SOC Automation: Good or Evil?

Thursday, May 24, 2018

John Moran


Many security operations centers (SOCs) face the same recurring problem — too many alerts and too few people to handle them. Over time, the problem worsens because the number of devices generating alerts increases at a much faster rate than the number of people available to analyze them. Consequently, alerts that truly matter can get buried in the noise.

Most companies look at this problem and see only two solutions: decrease the number of alerts, or increase the number of staff. Luckily, there’s a third option: automation, which can greatly maximize the efficiency of analysts’ time.

Traditionally, automation has been viewed as an all-or-nothing proposition. But, times change. Companies can implement automation at various points of the incident response process to free analysts from mundane, repetitive tasks, while maintaining human control over how they monitor and react to alerts. Ultimately, the goal should be to strike a balance between low-risk processes that can be automated with minimal impact and the higher-risk ones that need to be handled by analysts.

Before launching into some level of SOC automation, the following should be considered: 1) Is the organization winning or losing the cyber battle? 2) If it is winning, does it have the right tools to continue doing so? 3) If it is losing, what should it do?

Whether an organization is winning or losing, understanding the pros and cons of automation is critical to any project’s success.

Benefits of Automation

Automation has typically been favored in low-impact environments, but it has been frowned upon in high-impact environments such as utilities and healthcare because of the negative impact false positives can cause.

The main benefits of SOC automation include:

  • More consistent response to alerts and tickets
  • Higher volume of ticket closure and response to incidents
  • Better focus by analysts on higher priority items
  • Improved visibility into what is happening
  • Coverage of a larger area and a larger number of tickets

Downsides of Automation

Nothing is more taxing than dealing with a false positive, which happens when a system misinterprets legitimate activity and flags it as an attack. In some industries, a false positive can disrupt business processes, resulting in lost revenue, causing downtime for industrial organizations, and even putting lives at risk in hospital settings.

Major downsides include:

  • Shutting down operations
  • Misclassifying an attack so the wrong action is taken
  • Automating tickets that should have been handled manually
  • Missing key information or data
  • Making the wrong or inappropriate decision

Best Practices for Automation

In the past, companies typically looked at automation’s potential downsides and then decided to avoid it because doing so seemed safer. However, today, more companies are realizing that if they do not implement some degree of automation, they increase their chances of missing an attack, which could cause more damage than the negative effects of automation.

Given this scenario, security practitioners should look at adopting the following best practices for automation.

Create a Thorough Strategy

The plan should address the following key questions:

  • What areas generate the most alerts?
  • What alerts take up most of the analysts’ time?
  • Which responses are very structured and which ones do the analysts respond to in a predictable way?
  • Can an automated playbook be used to handle certain events?

Take a Measured Approach

One of the key rules of security is to always avoid extremes. For example, automating everything can open a can of worms — forcing security executives to justify the approach by claiming analysts could not keep up with the tickets.

Finding a balance by automating tasks and tickets that are manually intensive, highly repeatable, and distract analysts from important functions is a good starting point. Automation should allow the company to improve SOC efficiency while maintaining acceptable levels of risk — both on the operational side and the security side.

The trick is to manage and control false positives, not eliminate them.

Know, and Don’t Automate, Tasks that Require Human Analysis

These include alerts that affect:

  • Critical applications or systems
  • Business process, financial and operational systems
  • Systems that contain large amounts of sensitive data
  • Large-scale compromise indicators


The need for SOC automation is increasing in urgency since adversaries are also harnessing software and hardware to develop and carry out attacks. Consequently, the velocity and sophistication of threats is rising. Keeping pace with programmatic attacks inevitably requires automating certain SOC functions and processes. Following the recommendations outlined above can help determine those that should be automated, and those that shouldn't.

About the author: John Moran is Senior Product Manager for DFLabs and a security operations and incident response expert. He has served as a senior incident response analyst for NTT Security, computer forensic analyst for the Maine State Police Computer Crimes Unit and computer forensics task force officer for the US Department of Homeland Security. John currently holds GCFA, CFCE, EnCE, CEH, CHFI, CCLO, CCPA, A+, Net+, and Security+ certifications.
