Does SOAR Replace People?
And Are We Automating People Out of Jobs?
Originally, this article was intended to be a deobfuscate post but I realized I didn’t want SOAR itself to be the focus. This is something that I run into in my full-time job quite often, and it’s something that scares analysts and engineers alike. Today I wanted to cover this topic because I think there’s a fundamental misunderstanding about what SOAR can and can’t do, and why I unequivocally believe:
No, SOAR does not replace people.
Understanding SOAR Technologies
Security Orchestration, Automation, and Response tools, commonly abbreviated as SOAR tools, are fantastic solutions for getting rid of the redundant, remedial tasks that analysts and engineers are constantly faced with. You model a workflow and then build automated tasks into it so that analysts spend less time on low-level work such as sending an email or checking an IOC in VirusTotal, and more time on the involved analysis that, you know, someone with the job title analyst should be doing.
What does this contribute to? Lower mean time to detect (MTTD), mean time to respond (MTTResp), and mean time to resolve (MTTReso). Simple as that. The overcomplexity of SOAR is on the vendors who sell these tools as one-stop-shop, do-everything platforms. Yes, they can be that, but when we skip the basics we complicate things, because we lack a fundamental understanding of what the tool really should be used for. Treat SOAR as the tool it was designed to be and you can save analysts a lot of time, and even build morale in your SOC, by getting rid of the tasks that ruin their day.
We should be building workflows/playbooks that root out the tasks we shouldn’t have to do by hand, and that reduce the sheer volume of alerts SOCs deal with every week. Just in my role, we tend to see SOCs receive over 10,000 alerts a week. That is impossible to tackle manually: 10,000 alerts spread over the 168 hours in a week is roughly one alert per minute, so if you give each analyst an hour per alert you need about sixty analysts on the floor at any moment, on every 12-hour shift, 24/7/365. When we break it down like this, manpower simply doesn’t scale, especially once you consider the salaries plus benefits an organization would pay those individuals.
So how do we use SOAR to help? Take phishing for instance. Phishing still accounts for a massive chunk of breach root causes, and in typical fashion, many SOCs are still responding to it with remedial, manual analysis. When one of our employees or tools reports a potentially malicious email, we must process the email by hand and walk through our usual triage: VirusTotal, Hybrid Analysis, and any other free or paid resource that helps us decide whether the email is good or bad. And we must do this for every single report. But imagine a tool that monitors those reports for you and triages each one automatically as it arrives. It takes the email, extracts the IOCs (sender, URLs, attachment hashes), runs them through enrichment sources including your Threat Intelligence Platform (TIP), detonates any attachments in a sandbox, and finally responds to the reporting user and alerts an analyst only when malicious indicators turn up. You can even take it further and let the playbook remediate automatically when the email is confirmed as phishing, for example by purging the message from every mailbox that received it; just keep that step gated behind a high-confidence verdict or an analyst approval, because a false positive at that stage deletes legitimate mail.
This is the purpose and capability of SOAR, and it can help us tremendously with the alert fatigue we all deal with.
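To make the phishing playbook above concrete, and to show the "simple enrichment roots out false positives" idea from the tips further down, here is a skeleton of that workflow in Python. This is an added example, not code from the original post or from any SOAR product. The threat-intel table, the "sandbox" verdict on the attachment, and both sample emails are constructed for the example; in a real playbook `enrich` would call your TIP, VirusTotal and sandbox, and the action strings would be calls into your mail platform and ticketing system.

```python
"""Skeleton of a SOAR phishing-triage playbook (added example, not the post's code).

Flow: parse the reported email -> extract IOCs -> enrich each IOC -> worst
verdict decides the actions. Everything below that looks like intel or a
sandbox result is a constructed stand-in for this example.
"""
import email
import hashlib
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage

# Constructed sample attachment; its hash is registered in INTEL as if a
# sandbox had already detonated it and returned "malicious".
SAMPLE_ATTACHMENT = b"MZ\x90\x00not-a-real-dropper"
SAMPLE_ATTACHMENT_SHA256 = hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest()

# Constructed threat-intel table standing in for TIP / VirusTotal / sandbox
# lookups: IOC value -> (verdict, source). All values are assumptions.
INTEL = {
    "http://login-verify-payroll.example/reset": ("malicious", "tip"),
    "secure-mail.example": ("suspicious", "tip"),
    SAMPLE_ATTACHMENT_SHA256: ("malicious", "sandbox"),
}
SEVERITY = {"clean": 0, "suspicious": 1, "malicious": 2}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Ioc:
    kind: str   # "domain", "url" or "sha256"
    value: str


@dataclass
class Verdict:
    label: str                                   # worst verdict across all IOCs
    hits: list = field(default_factory=list)     # non-clean IOCs with their source
    actions: list = field(default_factory=list)  # what the playbook would execute


def build_report(sender: str, body: str, attachment: bytes = b"") -> bytes:
    """Constructed user-reported email, in the raw form the playbook ingests."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "phishing-reports@corp.example"
    msg["Subject"] = "FW: suspicious email"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def extract_iocs(raw: bytes) -> list[Ioc]:
    """Sender domain, every URL in text parts, and SHA-256 of every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    iocs: list[Ioc] = []
    domain = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    if domain:
        iocs.append(Ioc("domain", domain.group(1).lower()))
    for part in msg.walk():
        if part.is_attachment():
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            iocs.append(Ioc("sha256", digest))
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                iocs.append(Ioc("url", url.rstrip(".,)")))
    return iocs


def enrich(ioc: Ioc) -> tuple[str, str]:
    """Enrichment step: a local table here, your TIP / VT / sandbox in production."""
    return INTEL.get(ioc.value, ("clean", "none"))


def triage(raw: bytes, auto_remediate: bool = False) -> Verdict:
    enriched = [(ioc, *enrich(ioc)) for ioc in extract_iocs(raw)]
    worst = max((SEVERITY[v] for _, v, _ in enriched), default=0)
    label = next(k for k, s in SEVERITY.items() if s == worst)
    hits = [f"{i.kind}:{i.value} -> {v} ({src})" for i, v, src in enriched if v != "clean"]
    actions: list[str] = []
    if label == "clean":
        # Enrichment found nothing: close the false positive without an analyst.
        actions += ["reply_to_reporter: no indicators found, closing", "close_alert"]
    else:
        actions += ["reply_to_reporter: under investigation, do not interact",
                    f"open_incident: severity={'high' if label == 'malicious' else 'medium'}"]
    # Remediation only runs on a confirmed-malicious verdict AND an explicit
    # opt-in by the playbook owner; otherwise an analyst approves it.
    if label == "malicious" and auto_remediate:
        actions += ["purge_message_from_all_mailboxes", "block_sender_domain"]
    elif label == "malicious":
        actions.append("request_analyst_approval: remediation")
    return Verdict(label, hits, actions)


if __name__ == "__main__":
    phish = build_report("payroll <hr@secure-mail.example>",
                         "Verify your payroll details: http://login-verify-payroll.example/reset",
                         SAMPLE_ATTACHMENT)
    benign = build_report("colleague@corp.example", "Lunch? https://intranet.corp.example/menu")
    for raw in (phish, benign):
        print(triage(raw))
```

The benign report never reaches a human: every IOC comes back clean, the reporter gets a reply, and the alert closes. The phish opens a high-severity incident with three enriched hits attached, but destructive remediation still waits for an analyst unless `auto_remediate` was deliberately switched on.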
Reduce Analyst Fatigue Not Analyst Numbers
Or in other words, SOAR is a force multiplier, not a force reducer. The main target of SOAR is to free up analyst hours. A lot of people associate triage with junior analysts as if that’s the only thing they do. That is an extreme misconception, and it persists only because triage is all we have ever given junior analysts to do. They are the first contact for our alerts, so often that is all they get to do, but do you think they want to sit there and look at alerts and emails all day, only to do the leg work and forward the real issues to more senior analysts? Hell no. Meanwhile, if we asked a junior analyst to hunt, they likely wouldn’t have a clue how, and that again is leadership’s fault: too many things to handle and not enough time to handle them all. If they aren’t exposed to and trained on a task, how can we expect them to do it when it is required of them?
SOAR can lift this triage burden from junior analysts and instead let them take on more advanced SOC duties and support your senior staff on investigations that would normally be above their level. Keeping it simple: let analysts do what analysts do best: analyze. SOAR can’t do everything, and shouldn’t. Automate what you’re comfortable with and let the analysts take over the rest, but don’t make it the reason you wanted to lay off some of your staff. You’ll immediately lose the morale you gained and put good people out of a job. If someone can’t keep up with actual analyst work, as opposed to data-input work, then yes, it’s time to have a reasonable conversation about their need to adapt, but that comes after we have ruled out gaps in training and development, not the moment we implement a tool.
Train, Adapt, Overcome
So if you’re implementing SOAR, here are some tips to take it on appropriately and develop your teams so they are ready to take on new tasks:
Slowly implement SOAR - Start with playbooks that take over triage tasks and let the tool handle alerts when they first fire, processing them before they’re handed off to an analyst. Simple enrichment is enough to root out many false positives, so higher-quality alerts reach the analysts and they can spend their time on meaningful investigations.
Train For the Job Above You - Once we let SOAR stretch its legs, we should be letting juniors take on mid-level tasks they normally wouldn’t cover. Introducing them to hunting, processing threat intel, and writing content for your monitoring and detection tools are great places to start. Consider even dedicating analysts to become the subject matter expert (SME) on a specific tool your team uses, including the SOAR tool itself.
Update SOPs - Remember to update your standard operating procedures (SOPs) so that your team is tracking the changes to processes. That way, when a situation arises for your team to respond to, there is no question of how things should go now that SOAR is involved. A good SOAR tool will even let you build these SOPs into the playbook itself, including the manual ‘human intervention’ steps that don’t automate anything.