrid Analysis, provide free APIs with software development kits (SDKs) in multiple languages. Most security products, such as Palo Alto Networks Next-Generation Firewalls (NGFWs), also expose an API that automation can use to block malicious indicators or create firewall rules dynamically.
By going down this avenue, there are multiple factors to consider:
It's important to differentiate between a SIEM and a SOAR platform, as the question comes up often when evaluating products. Both aggregate event data from various sources; the difference is what happens next. When a configured alert fires in a SIEM, it is up to the analyst to choose the next step in the investigation, which normally means pivoting between threat intelligence feeds and other third-party sources to correlate the event data in the SIEM. In a SOAR platform, the investigation workflows are fully or semi-automated, from initial incident triage through remediation, and the whole workflow stays inside a single application. In short, a SOAR platform starts where the capabilities of a SIEM end.
Is your company ready for a SOAR product? You guessed it: it depends. You should be able to confidently answer Yes to the questions below:
As a prior security engineer and security analyst, I understand the typical pain points of a SOC environment, as well as the frustrations of a SOC analyst. These are some of the challenges I faced working in a SOC, even with a development background:
It's truly a breath of fresh air to be able to assist Palo Alto Networks customers with Cortex XSOAR, which solves many of these problems including, but not limited to:
Whether you are using command line scripts or a full-fledged SOAR platform, automation can produce the results your business needs: eliminate the mundane and focus on the important tasks. Automation is not, however, a simple band-aid. It's important to understand the capabilities and limitations of automation in your environment, how you intend to use it, and how well you can define your current processes.
“Automation applied to an inefficient operation will magnify the inefficiency.” — Bill Gates