What we've learned while automating SOCs
It's been over a year since Avantgarde Partners started building and managing security automation and orchestration runbooks for our clients. We have learned quite a bit, not only about the implementation process from a technical perspective, but also about how it is best adopted within an organization. This is especially relevant as a recent report indicated that 60% of security executives surveyed are planning SOC deployments within the next 12 months. With the sheer number of information security vendors, expertly mapped out by Lawrence Pingree, a common platform for intercommunication is paramount.
Very early adopters of Security Orchestration & Automation Platforms (or SAOPAs, as Jon Oltsik calls them) had concrete use cases and expectations of the technology. One of the more counter-intuitive discoveries has been that companies with immature security processes actually reap the most benefit, as they are essentially forced to document, for the first time, what their Standard Operating Procedures (SOPs) for certain alerts should be. This step alone provides immediate value.
Other than a lack of allocated budget, SAO projects took a little time to gain traction because organizations became somewhat lost in the potential of what automation can bring. To combat that paralysis, it is prudent to focus on the functions or activities that take up the most time, which is why a phishing investigation playbook has been highlighted by the more well-known SAOP vendors: Phantom, Demisto and ServiceNow. We have witnessed that the time saved by automating the manual investigation and validation steps for a potentially phished email is anywhere between 30 minutes and 4 hours.
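As an added illustration (not Avantgarde's or any vendor's playbook code), here is the kind of manual validation a phishing playbook automates: a sender-authentication check and a URL indicator lookup, returning a verdict and the ticketing action. The email sample and the watchlist are constructed; a real SAOP would replace the watchlist with threat-intel or sandbox API calls.

```python
"""Minimal phishing-investigation playbook skeleton (added example)."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message for offline use; not a real phishing email.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@example-corp.invalid>
To: analyst@example-corp.invalid
Subject: Password expiry notice
Authentication-Results: mx.example-corp.invalid; spf=fail; dkim=none
Content-Type: text/plain

Your password expires today. Reset it at http://login.example-corp-reset.invalid/auth
"""

# Constructed watchlist standing in for a threat-intel feed.
KNOWN_BAD_DOMAINS = {"example-corp-reset.invalid"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def on_watchlist(host: str):
    """Return the matching watchlist entry for host or a subdomain of it, else None."""
    return next((d for d in KNOWN_BAD_DOMAINS if host == d or host.endswith("." + d)), None)


def investigate(raw_eml: str) -> dict:
    """Run the validation steps an analyst would do by hand and return a verdict."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    auth = str(msg.get("Authentication-Results", "")).lower()
    findings = []
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("sender authentication failed")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    urls = URL_RE.findall(body)
    hits = sorted({on_watchlist(urlparse(u).hostname or "") for u in urls} - {None})
    if hits:
        findings.append("url domain on watchlist: " + ", ".join(hits))
    # Watchlist hit alone is enough to escalate; auth failure alone only flags for review.
    verdict = "malicious" if hits else ("suspicious" if findings else "benign")
    return {"subject": str(msg["Subject"]), "urls": urls, "findings": findings,
            "verdict": verdict,
            "action": "open_incident" if verdict != "benign" else "close_ticket"}


if __name__ == "__main__":
    print(investigate(SAMPLE_EML))
```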
Once there is initial success, we have taken the approach of starting up to a half dozen playbooks as an immediate second step, to get the first 80% of each playbook developed. There tend to be delays caused by granting access, APIs that may require upgrades, or API limitations in general that require some creativity. This method of “SecDevOps” or “security at speed” initiates a pattern of iteration, then more iteration, then more iteration, which is the appropriate “continual improvement” model for managing these platforms.
Lastly, another benefit of beginning the journey of security automation and orchestration with a more common playbook, such as phishing investigation, malware enrichment or even simple ticketing automation, is to establish some early wins and begin reporting the metrics upward to management, as well as across departments. The next objective is to find other areas where repeated tasks can be automated, branching outside of security. We have found that the most successful deployments extend into areas outside the SOC and into IT, Networking, even HR, which tends to entrench the technology in the organization.
The benefits to security maturity from using SAOPs are real, but so is the effort to realize them. We have begun to take an approach of indexing security maturity levels (loosely) against the CMMI before our engagements, so that improvement can be measured empirically.
7 years: Nice article Robi Papp, we should talk, would love to share what we're working on...