Keep Humans in the Loop in SOC Operations

Humans have a well-deserved reputation for being the weakest link in the cybersecurity of any size organization. Whether it's an IT specialist misconfiguring a firewall setting, a DevOps engineer failing to secure a cloud storage bucket, or a hapless business user falling for a phishing scam, the vast majority of cybersecurity breaches are primarily caused by human error creating exploitable vulnerabilities. The result is many avoidable weaknesses being pursued by criminal opportunists enabled by cheap, plentiful cybercrime tools of the trade.

Thankfully, the humans working in the security operations center (SOC), the Tier 1 and Tier 2 analysts on the front line of cyber defense, are the strongest link in cybersecurity operations. They must be kept in the loop, ideally performing higher-value tasks than keeping "eyes on the glass" to review security telemetry.

Tools for Assisting, Not Replacing, Humans

Looking to technology to help us secure technology is the right approach. The servers, Web applications, endpoints, network devices, and security measures in a company's digital landscape produce massive volumes of security telemetry and alerts that must be monitored and analyzed, but most turn out to be benign.

Identifying the meaningful alerts in high-volume event streams is the perfect job for correlation rules and unsupervised machine learning (ML) algorithms that combine human knowledge and threat intelligence with continuous learning and improvement. Machines can handle the speed and scale required for the initial screening of the high-volume stream of event logs and alerts. Also, algorithms don't get tired or have a lapse in attention, go on vacation, or call in sick.

Automating this facet of SOC operations allows these AI-based tools to do the tedious work of sifting out false positives and correlating and surfacing real alerts in real time. Automation can also go a step further, applying rules in playbooks to enrich alerts with context (which machine or user, what happened, when), contain suspicious activity in the network, and trigger an automatic response in well-defined use cases.

The result can be minimizing the volume of alerts by a factor of 10 or more, from 10,000 a day to 1,000 or less. This noise reduction saves up to 50% of expert SOC labor, dramatically increasing SOC efficiency and effectiveness.

Humans Are the Ones Who Catch the Cybercriminals in Action

This type of automation frees expert human analysts to use their experience, skills, intuition, and problem solving in the hunt for cybercriminals active in your environment. The automation feeds junior SOC analysts who triage the findings by applying human intelligence to recognizing patterns, evaluating anomalies, eliminating false positives, and identifying alerts that need further human assessment.

For example, John in HR typically accesses two databases during regular business hours. An alert comes through that John has accessed a third database on a Saturday. Only a human can determine if this new behavior is anomalous but nonthreatening. After the SOC analyst notifies the IT department about the unexpected database activity, IT confirms that John has been granted temporary access to the additional data, which is HR-related.

After triage by junior SOC analysts, high-priority alerts are forwarded to SOC senior analysts. These skilled security specialists are charged with investigating the alerts and identifying where an attack is coming from, the cybercrime groups behind the attack, methods they are using, lateral movement observed, and the dwell time of attackers. SOC experts also propose strategies for mitigation and eradication.

Humans are most essential when identifying attacks that cut across different systems, applications, and access methods. It was skilled humans who uncovered new activity on the part of Hafnium. The nation-state cybercriminals had been exploiting vulnerabilities in Microsoft Exchange servers to steal emails, compromise networks, and move laterally in affected organizations. These incursions took place for three months prior to discoveries credited by Microsoft to researchers at security firms Volexity and Dubex.

Key Takeaways

Organizations of any size, but particularly midsize and larger enterprises, can benefit from having their SOCs use artificial intelligence, unsupervised ML, and automation to remove the burden of first-level event log screening from junior analysts and provide intelligence that senior analysts can use in investigations. Such automation is necessary to handle the ever-increasing volume, velocity, and variety of security telemetry. It cannot, however, eliminate the need for the expert human analyst.

SOC analysts need not be concerned about job security in the face of ML and automation. Rather, they should welcome the improved productivity and freedom automation provides to use their intelligence and creativity for higher-value activities such as research, threat analysis, remediation, and threat hunting.