Automation, in my opinion, is now, more than ever, a crucial component in keeping on top of the day-to-day tasks of an SOC.
The volume and sophistication of threats are increasing daily, and all too often, I encounter analyst teams stuck in a revolving cycle of having too many alerts and not enough time or expertise to handle them. Unfortunately, this can result in alarms being lost in the noise.
I will add a plug here to let you into a well-known secret - LogRhythm's technology directly addresses alarm fatigue. Imagine a typical organisation that has around 15 security solutions in their infrastructure, all generating information... and alerts. Frankly, it's not effective to have this in an SOC - your analysts are going to spend more time trying to make sense of multiple products and interfaces, than dealing with the alert. And a single alert from say, a firewall, may not necessarily represent a high risk or high priority. Therefore, having a centralised platform with risk-based prioritisation to operate from makes perfect sense.
I have encountered a few security professionals who are stand-offish around automation and others who welcome it with open arms.
From my encounters, I have concluded that an important factor to consider is how we incorporate automation into workflows and processes that already exist but are, at this point, carried out manually. For security professionals who don't yet have confidence in a fully-automated incident response, SAO (Security Automation & Orchestration) can assist in finding a balance that complements human intervention and speeds up SOC processes quite dramatically. For the organisations that welcome full automation, we are already seeing great results.
Let's take LogRhythm's PIE (Phishing Intelligence Engine) as an example. It can help streamline and automate the entire process of tracking, analysing and responding to phishing emails. PIE helps fight one of the most commonly used methods for network infiltration - the phishing attack.
PIE is an open-source PowerShell framework that integrates with the LogRhythm platform to help provide phishing attack detection and response. Built around Office 365, PIE evaluates message trace logs for malicious content and responds as threats are identified or emails are reported.
The PIE framework consists of multiple PowerShell scripts that work together with the LogRhythm Platform to automate detection and response to phishing cyberattacks.
PIE plugs security gaps through a number of unique features and capabilities including:
- Determining email risk by analysing subjects, senders, and recipients using RegEx, Threat Feed Correlation and various API integrations to sandboxing tools
- Automatically responding to attacks by quarantining mail, blocking senders and checking embedded links for potential threats
- Performing sandbox analytics on all automatically-flagged email attachments and embedded links
- Employing dynamic integration with LogRhythm Case Management or other project management tools and metrics tracking
- Preventing sensitive data loss and validating corporate email security controls
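As an added illustration (not PIE's own code, which lives in the project's repository), the PowerShell below sketches the evaluation pattern those bullets describe: constructed Office 365 message trace records are scored with RegEx rules on the subject line and correlated against a sender-domain threat list, and the resulting score drives a risk-based response decision. The domains, patterns, weights and thresholds are assumptions a team would tune to its own mail flow.

```powershell
# Added example, not PIE's own code. Every record, pattern and domain below is constructed sample data.
$MessageTrace = @(
    [pscustomobject]@{ MessageId = '<a1@example.test>'; SenderAddress = 'billing@secure-login-update.test'
                       RecipientAddress = 'alice@corp.example'; Subject = 'URGENT: verify your account now' },
    [pscustomobject]@{ MessageId = '<b2@example.test>'; SenderAddress = 'newsletter@vendor.example'
                       RecipientAddress = 'bob@corp.example';   Subject = 'Monthly product update' },
    [pscustomobject]@{ MessageId = '<c3@example.test>'; SenderAddress = 'it-helpdesk@corp-example.test'
                       RecipientAddress = 'carol@corp.example'; Subject = 'URGENT: password expiry notice' }
)

# Constructed threat-feed style list of known-bad sender domains (placeholder values)
$BadSenderDomains = @('secure-login-update.test')

# Weighted RegEx rules applied to the subject line; weights are assumptions
$SubjectRules = @(
    @{ Pattern = '(?i)\burgent\b';             Weight = 3; Name = 'urgency wording' },
    @{ Pattern = '(?i)verify (your )?account'; Weight = 4; Name = 'credential lure' },
    @{ Pattern = '(?i)password (expir|reset)'; Weight = 3; Name = 'password lure' }
)

function Get-PhishRisk {
    param([Parameter(Mandatory)] $Message)
    $score = 0
    $reasons = @()
    $senderDomain = ($Message.SenderAddress -split '@')[-1].ToLower()

    # Threat feed correlation: exact match on the sender's domain
    if ($BadSenderDomains -contains $senderDomain) {
        $score += 5; $reasons += "sender domain listed: $senderDomain"
    }
    # RegEx evaluation of the subject line
    foreach ($rule in $SubjectRules) {
        if ($Message.Subject -match $rule.Pattern) { $score += $rule.Weight; $reasons += $rule.Name }
    }
    # Risk-based prioritisation: the action is a label handed to the response workflow,
    # not a direct call into Exchange Online; thresholds are assumptions
    $action = 'no-action'
    if ($score -ge 8) { $action = 'quarantine-and-block-sender' }
    elseif ($score -ge 4) { $action = 'open-case-for-analyst' }

    [pscustomobject]@{
        MessageId = $Message.MessageId; Recipient = $Message.RecipientAddress
        Score = $score; Action = $action; Reasons = ($reasons -join '; ')
    }
}

# Evaluate every trace record and show the decision per message
$MessageTrace | ForEach-Object { Get-PhishRisk -Message $_ } | Format-Table -AutoSize
```

With the sample data, the first message scores 12 (listed domain plus two subject matches) and is marked for quarantine, the third scores 6 and is routed to an analyst case, and the newsletter scores 0.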
PIE is a prime example of how analysts can leverage tighter integrations with existing solutions and security tools to complement what would be quite a mundane and time-consuming response process.
As we continue to develop capabilities such as PIE, I believe SOC processes will become more and more automated and organisations will gain trust in the process, freeing up analysts to focus on higher priority tasks. I'm eager to see this technology develop and would love to hear from our customers on how they are automating.
The Phishing Intelligence Engine (PIE) is a framework that assists with the detection of and response to phishing attacks. It is an Active Defense framework built around Office 365 that continuously evaluates Message Trace logs for malicious content and dynamically responds as threats are identified or emails are reported.