A confluence of factors is driving the need for greater automation of security operations centers (SOCs). Primary among them are the growing sophistication of threats, the sheer volume of security-related data, the speed of threat propagation, a proliferation of security tools, and a critical shortage of staff with the necessary skills — a perennial problem in all things related to cybersecurity.
The trends have put tremendous pressure on enterprise security operations (SecOps) teams in recent years and have left many struggling with alert fatigue, staff burnout, and high attrition rates. Despite increased budgets and a greater recognition overall of the importance of the SOC, enterprise organizations on average still take a startling 277 days to detect a security breach. And more than 83% of organizations that experience a data breach get hit more than once.
Numerous tools are available for automating SOC functions. The most common are security information and event management (SIEM) platforms for aggregating and correlating data from multiple systems; security orchestration, automation, and response (SOAR) tools; endpoint detection and response products (EDR); and network detection and response tools.
Many organizations have deployed such technologies because they can respond to evolving threats more quickly than human analysts while monitoring systems on a continuous basis and freeing up human analysts from mundane, repetitive tasks so they can focus on higher-value work in the SOC. Many organizations are also using automation platforms to automate the collection and reporting of compliance-related data and to ensure consistent application of compliance controls.
Here are the key trends driving SecOps automation, its numerous benefits — and the five biggest challenges organizations face when automating their SOC. Learn from top experts and take action to avoid SecOps team burnout and improve your security posture.
The SOC landscape is changing in the automation age
Piyush Pandey, CEO at PathLock, said that automation can simplify and streamline the workflow associated with access reviews, which are an expensive, time-consuming activity that many organizations are required to perform as often as quarterly.
"Organizations are already leveraging automated workflow for review initiations, approvals, and closures, reducing manual effort, and enhancing efficiency."
—Piyush Pandey
Tamir Passi, senior product director at DoControl, said that automation is often a game changer for SecOps. "It's like having a tireless assistant that never sleeps, handling routine tasks and freeing up your team for complex challenges. Automation can process vast amounts of data in real time, something humans just can't match."
Passi points to alert triage, threat intel gathering, and access reviews as areas where automation can make a big impact in the SOC.
"Even if automation just preps the response for an analyst to trigger, you're saving tons of time. Imagine an analyst quickly reviewing and saying, 'Apply this action to all these cases.' Boom! Efficiency multiplied."
—Tamir Passi
Many organizations are betting on AI-based automation to help bolster SOC agility and response capabilities. A KPMG survey of 200 security leaders found that 66% of respondents said AI-based automation is critical to their ability to stay ahead of threats, that 38% hope that AI will help make their SOC more agile, and that 36% think AI will enable better measurement and reporting on security operations. Other benefits that respondents cited included improved employee experience, improved business resilience, and improved decision making in the SOC.
One area of high promise for AI and automation, Pandey said, is the AI-powered acceleration of the process of correlating and prioritizing alerts, thus reducing false positives and enabling faster incident response. Machine-learning algorithms and AI techniques can identify patterns, anomalies, and indicators of compromise, allowing security teams to respond swiftly and proactively to potential threats. A growing number of organizations are also hoping to leverage AI-enabled automation tools to deliver intelligent decisions around access policies and in areas such as privilege-elevation requests, Pandey said.
1. Having the right skill sets on your SecOps team
It's one thing to drop an automation technology into a SOC; it's another thing entirely to harness the benefits you are looking to derive from it. Automation tools can be hard to set up and configure correctly. It can take time and resources to tailor automation to an organization's specific needs. Joshua Knox, senior technical evangelist at ReversingLabs, said SOAR tools, for instance, can help automate key SOC functions.
"But it doesn't automate on its own. You need to have people on your team that understand how to build the automation into it. If you are a smaller organization, look for a platform that will work for what you need."
—Joshua Knox
Pandey said organizations need to keep in mind that the same factor that is driving the need for automation — the skills shortage — can also be the biggest hindrance to adoption. "Implementing automation in security operations requires skilled personnel who can design, implement, and manage automated solutions effectively," he said. "However, there is a shortage of cybersecurity professionals with the necessary expertise in automation technologies, data analysis, and scripting." This is especially true when implementing and managing automation tools that rely on the training of automation via large datasets, he added.
2. Maintaining and updating automation of the SOC
One mistake that SOCs often make is to assume that their job is done once they have deployed an automation technology, ReversingLabs' Knox said. The reality is that it takes continuous effort to keep automation current with evolving threats and technologies, he said. That means regular testing and refinement of automated processes, and continuous learning to keep on top of evolving automation tools and techniques.
"The job never ends. You can't automate and walk away. The job of tweaking never ends."
—Joshua Knox
3. Compliance and regulatory concerns over automation
When an organization deploys automated processes in the SOC, it needs to make sure to do it in a manner that complies with industry regulations and standards. Proper documentation and audit trails for automated actions are key.
Failing to monitor and audit provisioning activities can result in undetected security breaches, unauthorized access, or policy violations, Pandey said. It's essential to implement logging and monitoring mechanisms to track provisioning events, he said. Also important are having a process to review access logs regularly and performing periodic access reviews to ensure compliance and to identify any suspicious or inappropriate access patterns.
"Organizations must carefully assess the impact of automation on compliance, data privacy, and legal obligations to avoid potential liabilities."
—Piyush Pandey
Organizations in sectors such as finance, health care, and government are especially subject to strict requirements on security operations. "Introducing automation must consider these requirements and ensure that automated processes comply with relevant regulations," Pandey said.
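The audit trail and periodic access review described above, as an added example that is not part of the original article or any vendor's product: a hash-chained log of each automated provisioning action (so a record cannot be altered unnoticed) and a review pass that flags grants made without approval or a ticket, and privileged grants the requester approved for themselves. The event schema, the `soar-bot` actor and the role names are constructed for the example.

```python
import hashlib
import json

# Constructed sample events from a hypothetical automated provisioning workflow.
# Field names are assumptions for this example, not any vendor's schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "actor": "soar-bot", "action": "grant",
     "user": "alice", "role": "reader", "approver": "mgr1", "ticket": "CHG-101"},
    {"ts": "2024-05-01T09:05:00Z", "actor": "soar-bot", "action": "grant",
     "user": "bob", "role": "db-admin", "approver": "bob", "ticket": "CHG-102"},
    {"ts": "2024-05-01T09:10:00Z", "actor": "soar-bot", "action": "grant",
     "user": "carol", "role": "domain-admin", "approver": None, "ticket": None},
    {"ts": "2024-05-01T23:30:00Z", "actor": "soar-bot", "action": "revoke",
     "user": "alice", "role": "reader", "approver": "mgr1", "ticket": "CHG-101"},
]
PRIVILEGED = {"db-admin", "domain-admin"}  # assumed list of sensitive roles
GENESIS = "0" * 64


def append_audit(trail, event):
    """Append a hash-chained entry: each hash covers the previous hash plus the
    event, so editing or reordering any automated action's record breaks the chain."""
    prev = trail[-1]["hash"] if trail else GENESIS
    payload = json.dumps(event, sort_keys=True)
    digest = hashlib.sha256((prev + payload).encode()).hexdigest()
    trail.append({"prev": prev, "event": event, "hash": digest})
    return trail


def verify_trail(trail):
    """Recompute the chain from genesis; False if any entry was altered."""
    prev = GENESIS
    for entry in trail:
        payload = json.dumps(entry["event"], sort_keys=True)
        expected = hashlib.sha256((prev + payload).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


def review_access(trail):
    """Periodic access review: return (user, reason) for grants that violate policy."""
    findings = []
    for entry in trail:
        e = entry["event"]
        if e["action"] != "grant":
            continue
        if e["approver"] is None or e["ticket"] is None:
            findings.append((e["user"], "grant without approval/ticket"))
        if e["role"] in PRIVILEGED and e["approver"] == e["user"]:
            findings.append((e["user"], "self-approved privileged grant"))
    return findings
```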
4. The need for customization of automation functions
Even off-the-shelf automation tools can yield better results in the SOC than purely manual processes because they often implement industry best practices and proven methodologies. Off-the-shelf tools are also typically more efficient, cost-effective, and scalable, as well as easier to maintain. However, if organizations want to derive the full benefits of automation, they often need to adapt off-the-shelf tools to meet their specific organizational requirements, Knox said.
There are many benefits to tailoring automated processes to specific organizational threats, infrastructure, and processes. Customization also allows organizations to address scenarios that are specific to them or their industry, Knox said. Large companies can use their buying clout to get vendors of SOC automation technologies to customize products for them, but smaller organizations will need to figure out a way to adapt their off-the-shelf automation tool to their specific needs, he added.
5. Culture and change management challenges
Two other barriers can be resistance to change from staff who are accustomed to manual processes and the need for a cultural shift to embrace automation in security operations. Ingrained habits and fear of the unknown can be difficult to overcome, as can reluctance to acquire new skills and knowledge about automation tools. Security professionals can also be hesitant to trust automated systems — and especially AI-enabled tools — for critical decisions, said DoControl's Passi.
"Honestly, [the biggest barriers are] often cultural. The key is to start small, show quick wins, and involve your team from the get-go. Once they see how it makes their lives easier, they'll be on board."
—Tamir Passi
Automation is essential for a modern SOC
Automation is key to modernizing your SOC — and keeping the best talent on your SecOps team. The best way for SOC leaders to make a case for automation is to focus on the numbers, Passi said. "Time saved, faster response times, improved accuracy — they all translate to cost savings and better security. Start with a pilot project and let the results speak for themselves."
"In today's threat landscape, automation isn't just nice to have; it's becoming essential. It's how we stay ahead of the bad guys without burning out our teams."
—Tamir Passi