Automation, while hardly a new topic in the security operations field, is certainly having its time in the spotlight right now. And why not? Conditions are ripe for it. Security teams across the globe are being tasked to do more and more with the same level of resources, threats are becoming more sophisticated, and there’s something universally attractive about infusing the concepts of DevOps and Agile with the way we run our security operations.
“How do we do exponentially more work with linearly more effort?” said John Hubbard, SANS Instructor and course author. Automation is an easy answer to that question but easier said than done when it comes to injecting automation into the SOC. While tools like SOAR platforms are part of implementing automation, the other critical component is the decision behind what should and shouldn’t be automated.
“A lot of that comes down to whether you really understand the inputs and outputs of the particular thing you’re automating. Because if it goes wrong, it’s also going to go wrong with equal efficiency and make a mess, like block things that shouldn’t be blocked,” John said, as an example.
And there’s a grey area, too, John added. On top of deciding what to automate, you also need to decide where human intervention adds value. Take phishing email detection, for example: if you’re automating the deletion of phishing emails from inboxes and the automation engine makes the wrong call, then you’re deleting the wrong emails. In cases like this, automation might be applied to the whole process of identifying phishing attempts, but then a human verifies that the proposed action is correct, clicks a button, and automation takes care of the rest. “There’s deciding, does a person need to make that call? Or can it just be scripted?” John said.
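The pattern John describes (automate identification end to end, but gate the irreversible step behind an analyst's click) sketched as a small playbook. This is an added example, not code from the article or from any SANS course; the scoring heuristic, field names and thresholds are constructed for illustration:

```python
from dataclasses import dataclass, field
from enum import Enum

class Action(Enum):
    TAG = "tag_suspicious"          # reversible: safe to automate end to end
    QUARANTINE = "quarantine"       # reversible: safe to automate end to end
    DELETE = "delete_from_inboxes"  # irreversible: a person must make this call

# Actions that "make a mess" if the verdict is wrong, so they wait for approval.
REQUIRES_HUMAN = {Action.DELETE}

@dataclass
class Verdict:
    message_id: str
    score: float
    proposed: Action

@dataclass
class PhishingPlaybook:
    executed: list = field(default_factory=list)  # (message_id, Action, actor)
    pending: dict = field(default_factory=dict)   # message_id -> Verdict awaiting a human

    def triage(self, msg: dict) -> Verdict:
        # Constructed scoring heuristic for the example, not a real detector.
        score = 0.0
        if msg["sender_domain"] not in msg["trusted_domains"]:
            score += 0.5
        if msg["has_credential_link"]:
            score += 0.3
        score += 0.1 * min(msg["user_reports"], 3)
        score = round(min(score, 1.0), 2)
        proposed = (Action.DELETE if score >= 0.9
                    else Action.QUARANTINE if score >= 0.5 else Action.TAG)
        return Verdict(msg["id"], score, proposed)

    def handle(self, msg: dict) -> Verdict:
        # Identification is fully automated; only the irreversible step is gated.
        verdict = self.triage(msg)
        if verdict.proposed in REQUIRES_HUMAN:
            self.pending[verdict.message_id] = verdict
        else:
            self.executed.append((verdict.message_id, verdict.proposed, "automation"))
        return verdict

    def decide(self, message_id: str, analyst: str, approve: bool) -> Action:
        # The analyst verifies the proposed action; automation does the rest.
        verdict = self.pending.pop(message_id)
        if not approve:  # wrong call caught: fall back to a reversible action
            verdict = Verdict(message_id, verdict.score, Action.QUARANTINE)
        self.executed.append((message_id, verdict.proposed, analyst))
        return verdict.proposed
```

The `executed` list records who triggered each action, which is the audit trail you need when measuring how often the automated verdict was overridden.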
There are best practices when it comes to automating security operations, but every organization will have a unique environment and edge conditions that change the name of the game. A hospital will have different priorities than a government agency, for example, John said, “but everyone is on board with automation.” If the cost of a SOAR platform is prohibitively expensive, perhaps the goal becomes learning how to do without one. The new SANS course SEC586: Blue Team Operations: Defensive PowerShell, authored by SANS Certified Instructor Josh Johnson, was created to teach how to automate everything from regular hardening and auditing tasks to advanced defenses, arming students with the skills they need to do things on their own, or extend the skills and tools they already have.
Doing more with less is not just about where we are going from here, but how we will get there. “And what’s the right thing to measure to make sure you’re actually making progress toward your goals?” John said. “Metrics can be a struggle for almost every security team.”
This is one of the themes you’ll hear about at the SANS virtual Blue Team Summit, taking place September 9-10, which, if you haven’t heard, has been opened up to the entire community for FREE. Of particular interest to those mulling over the intricacies of implementing automation in operations will be the Day 2 keynote from Anton Chuvakin, Head of Solution Strategy, Chronicle, Google Cloud: “Can we REALLY 10X the SOC?” Join 7,000+ blue teamers at the free Summit to find this out and more. Register here.