Moving beyond playbook automation

Updated: September 4, 2024

Security automation has been a top trend in cyber over the past 10 years, and it’s easy to see why.

Most people know automation tools by one of two names:

· Security Orchestration and Automated Response (SOAR)

· Robotic Process Automation (RPA)

We’ve been doing this long enough to remember when the acronym was A&O: automation and orchestration. The message in those early days was largely focused on analysts and how much of their time went to repetitive tasks that could be automated. A&O tools offered a SOC an easier way to implement that automation: playbooks built on prebuilt connectors.

Since then, security automation has largely delivered on this promise to automate away common repetitive tasks.

At a certain point, however, the claims and the acronyms started to reflect what organizations aspired to get from automation, specifically SOC alert analysis and automated incident response. Unfortunately, the capabilities of the technologies largely remained the same and proved limited in meeting this new ambition.

SOAR automation, which at its core is a decision-tree playbook, can be highly effective at managing processes that meet three criteria:

1. The process being automated has a well-defined trigger condition

2. The process has a small set of well-defined outcomes, with minimal edge cases

3. The process will be triggered many times (this is what delivers the ROI)

A playbook can be really effective at triaging phishing emails or managing threat intelligence. However, arbitrary alert triage continues to be its white whale.

If you break down the process an alert triage analyst follows, you’ll find:

1. There are many different starting points, from hundreds of different possible alert use cases

2. There is an immense number of edge cases and nuances for each individual alert

While the analysts themselves are very effective at working the alert triage process, the process itself violates two of the tenets of what is needed to build an effective automation playbook: the well-defined trigger and the small set of outcomes.

This makes sense if you think of a playbook as a codification of knowledge.  You wouldn’t accept the assumption that a 20-step playbook could possibly encode the knowledge of a good cyber analyst.
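To make the three criteria concrete, here is a small decision-tree playbook for phishing triage, written as an added example for this post (it is not Salem’s code, and the alert structure, field names, allow-list and sample alert stream are all constructed for illustration). The playbook has one explicit trigger, a fixed set of three outcomes, and a fallback that hands anything outside the tree to an analyst; running it over a mixed alert stream shows why the same pattern covers a phishing queue well but leaves arbitrary alerts untouched.

```python
"""Toy decision-tree playbook illustrating the three playbook criteria.

Everything here is constructed for the example: the Alert shape, the
field names, the trusted-domain list and the sample alert stream.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    """Criterion 2: a small, fixed set of well-defined outcomes."""
    BENIGN = "benign"
    QUARANTINE = "quarantine_and_block_sender"
    ESCALATE = "escalate_to_analyst"


@dataclass(frozen=True)
class Alert:
    source: str   # the tool that raised the alert (constructed names)
    fields: dict  # tool-specific fields (constructed)


# Hypothetical allow-list; a real playbook would fetch it via a connector.
TRUSTED_SENDER_DOMAINS = {"corp.example", "partner.example"}
REQUIRED_PHISHING_FIELDS = {"sender_domain", "url_verdict", "has_macro_attachment"}


def phishing_trigger(alert: Alert) -> bool:
    """Criterion 1: a well-defined trigger. The playbook only fires on
    email-gateway alerts that carry every field its branches consult."""
    return alert.source == "email_gateway" and REQUIRED_PHISHING_FIELDS.issubset(alert.fields)


def phishing_playbook(alert: Alert) -> Outcome:
    """The decision tree: each branch codifies one analyst rule."""
    f = alert.fields
    if f["sender_domain"] in TRUSTED_SENDER_DOMAINS and f["url_verdict"] == "clean":
        return Outcome.BENIGN
    if f["url_verdict"] == "malicious" or f["has_macro_attachment"]:
        return Outcome.QUARANTINE
    # Anything the tree does not cover is escalated rather than guessed at;
    # the playbook's edge cases become analyst work.
    return Outcome.ESCALATE


PLAYBOOKS = [(phishing_trigger, phishing_playbook)]


def triage(alerts):
    """Route each alert to the first playbook whose trigger matches.
    Returns (per-alert decisions, Counter of outcomes and misses)."""
    decisions, stats = [], Counter()
    for alert in alerts:
        for trigger, playbook in PLAYBOOKS:
            if trigger(alert):
                outcome = playbook(alert)
                decisions.append((alert, outcome))
                stats[outcome.value] += 1
                break
        else:  # no playbook had a trigger for this alert
            decisions.append((alert, None))
            stats["no_playbook"] += 1
    return decisions, stats


def automation_coverage(stats: Counter) -> float:
    """Share of alerts fully decided by a playbook, with no human in the loop."""
    total = sum(stats.values())
    automated = total - stats["no_playbook"] - stats[Outcome.ESCALATE.value]
    return automated / total if total else 0.0


def email_alert(domain: str, verdict: str, macro: bool = False) -> Alert:
    """Helper to build a constructed email-gateway alert."""
    return Alert("email_gateway", {"sender_domain": domain, "url_verdict": verdict,
                                   "has_macro_attachment": macro})


# Constructed sample stream: a phishing queue (criterion 3: fires often)
# plus alerts from other sources that no playbook was written for.
SAMPLE_ALERTS = [
    email_alert("corp.example", "clean"),
    email_alert("evil.example", "malicious"),
    email_alert("unknown.example", "clean", macro=True),
    email_alert("unknown.example", "unknown"),
    Alert("edr", {"process": "powershell.exe", "parent": "winword.exe"}),
    Alert("idp", {"event": "impossible_travel", "user": "jdoe"}),
    Alert("dns", {"query": "xyz.example", "rcode": "NXDOMAIN"}),
]

if __name__ == "__main__":
    decisions, stats = triage(SAMPLE_ALERTS)
    for alert, outcome in decisions:
        print(f"{alert.source:14} -> {outcome.value if outcome else 'no playbook'}")
    print(dict(stats), f"coverage={automation_coverage(stats):.2f}")
```

On the constructed stream, three of the four phishing alerts are decided automatically and the fourth is escalated, while the EDR, identity and DNS alerts never enter a playbook at all. Extending coverage means writing a new trigger and a new tree per alert type, which is exactly the scaling problem the post describes.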


So what does this mean for the future of alert triage? Enter the next generation of cyber alert triage automation.

This emerging category is a specialized, niche form of automation that looks more like a unified alert analysis pipeline and relies on models to capture an analyst’s decision process. Automation built this way not only collects relevant contextual data but chooses how to collect it, and then decides, with a full understanding of the event, whether a threat is present. It does not depend on a playbook that most likely omits many of the decision branches needed to reach such a nuanced conclusion.

We have seen that both playbook automation and cyber alert triage can have their place in an enterprise’s security stack. But when it comes to alert triage, AI cyber analysts can help an enterprise react to cyber alerts faster, more accurately, and more consistently.
