By now, the benefits of Security Orchestration, Automation and Response (SOAR) systems are obvious to just about every CISO and security analyst. The benefits for Security Operations Centers (SOCs) include:

  • Automating tasks to help even SOCs with limited staff to increase productivity exponentially
  • Automating basic security triage, so that alerts are handled comprehensively and important alerts (like those that foretold the Target data breach of 2015) are never overlooked because of staff workloads
  • Freeing security analysts to work on non-repetitive tasks, such as proactive threat hunting and collaboration with business units, once routine operations are automated, improving the SOC’s overall effectiveness
  • Achieving operational excellence by replacing ad hoc processes with documented, automated, and consistently performed best practices

Current SOAR Solutions Only Available to the Top 1% of Enterprises

But while SOCs recognize the benefits of SOAR systems, they can also cite any of a long list of obstacles that can either limit the effectiveness of a SOAR deployment or make a SOAR deployment seem too impractical to pursue at all.

What are these obstacles? Here’s a quick list:

  • Many SOAR systems are too expensive. Powerful new technologies are often exorbitantly priced when they’re introduced. Automobiles were once affordable only by rich hobbyists. Eventually, they became affordable necessities for every household. Many SOAR systems today are only affordable to SOCs with large budgets. Other SOCs have to make do without.
  • SOAR systems require programming, but most SOC teams lack developers. Many SOAR systems require users to write Python to build playbooks and integrate with other security tools and applications. The vast majority of SOC teams lack Python programming skills and the time to take on new integration work, so the requirement for programming becomes a show-stopper.
  • So-called out-of-the-box integrations are too limited. SOARs need to be integrated with security tools so they can collect alerts and other data from them and issue commands to them, orchestrating responses to threats. Some SOAR vendors offer built-in integrations, but SOCs soon discover integrations don’t include functions for the tasks and features they depend on. Too often, SOCs find themselves having to build integrations themselves or hire outside experts to build integrations not provided by vendors.
  • APIs from security tools are too limited. Further complicating the challenge of integrating SOARs with security tools is the limitation of many security tools’ APIs. These tools might offer APIs for a few basic operations—enough to pass muster in a demo—but not enough to support effective automation of their operations. (In our experience working with enterprise SOCs, we’ve found that only about 30% of their security tools’ functions are available in APIs). Without APIs to leverage, security automation ends up relying on browser-based commands. Either analysts continue issuing these commands themselves in browsers, or security automation solutions need to expand their features to support browser-based automation. So far, most SOAR systems remain weak in this area of automation.
  • SOCs believe that their processes are too ad hoc or specialized to be automated. We hear this objection from many security analysts. They’re convinced that what they do is too unique or complicated to be documented. And if it can’t be documented, it can’t be automated.
  • SOCs lack the time needed to build and fine-tune automations themselves. Building automation takes time. It takes sustained attention and some trial and error. Unfortunately, most SOCs are so busy scrambling through their triage queues that they can’t spare the hours or days that would save them weeks or months over the course of the year.

This last point bears elaboration.

It’s relevant not just to the small SOC teams of two to five people. A CISO leading a 30-person security team recently told me: “I have two people working on Phishing triage full time. If I could spend 20 hours to dedicate to automation, I can save those two FTEs, but I don’t have time to dedicate 20 hours for automation.”

This CISO is hardly alone in feeling resource-constrained.

With security threats increasing in number and sophistication, every SOC I know of has people putting in long days trying to keep their organization safe. They don’t see any way they could find time to sit down and begin documenting their processes and insights so that knowledge can be applied to automating data collection, data analysis, and operational responses.

Introducing Security Automation on Demand

At LogicHub, we know how busy SOCs are, and we understand their objections to taking on new security automation projects. Many SOAR systems are expensive while also being limited in functionality. And documenting procedures can seem like a daunting task, especially if you’re not used to it.

But we’d like to offer SOCs more than our sympathy. We’d like to offer a solution.

That’s why today we’re introducing LogicHub Automation on Demand. This is a new offering that delivers fully automated SOC playbooks, combining the LogicHub Security Automation Platform with neatly packaged services to build the integrations and implement the automation that’s most important to a SOC.

Our promise is this: We’ll deliver working integrations and automated playbooks in just two weeks for a fixed price. That includes building integrations for the tools you need, even if those tools don’t have APIs.

Here is how it works.

Step 1: One of our Security Automation experts will spend an hour with one or two of your analysts to document the most critical playbook or process they need automated.

Some SOC teams believe their processes are too ad hoc to be documented, but we find that once we sit down with analysts and begin asking questions about the tools they use and how they analyze threats, all their processes can actually be documented in a straightforward manner. It’s simply a matter of spending a few hours and asking the right questions. Then, because these processes are documented, they can be automated.

Step 2: Once the playbook is documented, we submit it for automation to our security automation experts, who have years of SOC expertise and also know the LogicHub platform inside-out.

Step 3: Within 14 days, our experts build an end-to-end automated playbook and deliver it with the LogicHub platform. They will also help you deploy the playbook into your production environment, and can even manage it for you.

Sounds incredible? It’s true. Finally, a solution that makes security automation practical and affordable for even the busiest SOC.

Talk to one of our security automation experts today to learn how LogicHub Automation on Demand can help your SOC reduce its workload and increase its effectiveness in just two weeks.
