Building a Superstar SOC with Automation and Standardization

When you have a team of security analysts that have a wide range of expertise, knowledge, and experience, it is natural to see the difference in the quality of work performed. One of the biggest challenges that security operation managers face when auditing the work performed is that some team members may execute different steps at different levels of rigor when investigating and remediating threats. This may have a negative impact on the organization’s overall security posture as some alerts may not be correctly or sufficiently investigated. Security teams also need to better equip junior members with the right resources so that they can add value to the team quickly. 

The Importance of Standardization in Security

If you ask any SOC manager, “What does a superstar SOC look like to you?”, they may respond with some of the following: 

• A superstar SOC is efficient. They are able to thoroughly investigate and remediate a large chunk of alerts coming in every single day without feeling constantly overwhelmed. 
• A superstar SOC is effective. They are spending more of their time on mission-critical alerts rather than mundane repetitive tasks. 
• A superstar SOC is a happy team. They have better work life balance and are not constantly burnt out by alert fatigue. 
  
  

There is no right formula to building a superstar SOC, but a proven strategy for helping analysts work more efficiently and effectively is to lay down the groundwork for creating standardized security procedures (SSPs). Standardized security procedures are a set of written, step-by-step instructions that catalog how every team member should perform routine operations. These procedures are straightforward, easy to follow, and iterative. Security teams may see a variety of benefits with putting SSPs in place (as detailed in the graphic below). 

Augmenting Standardized Processes with Automation

Once there are SSPs in place for one or two common threats, and your security team feels confident that these procedures will sufficiently cover all the necessary steps to ensure thorough investigation and remediation, your SOC is ready to add automation and orchestration to the workflow. 

Imagine you have a ten step procedure that you must follow to investigate and remediate a malware. Let’s say hypothetically that steps one through eight could be automated and the last two steps involve human decision making. The value of automation in this hypothetical scenario is that the analyst no longer has to manually perform all ten steps. Instead, they are only prompted to review the automated work and then manually perform two steps to close out the incident. This saves the analyst and the SOC more time to attend to more mission-critical tasks. Automation can be added to supplement any of the steps within the standardized process to reduce the mean time to respond. 

Want to build a superstar SOC that is high performing, efficient, and effective? Learn how to create standard security procedures and automate mundane repetitive tasks through our e-book, "The Essential Guide to Foundational Security Procedures."

----------------------------------------------------
Thanks!
Kelly Huang