One of the themes we discuss often on this blog is that, to keep pace with the speed and volume of security alerts organizations receive today, they must begin automating some portion of their more repetitive processes. We have also stressed that automated security operations improve overall efficiency for security operations centers (SOCs) by freeing up time for Tier 2 and Tier 3 analysts to focus on hunting for complex attacks and creating new processes for resolving them.
The next logical question is: What processes should SOCs automate? No “one size fits all” answer exists; each organization must closely examine its own operations to determine which would save the most time if automated. There are, however, several repetitive, low-complexity tasks that almost all SOCs would benefit from turning over to an automation tool:
- False positive identification: The Ponemon Institute recently surveyed 630 IT security professionals and found that organizations waste a staggering 395 hours per week on average investigating false positives. The same study found that only 41 percent of organizations utilize automation tools that identify true threats; those that do leverage automated security operations estimated that, on average, 60 percent of malware containment can be handled without human intervention. Those numbers send an abundantly clear message—false positives are an enormous time drain and automation is an effective way to recover that time.
- Ticket generation: Copying and pasting information from support emails or detection tools—something many organizations still ask senior staffers to do—is simply not a good use of time. Rather, those experts should be spending their days developing new threat mitigation techniques or training junior team members to become significant contributors in the SOC. Ticket generation is perhaps the best example of a simple, repetitive task. As such, it is a natural choice for automation.
- Report generation: Monitoring key metrics is crucial for CISOs and CIOs looking to improve staff productivity and closely monitor overall efficiency in their SOC. Converting those metrics into reports and dashboard displays that convey the information clearly is also critically important—particularly when the C-suite requests a security update or evidence to justify a technology investment. Reporting is an important SOC function that should never be pushed to the back burner—but the process of distilling metrics into clear summaries doesn’t have to be completed manually, either.
Do you think your SOC could benefit from automated security operations and want to see the technology in action? Let’s get started!