By many accounts, Security Automation and Orchestration (SA&O) has been a hot topic among Information Security (InfoSec) professionals since 2016. With all that interest comes operations teams trying to figure out how to get started with the technology. It seems fitting as 2018 gets underway, then, that we offer up some advice for taking your first steps toward leveraging automation and orchestration in your practice.
As Paul Davis, our VP of Services Delivery often says, “One of the keys to success is identifying the right use cases.” Yet, it’s tough to automate any use case that you haven’t documented. So one place to start is with getting existing workflows onto paper.
Next, try to identify security use cases that will deliver measurable impact when automation and orchestration come into play. This will allow you to iterate on your processes over time using concrete data points to improve efficiency. Here are three tips for identifying strong use cases for security automation and orchestration.
Tip 1: Start small with utility playbooks
Your initial use cases don’t have to be powered by huge and complex automation playbooks. Small utility playbooks, each representing a limited set of automation tasks, can often provide a great deal of value. One example is checking an IP across multiple reputation services and computing a weighted reputation score (make sure a service that fails or times out is reported as missing rather than counted as a clean verdict, or an outage will quietly make everything look benign). Another is creating or updating a ticket in your ticketing system. The idea is to automate the well-defined parts of a larger workflow so that you work more efficiently, avoid context switching, and no longer copy and paste across multiple interfaces.
Tip 2: Identify time-consuming and highly-repetitive workflows
Examine your operations plans for end-to-end workflows that your team members are manually executing over and over with little variation. For example, triaging suspected phishing emails commonly follows a prescriptive set of steps. You can automate the repetitive actions, like enriching an event with reputation data from a threat intelligence service, then insert your staff into the workflow afterward so they can make a close or escalation decision. Playbook automation can pick up again after a decision is made and continue executing tasks based on that decision. Over time, once you’ve gained confidence that the embedded logic reaches the same decisions your analysts do, you may choose to fully automate the workflow. The benefit of this approach is that it lets you focus your analysts, who are always in high demand, on more complex issues.
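The two tips above describe a utility playbook (a weighted IP reputation score across several services, Tip 1) and a phishing triage playbook that enriches an event, stops for an analyst decision and then resumes (Tip 2). The following is an added example illustrating both, written for this post rather than taken from Splunk or from any product; the reputation source names, their weights, the sample verdicts and the `INC-` ticket numbering are all constructed for illustration, and `phishing_triage` is a hypothetical function, not a real playbook API.

```python
"""Added example (not Splunk's code and not from the original post): a small
utility playbook that computes a weighted IP reputation score across several
reputation sources, plus a phishing-triage playbook that enriches an event,
pauses for an analyst decision, then resumes. Source names, weights and the
sample verdicts are constructed for illustration."""
import itertools
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical reputation sources and how much we trust each one.
SOURCE_WEIGHTS = {"vendor_a": 0.5, "vendor_b": 0.3, "internal_blocklist": 0.2}


def weighted_reputation(verdicts: dict) -> dict:
    """Combine per-source scores (0 = clean, 100 = malicious) into one
    weighted score. A source that failed or timed out reports None; it is
    dropped and the remaining weights are renormalised, so an outage never
    silently pulls the score towards 'clean'. 'coverage' tells the analyst
    how much of the configured weight actually answered."""
    available = {s: v for s, v in verdicts.items()
                 if s in SOURCE_WEIGHTS and v is not None}
    if not available:
        return {"score": None, "coverage": 0.0, "sources": []}
    answered = sum(SOURCE_WEIGHTS[s] for s in available)
    score = sum(SOURCE_WEIGHTS[s] * v for s, v in available.items()) / answered
    return {"score": round(score, 1),
            "coverage": round(answered / sum(SOURCE_WEIGHTS.values()), 2),
            "sources": sorted(available)}


@dataclass
class Case:
    event: dict
    enrichment: dict = field(default_factory=dict)
    status: str = "new"        # new -> awaiting_analyst -> closed | escalated
    ticket_id: Optional[str] = None
    log: list = field(default_factory=list)


_ticket_seq = itertools.count(1000)


def create_ticket(case: Case) -> str:
    """Stand-in for the ticketing-system call (constructed; no real system)."""
    case.ticket_id = f"INC-{next(_ticket_seq)}"
    return case.ticket_id


def phishing_triage(case: Case, lookup: Callable[[str], dict],
                    analyst_decision: Optional[str] = None,
                    auto_escalate_at: Optional[float] = None) -> Case:
    """Phase 1 (automated): enrich the sender IP, open a ticket, then stop and
    hand the case to an analyst. Phase 2 (automated again): act on the
    analyst's 'close' or 'escalate' decision. Calling the function a second
    time with the decision models the playbook resuming. Once you trust the
    scoring, auto_escalate_at lets high-confidence cases skip the analyst."""
    if case.status == "new":
        case.enrichment = weighted_reputation(lookup(case.event["sender_ip"]))
        create_ticket(case)
        case.log.append(f"enriched {case.event['sender_ip']}: "
                        f"{case.enrichment}, ticket {case.ticket_id}")
        score, coverage = case.enrichment["score"], case.enrichment["coverage"]
        # Embedded decision logic: only auto-escalate when enough sources
        # answered; a high score from one source alone still goes to a human.
        if (auto_escalate_at is not None and score is not None
                and coverage >= 0.5 and score >= auto_escalate_at):
            analyst_decision = "escalate"
            case.log.append("auto-escalated by embedded decision logic")
        else:
            case.status = "awaiting_analyst"
            return case
    elif case.status != "awaiting_analyst":
        raise ValueError(f"case is already {case.status}")
    if analyst_decision not in ("close", "escalate"):
        raise ValueError("a 'close' or 'escalate' decision is required to resume")
    if analyst_decision == "escalate":
        case.log.append("sender blocked, case escalated to IR")
        case.status = "escalated"
    else:
        case.log.append("closed as benign")
        case.status = "closed"
    return case


# Constructed sample verdicts per IP; vendor_b 'timed out' for the second IP.
SAMPLE_VERDICTS = {
    "203.0.113.7": {"vendor_a": 90, "vendor_b": 70, "internal_blocklist": None},
    "198.51.100.4": {"vendor_a": 5, "vendor_b": None, "internal_blocklist": 0},
}


def sample_lookup(ip: str) -> dict:
    return SAMPLE_VERDICTS.get(ip, {})


if __name__ == "__main__":
    case = Case(event={"sender": "billing@example.test", "sender_ip": "203.0.113.7"})
    phishing_triage(case, sample_lookup)                 # pauses for the analyst
    print(case.status, case.enrichment)
    phishing_triage(case, sample_lookup, analyst_decision="escalate")
    print(case.status, case.log)
```

Two design choices matter here. The missing verdict from `vendor_b` lowers `coverage` rather than the score, so the analyst sees that only 80% of the configured sources answered instead of a misleadingly clean number. And the automated escalation path requires both a high score and adequate coverage, which is the kind of guard you want in place before removing the human decision step.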
Tip 3: Identify key metrics to monitor
It’s important to define a set of metrics that can be used to gauge and report on the effect of automation and orchestration within the SOC. One common metric is Mean Time to Resolution (MTTR), the time from detection to satisfactory resolution. This metric should decrease as a result of the efficiencies gained through security automation and orchestration, so capture a baseline before you automate; without one there is nothing to compare against. Other metrics include analyst productivity (e.g. events or cases closed per shift) and adherence to service level agreements (SLAs). The key is to demonstrate, likely to executive management, that you’re getting the benefits expected and that improvement can be measured over time.
Hopefully, this post has given you some ideas on how to get started with security automation and orchestration. Looking for additional resources, tips, and advice? Be sure to check out other SOC Automation Best Practices posts here on the Splunk blog.