Outside of football, the term “playbook” is well understood by a relatively small group of security automation ninjas. In many larger enterprises with extensive security teams, automating mundane and repetitive security tasks has been a priority for a few years. Few organizations, large or small, can throw unlimited numbers of analysts at security problems. Because much of the response required to security incidents is repetitive, mundane, and mind-numbingly robotic, this has been fertile ground for automation.
The SOAR space was born with the promise of connecting to a wide range of existing security tools and building automation playbooks to improve incident response. Early SOAR products were a bit like Henry Ford’s Model T factory. If you’re making a million identical cars, every step can be automated, refined, and made incredibly efficient. But building the equipment and processes for this type of automation was expensive, and unaffordable for smaller scale manufacturing.
Automating security processes can be equally complex and expensive, and it requires a lot of specialized expertise. Add to this that security isn’t as predictable or single-tracked as a car factory, so there’s a constant need for tuning, learning, and adjusting to new threats.
Complex SOAR playbooks can be very sophisticated, with lots of twists and turns, allowing repetitive tasks to be performed at machine speed, with reliable results every time. If used effectively, SOAR can save enormous amounts of time and money for tasks such as threat detection, alert triage, case enrichment, and incident response. But building these playbooks isn’t for everyone. Essentially, playbooks have become complex software that requires specialized developers to write, test, and maintain.
Enter No-Code Automation
To begin to address this, many software vendors, including security vendors, have sought to develop “no-code” options to make advanced tools more accessible to non-experts. Using more intuitive and visual interfaces, these tools have successfully lowered the entry bar and allowed security professionals to define and implement policies without delving down to the code level.
While no-code automation is a positive step in helping with how we implement security policies and playbooks, it doesn’t help with defining what we need to protect. Considerable expertise and tribal knowledge of an organization’s infrastructure and processes are still needed to build effective playbooks.
For example, at LogicHub, we have built hundreds of advanced playbooks for customers using our platform or MDR services. A good playbook that connects to multiple systems, consolidates alerts, enriches cases, and delivers actionable results for customers can take weeks to develop, test, and refine. The benefits are significant, but the cost of entry is still high.
Using AI for Detection and Response
What is beginning to change this dynamic is the introduction of AI and machine learning into security processes. By blending expert systems with deep neural net architectures, at LogicHub we have led in applying “decision automation” to security. Where basic automation is good at taking over repetitive tasks, AI takes it much further: learning what is normal for an organization at a highly granular level, then continually adapting as new information and feedback from analysts are received.
This is especially effective for threat hunting, where rather than dealing with thousands of alerts, we need to find needles in haystacks among billions of security events. Where humans quickly get overwhelmed by the sheer quantity, AI systems can break this down into smaller decision factors, automate analysis, combine results, and continually improve, all at machine speed.
Outside of security, it’s clear that AI has passed a tipping point and is becoming both widespread and practical. As the technology moves beyond hype, it is becoming an integral component of most software systems.
That raises the meta-question: why not automate the automation? In other words, can we use AI/ML tools to reduce the complexity and skill required to create automation playbooks? This is precisely what we have developed at LogicHub and are launching as part of our platform.
Forrester analyst Allie Mellen joins LogicHub as a featured guest speaker to discuss the evolution of SOAR technology and how AI can enable a new generation of solutions for the SOC. Please join us on May 19th at 8:00am PT / 11:00am ET!
As our team continues to develop a wide range of complex playbooks for customers, we have applied our AI engine to learn from these playbooks, understand how they are structured, and define the typical data sources and the types of decisions security analysts need to make.
The outcome of this is a bot-based system that automates the process of building playbooks. Essentially, our AI bots interactively guide the user by asking a series of questions, fetching relevant fields of data, baselining normal activity, and defining scoring models and thresholds for creating alerts and cases. The process then solicits feedback from the human user on an ongoing basis to validate scoring and eliminate false positives.
In testing this with our customers, we have seen dramatic time savings. Playbooks that would have taken hours to produce can be built in minutes, and tests and tuning that would take days to weeks can be done in a few hours.