Whether your security team consists of a pair of IT managers sharing a corner office or a distributed Security Operations Center (SOC) spanning the globe, efficiency is the key to a successful threat detection and response program. SOC automation—the process of automating and optimizing your security programs—is the ultimate efficiency.
The best solution to industry-wide struggles with threat detection and response is to increase efficiency using Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms.
Not only does SOC automation improve your security posture, it improves the job of a security analyst. It enables security analysts to achieve more, in less time, while still allowing for human decision-making when it’s most critical. Rather than relying on point-to-point integrations for your technology stack, SOC automation empowers you to build out your various processes and connects you with the right people and technology to achieve your security goals. SOC automation is a thoroughly comprehensive solution that offers a reprieve from the pain points that plague modern security teams.
For example, the IT ecosystem that security professionals must monitor and respond to grows more complex and sophisticated each day. Today’s security teams are monitoring hundreds of applications, multiple clouds, on-premises assets, and remote endpoints. That’s a lot of data. And with more data comes more alerts. Analysts are drowning in unmanageable, often false-positive, alerts. DarkReading has found that 40% of organizations can’t act on at least a quarter of their security alerts.
And for most organizations, the solution isn’t as simple as hiring another analyst; just look at the 3.5 million unfilled cybersecurity positions around the world. The cyber world is a buyer’s market, and that’s not changing anytime soon. So it’s no surprise that investigations are taking way too long. A recent Ponemon study found that it takes 206 days on average to identify a data breach post-attack and another 73 days to remediate the incident. While attacks happen in minutes, a typical response will take your team months.
In short, security teams are under-resourced and over-leveraged, while threats continue to grow exponentially and become more sophisticated every day. With a SOAR platform you are more easily able to learn from the idiosyncrasies of your organization’s environment, continuously amassing knowledge about how to best detect and respond to future cyber threats.
More and more security teams are leveraging automation solutions to eliminate redundant and manual processes, expedite response, and accelerate operations. Gartner predicted in 2019 that by year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations (up from less than 5% today). In 2020 they fleshed out this forecast, predicting that such an appetite will result in the overall SOAR market hitting $550 million USD by 2023—a compound annual growth rate of 14.9%.
This may have something to do with the ROI of automation—which is significant. Rapid7 has found that automation, when compared to manual processes, can reduce the time and cost of security analysis and response by 83%. This number might shift based on a specific organization’s needs, but that calculation illustrates how a SOC can offload a good chunk of its workload, enabling analysts to be much more efficient and freeing them up to do what they are actually paid for.
Security teams can automate tasks as simple as looking up an internal hostname or IP address, just to assign it a name or other classification. Alternatively, teams who are farther along their automation journey can orchestrate massively complex workflows, involving multiple teams and decision points. In between, most teams find it helpful to focus on automating, integrating, and simplifying the tasks, tools, and processes they use every day. Below, you can find some workflows that can help you get up and running with automation, as well as examples of some more complex use cases that you might consider when your security team has established itself as automation aficionados.
Today’s security teams are receiving an average of 12,000 security alerts per day. Bouncing between tools when SIEM alerts roll in every day is mind-numbing work that disguises the value of Tier 1 cyber analysts. Orchestration and automation solutions can help you accelerate detection by enriching the quality of the security alerts you receive and automatically weeding out many false positives.
Automatically enrich your security alerts with important information, such as geo-IP lookups, domain analysis, malware detonation, and more. Orchestrate your favorite threat intelligence platforms, or use a variety of free and open source tools to ensure your team is equipped with the context they need to take action. This will give your team more time and greater context to tackle actual threats.
Key outcomes of alert enrichment include:
Technologies: WHOIS, VirusTotal, Recorded Future, Anomali, Cisco Umbrella, Team Cymru, ThreatQuotient
Existing Workflows: OSINT & Recorded Future
When it comes to KPIs, time is paramount. Teams are always striving to reduce the time between security alert generation and resolution toward zero. A distributed alerting strategy avoids alert fatigue and staffing issues in the SOC by delivering each alert directly to the Slack account of the person whose activity generated it. Augmented with a multi-factor authentication (MFA) check, analysts spend less time dealing with multiple alerts and more time triaging true positives, thanks to a better signal-to-noise ratio.
Distributed alerting streamlines business operations, resulting in more collaboration and efficiency. For example, you can trigger actions to push alerts, incident notifications, comments, and other data to solutions like JIRA or Slack. Automation can also deliver alerts that come in from your security tools straight into your chat applications, as well as delegate tasks back to other connected tools. Such integrations allow your team to maintain maximum uptime without having to be physically present in the SOC to keep your organization safe. In short, distributed alerting allows you to:
Technologies: MS Teams, Slack, Jira, SNOW, PagerDuty, SMTP, Duo Auth, Okta Auth
Existing Workflows: Malicious Hash Remediation with CB Response, Suspicious User Login with IDR and Slack Chatops
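The alert enrichment and distributed alerting workflows described above, as an added Python example that is not part of the original post or of any Rapid7 product: a raw SIEM alert is enriched from lookup tables, known false positives are suppressed, and the result is routed either to the asset owner's chat handle or to the SOC queue. The lookup tables, alert fields, scores and owners are all constructed for the example; a real workflow would query WHOIS, VirusTotal or a geo-IP service instead.

```python
"""Alert enrichment plus distributed alerting, as a SOAR-style pipeline."""

# Constructed lookup tables standing in for the geo-IP, hash-reputation and
# asset-inventory sources a real workflow would query; every value is made up.
HOME_COUNTRY = "US"
GEOIP = {"203.0.113.45": "RU", "198.51.100.7": "US"}
HASH_REPUTATION = {"deadbeef0001": "malicious", "cafef00d0002": "clean"}
ASSET_OWNERS = {"ws-1042": "@alice", "srv-db-01": "@bob"}
AUTHORIZED_SCANNERS = {"198.51.100.7"}  # internal scanner that trips port-scan rules

def enrich(alert: dict) -> dict:
    """Attach geo, hash-reputation and asset-owner context to a raw SIEM alert."""
    out = dict(alert)
    out["geo"] = GEOIP.get(alert["src_ip"], "unknown")
    out["hash_verdict"] = HASH_REPUTATION.get(alert.get("file_hash", ""), "unknown")
    out["owner"] = ASSET_OWNERS.get(alert["asset"])
    return out

def triage(alert: dict) -> dict:
    """Score an enriched alert and route it: suppress, ask the owner, or escalate."""
    # Known false-positive source: the authorized scanner firing a port-scan rule.
    if alert["type"] == "port_scan" and alert["src_ip"] in AUTHORIZED_SCANNERS:
        return {"action": "suppress", "reason": "authorized scanner", "score": 0}
    score = 0
    if alert["hash_verdict"] == "malicious":
        score += 70
    if alert["geo"] not in (HOME_COUNTRY, "unknown"):
        score += 20
    if alert["type"] == "suspicious_login":
        score += 30
    if score >= 70:  # high confidence: straight to the SOC queue
        return {"action": "escalate", "to": "#soc-queue", "score": score}
    if score >= 30 and alert["owner"]:  # distributed alerting: the asset owner confirms
        return {"action": "ask_owner", "to": alert["owner"], "score": score}
    return {"action": "log", "score": score}

# Constructed sample alerts, roughly what a SIEM would emit.
SAMPLE_ALERTS = [
    {"id": 1, "type": "port_scan", "src_ip": "198.51.100.7", "asset": "srv-db-01"},
    {"id": 2, "type": "suspicious_login", "src_ip": "203.0.113.45", "asset": "ws-1042"},
    {"id": 3, "type": "malware_hash", "src_ip": "10.0.0.5", "asset": "srv-db-01",
     "file_hash": "deadbeef0001"},
    {"id": 4, "type": "suspicious_login", "src_ip": "198.51.100.7", "asset": "ws-9999"},
]

def run(alerts: list) -> list:
    """Enrich and triage every alert, returning one routing decision per alert."""
    return [triage(enrich(a)) for a in alerts]
```

With the sample alerts, `run(SAMPLE_ALERTS)` suppresses the scanner's port scan, sends the foreign login on ws-1042 to @alice for confirmation, escalates the malicious hash to the SOC queue, and merely logs the unowned low-score login.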
Compromised user credentials are a common thread among security incidents and breaches—across both organizations and threat actors. User containment workflows help you disrupt the attacker’s kill chain by preventing them from using compromised user credentials for infiltration and lateral movement. Some highlights of such a use case include:
Technologies: Active Directory/LDAP, Azure AD, AWS IAM, Okta, Duo, Office 365
Existing Workflows: User Containment
Endpoint containment is a key strategy for endpoint threat detection and response. With automation, you can quickly quarantine a threat by disconnecting a vulnerable endpoint from your network—as soon as a critical alert is generated. Endpoint containment empowers your team to:
Technologies: Cylance, Symantec, CrowdStrike, SentinelOne, VMware, Carbon Black EDR, Trend Micro
Existing Workflows: Asset Quarantine and Blacklist Hash
Firewall technologies are essential to an organization’s security posture, but are often a pain to manipulate manually. Automatic configuration changes, as well as ChatOps workflows that allow teams to protect against threats without leaving Slack or Microsoft Teams, are a game-changer.
Firewall Containment can empower your security operations team to:
Technologies: Fortinet FortiGate, Palo Alto Panorama, Check Point NGFW, SonicWall, Cisco ASA [Coming Soon], Cisco Sourcefire [Coming Soon]
Existing Workflows: Firewall Blocks
Threat hunting is time consuming and demands a highly technical skill set that most organizations, for better or worse, have to consider a luxury. According to a recent SANS Institute study, only 31% of organizations have staff dedicated to hunting threats. But being proactive in this area can enable your analysts to better uncover and defend against complex advanced persistent threats (APTs)—which are almost guaranteed to succeed and can allow hackers to wreak widespread havoc. Automation lowers the barrier to threat hunting and bolsters your team’s ability to compete with today’s most capable adversaries.
Rapid7’s platforms allow you to:
Technologies: Splunk
Existing Workflows: Splunk App SSH Alert IP Enrichment
Security teams are bogged down by an overabundance of ransomware, viruses, spyware, and more. Automating the investigation and containment of malware gets the job done before it does significant damage to your network. Here are some key features of this workflow:
Technologies: VirusTotal, Hybrid Analysis, Cuckoo, Palo Alto Wildfire, VMRay, Cortex, JIRA
Effectively leveraging SIEM and SOAR solutions starts with understanding the day-to-day problems your team faces. Any SOC that can pinpoint the pain points in its established workflows—and is willing and able to address them—should consider an automation solution. Believe it or not, organizations of all sizes and from countless industries can see improvements to both their efficacy and efficiency with SOAR + SIEM. Over 8,500 customers rely on Rapid7’s platforms such as InsightConnect and InsightIDR to improve security outcomes and securely advance their organizations.
Not surprisingly, InsightConnect offers a growing library of over 300 integrations. We recognize Insight products are far from the only tools in your team’s tech stack, after all. The specific technologies your team relies on may be as diverse as our customer base. That’s why any and all of these can be swapped out or “daisy-chained” together based on your team’s needs—no coding required. That means many different needs can be met for many kinds of organizations, with relative ease. That’s a lot of upside.
Automation is a journey, not a destination. It’s important to remember that SOAR + SIEM require some customization and regular maintenance. They will make your job easier and your organization safer, but your team must have the will, bandwidth, and appetite to make some adjustments as well as regularly monitor a new framework.
Furthermore, every SOC has a unique set of needs and resources, as well as their own special risk tolerance. The learning curve that’s inherent to any SaaS could lead to some inconvenience, or even disruption. Kinks will be sorted out, insights will inspire new ideas, and easy wins will lead to more complex workflows. This is why it’s critical to establish an incremental plan for your team’s automation journey. Start small and win big!
Finally, as with any transition, your whole team needs to be all in on this adventure—all stakeholders should understand your goals, so that everyone can reap the rewards. It’s probably not difficult to illustrate to your team how certain processes could be more efficient, but if anyone needs more convincing, just remind them that Rapid7 is here for you. You won’t ever feel alone. Whether you need to sketch out your first workflow or sort out a complex challenge, we’re your partners on your automation journey.
Rapid7 offers two key solutions as part of its InsightCloud platform to support SOC automation:
The bottom line is that together, Rapid7’s SOAR and SIEM platforms improve visibility, reduce alert fatigue, automate containment, and improve investigation handling: a complete solution for the needs of a modern security operations team.
Hilltop Holdings, a mid-sized financial services holding company, is a great example of an automation success story. They subscribed to InsightIDR specifically for log collection, because they realized that user behavioral analytics was no longer just nice-to-have—it had become a requirement. They next signed on to InsightConnect to automate, for example, the phishing email triage process.
In a Q&A with Rapid7 from 2020, Hilltop’s Director of Security Operations, Andrew Edwards, remarked on the value that the combination of InsightConnect and InsightIDR holds. “In a space like security operations, it’s incredibly valuable to have that single pane of glass,” he shared. “You waste time trying to navigate multiple platforms in order to administer or respond to threats or gain insight into what’s going on within the environment. It reduces your time to respond, and it reduces your time to detect or contain. And all of those solutions integrate into each other so that you can see a more holistic view of what’s going on if you’re using a single platform.”
According to Edwards, Hilltop’s team has reduced the amount of time spent on phishing triage from 77 hours a week to 3 minutes! “The only time we spend is digesting the data that has come out of the reporting solution in order to make a determination on whether it’s malicious spam or legitimate,” he recalled, illustrating how his team’s expertise is not only still essential to Hilltop’s security, but put to much better use.
But Hilltop isn’t stopping there. “I would like to leverage InsightConnect in the future to integrate or bridge the gap in between our firewalls and our detection solution, or our monitoring solution, or our endpoint security solution, to be able to share threat intelligence and IoCs across multiple platforms,” remarked Edwards.
Hillwood Development is a commercial real estate firm that develops and acquires premier industrial properties across North America and Europe. They have used InsightConnect and InsightIDR to make their security operations more fluid, as part of a broader effort to achieve integration, automation, and orchestration.
Like Hilltop, Hillwood is very happy with the ability of Rapid7’s platforms to integrate and simplify diverse technologies. “InsightIDR does a great job of taking the logs from our other solutions to not only ingest them but alert on them or utilize the data for user behavior analytics,” Tony Hamil, a Senior Cybersecurity Engineer for Hillwood, explained in another blog post. “This has allowed us to use InsightIDR as our source of truth for alerts, data, and user activity so we can quickly figure out what’s going on. And now that InsightConnect integrates with InsightIDR, I can see whether a user has done lateral movement and can disable them or kick them off the network, giving us more capabilities on the same platform without the need to jump through multiple platforms.”
One of Hillwood’s greatest achievements with InsightConnect addresses one of their biggest challenges: user and asset management. “When employees join or leave our company, we needed to onboard and offboard them from an IT and security perspective,” Edwards indicated. With InsightConnect, that entire process has been automated at Hillwood; everything happens seamlessly.
“Our success is determined by if we lost any data, revenue, or reputation. If that hasn’t happened, I consider that a success,” concluded Edward. “And since we have Rapid7’s products, these issues are usually stopped or blocked before anything malicious happens."