How to Use SOC Automation Tools for Powering Modern Security Operations.
Most Security Operations Centers (SOCs) struggle with a deluge of alerts, high false-positive rates, and keeping analysts productive. Some SOCs try to handle thousands of alerts per day. An analyst is expected to investigate each of these alerts quickly, complete the investigation, and recommend response actions.
As you can imagine, this is tedious when done manually, and SOCs already struggle to find analysts with the right skill set. A SOAR platform or SOC automation tool such as Securaa lets you automate the daily response routine: each alert is investigated automatically and the response actions are carried out automatically. Here is a suggested approach to SOC automation:
1. Review the SIEM use case library: Every existing use case in your SIEM should be reviewed. This means you know the purpose of each use case, the conditions it detects, and its response plan. Mapping SIEM use cases to MITRE's ATT&CK framework is a good approach. For example, insider threat detection can be a use case; it may apply to many systems and cover several possible threat scenarios, so a single use case can comprise multiple rules or pieces of detection logic. The response plan for each incident category should be fully documented and approved by cyber security and the other relevant stakeholders in the organization. Creating a standardized response plan for each use case takes time and is typically done as part of the SIEM/SOC maturity process. You may also want to define a different SLA for each incident category. Please refer to www.mitre.org for more details on possible use cases and detection logic.
2. Create playbooks: For each incident category, define a playbook that automates the tasks in its response plan. A playbook can be fully automated (every task is automated), semi-automated (some tasks are automated while others are manual), or manual (every task is performed by an analyst). Which one applies depends entirely on the use case. Use cases that require input from an external party, such as data from the legal team, are most often manual.
3. Map SIEM use cases to SOAR incident categories: Each detection alert from the SIEM, UEBA, or similar technology must map to an incident category defined in the SOAR platform. Automation can then be applied to the tasks in each category of action, such as enrichment, escalation, or mitigation.
4. Track the tasks and playbooks that the SOAR tool runs most often.
5. Also track SOC KPIs such as Mean Time to Acknowledge (MTTA), Mean Time to Respond (MTTR), and Mean Time to Detect (MTTD). You should see them improve as you automate more of the use cases.
The goal of this approach is to reach complete automation over time, as the SOC team gets used to the tool. It is recommended to start with the use cases the SIEM reports most often; you can get that list from your SIEM's reporting function.
Some security functions may not yet have a well-defined set of SIEM use cases. If that is the case, the first priority should be to define them properly. Remember, SOAR's function is to automate security response by orchestrating various third-party technologies. If your use cases are not clearly defined in the SIEM, SOC automation will not be effective at all.
Let's look at how Securaa applies this approach to SOC automation.
1) Create Playbooks
Securaa's easy-to-use drag-and-drop interface allows analysts to turn response plans into playbooks. The analyst drags individual tasks from the integrations onto the canvas and sets the conditions between them. A sample is shown below.
2) Map SIEM Use Cases to SOAR Incident Categories
Securaa allows you to create custom incident categories and assign an SLA to each one. This means that for a given category of alert, the analyst is expected to resolve it within a set time. For example, a DDoS attack on an internet-facing business application should be resolved much faster than a password reset for a vendor account.
The next step is to map each incident category to a particular playbook. For this, analysts can create pre-processing rules in Securaa. The following example shows a simple rule that checks for the string "Brute Force" in the incoming alert/case and runs a specific playbook.
3) Track the Most Common Tasks and Playbooks
Securaa provides a native dashboard listing this data, as shown below.
4) Track SOC KPIs
Securaa provides various KPIs (Key Performance Indicators) for security operations and tracks whether each KPI is improving or deteriorating. This gives cyber security leadership a good basis for checking maturity and tracking ROI.
Please remember that SOAR's main function is to automate your existing, well-defined manual procedures. If there are no procedures in place, focus on building them first.
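To make the mapping, SLA and KPI steps concrete, here is an added example in plain Python. It is not Securaa code and does not use the Securaa API or any real SIEM; it models the pre-processing rule from step 2 (a string match on "Brute Force" that selects a playbook), per-category SLAs, playbooks whose tasks are flagged as automated or manual, and MTTA/MTTR computed from case timestamps. Every category, SLA value, playbook task and alert below is constructed for illustration.

```python
"""Toy SOAR triage pipeline (added example, not Securaa code).

Pre-processing rules -> incident category (with SLA) -> playbook whose tasks
are flagged automated/manual, plus MTTA/MTTR over the handled cases.
All categories, SLAs, tasks and alerts are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IncidentCategory:
    name: str
    sla: timedelta      # time allowed from alert creation to resolution
    playbook: str       # playbook to run for this category


# Hypothetical categories; DDoS gets the tightest SLA, as the text suggests.
CATEGORIES: Dict[str, IncidentCategory] = {
    "DDoS": IncidentCategory("DDoS", timedelta(minutes=30), "ddos_mitigation"),
    "Brute Force": IncidentCategory("Brute Force", timedelta(hours=4), "brute_force_response"),
    "Password Reset": IncidentCategory("Password Reset", timedelta(hours=24), "vendor_password_reset"),
}

# Pre-processing rules: (case-insensitive regex over alert text, category).
# First match wins, so the most specific patterns go first.
RULES: List[Tuple[str, str]] = [
    (r"brute\s*force", "Brute Force"),
    (r"\bddos\b|volumetric", "DDoS"),
    (r"password\s+reset", "Password Reset"),
]

# Playbook tasks: (description, automated?). All True = fully automated,
# a mix = semi-automated, all False = manual.
PLAYBOOKS: Dict[str, List[Tuple[str, bool]]] = {
    "brute_force_response": [
        ("enrich: geolocate and reputation-check source IP", True),
        ("enrich: look up target account in IAM", True),
        ("mitigate: block source IP on perimeter firewall", True),
        ("escalate: confirm with account owner", False),
    ],
    "ddos_mitigation": [
        ("enrich: pull traffic stats from CDN/WAF", True),
        ("mitigate: enable upstream scrubbing", True),
        ("escalate: page on-call network engineer", True),
    ],
    "vendor_password_reset": [
        ("enrich: verify requester against vendor contract records", False),
        ("mitigate: reset password and notify vendor", False),
    ],
}


def classify(alert: dict) -> Optional[IncidentCategory]:
    """Apply the pre-processing rules to alert name/description; None = no match."""
    text = f"{alert.get('name', '')} {alert.get('description', '')}"
    for pattern, category in RULES:
        if re.search(pattern, text, re.IGNORECASE):
            return CATEGORIES[category]
    return None


def triage(alert: dict) -> dict:
    """Pick category and playbook; split the playbook's tasks into automated vs manual."""
    cat = classify(alert)
    if cat is None:
        # Unmatched alerts go to the analyst queue rather than being dropped silently.
        return {"id": alert["id"], "category": None, "playbook": None,
                "automated": [], "manual": ["analyst triage: no matching rule"]}
    tasks = PLAYBOOKS[cat.playbook]
    return {"id": alert["id"], "category": cat.name, "playbook": cat.playbook,
            "automated": [t for t, auto in tasks if auto],
            "manual": [t for t, auto in tasks if not auto]}


def sla_breached(alert: dict) -> Optional[bool]:
    """True if resolution exceeded the category SLA; None if unmatched or unresolved."""
    cat = classify(alert)
    if cat is None or not alert.get("resolved"):
        return None
    taken = datetime.fromisoformat(alert["resolved"]) - datetime.fromisoformat(alert["created"])
    return taken > cat.sla


def kpis(alerts: List[dict]) -> Dict[str, Optional[float]]:
    """MTTA and MTTR in minutes. MTTD needs the time the activity actually began,
    which the alert alone does not carry, so it is not computed here."""
    def mean_minutes(field: str) -> Optional[float]:
        deltas = [datetime.fromisoformat(a[field]) - datetime.fromisoformat(a["created"])
                  for a in alerts if a.get(field)]
        if not deltas:
            return None
        return sum(deltas, timedelta()).total_seconds() / 60 / len(deltas)
    return {"mtta_minutes": mean_minutes("acknowledged"), "mttr_minutes": mean_minutes("resolved")}


# Constructed sample alerts, shaped loosely like what a SIEM would forward.
SAMPLE_ALERTS = [
    {"id": 1, "name": "SSH Brute Force from 203.0.113.7", "description": "42 failed logins in 2 min",
     "created": "2024-01-10T10:00:00", "acknowledged": "2024-01-10T10:05:00", "resolved": "2024-01-10T10:40:00"},
    {"id": 2, "name": "Volumetric DDoS against customer portal", "description": "",
     "created": "2024-01-10T11:00:00", "acknowledged": "2024-01-10T11:02:00", "resolved": "2024-01-10T11:50:00"},
    {"id": 3, "name": "Vendor password reset request", "description": "account acme-svc",
     "created": "2024-01-10T12:00:00", "acknowledged": "2024-01-10T12:30:00", "resolved": "2024-01-10T13:00:00"},
    {"id": 4, "name": "Unusual process tree on HR-LAPTOP-12", "description": "",
     "created": "2024-01-10T13:00:00", "acknowledged": None, "resolved": None},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(triage(a), "sla_breached:", sla_breached(a))
    print(kpis(SAMPLE_ALERTS))
```

The point of the rule order and the explicit "no matching rule" branch is the caveat from the text: a SOAR only automates what is already well defined, so an alert that matches no pre-processing rule must surface to an analyst instead of vanishing, and a rule such as a bare substring match on "Brute Force" should be tested against the real alert names your SIEM emits before it is trusted to route cases.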
Please reach out to firstname.lastname@example.org for any questions.