Security operations centers (SOCs) are the epicenter of cyber defense. They are staffed with well-trained security professionals who take a hands-on approach to monitoring, detecting and responding to attacks. But as artificial intelligence (AI), machine learning and automation tools make their way into your security environment, what will be the impact? Will you have to lay off 30 percent of your employees? Turns out, intelligent automation will actually strengthen your SOC staff.
SOCs have conventionally been structured around three tiers of analysts who detect, investigate and respond to incidents:
- Tier 1 analysts receive day-to-day alerts. Much of the work they currently carry out is repetitive information-gathering before deciding whether the alerts warrant further effort from higher tiers or whether Tier 1 analysts can respond according to a defined playbook.
- Tier 2 and 3 analysts perform successively deeper analyses and more sophisticated responses.
Tier 1 carries out the kind of work that security orchestration, automation and response (SOAR) tools aim to automate in order to create intelligent security operations for cyber defense. Automation has advantages in terms of consistency, scale, worker costs and availability of resources in a challenging labor market. Its disadvantages are less tangible: delays in engaging human skills, adaptability and knowledge of the organization, and dependence on the quality and completeness of the playbooks used.
SOC automation gives security managers the chance to do a better job, not simply a cheaper one. You should be aiming to combine the rigor and efficiency of automation with human intuition, versatility and pattern recognition to improve your organization.
If successful, you could eliminate your Tier 1 staff, but you could also redeploy them, adding more depth and breadth to your security posture. Options include:
- Maintaining the SOAR system’s effectiveness
- Increasing staffing to eliminate potential bottlenecks at Tiers 2 and 3
- Developing better content, improving the strategy and implementation of the information to be gathered, what to look for and how to respond
- Expanding the scope for responding to attacks. Currently SOC coverage is often limited by the ability to absorb events rather than by the boundaries of the organization.
- Improving threat hunting. So much effort goes into examining suspicious patterns that there is often no time to look for more nebulous patterns or to search for particular attack groups or techniques. This might change, though typical Tier 1 analysts may not be able to step straight into these activities.
There are also other, less obvious impacts. Tier 1 is often part of an analyst career progression — a training ground for roles you will continue to need. Senior analyst roles require diligence, ownership, reliability, determination and knowledge of the organization, which can be tested and trained at Tier 1. However, senior roles also require flair, intuition, out-of-the-box thinking, inquisitiveness, adaptability and independence — all qualities that the drudgery of current Tier 1 duties does little to promote. What will your organization’s SOC entry-level jobs be, and how will you help analysts develop these skills?
Where does that leave us?
- Some degree of automation is a foregone conclusion.
- Human factors are important for an efficient SOC. Give thought to the impact on SOC team structure, career progression, recruitment and training environments.
- Additional effort will be needed during the initial automation deployment.
- Headcount reduction is an option, but you will have to deploy some resources with additional skills, potentially at a more senior level, to monitor and tune the automation tools.
- Analysts should be organized so a standard part of their role is to maintain and improve the automation. Encourage them to question the quality and completeness of the information obtained and to think of ways of improving it.
- Consider redeploying resources into more productive activities. Automate away the drudgery, automate for scale, and use human resources for the more advanced security tasks you have previously had to pass up while focusing on the basics.
- Sell more interesting activities and increased productivity as an advantage of automation, but ensure that these are not merely empty words.
This is not simply a technology deployment. Have a plan that considers the other factors mentioned here, and make sure your SOC manager has the ability and support to manage this change.
As security leaders consider the future of SOCs, it is well worth considering moving to a security platform with intelligent automation. Even if you are not ready to jump right now, you should start building a vision of what you want and how you will achieve it.