By now, the benefits of Security Orchestration, Automation and Response (SOAR) systems are obvious to just about every CISO and security analyst. The benefits for Security Operations Centers (SOCs) include:
- Automating tasks to help even SOCs with limited staff to increase productivity exponentially
- Automating basic security triage, so that alerts are handled comprehensively and important alerts (like those that foretold the Target data breach of 2015) are never overlooked because of staff workloads
- Freeing security analysts to work on non-repetitive tasks, such as proactive threat hunting and collaboration with business units, once routine operations are automated, improving the SOC’s overall effectiveness
- Achieving operational excellence by replacing ad hoc processes with documented, automated, and consistently performed best practices
Current SOAR Solutions Only Available to the Top 1% of Enterprises
But while SOCs recognize the benefits of SOAR systems, they can also cite any of a long list of obstacles that can either limit the effectiveness of a SOAR deployment or make a SOAR deployment seem too impractical to pursue at all.
What are these obstacles? Here’s a quick list:
- Many SOAR systems are too expensive. Powerful new technologies are often exorbitantly priced when they’re introduced. Automobiles were once affordable only by rich hobbyists. Eventually, they became affordable necessities for every household. Many SOAR systems today are only affordable to SOCs with large budgets. Others SOCs have to make do without.
- SOAR systems require programming, but most SOC teams lack developers. Many SOAR systems require users to write Python to build playbooks and integrate with other security tools and applications. The vast majority of SOC teams lack Python programming skills and the time to take on new integration work, so the requirement for programming becomes a show-stopper.
- So-called out-of-the-box integrations are too limited. SOARs need to be integrated with security tools so they can collect alerts and other data from them and issue commands to them, orchestrating responses to threats. Some SOAR vendors offer built-in integrations, but SOCs soon discover integrations don’t include functions for the tasks and features they depend on. Too often, SOCs find themselves having to build integrations themselves or hire outside experts to build integrations not provided by vendors.
- APIs from security tools are too limited. Further complicating the challenge of integrating SOARs with security tools is the limitation of many security tools’ APIs. These tools might offer APIs for a few basic operations—enough to pass muster in a demo—but not enough to support effective automation of their operations. (In our experience working with enterprise SOCs, we’ve found that only about 30% of their security tools’ functions are available in APIs). Without APIs to leverage, security automation ends up relying on browser-based commands. Either analysts continue issuing these commands themselves in browsers, or security automation solutions need to expand their features to support browser-based automation. So far, most SOAR systems remain weak in this area of automation.
- SOCs believe that their processes are too ad hoc or specialized to be automated. We hear this objection from many security analysts. They’re convinced that what they do is too unique or complicated to be documented. And if it can’t be documented, it can’t be automated.
- SOCs lack the time needed to build and fine-tune automations themselves. Building automation takes time. It takes sustained attention and some trial and error. Unfortunately, most SOCs are so busy scrambling through their triage queues that they can’t spare the hours or days that would save them weeks or months over the course of the year.
This last point bears elaboration.
It’s relevant not just to the small SOC teams of two to five people. A CISO leading a 30-person security team recently told me: “I have two people working on Phishing triage full time. If I could spend 20 hours to dedicate to automation, I can save those two FTEs, but I don’t have time to dedicate 20 hours for automation.”
This CISO is hardly alone in feeling resource-constrained.
With security threats increasing in number and sophistication, every SOC I know of has people putting in long days trying to keep their organization safe. They don’t see any way they could find time to sit down and begin documenting their processes and insights so that knowledge can be applied to automating data collection, data analysis, and operational responses.
Introducing Security Automation on Demand
At LogicHub, we know how busy SOCs are, and we understand their objections to taking on new security automation projects. Many SOAR systems are expensive while also being limited in functionality. And documenting procedures can seem like a daunting task, especially if you’re not used to it.
But we’d like to offer SOCs more than our sympathy. We’d like to offer a solution.
That’s why today we’re introducing LogicHub Automation on Demand. This is a new offering that delivers fully automated SOC playbooks, combining the LogicHub Security Automation Platform along with neatly packaged services to build the integrations and implement the automation that’s most important to a SOC.
Our promise is this: We’ll deliver working integration and automated playbooks in just two weeks for a fixed price. That includes building integrations for the tools you need, even if those tools don’t have APIs.
Here is how it works.
Step 1: One of our Security Automation experts will spend an hour with one or two of your analysts to document the most critical playbook or process they need automated.
Some SOC teams believe their processes are too ad hoc to be documented, but we find that once we sit down with analysts and begin asking questions about the tools they use and how they analyze threats, all their processes can actually be documented in a straightforward manner. It’s simply a matter of spending a few hours and asking the right questions. Then, because these processes are documented, they can be automated.
Step 2: Once documented, we submit the playbook for automation to our security automation experts who have years of SOC expertise and also know the LogicHub platform inside-out.
Step 3: 14 days later, our experts build an end-to-end automated playbook and deliver it with the LogicHub platform. They will even help you deploy the playbook into your production environment, and even manage it.
Sounds incredible? It’s true. Finally a solution that is making security automation practical and affordable for even the busiest SOC.
Talk to one of our security automation experts today to learn how LogicHub Automation on Demand can help your SOC reduce its workload and increase its effectiveness in just two weeks.
