SOAR Playbooks

Outside of football, the term “playbook” is well understood by a relatively small group of security automation ninjas. In many larger enterprises with extensive security teams, automating mundane and repetitive security tasks has been a priority for a few years. Few organizations, large or small, can throw unlimited numbers of analysts at security problems. Because much of the response required to security incidents is repetitive, mundane, and mind-numbingly robotic, this has been fertile ground for automation.

The SOAR space was born with the promise of connecting to a wide range of existing security tools and building automation playbooks to improve incident response. Early SOAR products were a bit like Henry Ford’s Model T factory. If you’re making a million identical cars, every step can be automated, refined, and made incredibly efficient. But building the equipment and processes for this type of automation was expensive, and unaffordable for smaller scale manufacturing.

Automating security processes can be equally complex and expensive, and requires a lot of specialized expertise. Add to this that security isn’t as predictable or single-tracked as a car factory, so there’s a constant need for tuning, learning, and adjusting to new threats.

Complex SOAR playbooks can be very sophisticated, with lots of twists and turns, allowing repetitive tasks to be performed at machine speed, with reliable results every time. If used effectively, SOAR can save enormous amounts of time and money for tasks such as threat detection, alert triage, case enrichment, and incident response. But building these playbooks isn’t for everyone. Essentially, playbooks have become complex software that requires specialized developers to write, test, and maintain.

Enter No-Code Automation

To begin to address this, many software vendors, including security vendors, have sought to develop “no-code” options to make advanced tools more accessible to non-experts. Using more intuitive and visual interfaces, these tools have successfully lowered the entry bar and allowed security professionals to define and implement policies without delving down to the code level.

While no-code automation is a positive step in helping with how we implement security policies and playbooks, it doesn’t help with defining what we need to protect. Considerable expertise and tribal knowledge of an organization’s infrastructure and processes is still needed to build effective playbooks.

For example, at LogicHub, we have built hundreds of advanced playbooks for customers using our platform or MDR services. A good playbook that connects to multiple systems, consolidates alerts, enriches cases, and delivers actionable results for customers can take weeks to develop, test, and refine. The benefits are significant, but the cost of entry is still high.

Using AI for Detection and Response

What is beginning to change this dynamic is the introduction of AI and machine learning into security processes. By blending expert systems with deep neural net architecture, at LogicHub we have led in applying “decision automation” to security. Where basic automation is good at taking over repetitive tasks, AI takes it much further, learning what is normal for an organization at a highly granular level, then continually adapting as new information and feedback from analysts is received.

This is especially effective for threat hunting, where rather than dealing with thousands of alerts, we need to find needles in haystacks among billions of security events. Where humans quickly get overwhelmed by the sheer quantity, AI systems can break this down into smaller decision factors, automate analysis, combine results, and continually improve – all at machine speed.


Next Step: Automate the Automation

Outside of security, it’s clear that AI has passed a tipping point and is becoming both widespread and practical. As the technology moves beyond hype, it is becoming an integral component of most software systems.

That begs the meta question – why not automate the automation? In other words, can we use AI/ML tools to reduce the complexity and skill required to create automation playbooks? This is precisely what we have developed at LogicHub and are launching as part of our platform.


As our team continues to develop a wide range of complex playbooks for customers, we have applied our AI engine to learn from these playbooks, understand how they are structured, and define the typical data sources and the types of decisions security analysts need to make.

The outcome of this is a bot-based system that automates the process of building playbooks. Essentially, our AI-bots interactively guide the user by asking a series of questions, fetching relevant fields of data, baselining normal activity, and defining scoring models and thresholds for creating alerts and cases. The process then solicits feedback from the human user on an ongoing basis to validate scoring and eliminate false positives.

In testing this with our customers, we have seen dramatic time savings. Playbooks that would have taken hours to produce can be built in minutes, and tests and tuning that would take days to weeks can be done in a few hours.

Leading up to the RSA 2022 Conference in June, we will be discussing and demonstrating this new technology in a series of webinars. Please join us on May 19th at 8:00am PT / 11:00am ET, when Forrester analyst Allie Mellen will discuss the evolution of SOAR technology and how AI can enable a new generation of solutions.
