Content

Why it’s so difficult for SOC teams to trust automation

In the complex corporate security environment, automation is increasingly the "go-to" answer for organizations lost in a sea of alerts, logs and data. For many, it's the only way to address their most critical processes and it's what keeps them moving from task to task in a fluid manner. But there is a danger in putting too much faith into automation and orchestration alone. Organizations often turn to automation looking for a technological cure-all for their security woes, yet many security professionals are wary of handing off their most critical processes to a black box that cannot make up for the human intellect element. 

...automation must strike a balance between convenience and intellect, complementing and augmenting the human element, rather than replacing it.

I view automation as an important component of effective security operations, but not the end all be all. For CISO's struggling to make critical decisions over product and processes, what is the right balance of automation? How do I incorporate automation into existing processes and workflow? How do I trust what alerts are addressed by a black box vs. my analyst team?

To address these challenges, automation must strike a balance between convenience and intellect, complementing and augmenting the human element, rather than replacing it. In other words, semi-automation, in which team's impact processes, and create the opportunity to define and refine the playbook's rules. Teams know their own organization better than any template ever could, so automation needs to be a dynamic, malleable entity to be effective, with people influencing and overseeing the process. Doing this effectively requires the ability to navigate across the security infrastructure. Teams need tight integration with other security tools - the tighter the integration of all tools from end to end, the greater the ability to traverse between automation and human investigation.

Only with this tight coupling of automation and human intervention will SOC teams embrace and “trust” the automation process.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds