Security operations centers (SOCs) are responsible for identifying, responding to, and mitigating cyber threats, and automation can be a powerful tool to help SOCs improve their efficiency and effectiveness.
Most enterprises extent of automation stops with their SIEM and SOAR investments. Where this should be just the starting point of your automation efforts especially when you’re an MSSP or an MDR provider and your core business is cyber defense and security operations, then it is imperative to try and automate as much of the repetitive tasks as possible to help reduce the burden from your analysts and other SOC personnel and help scale your operations.
At LMNTRIX, this is an ongoing effort for us as we deliver services to a global audience at scale ranging from SMBs to multi-national enterprises, we are always looking for ways to scale our operations. The automation we developed is written mostly in python in the form of bots that are integrated with one of our processes or our homegrown XDR platform.
There are several ways that bots can be used to automate tasks in a security operations center (SOC). The following are some of the ways we rely on bots to automate and scale our SOC:
- Incident response: We use bots extensively to automate the triage of security incidents, such as analyzing log data, identifying and isolating compromised systems, and escalating incidents to the appropriate team members via one of our incident management queues. In the same vein, bots are also used for active threat containment with integration with Nextgen firewalls, cloud based web and email security vendors such Zscaler, Netskope, Cisco Umbrella, Microsoft O365 Exchange and Mimecast as well as cloud vendors such as the AWS Network Firewall. Some of these tasks can be done using SOAR technology, however our experience shows that most enterprises would be lucky if they can get 5 use cases out of their very expensive SOAR investments.
- Threat intelligence: We use bots extensively to collect, analyze, and disseminate threat intelligence from various sources, such as threat feeds, twitter and social media. You could replicate much of what we have done here by investing in one of many Threat Intelligence Platforms (TIPs)
- Vulnerability management: We use bots to automate tasks such as scanning for vulnerabilities, identifying and prioritizing assets that need patching, and even testing the patching of vulnerabilities. This is an internal security requirement that ensures we remain compliant and certified to SOC2, PCI DSS, and ISO27001 standards.
- Compliance: As mentioned earlier, we also use bots to automate compliance-related tasks such as monitoring for changes to regulatory requirements and identifying any non-compliant systems or configurations. There are 3rd party dedicated tools that can also do this for you that actively looks for host and network changes and report on deviations.
- Automating Reporting: Our team has to report a lot of data to different levels of client persons, ranging from management reports to technical reports. Automated on-demand, monthly, and quarterly report generation is critical to allow our team to focus on more critical tasks and avoid human errors.
- Automating Manual Task: Finally, we use bots to automate many repetitive, time-consuming tasks, such as monitoring and analyzing logs and alerts, or monitoring network traffic, this way it increases the efficiency of our SOC team and they can focus on more critical task.
At LMNTRIX there is no concept of a SIEM, SOAR or any reliance on logs for threat management. We assume the client existing controls will be breached, so relying on their logs to detect the initial threat is ineffective – every single enterprise that is breached uses this old school method today. Where we collect logs it’s purely for post breach forensics.
This 1990’s SOC approach with analysts staring at SIEM consoles doesn’t scale and guarantees us missing the threat and the subsequent breach. This is why bots are critical in our operations, to help automate and scale our detection capability by validating the threats we detect using our XDR tech stack and the subsequent incident creation and client communication.
It is important to note that automation should be used as a supplement to, not a replacement for, human expertise and decision-making in the SOC. It’s also important to ensure that the automation is properly configured, integrated, and tested, and that its output is monitored, analysed, and actioned accordingly. To implement bots in a SOC, you can use pre-built solutions such as security incident and event management (SIEM) software, or you can create your own bots using programming languages such as Python or Java and security-specific libraries like OpenCV for computer vision, OpenSSL for encryption and libraries such as scikit-learn for machine learning. Finally, it’s important to ensure that the bots are properly secured and integrated with existing security tools and processes.