SOARing to Efficient Processes
Posted by: Craig Bowser
Published: July 8, 2021, 9:15am
One of the common misconceptions companies have when it comes to SOAR (Security Orchestration, Automation, and Response) platforms is that they will replace some, or even all, of their personnel. However, according to the 2020 SANS Automation and Integration Survey, only 5% of responding organizations expect even a small (emphasis mine) reduction in staffing. In fact, many expect an increase in staffing. In many ways this makes sense, because integrating orchestration and automation or a SOAR product (where response is included) is intended to increase the efficiency of staff, not replace staff. There are three primary reasons a SOAR can do this:
- The ability to commoditize skills and knowledge
- The ability to standardize input/output information (between processes/teams/tools)
- The ability to improve/enhance/speed up analyst decision making
Let’s talk about each of these individually.
The Ability to Commoditize Skills and Knowledge
It is a given that even the most efficient and skilled SOC will contain personnel with a variety of skills and knowledge. That range is often an advantage because it allows the members to approach analysis from multiple angles and find solutions by leveraging a range of experiences. However, this becomes a liability when only one or two people know how to solve specific classes of problems. Instead of being able to work on multiple problems in parallel, these individuals become a bottleneck for the entire staff’s workflow. If you are familiar with The Phoenix Project (authored by Gene Kim, George Spafford, and Kevin Behr), these people are your Brent. In the book, Brent is that guy, the resident IT guru whose help was needed by everyone because only he knew how to fix anything, meaning every project/repair/task went through him. This made him the lynchpin and single point of failure for every IT effort. The solution to fixing this issue was to break down Brent’s knowledge and methods so that multiple people could learn and utilize what Brent knew.
Organizations need to do the same when implementing SOAR. Deconstruct the “what”, “how” and “why” of your centers of expertise, and integrate as much of that knowledge and skill as possible into your SOAR. This allows you to distribute the knowledge and scale these skills across your organization. This is not a simple task; it will take time, and it will have to be done in stages. But as you make progress, the benefits will show in higher quality analysis, faster and more accurate diagnosis, increased confidence among staff, and less stress on the overburdened worker(s).
NOTE: it is important that the WHY mentioned above is included in the SOAR playbook/runbook and is visible to the analysts to ensure they understand the purpose of the work and aren’t just following rote steps.
The Ability to Standardize Input/Output Information
Efficient interactions between entities require the precise exchange of information. The more that information is standardized, the easier and faster it is for that information to be received and processed. This is why data formats like JSON have increased in popularity. JSON (when properly formatted, don’t get me started down that rabbit hole) is an open standard that allows the source to write data with high confidence that the destination will be able to consume and understand that data. But that’s only at the machine level. The problem with humans is we are lazy and often random in how we pass information. What I mean by this is that we assume the receiver knows the same things we know, and we frequently add extra, unnecessary data simply because we happen to have it handy. Additionally, we filter our consumption through such variants as our biases, our unique knowledge, whatever is on our mind at that time, and our past experiences. This removes the certainty that the information sent was received in the manner – and with the context – intended. When only humans are involved, this issue can be fixed by a Zoom call or email asking for clarification, and the workflow is delayed but ultimately continues. But when machines are expecting data, if that data does not show up or is in the wrong format, the workflow stops. Neither scenario is ideal.
Integrating a SOAR allows every entity in a workflow, whether human or machine, to define the data required to complete its tasks and dictate the format in which that data must be presented. Then, the previous step can be configured to collect and generate that data correctly. Whether the receiver is a machine (e.g., a Help Desk application creating a ticket) or a different team (the IR team), they have the correct and complete information to begin their tasks immediately. The workflow continues unabated with minimal loopbacks.
The Ability to Improve, Enhance, and Speed Up Analyst Decision Making
Despite what many organizations and people think, SOAR rarely involves human-free processes. According to both a 2018 study by Gartner referenced by Anton Chuvakin in his webcast Prepare Your Security Operations for Orchestration and Automation Tools and the 2020 SANS study mentioned above, organizations are fully automating only a minority of tasks. SANS puts that number at 9% of overall tasks – up from 5.1% in 2019 – and those were only done after months of planning, testing, approvals, and documentation. So with 91% of workflows requiring human/analyst interaction, the focus shifts to minimizing the time an analyst reviews the issue and maximizing the accuracy of the decision by that analyst.
The SOAR accomplishes this by enabling an organization to standardize and enhance information. We’ve already talked about one way standardized information helps security processes and procedures. Additionally, when information is presented in a standard way each time, the analyst/machine doesn’t waste valuable time repeatedly searching for the same data or need multiple parsers to be written – at the cost of compute time and power – so the data can be extracted. The ability to add contextual information gives analysts an overall view of what the data is and why it is or is not important. When contextual information is provided alongside the standardized data, decisions can be made right away.
Here’s a simple illustration: Think about driving a modern car. Where do you look for the speedometer? On the dashboard directly in front of you, and some speedometers will even provide the speed limit of the road you are on. It takes mere microseconds to glance down and instantly know if the speed camera you just passed will be sending you mail in a few days.
Now, imagine someone putting the speedometer below the audio system in the central console. And they put it in feet per minute, but they didn’t label it as such, so you only have a number. And they didn’t tell you how fast you are allowed to go. In a situation like this, you would have to:
- Spend time searching for the speedometer display,
- Do the calculations to convert the number to something usable,
- Look for a road sign displaying the speed limit.
And you’d have to do all that before you can make the simple decision to speed up or slow down.
When standardized, contextualized information is sent through the SOAR workflow, it performs the tasks efficiently, and the entity ingesting the SOAR’s output can quickly digest that data and make accurate, fast decisions. Therefore, you should determine what additional context the human or machine needs to make better, faster decisions and configure the SOAR to collect and generate that data.
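As an added illustration of the two ideas above (a receiving step dictating the data it needs, and context being attached before the handoff), here is a small Python example that is not from the original post: the IR/ticketing step declares a field contract, the preceding step normalizes and validates against it, and the record is enriched with asset context and the playbook “why” before it moves on. The field names, asset inventory and alert are constructed for the example.

```python
# Added example, not from the original post: a SOAR-style handoff contract.
# The receiving step (here, the IR/Help Desk ticket step) declares the fields
# it needs and their types; the preceding step must satisfy that contract
# before the record moves on. Asset data and the "why" text are constructed.

# Contract dictated by the receiving step: field name -> expected type.
IR_HANDOFF_CONTRACT = {
    "alert_id": str, "observed_at": str, "src_ip": str,
    "user": str, "rule": str, "severity": int,
}

# Constructed asset inventory used as the enrichment (context) source.
ASSET_CONTEXT = {"10.0.5.20": {"owner": "finance", "criticality": "high"}}

def validate(event, contract):
    """Return contract violations in contract order; empty means proceed."""
    problems = []
    for name, typ in contract.items():
        if name not in event:
            problems.append("missing:" + name)
        elif not isinstance(event[name], typ):
            problems.append("type:" + name)
    return problems

def enrich(event):
    """Attach the context the analyst needs: asset owner/criticality and the playbook 'why'."""
    ctx = ASSET_CONTEXT.get(event["src_ip"], {"owner": "unknown", "criticality": "unknown"})
    return {**event,
            "asset_owner": ctx["owner"],
            "asset_criticality": ctx["criticality"],
            "why": "Repeated failed logins followed by a success; confirm with the asset owner"}

def handoff(event):
    """Normalize, validate, then enrich; refuse to pass on a half-formed record."""
    normalized = dict(event)
    # Normalize one common upstream variation: severity arriving as a digit string.
    sev = normalized.get("severity")
    if isinstance(sev, str) and sev.isdigit():
        normalized["severity"] = int(sev)
    problems = validate(normalized, IR_HANDOFF_CONTRACT)
    if problems:
        raise ValueError("handoff blocked: " + ", ".join(problems))
    return enrich(normalized)

# Constructed alert as an upstream detection step might emit it.
SAMPLE_ALERT = {
    "alert_id": "A-1001", "observed_at": "2021-07-08T09:15:00Z", "src_ip": "10.0.5.20",
    "user": "jdoe", "rule": "brute_force_then_success", "severity": "4",
}
```

Calling `handoff(SAMPLE_ALERT)` returns the normalized, enriched record; a record missing a contracted field is rejected with the exact violations listed, so the gap is fixed upstream instead of surfacing later as a stalled ticket.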
Security spending continues to increase, and the percentage being spent on automation is increasing (66% of respondents reporting an increase in 2021) right along with it. This means that it is important to design and implement new solutions so that immediate ROI is achievable, and long-term process improvements continually add value. This requires moving from the quick wins of automating repetitive, monotonous steps with yes/no decisions to integrating unique skills and knowledge so they can be distributed and scaled throughout the organization. As alerts and the malicious activity behind them continue to increase, implementing these steps will make your SOAR a force multiplier and augment your staff’s efficiency. When SOAR is done right, alert fatigue is reduced, and analysts enjoy their jobs again, which means they stay longer. And then maybe, just maybe, we can finally stop worrying about mythological staff reductions.
References:
2020 SANS Automation and Integration Survey: https://www.sans.org/reading-room/whitepapers/analyst/2020-automation-integration-survey-39575 (free registration required)
Prepare Your Security Operations for Orchestration and Automation Tools (webcast), Anton Chuvakin
Global Cybersecurity Spending to Soar 10% in 2021: https://www.infosecurity-magazine.com/news/global-cybersecurity-spending-to/
Craig Bowser
Federal Practice Director, Data Analytics,
GuidePoint Security
Craig Bowser is a dedicated information security professional with over 20 years of experience in the field. He began his career in the Air Force as a communications officer where he received his first taste of defending networks and has been hooked ever since. After separating, he has worked as an Information Security Manager, Security Engineer, Security Analyst and Information System Security Officer with various government agencies and currently is a practice director for a commercial and government contractor.
He has spoken at various security conferences such as Black Hat, BSidesDC, BSidesCharm, DerbyCon and multiple SANS events such as the SOC and the SIEM Summits. He holds multiple certifications from SANS (GSEC, GCED, GCDA) as well as the CISSP from ISC2.