Security automation means a more efficient SOC, improving the bottom line
The evolving threat landscape just gets more complex and brutal as time goes on. Targeted threats abound in the form of advanced persistent threat campaigns, cyberwarfare, distributed denial of service attacks, and spearphishing. Meanwhile, zero-day vulnerabilities and exploits continue to be frequent occurrences. It’s a hostile cyber world out there, and it’s easy for organizations and enterprises to get overwhelmed. What if there was a solution that could be deployed that could cut down on the tedium that SOC analysts deal with? The right security automation tool can reduce your cases by 80%.
Maintaining security operations is absolutely essential, as preventing incidents is a lot less expensive than responding to them. If you conduct operations manually, that expense is not only monetary in value but also wasted time.
Improving the efficiency of your Security Operations Center (SOC)
False positive alerts are one of the biggest, most expensive problems faced by security operations. According to a Ponemon Institute study, organizations spend an average of nearly 21,000 labor hours per year dealing with false positive and false negative alerts, wasting about $1.3 million per year on inaccurate intelligence. An organization typically receives about 17,000 security alerts per week; over 80 percent of those are false, and only four percent are actually investigated. That leaves security professionals with little time to keep up with attackers, who are constantly learning and testing new ideas, or to investigate legitimate instances of anomalous network activity and suspicious authentication attempts.
[Infographic: 17,000 alerts per week; 80% false alerts; 4% of alerts investigated]
The situation is made worse by a lack of efficient metrics for tracking SOC performance. As noted in a recent blog post, the SANS Institute found in its 2018 Security Operations Survey that just slightly over half of SOCs provide metrics that are useful for tracking the status and efficacy of their performance. The most useful metrics, such as mean time to detect (MTTD) and mean time to respond (MTTR), are complex enough to measure that they often limit SOCs’ ability to request the further funding needed to improve performance against those very metrics, creating a catch-22. That challenge doesn’t even account for the inefficiency involved in blending dozens of security tools into a coherent, well-functioning ecosystem.
Good logging, effective IDS, and a properly configured SIEM with well-designed correlation rules can go a long way to decrease the volume of false positives. But you can reduce the distraction of false positives even further, thereby saving money, maximizing productivity, and allowing your analysts to spend more effort on what absolutely requires analysis from a human being.
Maximize your security analyst investment
The key is to implement more widely integrated and effective security automation. The right security automation platform reduces the amount of time and effort human security professionals have to spend engaging in tedious tasks. It also consists of an open and flexible architecture that allows for third-party integrations across an existing security infrastructure. With such a platform in place, infosec personnel can then commit more time to activities that require their specialized experience, training, and know-how. And it’s not just time and money that get wasted when humans do too much of the work that can more effectively be done with AI. Unlike machines, people get burned out. Overwork and stress can’t always be easily measured, but they’ll have a cumulatively disastrous effect on the efficiency of your SOC or MSSP.
According to Indeed, the average annual salary for a SOC analyst in the United States is $83,910. That’s not specifically for a market where cybersecurity professionals are paid more, such as the San Francisco Bay Area, Seattle, or New York City. That’s an average for all of the United States. Also, that doesn’t include benefits, including expensive private health insurance. Plus, no one is at peak efficiency when they start a job, because there’s always a learning curve: every role at every company is unique. It usually takes a few months in a role for a new employee to become really adept at their job. Why go through the extra expense and hassle of hiring additional analysts when the right SOAR solution can make the analysts you already have able to do a lot more? This is just one of many ways that security automation can not only improve your organization’s overall cybersecurity, but also start saving you money right away.
Use security automation to analyze cybersecurity alerts
Security automation can be integrated with your SIEM and intrusion detection systems. When a possible threat is detected, instead of immediately being sent to a security professional in the form of an alert, AI analyzes it first and determines whether a SOC analyst needs to compare it against existing threat intel to figure out what they’re looking at and how important it is.
Advanced AI can analyze threat alerts with remarkable accuracy, and machine learning can make the whole security automation system smarter as the cyber threat landscape evolves. As that landscape diversifies, the impact of AI or machine learning will differ according to factors specific to your organization, so there’s no one-size-fits-all approach. Good security automation fits your particular computer networks to a “T” through the power of well-designed playbooks for countless activities, needs, and functions.
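The triage flow described above, as an added example that is not part of the original post or of Siemplify’s product: a minimal playbook over constructed SIEM alerts (IPs from RFC 5737 test ranges; the threat-intel and scanner lists are assumptions) that suppresses a known-benign source, merges duplicate alerts into cases, enriches each case against threat intel, and reports the resulting case reduction.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference data (RFC 5737 test addresses, not real indicators).
THREAT_INTEL_IPS = {"203.0.113.45"}   # assumed: IP flagged by a threat-intel feed
KNOWN_SCANNER_IPS = {"198.51.100.7"}  # assumed: the organisation's own vulnerability scanner

@dataclass
class Alert:
    alert_id: str
    rule: str        # SIEM/IDS correlation rule that fired
    src_ip: str
    ts: datetime

@dataclass
class Case:
    rule: str
    src_ip: str
    alert_ids: list
    priority: str    # "high" escalates to an analyst, "low" waits in the review queue
    last_seen: datetime

def triage(alerts, dedup_window=timedelta(minutes=10), burst_threshold=5):
    """Playbook: suppress known-benign sources, merge duplicates into cases,
    enrich with threat intel, assign a priority, and summarise the reduction."""
    cases, suppressed = [], 0
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.src_ip in KNOWN_SCANNER_IPS:
            suppressed += 1      # auto-closed as a known false positive
            continue
        # Merge into an open case with the same rule and source inside the window.
        match = next((c for c in cases if c.rule == a.rule and c.src_ip == a.src_ip
                      and a.ts - c.last_seen <= dedup_window), None)
        if match:
            match.alert_ids.append(a.alert_id)
            match.last_seen = a.ts
        else:
            cases.append(Case(a.rule, a.src_ip, [a.alert_id], "low", a.ts))
    for c in cases:
        # Enrichment: an IOC hit or a burst of repeated alerts needs a human look.
        if c.src_ip in THREAT_INTEL_IPS or len(c.alert_ids) >= burst_threshold:
            c.priority = "high"
    total = len(alerts)
    summary = {"alerts": total, "suppressed": suppressed, "cases": len(cases),
               "escalated": sum(c.priority == "high" for c in cases),
               "reduction_pct": round(100 * (1 - len(cases) / total)) if total else 0}
    return cases, summary

# Constructed sample: scanner noise, a brute-force burst, one IOC hit, one stray login.
T0 = datetime(2018, 11, 1, 9, 0)
SAMPLE_ALERTS = (
    [Alert(f"scan-{i}", "port-scan", "198.51.100.7", T0 + timedelta(minutes=i)) for i in range(4)]
    + [Alert(f"auth-{i}", "failed-login", "192.0.2.10", T0 + timedelta(minutes=i)) for i in range(6)]
    + [Alert("c2-1", "outbound-dns", "203.0.113.45", T0 + timedelta(minutes=30)),
       Alert("auth-late", "failed-login", "192.0.2.10", T0 + timedelta(hours=2))]
)
```

Running `triage(SAMPLE_ALERTS)` turns 12 raw alerts into 3 cases, 2 of them escalated; the percentages on this page come from real deployments, whereas this sample only illustrates the mechanism.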
Invest your SOC Analysts in the right places
Good security automation yields impressive returns. With it, Siemplify has found your SOC can enjoy a 300% increase in caseload capacity. That’s done not by hiring more staff but by increasing SOC analyst productivity through standardized playbooks and workflows and automation of tedious tasks.
When SOC analysts spend less time triaging individual alerts and more time on the matters that truly require their attention, your SOC can enjoy an 80% case reduction. Even incident response can become much quicker, more effective, and more responsive. Good security automation drives down the mean time of responding to possible incidents, resulting in an approximately 70% reduction in MTTR. Your organization not only saves time and money; it also is more likely to deal with the security alerts and incidents that matter.
SOAR (security orchestration, automation, and response) works with SIEM (security information and event management) like peanut butter does with jelly. As cyber threats evolve beyond 2018, good SOAR will become an absolute must, allowing SOCs to become a lot more efficient and effective. MSSPs monitor the security of many different clients simultaneously, so for them the benefits of SOAR are both exponential and cumulative.
To learn more about security operations challenges, read the key takeaways from the 2018 SANS survey here. Then, find out how Siemplify SOAR can improve your security operations and enable your SOC to apply automation to your existing security tools.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of it as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.