How we accidentally built an autonomous SOC

As the threat landscape and volume of data and systems that require protection both grow rapidly, security teams are increasingly turning to automation to more effectively manage their Security Operations Center (SOC). Our Managed Cyber Defence team recently presented their journey at the Palo Alto Networks Ignite 22 conference - telling the story of how the service we built to support our Incident Response work has rapidly evolved into a proactive, automation centric SOC service.

Why is automation so important in 2023?

A recent study from the Ponemon Institute found that organisations that had effectively implemented automation in their security programme reduced the cost of a cyber security breach by over 60% on average. That alone is justification for most to pursue automation, but more importantly it gives us the opportunity to stop those incidents from occurring in the first place.

Security teams very rarely, if ever, fail to identify the root cause of an incident.

It’s likely that the smoking gun is lurking within a log or data source buried amongst the terabytes of data being ingested into a security monitoring tool; the more pertinent question is ‘why didn’t we spot this in real time?’.

There could be numerous answers to this; almost all of them are common problems we hear from SOC teams:

  • Noisy, poorly configured or static detection content
  • Sheer volume of data to analyse
  • Lots of time spent dealing with false positives
  • Commercial arrangements that disincentivise collecting more data
  • Shadow IT that the security team didn’t even know about

These challenges are nothing new, but add in the fact that responding to more advanced threats requires more sophisticated tools that collect even more data points than before, and even the most experienced SOC teams are left with a headache that cannot be solved simply by adding more humans into the mix.

However, we have set about solving this problem for our teams and our clients.

Our journey from IR to SOC

When helping our clients through a live incident response we often find SOC teams struggling with all of those challenges and more - and we cannot rely on existing tools to perform effective response. We initially began to build a cloud based technology stack that could be deployed during an incident that would not only help us to contain the existing incident, but also expand the hunt for further areas of compromise and identify the root cause of the initial breach.

This approach, built on the Palo Alto Networks Cortex XDR & XSOAR platforms was focussed on using best in class technology to collect the highest volumes of data possible during an incident - coupled with bespoke threat intelligence and behavioural based detection content - to rapidly identify compromised assets. This volume of data and intelligence can be overwhelming though, and we turned to automation to ensure that we could effectively process this whilst still giving our on the ground IR team the breathing space to perform more sophisticated threat hunting.

Why traditional methods were failing and how we addressed these in incident response

Legacy untuned security tools

A combination of high fidelity alerts and automation means we could embrace more sources of telemetry without having to worry about the operational impact, giving our teams far more insight and context.

Over reliance on signature based detections

Behaviour based detection content driven by real life TTPs and continually updated allowed us to quickly distinguish malicious behaviour from the general noise of the estate.

Too much human time spent on low value activity

Time freed up to spend on in-depth analysis and free form threat hunting rather than dealing with a high number of false positives and low level or informational alerts.

Very quickly we realised that this is not just a formula for successful IR: implemented in BAU processes, it is also the basis of an autonomous SOC, and our Managed Cyber Defence service was born.

The key ingredients for autonomous SOC

Whilst the benefits of automation are clear, it’s not always a straightforward journey. Over the last 5 years as our service has matured we have learned a number of lessons - that we have distilled down into what we believe are the 4 core ingredients of an effective modern SOC:

Extended Visibility

Collecting as much data as possible is key to effective automation. One of the main reasons we continue to use Cortex XDR as our platform of choice is that it collects between 10-20x the volume of data of competing solutions, which is key to what we can build in our detection engineering.

Behavioral Based Detection

High quality threat intelligence that focuses on more than just traditional atomic indicators of compromise and builds on the tactics, techniques and procedures (TTPs) of threat actors in the wild. This allows organisations to take rapid action on more advanced and novel threats.

High Fidelity Alerts

Good quality data and threat intelligence needs to be complemented by an effective detection engineering capability that maintains an effective repository of detection content - one which is ever evolving and feeding multiple security tools across the environment, orchestrated by your SOAR platform.
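The two preceding ingredients, behaviour-based detection content and high fidelity alerts, can be illustrated with a small detection engine. The example below is added here and is not PwC's, Cortex XDR's or XSOAR's code; the telemetry records, hashes, hostnames, rule names and weights are all constructed assumptions. It contrasts an atomic indicator rule (a known-bad hash, which only catches the exact artefact it was written for) with two behavioural rules that describe a technique regardless of the binary involved, then raises an alert only when a host accumulates enough weighted evidence, so a single weak behavioural hit stays informational instead of becoming another false positive for an analyst to close.

```python
from collections import defaultdict

# Constructed process-start telemetry, shaped like what an EDR agent emits.
# Every hostname, parent/child process and hash here is made up.
EVENTS = [
    {"host": "ws-01", "parent": "outlook.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami", "sha256": "aaaa1111"},
    {"host": "ws-01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc SQBFAFgA", "sha256": "bbbb2222"},
    {"host": "ws-02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1", "sha256": "bbbb2222"},
    {"host": "ws-03", "parent": "svchost.exe", "image": "updater.exe",
     "cmdline": "updater.exe", "sha256": "deadbeef"},
    {"host": "ws-04", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand SQBFAFgA", "sha256": "bbbb2222"},
]

# Atomic indicator: a constructed "known bad" hash list.
KNOWN_BAD_HASHES = {"deadbeef"}

# Behavioural vocabulary: which parents and children describe the technique.
OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def known_bad_hash(event):
    """Atomic IOC match: fires only for the exact artefact on the list."""
    return event["sha256"] in KNOWN_BAD_HASHES


def office_spawns_shell(event):
    """Behavioural rule: an Office application launching a command shell."""
    return (event["parent"].lower() in OFFICE_APPS
            and event["image"].lower() in SHELLS)


def encoded_powershell(event):
    """Behavioural rule: PowerShell started with an encoded command line."""
    cmd = event["cmdline"].lower()
    return "powershell" in cmd and ("-enc" in cmd or "-encodedcommand" in cmd)


# Rule registry: predicate plus an evidence weight (constructed values).
RULES = {
    "known_bad_hash": (known_bad_hash, 5),
    "office_spawns_shell": (office_spawns_shell, 3),
    "encoded_powershell": (encoded_powershell, 3),
}

# A host must reach this combined weight before an alert is raised.
ALERT_THRESHOLD = 5


def run_rules(events, rules=RULES):
    """Evaluate every rule against every event; return the raw findings."""
    findings = []
    for ev in events:
        for name, (predicate, weight) in rules.items():
            if predicate(ev):
                findings.append({"host": ev["host"], "rule": name, "weight": weight})
    return findings


def correlate(findings, threshold=ALERT_THRESHOLD):
    """Aggregate findings per host and keep only those over the threshold.

    Returns {host: {"score": int, "rules": [rule names]}} for alerting hosts;
    hosts below the threshold are left as informational context, not alerts.
    """
    score = defaultdict(int)
    rules_hit = defaultdict(set)
    for f in findings:
        score[f["host"]] += f["weight"]
        rules_hit[f["host"]].add(f["rule"])
    return {host: {"score": s, "rules": sorted(rules_hit[host])}
            for host, s in score.items() if s >= threshold}


if __name__ == "__main__":
    for host, detail in correlate(run_rules(EVENTS)).items():
        print(f"ALERT {host}: score={detail['score']} rules={detail['rules']}")
```

Running it, ws-01 alerts because two independent behaviours (Outlook spawning cmd.exe, then an encoded PowerShell launch) correlate on one host, and ws-03 alerts on the atomic hash alone. ws-02, an ordinary scripted backup, never matches; ws-04's lone encoded PowerShell launch scores below the threshold and is recorded but not escalated. In a production SOAR playbook the threshold, weights and time window would be tuned against the estate's own baseline rather than hard-coded as they are in this illustration.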

New World Skills

One of the most important lessons we have learned is that the skills you have today are not necessarily the ones you need tomorrow. Effective automation requires a heavy focus on building developer skill sets that can support both integration of tooling into your SOAR platform, and the development of automation playbooks. These teams need to work hand in hand with your SOC analysts and engineers who will be much closer to understanding the requirements of your SOAR platform.

In our experience where organisations are struggling with their SOAR journey, more often than not it’s because they are missing one or more of these fundamental building blocks. However, when you get it right, the benefits are huge!

The hidden benefits of SOAR

Ultimately reducing your mean time to detect and respond is often seen as the key benefit of SOAR but there are a number of other hidden benefits that can be equally important, especially in the context of a business case for investment.

The benefit to your security team in terms of wellbeing can be one of the prime benefits of SOAR, giving your SOC analysts more time to focus on higher value, more interesting work like freeform threat hunting rather than dealing with an endless sea of false positives or informational alerts. Similarly, automating mundane tasks like shift handover gives more time back, and all of this ultimately leads to better job satisfaction and a reduced likelihood of the fatigue or burnout that is all too common in SOC teams.

SOAR platforms also give security functions the chance to become more of a value creator for the rest of the IT organisation. Processes such as automating the population of a CMDB or supporting the automation of key business processes like user identity can drive huge benefits for teams outside of security, and give CISOs the chance to show that security functions are not simply cost centres.

In a future Research Hub post we will delve deeper into how we use the XSOAR platform as part of our Managed Cyber Defence - and introduce you to Terrance - our automation bot and most productive SOC analyst!

If you would like to find out more about how MCD can support your journey towards SOC automation, or would like a demo of our services please contact Ross Foley.

Contact us

Ross Foley

Cyber Security Managed Cyber Defence Lead Director, PwC United Kingdom

Tel: +44 (0)7843 330838