Automation can’t be just about running the process, but must include three important stages
I’ve written a lot about the challenges Security Operations Centers (SOCs) face with respect to data, systems and people as they transform into detection and response organizations. The key elements required are relevant and prioritized data, bi-directional integration across systems, and passive and active collaboration. What brings it all together, particularly given the shortage of security personnel, is automation.
New product categories have emerged to tackle the automation challenge, including Security Orchestration, Automation and Response (SOAR) platforms and Extended Detection and Response (XDR) solutions. But the truth is, the security industry’s approach to automation has overlooked the vastly different needs of detection and response use cases, because the focus has been on defining a process and automating the steps needed to complete it. That works fine in a static environment where you do the same thing over and over again. Detection and response is dynamic and variable, so it does not work there. What is learned from performing an action is far more important than the action itself, so you need to look at the inputs and outputs of the process, not just its steps.