
11th July 2020

Automation – staving off burnout

I’m writing this one as it’s becoming increasingly relevant with the team I’m working in. After all, there’s only so much time in a day and money companies are willing to spend on people, so if you have your analysts, regardless of tier, spending their time on tasks which are menial, repetitive and just downright boring, they are not going to stick around. And skill gap or not, retaining people that know the business and want to invest their time in making it not only more secure, but also more efficient, isn’t something anywhere can afford to lose.

Who

Let's start with who should do this; after all, someone needs to.

For me, that answer is easy. Everyone. Don't limit it to just your engineers, don't keep your analysts out until you have what you think is a finished product, and don't think seniority means they know what's best. It doesn't work, and I'm telling you that from experience. I've seen playbooks get delivered, handed over to "production", and the instant the analysts that actually do the work and are expected to use it get involved, it gets torn apart and actually does the opposite of what it's intended to; it makes the task take longer. Ultimately, the best approach is probably to let your engineers build and maintain the integrations, whilst allowing the analysts to build the playbooks. This lets each of them focus on the part they already deal with day to day.

What

So now you’re asking yourself, “What should I automate?”

That answer is simple: everything you can. If you can take these tasks away from the analysts, you can not only speed up the resolution of incidents but also task them with more interesting investigations. Your analysts shouldn't be spending 30 minutes dealing with a phishing email, or trying to catch the employee who has suspicious software on their device during that employee's working hours. Not only is it not feasible long term, it's also frustrating to deal with and can result in missing the incidents that really matter.

However, you do need to prioritise. There’s no point exhausting effort trying to automate something if it rarely ever happens whilst leaving something that is at the top of your ticket count. So talk to your team, find out where their pain points are and take them away from them.

But don't just stop at automating the alerting you get; keep it growing. Hunting for IOCs which your analysts can use as the start of a thread to pull is another useful thing to automate, as it removes the mundane part and lets them get their teeth stuck into more interesting aspects of the job.

When

As soon as you can. The faster you get something like this up and running, the sooner you can use your analysts to work on more interesting situations, give them time to improve their skills, allow them to interface with other areas of the business, or just make sure they aren't spending their entire day jumping from incident to incident.

Why

We’ve been answering this one the whole way through the article.

Your analysts are the lifeblood of your incident response process. You don’t want them getting burnt out, you don’t want to lose them and you do want to find all the other suspicious behaviour going on in your estate that doesn’t set off alerts. Automation enables this.

How

So now you’re hopefully asking yourself “How do I do this?”

If you go to your favourite reseller you're probably going to be told about all the amazing SOAR tools out there that are made for this type of thing, and for some teams that may well be the way you need to go. But that's not where you have to start. For me, I started with Azure Logic Apps. It might not have integrations with security tools, but it does allow you to make HTTP requests, and everything out there now has an API you can send requests to in order to get answers. And chances are, it has built-in integrations with areas you may otherwise not have had off the bat, like O365. I've used it to automate IOC hunting, deploying VMs for exercising, queuing file retrieval for when the device is online and much more.
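To make the IOC-hunting idea concrete, here is a Logic Apps workflow definition I've written for this post as an added example (it is not a playbook from the team described above). It runs hourly, pulls a list of indicators from a feed, hunts each one through an EDR search API, and raises a ticket only when the hunt returns matches. The feed, hunt and ticketing URLs (`*.example`) and the response fields `indicators`, `value` and `matches` are placeholders for whatever your own tools expose; the API key is kept in a `SecureString` parameter rather than in the definition.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "iocFeedUrl": { "type": "String", "defaultValue": "https://ioc-feed.example/v1/latest" },
    "huntApiUrl": { "type": "String", "defaultValue": "https://edr.example/api/hunt" },
    "huntApiKey": { "type": "SecureString" }
  },
  "triggers": {
    "Every_hour": { "type": "Recurrence", "recurrence": { "frequency": "Hour", "interval": 1 } }
  },
  "actions": {
    "Fetch_IOCs": { "type": "Http", "inputs": { "method": "GET", "uri": "@parameters('iocFeedUrl')" } },
    "For_each_IOC": {
      "type": "Foreach",
      "runAfter": { "Fetch_IOCs": [ "Succeeded" ] },
      "foreach": "@body('Fetch_IOCs')?['indicators']",
      "actions": {
        "Hunt": {
          "type": "Http",
          "inputs": {
            "method": "POST",
            "uri": "@parameters('huntApiUrl')",
            "headers": { "Authorization": "Bearer @{parameters('huntApiKey')}" },
            "body": { "indicator": "@items('For_each_IOC')?['value']" }
          }
        },
        "Raise_ticket_if_hits": {
          "type": "If",
          "runAfter": { "Hunt": [ "Succeeded" ] },
          "expression": "@greater(length(body('Hunt')?['matches']), 0)",
          "actions": {
            "Create_ticket": {
              "type": "Http",
              "inputs": {
                "method": "POST",
                "uri": "https://ticketing.example/api/tickets",
                "body": { "title": "IOC hunt hit: @{items('For_each_IOC')?['value']}", "matches": "@body('Hunt')?['matches']" }
              }
            }
          }
        }
      }
    }
  }
}
```

The analysts only ever see the tickets with actual matches, which is the thread they pull on; the polling, looping and empty results never reach them.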

So give it a go! And watch your team thank you. 🙂

Posted in Security