Am I ready to SOAR?
Finding the right time to invest in automation for a security program.
I was recently speaking with a group of security leaders about automation, when someone said "I don't think we're mature enough to look at SOAR yet, we have to solve a lot of other problems first."
To be honest, I totally understand that perspective. Cybersecurity vendors love inventing new acronyms and new categories to solve new problems, while the rest of us are still trying to make sure critical patches get applied within thirty days. I mean, just look at the definition of SOAR: "Security Orchestration, Automation, and Response" sounds like a team of 50 people at a Fortune 500 company.
While I've been a huge Tines fan for years, SOAR can definitely sound intimidating. Still, I think more teams are ready to start their security automation journey than they realize.
Myth: Security automation is something that "mature teams" do.
Fact: Security automation is how a team matures itself.
For small security teams (or solo security/IT/operations/everything practitioners), 95% of your daily processes are likely memorized or handled based on past experience. When a new team member joins, the process is passed down by word of mouth or through an onboarding Google Doc that quickly becomes obsolete.
For larger (but still less mature) security teams, you might have runbooks, but keeping them up to date with how you actually work is a challenge. Plus, every time an audit comes around, you have to generate a ton of artifacts to prove you're following your documented process.
You can probably see where I'm going with this. Security automation workflows are your team's self-documenting, evidence-generating processes! The workflow definition is the runbook, and every run leaves a timestamped record of what was checked, who was contacted, and what was done, which is exactly the artifact you'd otherwise assemble by hand before an audit. By investing in workflows rather than manual, labor-intensive runbooks, the cost of moving from "Managed" to "Defined" in a SOC-CMM capability goes down dramatically.
Myth: Automating everything is incredibly difficult.
Fact: Automating everything all at once is, in fact, incredibly difficult.
Some teams treat their security automation platform like a blank page in the novel they're writing: until they've completed the whole thing, it's not done. And just like writing a novel, it can be a little overwhelming to know where to begin.
The best teams I've seen treat their security automation platform like a set of code modules or slide templates. The building blocks accrue over time, such that every automation project makes the next automation incrementally faster and cheaper to create.
When I wrote my first-ever workflow, it was a simple one that called the Twitter API to see if BGPMon had detected any hijacked prefixes for our cloud providers' ASNs, and sent me an email if an alert triggered.
By the time I left that role, my team had written a 100+ step workflow that would automatically contact end users if anomalous activity was detected in any of their accounts, and terminate all sessions across multiple SaaS platforms if the user didn't reply within a specified period of time.
A lot of automations were written in between those two examples, of course. And many of those interim automations became the building blocks of more complex ones, particularly in incident response workflows. To be honest, I don't think we'd have been able to get our security automation off the ground if we hadn't started simple and iterated.
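To make the "building blocks plus evidence trail" idea concrete, here is an added example in Python. It is my illustration, not the author's Tines workflow or any vendor's code, of the escalation described above: notify the user, wait for a reply up to a deadline, and revoke sessions everywhere if no confirming reply arrives. The SaaS clients, clock, alert and replies are constructed stand-ins (a real deployment would call the vendors' admin APIs and use wall-clock time). Notification, waiting and containment are separate functions so they can be reused in other workflows, and every step appends to an Evidence trail, which is the self-documenting, audit-ready record from the first section.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class Evidence:
    """Append-only trail of what the workflow did: this is the audit artifact."""
    steps: List[dict] = field(default_factory=list)

    def record(self, step: str, **detail) -> None:
        self.steps.append({"step": step, **detail})

    def outcome(self) -> str:
        return self.steps[-1]["step"]


class SimClock:
    """Constructed clock so the example runs instantly; use wall-clock time in production."""
    def __init__(self, start: datetime) -> None:
        self.t = start

    def now(self) -> datetime:
        return self.t

    def sleep(self, delta: timedelta) -> None:
        self.t += delta


class FakeSaaS:
    """Constructed in-memory stand-in for a SaaS admin API (hypothetical, not a vendor client)."""
    def __init__(self, name: str, sessions: Dict[str, List[str]]) -> None:
        self.name = name
        self._sessions = sessions  # user -> active session ids

    def terminate_all(self, user: str) -> int:
        """Revoke every session for `user`; returns how many were revoked."""
        return len(self._sessions.pop(user, []))


# Building block 1: notify the user (a real version would call an email or chat API).
def notify_user(ev: Evidence, clock: SimClock, user: str, text: str) -> str:
    msg_id = f"msg-{len(ev.steps)}"  # hypothetical message id
    ev.record("user_notified", user=user, message_id=msg_id, at=clock.now().isoformat(), text=text)
    return msg_id


# Building block 2: poll for a reply until the deadline passes.
def wait_for_reply(ev: Evidence, clock: SimClock, user: str,
                   poll_reply: Callable[[str, datetime], Optional[str]],
                   deadline: datetime, poll_interval: timedelta) -> Optional[str]:
    while True:
        reply = poll_reply(user, clock.now())
        if reply is not None:
            ev.record("user_replied", user=user, reply=reply, at=clock.now().isoformat())
            return reply
        if clock.now() >= deadline:
            ev.record("reply_timeout", user=user, at=clock.now().isoformat())
            return None
        clock.sleep(poll_interval)


# Building block 3: contain across every platform and record exactly what was revoked.
def terminate_everywhere(ev: Evidence, clock: SimClock, user: str, apps: List[FakeSaaS]) -> Dict[str, int]:
    revoked = {app.name: app.terminate_all(user) for app in apps}
    ev.record("sessions_terminated", user=user, revoked=revoked, at=clock.now().isoformat())
    return revoked


def anomalous_activity_workflow(user: str, alert: dict, apps: List[FakeSaaS],
                                poll_reply: Callable[[str, datetime], Optional[str]], clock: SimClock,
                                reply_timeout: timedelta = timedelta(minutes=30),
                                poll_interval: timedelta = timedelta(minutes=5)) -> Evidence:
    ev = Evidence()
    ev.record("alert_received", user=user, at=clock.now().isoformat(), **alert)
    notify_user(ev, clock, user, f"We saw {alert['kind']} from {alert['source_ip']}. Reply YES if this was you.")
    deadline = clock.now() + reply_timeout
    reply = wait_for_reply(ev, clock, user, poll_reply, deadline, poll_interval)
    if reply is not None and reply.strip().lower() == "yes":
        ev.record("closed_benign", user=user)
    else:
        # No answer, or an answer that is not an explicit "yes": contain first, investigate after.
        terminate_everywhere(ev, clock, user, apps)
        ev.record("closed_contained", user=user, reason="timeout" if reply is None else "user_denied")
    return ev


def demo(reply_text: Optional[str], reply_after: timedelta) -> Evidence:
    """Constructed scenario: alert at 09:00 UTC, optional scripted reply arriving after `reply_after`."""
    clock = SimClock(datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc))
    start = clock.now()
    apps = [FakeSaaS("okta", {"alice": ["s1", "s2"]}),
            FakeSaaS("google-workspace", {"alice": ["s3"], "bob": ["s9"]})]

    def poll_reply(user: str, now: datetime) -> Optional[str]:
        if reply_text is not None and user == "alice" and now >= start + reply_after:
            return reply_text
        return None

    alert = {"kind": "impossible-travel login", "source_ip": "203.0.113.7"}  # constructed alert
    return anomalous_activity_workflow("alice", alert, apps, poll_reply, clock)


if __name__ == "__main__":
    for ev in (demo("yes", timedelta(minutes=12)), demo(None, timedelta(0))):
        for step in ev.steps:
            print(step)
        print("---")
```

Run as a script to see both trails: the first scenario closes as benign after the user replies at 09:15, the second times out at 09:30 and records two Okta sessions and one Google Workspace session revoked (Bob's session is untouched). Note that anything other than an explicit "yes" is treated as a denial and contained; a reply of "no" should never leave sessions alive.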
Myth: Automation requires a dedicated team.
Fact: Automation is everyone's responsibility.
Okay, so automating a workflow isn't as easy as opening a Google Doc and starting to type. But there's no reason a security analyst can't learn how to use a low- or no-code security automation platform - we ask SecOps folks to learn new EDR platforms, query languages, and data sources all the time.
In fact, I would argue that a democratized approach to automation is more likely to achieve positive outcomes over the long run than a dedicated team. After all, we don't outsource runbook writing (and when we do, the results are often so generic that they're not actually helpful for triaging alerts or resolving real-world incidents).
While anyone should be able to contribute to security automation, I've found it's also helpful to have an automation champion who can mentor their teammates in effective workflow building (as a bonus, it's a great resume-builder for that person!).
So what are you waiting for? Time to start automating!