Australian Cyber Security Magazine, ISSUE 9, 2019

Page 38

Cover Feature Story

Thwarting SOC challenges with automation orchestration

By Samantha Humphries

For fans of The Rocky Horror Picture Show, the phrase ‘time is fleeting’ can forever only be heard in the dulcet tones of Richard O’Brien. And as one such fan, as I started to write this article, it immediately stuck as today’s earworm (if this is also now you, you’re welcome). Time is something we talk about a lot in the security industry: dwell time, time to detect, time to investigate, time to respond, where on earth did the time go? Time is our most valued commodity, and yet we never seem to have enough of it. Where we spend our time matters a great deal, and we are constantly being measured against the clock. Throughout this article, time will certainly feature a good amount, with the goal of helping your organisation find ways of clawing back those precious hours so that your security operations team can better focus their expertise.

The enemy of the SOC: ghost chasing

False positives have been the bane of the security industry since, well, the beginning of the security industry. Something that looks, smells, and even tastes bad can turn out to be benign. Whether caused by some messy code, incomplete threat intelligence information, or a misdetection by a security vendor, false positives can be incredibly time-consuming, not to mention costly. SOC (Security Operations Centre) analysts know this only too well. Hours and even days can be lost chasing such ghosts, whilst alerts and investigations continue to grow in the seemingly endless work queue. A single overenthusiastic anti-virus detection or a loose SIEM correlation rule alert requires the same due diligence as a real attack, and in some cases can be harder to prove. Ruling out such an event as a misfire requires a high level of certainty, and arguably bravery, on the part of the analyst. Should it later be found to be a true positive, the outcomes are often not bright. There are never enough hours in the SOC day to get to everything, and ensuring analysts focus on the right things is vital to an organisation’s security posture. I would hang my proverbial hat on the fact that there is no SOC on the planet where analysts of any level of seniority are sitting around waiting for something to happen. In a recent SIEM productivity research report by the Ponemon Institute, performed on behalf of Exabeam, respondents stated that on average their security operations teams spent 25% of their time investigating false positives. With an eight-person SOC team (which is below the average size reported in the SANS Institute “Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey”) that’s the equivalent of two full-time employees. Highly skilled full-time employees, who don’t grow on trees….

The magical highly-skilled analyst tree

Oh, if only such a thing existed. Unfortunately,
