I have worked with many different SOC teams, and the degree to which they use automation varies greatly. In my experience, teams effectively utilizing automation can notably decrease response times to security alerts and incidents while increasing the depth, quality and consistency of alert triage investigation and response. Teams employing automation for alert triage, investigation, incident response and security operations in general have achieved very meaningful efficiencies - cutting down on mundane, rote repetitive work. This allows human analysts to concentrate on more complex and novel aspects of security threat management, demanding nuanced judgment, much deeper analysis and expertise.
There are five categories into which the levels of automation usage typically fall.
Level 1 - Manual: Teams that do things manually without an explicit initiative to automate workflows where possible.
Level 2 - Mostly Manual, Some Automation: Teams that do things manually but have invested in an automation platform to automate the most tedious tasks. The most common use case I have seen here is enrichment using an automation platform.
Level 3- Semi-Manual, Mostly Automated: Teams that use automation to eliminate a large chunk of manual work. Such teams can demonstrate very significant savings in manual efforts per quarter.
Level 4 - Augmentation: The next level focuses on things that cannot be fully automated. Whenever there is human effort involved, the time taken to process that alert, case, or task can easily be in minutes, and the total time taken to respond creeps into hours from minutes. Constantly looking at manual work and focusing on augmentation—where the humans in the loop become more productive and reliable—can yield not just cost savings but considerably improve the quality, consistency, and response times.
Level 5: Autonomous: At this stage, machines or automation excel at performing tasks more effectively than nearly any human. In this world, analysts primarily act as supervisors or escalation points for agents that can outperform human operators in the vast majority of tasks.
The factors for balancing automation deployments
There are a few factors that we are trying to balance as we go from Level 1 to Level 5. The most obvious ones are:
- Talent Level of the Team: Some teams simply do not have the DNA in-house to automate playbooks. This is true of most small—to medium-sized companies. Cybersecurity teams at most such enterprises can barely afford 1 or 2 full-time analysts. Such teams typically end up having MDRs, but not all MDR vendors provide the same quality of automation. Many times, an MDR is nothing more than an outsourced team of analysts.
- Cost - As you push for higher quality and faster response times, the cost inevitably starts to creep up. The judicious application of automation can yield cost savings while improving the quality and responsiveness of a SOC. A simple cost-benefit analysis of most common tasks - and investing in automating tasks where the ROI is very obvious - yields good results. For example, by automation of the 25 most common types of alerts, one of the security teams I worked with reduced their workload by 80%+.
- Skills required for automation - 80-90% of security analysts do not feel they can automate 80% of the tasks - even if those tasks are repetitive. They can teach those tasks to another analyst, but being able to automate those with SOAR platforms seems a bit too hard. Two things get in the way - most SOAR platforms end up sacrificing power for ease of use, and analysts find themselves lacking in development skills. This is one issue that recent advances in AI (especially LLMs) can help alleviate.
- Adaptability: If a task requires a high level of adaptability, iteration, and planning, human analysts are still much better at this than virtual analysts. Blending together a planner and an LLM is still a hot topic in AI.
- Tasks with high-risk side effects: For tasks with high risk, we would ideally want to have a human in the loop. With the right kind of automation/augmentation - even such tasks can be done in seconds as opposed to minutes.
How much automation is appropriate?
Like many things in life - there is not one answer to “How much automation is appropriate in a SOC team” that is the right answer. It's heavily dependent on the customer’s need for consistency/speed in Alert Triage, Investigation & Response, funding levels, and the team’s skill sets play a big part in determining the right answer. That said - the cost of triage, investigation, and response can be brought down while improving the quality and speed - by applying automation, augmentation, and AI to such problems. No matter your starting point, outlining your goals, recognizing how AI enhances efficiency through the analysis of repetitive tasks and predictable automation of response patterns, and conducting a skills assessment are key initial steps for a successful automation journey.
