How SOC Automation Supports Analysts in Securing the Country

The security operations center (SOC) has become the critical hub of Federal agencies’ cyber readiness. SOC analysts keep agencies safely up and running – determining the size and impact of incidents, utilizing threat intelligence, implementing response procedures and collaborating with other staff to address issues.

It’s a big job that can mix both complicated analysis and tedious tasks. That’s why it can be a good fit for security orchestration, automation and response (SOAR) platforms, which can optimize a SOC’s output by automating the mundane tasks analysts regularly perform.

Obstacles to SOC Effectiveness

In a SOC, the process of triaging alarms can stretch into more than a week, especially if the tools used to gather related artifacts and data aren’t integrated. Analysts spend hours on highly repetitive tasks, reviewing and comparing alerts across multiple screens and windows. With terabytes of alerts received per day, analysts can’t keep up.

Most SOC teams aggregate data to create actionable, high-fidelity logs that provide a limited view of an incident’s true impact. But agencies’ siloed need-to-know policies on information-sharing can significantly limit SOC analysts’ visibility into the tools generating the vast amounts of threat data. That makes an accurate situational assessment challenging.

Meanwhile, SOC metrics like incidents handled per hour can incentivize the wrong behavior by motivating analysts to focus on false positives or cherry-picking incidents they can close fast. Analysts should be solving actual problems, not processing tickets.

The New Human-Machine Symbiosis

Security orchestration, automation and response (SOAR) platforms can change that dynamic. A SOAR acts as a central hub that connects the many disparate security tools feeding typical alarms. It optimizes the SOC’s output by automating the mundane, tedious processes analysts normally perform – reviewing and assessing threat intelligence data, determining what is actionable and assigning the information to the right analyst for resolution.

When done manually, those tasks can take more than a week, depending on the complexity of the problem. Meanwhile, the agency remains vulnerable or could even already be under attack. Tightly integrating a SOAR with a threat intelligence platform can reduce the process to hours or even minutes.

While automation can rapidly assess indicators of compromise (IOCs), analysts’ subject matter expertise is vital for reviewing and interpreting the data. SOC analysts can ensure that alarms coming from similar sources are identified so they can avoid wasting effort on what is really the same problem. They must also determine the “blast radius” of an issue, since a single incident can quickly spread once inside the network.

SOAR can perform the analytics instantly, arming analysts with the data they need for preventive and corrective work. That includes the vitally important task of incident root cause analysis, where analysts’ subject matter expertise and skills are perhaps most valuable. Determining how and why an incident occurred is the single best way to ensure it doesn’t happen again.
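The triage flow described above (collapse alarms from the same source into one problem, check the indicator against threat intelligence, size the blast radius, and route the case to the right analyst) as a small Python playbook. This is an added illustration, not code from the article or from any vendor’s SOAR product; the threat-intel feed, alert records, host names and assignee tiers are all constructed for the example.

```python
# Constructed threat-intel feed: indicator -> (confidence, campaign label).
THREAT_INTEL = {
    "198.51.100.23": ("high", "constructed-campaign-A"),
    "203.0.113.9": ("medium", "constructed-campaign-B"),
}

# Constructed sample alerts, shaped like a SIEM export (documentation IP ranges).
ALERTS = [
    {"id": 1, "src": "198.51.100.23", "host": "ws-014", "rule": "outbound-c2"},
    {"id": 2, "src": "198.51.100.23", "host": "ws-014", "rule": "outbound-c2"},
    {"id": 3, "src": "198.51.100.23", "host": "ws-027", "rule": "outbound-c2"},
    {"id": 4, "src": "192.0.2.77", "host": "ws-003", "rule": "port-scan"},
    {"id": 5, "src": "203.0.113.9", "host": "srv-db1", "rule": "bruteforce"},
]

SEVERITY_ORDER = {"high": 3, "medium": 2, "low": 1}


def dedupe(alerts):
    """Collapse alerts sharing (src, rule) into one case: the same problem seen
    on several hosts should be worked once, not once per alert."""
    cases = {}
    for a in alerts:
        key = (a["src"], a["rule"])
        c = cases.setdefault(key, {"src": a["src"], "rule": a["rule"],
                                   "alert_ids": [], "hosts": set()})
        c["alert_ids"].append(a["id"])
        c["hosts"].add(a["host"])
    return list(cases.values())


def enrich(case):
    """Attach the threat-intel verdict; blast radius = distinct hosts affected."""
    case["confidence"], case["campaign"] = THREAT_INTEL.get(case["src"], ("low", None))
    case["blast_radius"] = len(case["hosts"])
    return case


def assign(case):
    """Routing rule (hypothetical tiers): known-bad spreading across hosts goes to a
    senior analyst, other known-bad to tier 1, unknown indicators to a review queue."""
    if case["confidence"] == "high" and case["blast_radius"] > 1:
        return "senior-analyst"
    if case["confidence"] in ("high", "medium"):
        return "tier1-analyst"
    return "low-priority-queue"


def triage(alerts):
    """Full playbook: dedupe, enrich, assign, then order by severity and spread."""
    cases = [enrich(c) for c in dedupe(alerts)]
    for c in cases:
        c["assignee"] = assign(c)
    cases.sort(key=lambda c: (SEVERITY_ORDER[c["confidence"]], c["blast_radius"]),
               reverse=True)
    return cases
```

Running `triage(ALERTS)` turns five raw alerts into three cases; the three outbound-c2 alerts become a single high-confidence case with a blast radius of two hosts at the top of the queue.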

A Virtuous Talent Circle

Automating processes can also help ensure that junior analysts have the correct insight to make the best determination as quickly as possible and flag issues for more experienced analysts.

Since automation relieves SOC analysts of hours of wearisome and mundane tasks, it gives them time to develop and document processes for the complex work they perform. Automated processes can then guide junior analysts in skills development and growth.

With lower-level tasks reliably handled by automation, senior analysts will have more capacity to improve the SOC: devising more repeatable complex workflows, improving the root cause analysis process and standardizing responses to ensure repeatable outcomes. They’ll also have more bandwidth to share knowledge and coach the juniors – a win for everyone, as it frees more time and people for higher-level analysis while the basic-level analysis is now addressed through automation.

Embracing the Opportunity

Automation can drive these many benefits and more. It begins with automating well-defined processes as they exist. There is no need to re-engineer established practices when automation is introduced. SOC leaders can adopt a SOAR platform if none is already in place, and use it to align metrics to desired mission outcomes.

Over time, revising and enhancing processes and knowledge management systems by leveraging the benefits of automation will help develop junior engineers while easing the demands on senior team members. That will improve results and retention across the team and lead to a much more successful SOC. Ultimately, that means greater safety and security for the nation.

About John A. Davis
Retired U.S. Army Major General John A. Davis is the Vice President of Public Sector at Palo Alto Networks.