What Are You Willing to Automate?

We started a new series on the blog recently, designed to offer experience-based best practices for approaching SOC Automation.  While most understand the value of automation broadly, developing practical use cases is the first step in realizing the benefits of this emerging technology.

While the possibilities for automation are nearly endless, many start the journey with simple enrichment use cases (e.g. pre-processing an alert before someone in security operations begins to work it).

As users become more confident in automation, the use cases become more sophisticated.  Soon automation is addressing areas like threat hunting, and ultimately even response or remediation.

SANS recently published a study shedding light on what remediation activities people are willing to automate.  The table below shares the practices that respondents have in place to remediate incidents manually, with automation, or a mix of both. The top three practices in each category are highlighted and indicate that organizations use a myriad of remediation techniques in their environments.

SANS Table 4 .png

Though the data is presented in three distinct columns, I think reality is more of a spectrum with ‘manual’ on one side, ‘automated’ on the other, and ‘both’ filling the space between.  Factors like whether an action is routine or non-routine determine position on the spectrum (e.g. non-routine tasks are ill suited for automation).

When thinking about the spectrum, Phantom’s “human prompts” come to mind.  It’s a useful capability that allows the SOC team to move across the spectrum keeping administrators in, on or out of the loop.  When functioning as an “in the loop” platform, certain actions may need to be approved by an analyst before the platform completes its automation.  For example, a playbook might ingest and enrich threat intelligence before presenting it to an analyst for review.  With the analyst’s approval the playbook continues to execute, perhaps blocking an IP address at the firewall based on the intelligence.  In an “on the loop” scenario, the playbook is fully executed automatically, though the analyst has oversight and the ability to stop or even reverse a specific action.  An “out of the loop” deployment is where the platform automatically executes actions independent of human interaction with details tracked for post-automation reporting as needed.

Interested in seeing how Phantom can help your organization navigate the automation spectrum?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see the platform in action.

CP Morey
VP, Products & Marketing
Phantom