Customize Where It Matters, Automate the Rest

Nov 10, 2023 | The Hacker News | Threat Intelligence / SecOps


There is a seemingly never-ending quest to find the right security tools that offer the right capabilities for your organization.

SOC teams tend to spend about a third of their day on events that pose no threat to their organization, and this drives the adoption of automated solutions to replace (or supplement) inefficient and cumbersome SIEMs.

With approximately 80% of these threats being routine, as is typical for most organizations, SOCs today can rely on automation to cover this large share of threat signals.

However, while it is true that automation can greatly improve the efficiency and effectiveness of security teams, it cannot cover all use cases and respond flawlessly.

The recently released GigaOm Radar for Autonomous Security Operations Center (SOC) correctly states that “the SOC is not—and should not be—completely autonomous.”

As many vendors try to challenge the dominant players in the SIEM category, demand is growing for solutions that offer automation to cover the 80%, while also offering customization capabilities to cover the special use cases that make up the remaining 20%.

[Figure: Automation can free up valuable time for security teams, so they can spend most of their time on use cases that are unique to their organization.]

THE 80%: AUTOMATION

With the continued proliferation of global data creation, organizations will inevitably see an increase in the number of alerts handled by security teams.

This may seem daunting for overworked security teams, but vendors’ advanced offerings implement automation at various stages of the SOC workflow, helping teams improve their speed and effectiveness.

The four main phases in which we see automation are:

  • Ingesting and Normalizing Data: Automating data ingestion and normalization enables teams to process large amounts of data from different sources efficiently, establishing a strong foundation for the automated processes that follow.
  • Detection: Shifting responsibility for creating a significant share of the detection rules to the platform allows security analysts to concentrate on threats that are unique to their organization or market segment.
  • Investigation: Automation eases the burden of manual and repetitive tasks, speeding up investigation and triage.
  • Response: Automated responses to known and newly discovered threats enable rapid and accurate mitigation. This may include integration with case management, SOAR solutions, ITSM, etc.

Modern SIEM vendors, such as Hunters, use pre-defined detection rules, integrate threat intelligence feeds, and automatically enrich and cross-correlate leads. These automated processes take over a lot of tedious work, allowing security teams to quickly handle the majority of alerts.
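To make the four phases concrete, here is an added example (not code from the article, from Hunters, or from any vendor) of a minimal pipeline that ingests two constructed log formats into one schema, runs pre-defined rules over it, enriches hits from a constructed threat-intelligence feed, cross-correlates alerts that share an entity into a single story, and picks an automated response. Every hostname, user, IP address and feed entry is constructed sample data, and the rule thresholds and action names are assumptions.

```python
import json
import re
from collections import defaultdict

# Phase 1: ingest and normalize. Two constructed source formats are handled:
# an sshd-style syslog line and a JSON line from a hypothetical EDR sensor.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$")


def normalize(raw):
    """Map one raw line from either source onto a single common schema."""
    m = AUTH_RE.match(raw)
    if m:
        d = m.groupdict()
        return {"ts": d["ts"], "host": d["host"], "user": d["user"],
                "src_ip": d["src"], "action": "login",
                "outcome": "success" if d["outcome"] == "Accepted" else "failure"}
    try:
        j = json.loads(raw)
    except ValueError:
        return None  # unknown format: dropped here, counted in a real pipeline
    if j.get("type") == "process":
        return {"ts": j["time"], "host": j["hostname"], "user": j["user"],
                "src_ip": None, "action": "process", "outcome": j["image"]}
    return None


def detect(events, threshold=3):
    """Phase 2: pre-defined rules evaluated over the normalized schema."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            logins[(e["host"], e["src_ip"])].append(e)
    alerts = []
    for (host, ip), evs in logins.items():
        fails = [e for e in evs if e["outcome"] == "failure"]
        if len(fails) >= threshold:
            alerts.append({"rule": "ssh_brute_force", "host": host, "src_ip": ip})
        if fails and any(e["outcome"] == "success" and e["ts"] > fails[0]["ts"]
                         for e in evs):
            alerts.append({"rule": "success_after_failures", "host": host, "src_ip": ip})
    return alerts


def investigate(alerts, events, ti_feed):
    """Phase 3: enrich each alert with threat intel and cross-correlate alerts
    that share a (host, src_ip) entity pair into one story with a timeline."""
    stories = {}
    for a in alerts:
        key = (a["host"], a["src_ip"])
        story = stories.setdefault(key, {
            "host": a["host"], "src_ip": a["src_ip"], "rules": [],
            "ti": ti_feed.get(a["src_ip"]), "timeline": []})
        story["rules"].append(a["rule"])
    for story in stories.values():
        # every event seen on the host, so the analyst sees what followed the login
        story["timeline"] = [e for e in events if e["host"] == story["host"]]
    return list(stories.values())


def respond(story):
    """Phase 4: decide the automated action handed to SOAR / ITSM."""
    if story["ti"] or len(story["rules"]) > 1:
        return ["block_src_ip", "open_ticket"]
    return ["open_ticket"]


# Constructed sample input: hosts, users and IPs are documentation values.
RAW_LINES = [
    "2023-11-10T08:00:01Z web01 sshd: Failed password for alice from 203.0.113.7",
    "2023-11-10T08:00:04Z web01 sshd: Failed password for alice from 203.0.113.7",
    "2023-11-10T08:00:07Z web01 sshd: Failed password for alice from 203.0.113.7",
    "2023-11-10T08:00:09Z web01 sshd: Accepted password for alice from 203.0.113.7",
    '{"type": "process", "time": "2023-11-10T08:01:00Z", "hostname": "web01", '
    '"user": "alice", "image": "/usr/bin/curl"}',
    "2023-11-10T09:00:00Z db01 sshd: Accepted password for bob from 198.51.100.5",
    "this line is not in any known format",
]
TI_FEED = {"203.0.113.7": "constructed feed entry: known scanner"}


def run_pipeline(raw_lines=RAW_LINES, ti_feed=TI_FEED):
    events = [e for e in (normalize(line) for line in raw_lines) if e]
    stories = investigate(detect(events), events, ti_feed)
    for story in stories:
        story["actions"] = respond(story)
    return events, stories


if __name__ == "__main__":
    evs, sts = run_pipeline()
    print(f"{len(evs)} normalized events, {len(sts)} stories")
    for s in sts:
        print(s["host"], s["src_ip"], s["rules"], s["actions"])
```

Running it yields six normalized events (the malformed line is dropped) and a single story on web01 that combines the brute-force and success-after-failures hits, carries the feed match, and is routed to both an IP block and a ticket; the benign login on db01 produces no alert at all, which is the 80% the article says automation should absorb without analyst time.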

[Figure: Automatic enrichment and cross-correlation build comprehensive attack stories, making it more efficient to track lateral movement.]

THE 20%: CUSTOMIZATION

Although automating the above stages of the workflow has gone a long way in improving efficiencies for many SOCs, the need for a certain level of customization will always remain.

Every organization has unique needs and requirements depending on industry use cases or company specifics. This means that although automated and built-in capabilities can address 80% of the total use cases and tasks, additional capabilities are needed to cover the remaining 20%.

“Customization” can mean many different things, but the main requirement for security teams is that they have both the flexibility to cover unique use cases and the ability to scale their capabilities. Let’s look at some examples of use cases where this can be useful:

  • Ingesting a custom data source: every organization consumes multiple data sources with different log formats. Many vendors lack pre-built integrations for every one of them, so a vendor that offers the capability to ingest arbitrary sources has a real advantage. This is especially true for organizations that currently use (or will soon move to) data lakes to maintain data for multiple purposes.
  • Detection-as-code: this has become a big buzzword in the security industry, but for good reason. Detection-as-code offers a variety of advantages for detection engineers, such as an improved and more efficient development lifecycle, and helps large organizations manage multi-tenant environments more effectively. If you are not familiar with the concept, detection-as-code uses APIs and deployment pipelines to provide the desired auditing capabilities, bringing the development lifecycle for security operations closer to traditional software development. This approach improves processes so that teams create higher-quality alerts and reuse code within the organization, rather than building each new detector from scratch. It also ties detection engineering into the rest of the development lifecycle, removing the need to manually test and deploy detectors.
  • Scalable business context: whether it is entities with a certain level of sensitivity (like crown jewels), data from different business units or geographies, or siloed data from different sources, it takes a lot of time and effort to integrate this information in a way that is understandable and actionable. Using a SIEM alternative that lets you manage all of this through an API brings efficiencies and scalability that not every vendor provides.

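The detection-as-code and business-context points above are easier to see in code. This is an added example, not code from the article or from any vendor's platform: each detector is a versioned object that carries its logic, metadata and its own positive and negative test cases; a CI-style gate refuses to deploy any detector whose tests fail (one detector is deliberately written with a misspelled field name to show the gate catching it); and a constructed crown-jewel table, which in practice would be maintained through the platform's API, raises the severity of hits on sensitive assets. The detector names, admin user list, working hours, severities and asset table are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Detector:
    """A detector is code plus its metadata plus its own test cases, so it can
    be reviewed, versioned and gated like any other software artefact."""
    id: str
    version: int
    severity: str
    logic: Callable[[dict], bool]
    should_fire: List[dict] = field(default_factory=list)
    should_not_fire: List[dict] = field(default_factory=list)

    def run_tests(self) -> List[str]:
        """Return a list of failure descriptions; empty means the tests pass."""
        failures = []
        for ev in self.should_fire:
            if not self.logic(ev):
                failures.append(f"{self.id} v{self.version}: missed {ev}")
        for ev in self.should_not_fire:
            if self.logic(ev):
                failures.append(f"{self.id} v{self.version}: false positive on {ev}")
        return failures


ADMIN_USERS = {"root", "admin"}  # assumed privileged accounts


def off_hours_admin_login(ev: dict) -> bool:
    """Fire on a successful admin login outside 08:00-18:00 (UTC timestamp)."""
    hour = int(ev["ts"][11:13])
    return (ev.get("action") == "login" and ev.get("outcome") == "success"
            and ev.get("user") in ADMIN_USERS and not 8 <= hour < 18)


def public_share_created(ev: dict) -> bool:
    """Deliberately buggy: the field name is misspelled ("visiblity"), so the
    rule can never fire. The detector's own test exposes this before deploy."""
    return ev.get("action") == "share" and ev.get("visiblity") == "public"


DETECTORS = [
    Detector(id="off_hours_admin_login", version=2, severity="medium",
             logic=off_hours_admin_login,
             should_fire=[{"ts": "2023-11-10T02:15:00Z", "host": "db01",
                           "user": "root", "action": "login", "outcome": "success"}],
             should_not_fire=[{"ts": "2023-11-10T10:15:00Z", "host": "db01",
                               "user": "root", "action": "login", "outcome": "success"},
                              {"ts": "2023-11-10T02:15:00Z", "host": "db01",
                               "user": "alice", "action": "login", "outcome": "success"}]),
    Detector(id="public_share_created", version=1, severity="high",
             logic=public_share_created,
             should_fire=[{"ts": "2023-11-10T12:00:00Z", "host": "files01",
                           "user": "bob", "action": "share", "visibility": "public"}]),
]

# Constructed business context. In a real platform this table would be
# maintained through the vendor's API rather than hard-coded.
CROWN_JEWELS: Dict[str, str] = {"db01": "customer PII store"}


def deploy_gate(detectors):
    """CI-style gate: only detectors whose own tests pass are deployed."""
    deployed, rejected = [], {}
    for d in detectors:
        failures = d.run_tests()
        if failures:
            rejected[d.id] = failures
        else:
            deployed.append(d)
    return deployed, rejected


def evaluate(detectors, event, context=CROWN_JEWELS):
    """Run deployed detectors over one normalized event and apply the
    business context: a hit on a crown-jewel asset is raised to high."""
    alerts = []
    for d in detectors:
        if d.logic(event):
            asset = context.get(event.get("host"))
            alerts.append({"detector": d.id, "version": d.version,
                           "severity": "high" if asset else d.severity,
                           "asset_context": asset})
    return alerts


if __name__ == "__main__":
    live, bad = deploy_gate(DETECTORS)
    print("deployed:", [d.id for d in live])
    print("rejected:", bad)
    print(evaluate(live, DETECTORS[0].should_fire[0]))
```

Because the test cases travel with the detector, a pull request that changes the rule is reviewed and gated like any other code change, and the same gate runs identically for every tenant, which is where the multi-tenancy benefit the article mentions comes from. The context lookup is deliberately separate from the rule logic so the crown-jewel list can be updated through an API without redeploying detectors.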
Conclusion

Building an effective SOC has always been, and will continue to be, a nuanced endeavor.

There is no one-size-fits-all solution when it comes to security tools. It is important not only to give organizations ways to customize for their own use cases, but also to let them integrate that “customization” with the automation capabilities vendors already offer.

It has become imperative to find vendors that offer the same hands-on approach to customizing their tools, but do so in a way that reinforces the autonomous features of those tools.

SIEM replacement vendors such as Hunters, named a leader in the previously mentioned GigaOm report on the autonomous SOC, are known for their easy-to-use, pre-built capabilities. And, to serve the needs of security teams, new customization features continue to be added that allow organizations to tailor their security strategy to their unique needs.

Covering 80% is important, but addressing the remaining 20% will put your security team ahead of the rest.
