SOAR Playbooks

Outside of football, the term “playbook” is well understood by a relatively small group of security automation ninjas. In many larger enterprises with extensive security teams, automating mundane and repetitive security tasks has been a priority for a few years. Few organizations, large or small, can throw unlimited numbers of analysts at security problems. Because much of the response that security incidents require is repetitive, mundane, and mind-numbingly robotic, this has been fertile ground for automation.

The SOAR space was born with the promise of connecting to a wide range of existing security tools and building automation playbooks to improve incident response. Early SOAR products were a bit like Henry Ford’s Model T factory. If you’re making a million identical cars, every step can be automated, refined, and made incredibly efficient. But building the equipment and processes for this type of automation was expensive, and unaffordable for smaller scale manufacturing.

Automating security processes can be equally complex and expensive, and it requires a lot of specialized expertise. Add to this that security isn’t as predictable or single-tracked as a car factory, so there’s a constant need for tuning, learning, and adjusting to new threats.

Complex SOAR playbooks can be very sophisticated, with lots of twists and turns, allowing repetitive tasks to be performed at machine speed with reliable results every time. Used effectively, SOAR can save enormous amounts of time and money on tasks such as threat detection, alert triage, case enrichment, and incident response. But building these playbooks isn’t for everyone. Essentially, playbooks have become complex software that requires specialized developers to write, test, and maintain.

Enter No-Code Automation

To begin to address this, many software vendors, security vendors included, have sought to develop “no-code” options to make advanced tools more accessible to non-experts. Using more intuitive and visual interfaces, these tools have successfully lowered the entry bar and allowed security professionals to define and implement policies without delving down to the code level.

While no-code automation is a positive step in helping with how we implement security policies and playbooks, it doesn’t help with defining what we need to protect. Considerable expertise and tribal knowledge of an organization’s infrastructure and processes is still needed to build effective playbooks.

For example, at LogicHub, we have built hundreds of advanced playbooks for customers using our platform or MDR services. A good playbook that connects to multiple systems, consolidates alerts, enriches cases, and delivers actionable results for customers can take weeks to develop, test, and refine. The benefits are significant, but the cost-of-entry is still high.

Using AI for Detection and Response

What is beginning to change this dynamic is the introduction of AI and machine learning into security processes. By blending expert systems with deep neural net architectures, at LogicHub we have led in applying “decision automation” to security. Where basic automation is good at taking over repetitive tasks, AI takes it much further, learning what is normal for an organization at a highly granular level and then continually adapting as new information and feedback from analysts is received.

This is especially effective for threat hunting, where rather than dealing with thousands of alerts, we need to find needles in haystacks from billions of security events. Where humans quickly get overwhelmed by the sheer quantity, AI systems can break this down into smaller decision factors, automate analysis, combine results, and continually improve, all at machine speed.


Next Step: Automate the Automation

Outside of security, it’s clear that AI has passed a tipping point and is becoming both widespread and practical. As the technology moves beyond hype, it is becoming an integral component of most software systems.

That begs the meta question – why not automate the automation? In other words, can we use AI/ML tools to reduce the complexity and skill required to create automation playbooks? This is precisely what we have developed at LogicHub and are launching as part of our platform.


As our team continues to develop a wide range of complex playbooks for customers, we have applied our AI engine to learn from these playbooks, understand how they are structured, and identify the typical data sources and the types of decisions security analysts need to make.

The outcome of this is a bot-based system that automates the process of building playbooks. Essentially, our AI-bots interactively guide the user by asking a series of questions, fetching relevant fields of data, baselining normal activity, and defining scoring models and thresholds for creating alerts and cases. The process then solicits feedback from the human user on an ongoing basis to validate scoring and eliminate false positives.

In testing this with our customers, we have seen dramatic time savings. Playbooks that would have taken hours to produce can be built in minutes, and tests and tuning that would take days to weeks can be done in a few hours.
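The following is an added illustration, not LogicHub’s product code, of the four steps the bot-guided process above describes: a baseline of normal activity is built from history, a scoring model measures how far a new observation is from that baseline, a threshold turns scores into alerts, and analyst feedback on false positives is folded back into the baseline so the same activity scores lower next time. The event history (hourly failed-login counts per user), the z-score model, the threshold of 3.0 and the `TriagePlaybook` class are all assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history (not real telemetry): (user, failed logins in one hour)
HISTORY = [
    ("alice", 1), ("alice", 3), ("alice", 1), ("alice", 3),
    ("bob", 0), ("bob", 2), ("bob", 0), ("bob", 2),
]


def build_baseline(history):
    """Step 1: per-user mean and standard deviation of the observed counts."""
    per_user = defaultdict(list)
    for user, count in history:
        per_user[user].append(count)
    # A zero spread would make every deviation infinite; fall back to 1.0
    return {u: (mean(v), pstdev(v) or 1.0) for u, v in per_user.items()}


def score(baseline, user, count):
    """Step 2: distance of an observation from the user's baseline, in standard deviations."""
    if user not in baseline:
        return None  # no history for this user: cannot score, route to a human
    mu, sigma = baseline[user]
    return (count - mu) / sigma


class TriagePlaybook:
    """Hypothetical playbook: baseline -> score -> threshold -> analyst feedback."""

    def __init__(self, history, threshold=3.0):
        self.history = list(history)
        self.baseline = build_baseline(self.history)
        self.threshold = threshold  # assumed alerting threshold in standard deviations

    def triage(self, user, count):
        """Step 3: enrich the observation with its score and an alert decision."""
        s = score(self.baseline, user, count)
        return {
            "user": user,
            "failed_logins": count,
            "score": s,
            "alert": s is not None and s >= self.threshold,
            "needs_review": s is None,  # unknown users are escalated, not silently dropped
        }

    def feedback(self, user, count, false_positive):
        """Step 4: an analyst verdict of 'false positive' teaches the baseline that this
        level of activity is normal for the user, so the baseline is rebuilt with it."""
        if false_positive:
            self.history.append((user, count))
            self.baseline = build_baseline(self.history)


if __name__ == "__main__":
    pb = TriagePlaybook(HISTORY)
    print(pb.triage("alice", 8))   # alert: 8 is six standard deviations above alice's mean
    pb.feedback("alice", 8, false_positive=True)
    print(pb.triage("alice", 8))   # no longer alerts once the analyst has marked it benign
    print(pb.triage("carol", 1))   # unknown user: needs_review=True, alert=False
```

The design choice worth noting is that feedback does not simply suppress one alert: it changes the user’s baseline, which is what lets the playbook stop raising the same false positive without a human re-tuning a hard-coded threshold. Unknown users deliberately score as `None` rather than zero, so a brand-new identity is escalated instead of being treated as normal.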

Leading up to the RSA 2022 Conference in June, we will be discussing and demonstrating this new technology in a series of webinars. Please join us on May 19th at 8:00am PT / 11:00am ET, when Forrester analyst Allie Mellen discusses the evolution of SOAR technology and how AI can enable a new generation of solutions.
