Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

02:00 PM
Chris Schueler
Chris Schueler
Connect Directly
E-Mail vvv

Automation: Friend of the SOC Analyst

Faced by increasingly sophisticated threats, organizations are realizing the benefits of automation in their cybersecurity programs.

Automation, artificial intelligence (AI), and machine learning (ML) are rapidly transforming nearly every industry, and cybersecurity is no exception. Automation in cybersecurity is growing so fast that analyst firm Gartner predicts that by 2021 a full 70% of enterprise organizations with a dedicated security operations center (SOC) will have security orchestration, automation, and response (SOAR) capabilities. That growth is remarkable given that less than 5% had these capabilities as recently as 2018.

Automation always raises concerns about peoples' livelihoods, but cybersecurity professionals shouldn't worry about automation making their jobs obsolete. On the contrary, automation, AI, and ML will bring tremendous benefits to SOCs, helping alleviate the growing global cybersecurity skills shortage and enabling the industry to improve threat-hunting capabilities and response times.

Cybercriminals Are Already Using Automation
The challenge today is that our adversaries have widely embraced automation. Hackers have realized that they don't just need scale, they need speed — and automation lets them launch sophisticated, fully automated attacks that spread malcode fast. Using automation, cybercriminals can quickly and easily spread malware strains that can hide within an organization's network, looking for vulnerabilities and automatically executing commands when it finds them. Cybercriminals even use automation to make their spearphishing campaigns more convincing, leveraging AI algorithms to impersonate targeted individuals in email conversations and tricking their co-workers into disclosing sensitive information.

Fortunately, AI is also helping those of us on the right side of the law to automate our responses and improve our defenses. Here are two examples:

Automating and Augmenting Time-Consuming Security Tasks
As Internet of Things-connected devices proliferate throughout enterprises and the attack surface grows, the volume of data that SOC analysts must search through when threat hunting has grown exponentially. Simultaneously, attackers are employing more sophisticated obfuscation techniques, making our work more challenging and time-consuming. All this is occurring at the same time the industry is facing unprecedented shortages of skilled cybersecurity professionals, with nearly 3 million unfilled cybersecurity positions around the globe.

With automation, under-resourced SOCs can more quickly analyze vast data sets to look for patterns and anomalies that may indicate a breach, triage and prioritize alerts, and automate response measures. Automating the more minute, time-consuming tasks that are heavy in data analysis enables SOC analysts to spend their time on the more meaningful activities that require higher-level thinking and decision-making. Whereas AI identifies the anomaly, SOC analysts use their experience and creative-thinking skills to understand the meaning of the threat — asking important questions such as whether we've seen this threat actor before or if this is a likely type of attack in this industry. Following these types of investigative threads enables a SOC analyst to get better results, often allowing us to identify and quickly contain zero-days or close vulnerabilities before nefarious attackers identify them.

Delivering Greater Flexibility and Faster Response Times
In addition to enhancing threat hunting, automation enables us to speed our response and remediation time while also providing SOC analysts greater flexibility in terms of how they respond.

Traditionally, without automation, once a SOC analyst identifies a threat, he or she must perform a time-consuming series of actions involving numerous technology platforms and devices in order to stop, contain, and remediate that threat. For example, he or she may need to make manual updates to block the threat at the firewall, as well as add the bad URL to the web security gateway product, not to mention killing the process on each infected endpoint, potentially needing to remove file systems on infected laptops, etc.

Each of these actions involves a different technology platform or system, so the SOC analyst may need to enlist the help of two or three other members of the cybersecurity team who have knowledge of each of those platforms. On top of that, change tickets must be annotated and pushed up the chain of command through multiple layers of reviews and approvals. In that way, something that should be fairly straightforward can become time-consuming and complex. As a result, a single event can often take several hours or even a full day to contain and remediate.

With automated orchestration tools, when SOC analysts are alerted to a threat, they can take action no matter where they're located and can respond much faster. Imagine being away from the office and receiving an alert on your smartphone that a threat has been identified. With the tap of a button, you can automatically begin an entire series of decisions, approvals, and actions to stop, block, contain, and remediate the threat. The automated solution can communicate with all the different platforms and systems in the organization, making the necessary changes on each to fix the issue. It can automatically create and submit change requests through the appropriate review and approval processes, automatically updating change logs for compliance purposes. The entire process is completed much more quickly and can be done from anywhere, making the SOC analyst's life easier while better protecting the organization's environment.

With the increasing sophistication of threats and ever-growing attack surface, organizations of all sizes are realizing the benefits of automation in their cybersecurity programs. However they go about it, cybersecurity professionals must embrace automation, AI, and ML soon. These technologies won't replace the need for SOC analysts, but they will ease the workload and maximize talent. By improving threat-hunting capabilities and speeding response times, automation is poised to revolutionize the cybersecurity industry, helping SOC analysts keep pace with the ever-evolving nature of tomorrow's threat landscape. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's story: "Meet FPGA: The Tiny, Powerful, Hackable Bit of Silicon at the Heart of IoT."

Chris Schueler is Chief Executive Officer at Simeio Solutions where he drives the overall vision and strategy. He is a proven leader with extensive experience in go-to-market operations and product development in the managed security services space.  He joined Simeio ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/23/2019 | 4:46:40 PM
Re: Geek squad support
Thanks @Geeksquad for the commentb and feedback. I'm pretty passionate about this as I've spent nearly 20yrs just in/with security operations and we have always struggled with load....automation can appear on the outside as opposing forces to an analyst.  Specifically, how automation is going to replace jobs, but in reality, it is going to allow people to grow and do higher level work which is NOT being done!  I will be writting more on this soon.  
Geek Squad
Geek Squad,
User Rank: Apprentice
9/9/2019 | 2:18:10 AM
Geek squad support

Thanks for the informative article. This is one of the best resources I have found in quite some time. Nicely written and great info, I really thank you for sharing it.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
PUBLISHED: 2020-10-29
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.