Welcome to…

Welcome to the SOCAutomator’s blog. Mike and I are here to talk about the importance of automation in incident response. We’ll talk about the theory of automation as well as practical examples of how you can apply automation to your environment.

Your first question might be “Why should I automate?” There are many answers to that question.

  1. It will improve your operational efficiency. Automation reduces the time it takes to respond to threats (TTR). And as we know, speed is one of the most important factors in containing an attack.
  2. It will make your SOC better. Automation doesn’t get tired. It doesn’t think “Oh, I’ve seen this before. I know what to do.” Automation applies the same rules and logic every time – at 2 p.m. on a Tuesday or 2 a.m. on Saturday.
  3. You will be able to automate tasks the analyst should perform during the investigation process, such as correlating related events and metrics from other security tools and annotating the incident by creating a ticket populated with the relevant data.
  4. Automation can programmatically assess risk and surface the high-priority incidents so that response is prioritized correctly.

Your second question might be “Won’t I automate myself out of a job?”

  1. No. Automation reduces the time you spend on manual tasks, which frees you to focus on higher-value activities.
  2. It can help scale your team. We’re all doing more work with fewer people these days. Automation can work in your favor in fighting alert fatigue.

Another concern we hear is “What if I automate the wrong thing and get in trouble? Like what if I disable my CEO’s account and it’s a false alert?”

  1. Let’s be honest. That is a possibility, but you must weigh the risk of being wrong against the cost of waiting until you are sure. Would you rather let a bad actor loose in your environment for however long it takes you to confirm the incident? You must ask yourself “How risk averse am I?”
  2. To limit the chance of that happening, start with already-known threats that you are confident automating. For example, our Password Spray detection has a 98% chance of being a true alert. That might be one you feel comfortable automating.
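To make the risk weighing in points 1 and 2 concrete, here is an added example (not code from the SOCAutomator blog) of a routing policy that only auto-contains an account when the detection’s historical true-positive rate clears a threshold, the expected cost of a wrong action is lower than the expected cost of waiting, and the account is not on a protected list (the CEO case). The true-positive rates, cost figures and account names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Detection:
    name: str
    true_positive_rate: float  # historical precision of this rule (0.0 - 1.0)


@dataclass
class Alert:
    detection: Detection
    account: str
    protected: bool  # VIP / break-glass accounts always go to a human


def expected_cost_of_automating(tpr: float, cost_wrong_action: float) -> float:
    # A false alert costs us the disruption of a wrong containment action.
    return (1.0 - tpr) * cost_wrong_action


def expected_cost_of_waiting(tpr: float, dwell_cost_per_hour: float,
                             hours_to_confirm: float) -> float:
    # A true alert costs us attacker dwell time while an analyst confirms it.
    return tpr * dwell_cost_per_hour * hours_to_confirm


def route(alert: Alert, min_tpr: float = 0.9, cost_wrong_action: float = 2000.0,
          dwell_cost_per_hour: float = 5000.0, hours_to_confirm: float = 4.0) -> str:
    """Return 'auto_contain' or 'ticket' (enrich, annotate, hand to an analyst)."""
    tpr = alert.detection.true_positive_rate
    if alert.protected:
        return "ticket"  # never auto-disable protected accounts, however confident
    if tpr < min_tpr:
        return "ticket"  # detection not yet trusted enough to act on unattended
    auto = expected_cost_of_automating(tpr, cost_wrong_action)
    wait = expected_cost_of_waiting(tpr, dwell_cost_per_hour, hours_to_confirm)
    return "auto_contain" if auto <= wait else "ticket"


# Constructed sample alerts: a trusted rule, a noisy rule, and a protected account.
PASSWORD_SPRAY = Detection("password_spray", 0.98)
NEW_LOGIN_COUNTRY = Detection("new_login_country", 0.60)

ALERTS = [
    Alert(PASSWORD_SPRAY, "jdoe", protected=False),
    Alert(NEW_LOGIN_COUNTRY, "jdoe", protected=False),
    Alert(PASSWORD_SPRAY, "ceo", protected=True),
]

if __name__ == "__main__":
    for a in ALERTS:
        print(a.detection.name, a.account, "->", route(a))
```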

We hope you’ll join us on this journey. Please let us know what questions or concerns you have about automation. We want this to be a place where we can all learn from each other.