The tech world is grappling with an imbalance between skilled technical talent availability and demand, with far-reaching impacts. Combined with tightened budgets, staff shortages can leave your organization vulnerable to hacking and cyberattacks. Let’s look at just two of the industries being affected: higher education and state and local governments.
EduCause recently conducted a survey to determine the effects of budgets and market shortages on cybersecurity staffing. When respondents were asked whether staffing issues have negatively impacted cybersecurity services, two-thirds (66%) stated they’ve had some or a lot of negative impact on cybersecurity services offered at their institution. Nearly as many (60%) reported some negative impacts on the privacy services offered.
When looking at the ability of these institutions to maintain appropriate staffing levels, recruit new talent, and retain current employees, we find that only a minority of organizations were able to create new positions and fill their existing ones. Surprisingly, a small majority retained their talent — a significant challenge in the current market where there’s a shortage of available skilled workers. Higher education institutions now have to compete with commercial entities, which can typically offer significantly higher pay.
Source: EduCause, The Cybersecurity and Privacy Workforce in Higher Education, 2023
According to a joint Deloitte and National Association of State CIOs (NASCIO) report, in 2022 the average state cybersecurity expenditure as a percentage of the total IT budget was at most 10%, while federal agencies spent roughly 16% of their budget on cybersecurity. The survey revealed that the biggest institutional security issues were related to cybersecurity budget size, followed by the scarcity of cybersecurity skills and the continued usage of outdated technology in the face of new threats. According to Deloitte, 55% of states reported raising their cybersecurity budgets by no more than 5% in 2022 despite the growing threat.
Just as with universities, state and local government IT salaries are generally less competitive than private-sector salaries. According to the Bureau of Labor Statistics, in 2021 the private sector paid 35% more on average than the state and local government sector. For more experienced staff, the gap is even wider. Public sector wages are often constrained by salary bands and caps, limiting governments' ability to attract and retain IT staff.
Not being able to staff and hire enough people increases the risk of a cybersecurity incident for any institution. This is especially true when your cyber staff spend most of their time on recurring or repetitive tasks.
State and local government and higher education institutions offer vital services and manage personally identifiable data, making them prime targets for cyberattacks. When vital government functions are compromised, they risk severely impairing operations and disclosing private data.
A government's rating may suffer when cyberattacks seriously impair operations and financial performance, because management's capacity to handle cyber risk is treated as an asymmetric risk factor. Identifying and meeting IT employment needs may become even more difficult for local governments with a poor risk management and financial performance profile.
Unfortunately, cybercriminals are likely to exploit security vulnerabilities that result from insufficient staffing. According to a recent survey, The State of Ransomware, by cybersecurity firm Sophos, ransomware attacks increased by 70% in 2021 compared to the previous year, and 82% of respondents reported that ransomware significantly impacted their operations.
So, how can higher ed and state and local government entities mitigate these issues? One of the most effective ways to close the cybersecurity resource gap is by infusing automation into everyday workflows.
In most cyber jobs, at least one-third of regularly performed activities could be automated. Cyber workers can benefit significantly from automation by reducing the number of productivity-killing tasks they execute daily to keep the business running.
Security operations work is rife with monotonous, routine, repetitive tasks that, over time, can be mind-numbing — especially at the Tier 1 analyst level. Typically, security investigations and responses require the same steps or tasks to be manually executed for any given incident. These repetitive tasks offer the greatest opportunity for automation.
A recent survey from Splunk’s State of Security 2023 report found that security teams that used a SOAR tool improved efficiency by an average of 48% and productivity by about 53%. An overwhelming 97% of respondents said a SOAR tool allowed for managing an increased workload while maintaining the same size staff. This shows that a SOAR tool can help organizations directly address the problem of the public sector cybersecurity shortage.
At Splunk, we look at cybersecurity operations through the lens of the OODA loop: observe, orient, decide and act. This framework was first used in the military and is based on the idea that whoever can execute through the OODA loop faster will win in battle. The same framework applies to cybersecurity.
Source: Splunk SOAR first call deck
Working from left to right, the security products that help teams observe are firewalls, IPS and endpoint security. These devices collect information and present it to security analysts to help them understand what’s happening in your environment.
Analysts then need to make sense of those observations. Applying some level of analytics allows them to draw conclusions, identify trends and understand context. Alerts are typically generated in these first two phases — from point products in the observe stage and analytical tools in the orient stage.
For most security teams, the decide and act phases still involve manual processes. The analyst needs to decide what to do based on the alert they’ve received and then take action, whether that means blocking an IP on a firewall, investigating malware or blocking an executable on an endpoint. Automating the first two phases frees up significant time for your security teams to focus on these critical processes.
We already know that automating repetitive tasks can increase analyst productivity by just over half. So, what could your cyber workers do with that time?
With so many repetitive tasks on the security team’s plate, it’s hard to know where to start.
According to TechTarget, the top six automation opportunities for SOC workflows are: threat intelligence coordination, case management, vulnerability management, automated enrichment for remediation, threat hunting, and incident response.
In all of these use cases, SOAR can automate the tedious, repetitive tasks your analysts spend significant time on each day — not only increasing efficiency and accuracy but also allowing you to cast a wider threat detection net by handling greater volumes of data. Let’s take a quick look at each one.
Threat Intelligence Coordination
A SOAR platform can help SOC teams do the heavy lifting when it comes to ingesting and aggregating the thousands of indicators of compromise (IOCs) that appear across your various tools and systems daily. Automation also helps to ensure nothing suspicious slips through the cracks.
Case Management
Manually parsing through potential security threats that are detected by multiple tools is also a major time sink for analysts. Instead, let SOAR collate disparate data from multiple correlated events into a single view. Your case managers can then prioritize the most critical cases for faster response, improving your overall security posture.
Vulnerability Management
Automating vulnerability monitoring and simple responses will save your analysts considerable time and effort. SOAR can correlate threat data across multiple security tools to calculate risk and quickly prioritize responses — even with a large volume of data.
Automated Enrichment for Remediation
Enrichment of IOCs is the first step in responding to any incident. A SOAR platform can accelerate this process by obtaining context from various threat intelligence tools or enrichment databases, empowering your SOC team to triage and respond more efficiently and accurately. Enrich large volumes without compromising on depth.
Threat Hunting
This is one of the most important jobs your analysts do, but also the most time-consuming.
With a SOAR platform, you’re essentially automating threat hunting through the continuous detection of IOCs at scale, including probing for malware. Plus, SOAR can bring people into the loop for strategic decisions.
Incident Response
Finally, automating remediation and response processes can help you avoid costs by targeting threats earlier. SOAR can automatically address common threats, including phishing, malware, DoS, web defacement, and ransomware.
Common repetitive actions that are ripe for automation include adding indicators to watchlists and blocking malicious indicators, quarantining indicators and compromised endpoints, patching infrastructure hardware/software, deleting suspicious emails and blocking IPs, generating tickets and terminating user accounts. A SOAR platform can also automatically trigger antivirus scans or security compliance checks and provide alerts to specific analysts, employees, vendors, partners or customers.
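As an added illustration of the enrichment and decide/act automation described above (example code written for this page, not Splunk's code or a Splunk SOAR playbook): constructed alerts from several tools are aggregated into unique indicators, enriched from a constructed local threat-intel table, scored, and routed to an automated block only when the verdict is corroborated by more than one tool, otherwise queued for an analyst so people stay in the loop. All tool names, field names and indicator values are constructed for the example.

```python
# Constructed sample alerts; tool and field names are hypothetical.
ALERTS = [
    {"tool": "firewall", "indicator": "203.0.113.7", "type": "ip", "host": "ws-17"},
    {"tool": "edr", "indicator": "203.0.113.7", "type": "ip", "host": "ws-17"},
    {"tool": "proxy", "indicator": "bad.example", "type": "domain", "host": "ws-22"},
    {"tool": "edr", "indicator": "constructed-sha256-0001", "type": "sha256", "host": "ws-22"},
    {"tool": "firewall", "indicator": "198.51.100.9", "type": "ip", "host": "srv-01"},
    {"tool": "edr", "indicator": "198.51.100.200", "type": "ip", "host": "srv-02"},
]

# Constructed local threat-intel lookup standing in for external enrichment feeds.
THREAT_INTEL = {
    "203.0.113.7": {"malicious": True, "confidence": 90, "tags": ["c2"]},
    "bad.example": {"malicious": True, "confidence": 60, "tags": ["phishing"]},
    "198.51.100.9": {"malicious": False, "confidence": 80, "tags": ["known-scanner"]},
    "198.51.100.200": {"malicious": True, "confidence": 95, "tags": ["c2"]},
}

def aggregate(alerts):
    """Observe/orient: collapse alerts from many tools into one record per indicator."""
    iocs = {}
    for a in alerts:
        rec = iocs.setdefault(a["indicator"], {"type": a["type"], "tools": set(), "hosts": set()})
        rec["tools"].add(a["tool"])
        rec["hosts"].add(a["host"])
    return iocs

def enrich(iocs, intel):
    """Attach verdict and confidence; unknown indicators get an explicit None verdict."""
    for ind, rec in iocs.items():
        rec.update(intel.get(ind, {"malicious": None, "confidence": 0, "tags": []}))
    return iocs

def score(rec):
    """Priority 0-100 from the intel verdict, plus a bonus for multi-tool, multi-host corroboration."""
    base = {True: rec["confidence"], None: 40, False: 10}[rec["malicious"]]
    return min(100, base + 10 * (len(rec["tools"]) - 1) + 5 * (len(rec["hosts"]) - 1))

def decide(rec, s, auto_threshold=80):
    """Decide/act: only high-scoring malicious IOCs seen by more than one tool are blocked
    automatically; anything else worth a look is queued for an analyst decision."""
    if s >= auto_threshold and rec["malicious"] and len(rec["tools"]) > 1:
        return "auto_block"
    return "analyst_review" if s >= 40 else "close"

def run_playbook(alerts=ALERTS, intel=THREAT_INTEL):
    """Return the action chosen for each unique indicator."""
    iocs = enrich(aggregate(alerts), intel)
    return {ind: decide(rec, score(rec)) for ind, rec in iocs.items()}
```

Note that the single-source indicator 198.51.100.200 scores high but is still routed to an analyst rather than auto-blocked, which is the corroboration check a team would want before letting a playbook act on its own.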
Empower your cybersecurity team by leveraging automation. Invest in a SOAR tool to streamline routine tasks and increase efficiency, allowing you to maintain your services with fewer staff members. Don't wait until a cyberattack happens. Take action now and elevate your security defenses to the next level.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company with over 7,500 employees, more than 1,020 patents received by Splunkers to date, and availability in 21 regions around the world. It offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.