Dark Reading is part of the Informa Tech Division of Informa PLC

Chris Schueler

Automation: Friend of the SOC Analyst

Faced by increasingly sophisticated threats, organizations are realizing the benefits of automation in their cybersecurity programs.

Automation, artificial intelligence (AI), and machine learning (ML) are rapidly transforming nearly every industry, and cybersecurity is no exception. Automation in cybersecurity is growing so fast that analyst firm Gartner predicts that by 2021 a full 70% of enterprise organizations with a dedicated security operations center (SOC) will have security orchestration, automation, and response (SOAR) capabilities. That growth is remarkable given that less than 5% had these capabilities as recently as 2018.

Automation always raises concerns about people's livelihoods, but cybersecurity professionals shouldn't worry about automation making their jobs obsolete. On the contrary, automation, AI, and ML will bring tremendous benefits to SOCs, helping alleviate the growing global cybersecurity skills shortage and enabling the industry to improve threat-hunting capabilities and response times.

Cybercriminals Are Already Using Automation
The challenge today is that our adversaries have widely embraced automation. Hackers have realized that they don't just need scale, they need speed — and automation lets them launch sophisticated, fully automated attacks that spread malcode fast. Using automation, cybercriminals can quickly and easily spread malware strains that hide within an organization's network, looking for vulnerabilities and automatically executing commands when they find them. Cybercriminals even use automation to make their spear-phishing campaigns more convincing, leveraging AI algorithms to impersonate targeted individuals in email conversations and tricking their co-workers into disclosing sensitive information.

Fortunately, AI is also helping those of us on the right side of the law to automate our responses and improve our defenses. Here are two examples:

Automating and Augmenting Time-Consuming Security Tasks
As Internet of Things-connected devices proliferate throughout enterprises and the attack surface grows, the volume of data that SOC analysts must search through when threat hunting has grown exponentially. Simultaneously, attackers are employing more sophisticated obfuscation techniques, making our work more challenging and time-consuming. All this is occurring at the same time the industry is facing unprecedented shortages of skilled cybersecurity professionals, with nearly 3 million unfilled cybersecurity positions around the globe.

With automation, under-resourced SOCs can more quickly analyze vast data sets to look for patterns and anomalies that may indicate a breach, triage and prioritize alerts, and automate response measures. Automating the more minute, time-consuming tasks that are heavy in data analysis enables SOC analysts to spend their time on the more meaningful activities that require higher-level thinking and decision-making. Whereas AI identifies the anomaly, SOC analysts use their experience and creative-thinking skills to understand the meaning of the threat — asking important questions such as whether we've seen this threat actor before or if this is a likely type of attack in this industry. Following these types of investigative threads enables a SOC analyst to get better results, often allowing us to identify and quickly contain zero-days or close vulnerabilities before nefarious attackers identify them.

Delivering Greater Flexibility and Faster Response Times
In addition to enhancing threat hunting, automation enables us to speed our response and remediation time while also providing SOC analysts greater flexibility in terms of how they respond.

Traditionally, without automation, once a SOC analyst identifies a threat, he or she must perform a time-consuming series of actions involving numerous technology platforms and devices in order to stop, contain, and remediate that threat. For example, he or she may need to make manual updates to block the threat at the firewall, as well as add the bad URL to the web security gateway product, not to mention killing the process on each infected endpoint, potentially needing to remove file systems on infected laptops, etc.

Each of these actions involves a different technology platform or system, so the SOC analyst may need to enlist the help of two or three other members of the cybersecurity team who have knowledge of each of those platforms. On top of that, change tickets must be annotated and pushed up the chain of command through multiple layers of reviews and approvals. In that way, something that should be fairly straightforward can become time-consuming and complex. As a result, a single event can often take several hours or even a full day to contain and remediate.

With automated orchestration tools, when SOC analysts are alerted to a threat, they can take action no matter where they're located and can respond much faster. Imagine being away from the office and receiving an alert on your smartphone that a threat has been identified. With the tap of a button, you can automatically begin an entire series of decisions, approvals, and actions to stop, block, contain, and remediate the threat. The automated solution can communicate with all the different platforms and systems in the organization, making the necessary changes on each to fix the issue. It can automatically create and submit change requests through the appropriate review and approval processes, automatically updating change logs for compliance purposes. The entire process is completed much more quickly and can be done from anywhere, making the SOC analyst's life easier while better protecting the organization's environment.
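As an added illustration of the orchestration flow described above (not code from the article or from any SOAR product), here is a minimal Python playbook runner: each step is an adapter call against one platform, disruptive steps are gated behind an approval hook, and every step, whether done, denied, or failed, lands in a change log. The platform adapters, the alert values, and the hostnames are constructed stand-ins, not real APIs or real indicators.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

# Constructed sample alert with placeholder values; not taken from any real incident.
SAMPLE_ALERT = {"id": "ALERT-0001", "src_ip": "203.0.113.45", "process": "updater.exe",
                "url": "http://malicious.example/payload", "hosts": ["laptop-17", "laptop-22"]}

class SimulatedPlatforms:
    """In-memory stand-ins for the firewall, web gateway and EDR APIs a SOAR tool would call."""
    def __init__(self):
        self.firewall_blocklist, self.gateway_blocklist, self.killed = set(), set(), []
    def block_ip(self, alert):
        self.firewall_blocklist.add(alert["src_ip"]); return f"blocked {alert['src_ip']}"
    def block_url(self, alert):
        self.gateway_blocklist.add(alert["url"]); return f"blocklisted {alert['url']}"
    def kill_process(self, alert):
        self.killed += [(h, alert["process"]) for h in alert["hosts"]]
        return f"killed {alert['process']} on {len(alert['hosts'])} hosts"

# A step is (name, platform, action, needs_approval); disruptive steps pass the change-control gate.
Step = Tuple[str, str, Callable[[dict], str], bool]

@dataclass
class Playbook:
    steps: List[Step]
    approver: Callable[[str, dict], bool]  # human or policy approval hook, called per gated step
    change_log: List[Dict] = field(default_factory=list)  # compliance record of every step

    def run(self, alert: dict) -> bool:
        # Run steps in order; halt at the first denial or failure so nothing is half-applied silently.
        for name, platform, action, needs_approval in self.steps:
            entry = {"ts": datetime.now(timezone.utc).isoformat(), "alert": alert["id"],
                     "platform": platform, "step": name}
            if needs_approval and not self.approver(name, alert):
                entry["status"] = "denied"
            else:
                try:
                    entry["result"], entry["status"] = action(alert), "done"
                except Exception as exc:  # adapter error: record it and stop
                    entry["status"], entry["error"] = "failed", str(exc)
            self.change_log.append(entry)
            if entry["status"] != "done":
                return False
        return True

def build_playbook(platforms: SimulatedPlatforms, approver) -> Playbook:
    return Playbook([("block source IP", "firewall", platforms.block_ip, False),
                     ("blocklist URL", "web-gateway", platforms.block_url, False),
                     ("kill process on hosts", "edr", platforms.kill_process, True)], approver)
```

The change log is what an auditor later reads, so a denied or failed step is recorded just like a completed one; a real deployment would also need rollback for steps already applied when a later one fails.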

With the increasing sophistication of threats and ever-growing attack surface, organizations of all sizes are realizing the benefits of automation in their cybersecurity programs. However they go about it, cybersecurity professionals must embrace automation, AI, and ML soon. These technologies won't replace the need for SOC analysts, but they will ease the workload and maximize talent. By improving threat-hunting capabilities and speeding response times, automation is poised to revolutionize the cybersecurity industry, helping SOC analysts keep pace with the ever-evolving nature of tomorrow's threat landscape. 


Chris Schueler is Chief Executive Officer at Simeio Solutions where he drives the overall vision and strategy. He is a proven leader with extensive experience in go-to-market operations and product development in the managed security services space. He joined Simeio ...

9/23/2019 | 4:46:40 PM
Re: Geek squad support
Thanks @Geeksquad for the comment and feedback. I'm pretty passionate about this as I've spent nearly 20 years just in/with security operations and we have always struggled with load. Automation can appear on the outside as opposing forces to an analyst. Specifically, how automation is going to replace jobs, but in reality, it is going to allow people to grow and do higher level work which is NOT being done! I will be writing more on this soon.
Geek Squad
9/9/2019 | 2:18:10 AM
Geek squad support

Thanks for the informative article. This is one of the best resources I have found in quite some time. Nicely written and great info, I really thank you for sharing it.