Automation: Friend of the SOC AnalystFaced by increasingly sophisticated threats, organizations are realizing the benefits of automation in their cybersecurity programs.
Automation, artificial intelligence (AI), and machine learning (ML) are rapidly transforming nearly every industry, and cybersecurity is no exception. Automation in cybersecurity is growing so fast that analyst firm Gartner predicts that by 2021 a full 70% of enterprise organizations with a dedicated security operations center (SOC) will have security orchestration, automation, and response (SOAR) capabilities. That growth is remarkable given that less than 5% had these capabilities as recently as 2018.
Automation always raises concerns about peoples' livelihoods, but cybersecurity professionals shouldn't worry about automation making their jobs obsolete. On the contrary, automation, AI, and ML will bring tremendous benefits to SOCs, helping alleviate the growing global cybersecurity skills shortage and enabling the industry to improve threat-hunting capabilities and response times.
Cybercriminals Are Already Using Automation
The challenge today is that our adversaries have widely embraced automation. Hackers have realized that they don't just need scale, they need speed — and automation lets them launch sophisticated, fully automated attacks that spread malcode fast. Using automation, cybercriminals can quickly and easily spread malware strains that can hide within an organization's network, looking for vulnerabilities and automatically executing commands when it finds them. Cybercriminals even use automation to make their spearphishing campaigns more convincing, leveraging AI algorithms to impersonate targeted individuals in email conversations and tricking their co-workers into disclosing sensitive information.
Fortunately, AI is also helping those of us on the right side of the law to automate our responses and improve our defenses. Here are two examples:
Automating and Augmenting Time-Consuming Security Tasks
As Internet of Things-connected devices proliferate throughout enterprises and the attack surface grows, the volume of data that SOC analysts must search through when threat hunting has grown exponentially. Simultaneously, attackers are employing more sophisticated obfuscation techniques, making our work more challenging and time-consuming. All this is occurring at the same time the industry is facing unprecedented shortages of skilled cybersecurity professionals, with nearly 3 million unfilled cybersecurity positions around the globe.
With automation, under-resourced SOCs can more quickly analyze vast data sets to look for patterns and anomalies that may indicate a breach, triage and prioritize alerts, and automate response measures. Automating the more minute, time-consuming tasks that are heavy in data analysis enables SOC analysts to spend their time on the more meaningful activities that require higher-level thinking and decision-making. Whereas AI identifies the anomaly, SOC analysts use their experience and creative-thinking skills to understand the meaning of the threat — asking important questions such as whether we've seen this threat actor before or if this is a likely type of attack in this industry. Following these types of investigative threads enables a SOC analyst to get better results, often allowing us to identify and quickly contain zero-days or close vulnerabilities before nefarious attackers identify them.
Delivering Greater Flexibility and Faster Response Times
In addition to enhancing threat hunting, automation enables us to speed our response and remediation time while also providing SOC analysts greater flexibility in terms of how they respond.
Traditionally, without automation, once a SOC analyst identifies a threat, he or she must perform a time-consuming series of actions involving numerous technology platforms and devices in order to stop, contain, and remediate that threat. For example, he or she may need to make manual updates to block the threat at the firewall, as well as add the bad URL to the web security gateway product, not to mention killing the process on each infected endpoint, potentially needing to remove file systems on infected laptops, etc.
Each of these actions involves a different technology platform or system, so the SOC analyst may need to enlist the help of two or three other members of the cybersecurity team who have knowledge of each of those platforms. On top of that, change tickets must be annotated and pushed up the chain of command through multiple layers of reviews and approvals. In that way, something that should be fairly straightforward can become time-consuming and complex. As a result, a single event can often take several hours or even a full day to contain and remediate.
With automated orchestration tools, when SOC analysts are alerted to a threat, they can take action no matter where they're located and can respond much faster. Imagine being away from the office and receiving an alert on your smartphone that a threat has been identified. With the tap of a button, you can automatically begin an entire series of decisions, approvals, and actions to stop, block, contain, and remediate the threat. The automated solution can communicate with all the different platforms and systems in the organization, making the necessary changes on each to fix the issue. It can automatically create and submit change requests through the appropriate review and approval processes, automatically updating change logs for compliance purposes. The entire process is completed much more quickly and can be done from anywhere, making the SOC analyst's life easier while better protecting the organization's environment.
With the increasing sophistication of threats and ever-growing attack surface, organizations of all sizes are realizing the benefits of automation in their cybersecurity programs. However they go about it, cybersecurity professionals must embrace automation, AI, and ML soon. These technologies won't replace the need for SOC analysts, but they will ease the workload and maximize talent. By improving threat-hunting capabilities and speeding response times, automation is poised to revolutionize the cybersecurity industry, helping SOC analysts keep pace with the ever-evolving nature of tomorrow's threat landscape.
Chris Schueler is senior vice president of managed security services at Trustwave where he is responsible for managed security services, the global network of Trustwave Advanced Security Operations Centers and Trustwave SpiderLabs Incident Response. Chris joined Trustwave ... View Full Bio