Security Automation: Moving Beyond SOAR to Hyperautomation
Posted September 28, 2023 by Sayers
Have you worked with your teams to identify processes in your security playbooks and day-to-day tasks that can be automated? Security automation platforms offload mundane, repetitive tasks and free up personnel for strategic initiatives and for more complex, unique, and higher-criticality incidents. The result? Organizations immediately see increased efficiency coupled with consistency. Surprising long-term benefits, such as improved morale and increased retention, are achievable by automating the overwhelming amount of mundane work that contributes to the burnout so frequently seen in security teams.
Security automation emerged in a big way with security orchestration, automation, and response (SOAR) platforms. SOAR helps companies make their cybersecurity efforts more efficient, organized, and responsive.
Hyperautomation, the newest development stage of security automation, evolved from SOAR’s initial functionalities and integrates advanced technologies such as AI and machine learning.
The evolution from SOAR to hyperautomation aims to make security automation platforms more cost-effective and easier to use. Gartner expects that by 2024, organizations will lower operational costs by 30% by combining hyperautomation technologies with redesigned operational processes.
Security Automation Capabilities From SOAR To Hyperautomation
Cybersecurity professionals no longer have to spend valuable time manually investigating and responding to a variety of security events thanks to SOAR’s three key capabilities:
- Security orchestration coordinates and manages the various security tools and processes within the organization’s technology stack.
- SOAR’s automation aspect uses software to handle routine security tasks, like scanning for vulnerabilities or responding to common security incidents.
- SOAR’s response abilities quickly provide predefined and automated actions, such as blocking an IP address.
Sayers Cybersecurity Engineer Jason Marocchi says:
“Typically a security analyst will spend 20 minutes manually investigating a phishing email. As a one-off, that’s not a big issue. But as the volume and complexity of email threats grow, the analyst can’t handle all that workload with manual processes. Things start to fall through the cracks. That’s when a breach happens, and unaddressed malicious payloads can find their way into the organization.”
How that malicious payload is remediated largely depends on the maturity of the security team. A more mature team may have playbooks to follow that give specific instructions, while other teams may triage ad hoc. Regardless of the triage process, it's common for a response to touch multiple pieces of your organization's security stack: network or endpoint security solutions to isolate the endpoint from the network, vulnerability scanners to check the environment for other instances of the vulnerability, firewalls to block specific IP addresses, and finally an endpoint solution to remove any similar malware found in the network.
If done manually, an employee would have to log into each of those disparate systems in a logical order, stay within the defined process, gather every piece of information available before taking action, and then create a ticket summarizing the actions taken, all while racing the clock to reduce the organization's exposure to the threat. Marocchi says:
“SOAR helps automate those steps so we can have a precise workflow that is executed time and time again for a specific circumstance. If we see a particular type of alert, we know the SOAR solution will take an accurate and comprehensive response every single time.”
As SOAR evolved into a more comprehensive solution, it pulled the disparate pieces of a company's security stack into a single workflow and tied them together with advanced capabilities such as integrated machine learning and threat intelligence management. This became extended SOAR (XSOAR), as seen in Palo Alto Networks Cortex XSOAR and competing modern SOAR solutions.
Hyperautomation represents the evolution of SOAR and XSOAR to quickly and easily create an automated workflow for rapid incident response. Gartner coined the term hyperautomation a few years ago:
“Hyperautomation involves the orchestrated use of multiple technologies, tools or platforms, including: artificial intelligence (AI), machine learning, event-driven software architecture, robotic process automation (RPA), business process management (BPM) and intelligent business process management suites (iBPMS), integration platform as a service (iPaaS), low-code/no-code tools, packaged software, and other types of decision, process and task automation tools.”
Today’s hyperautomation platforms offer an alternative approach to security automation and seek to relieve the complexity and cost of SOAR / XSOAR.
Recognizing The Challenges Of SOAR / XSOAR
The question organizations must answer about SOAR / XSOAR is: Will the value gained from the solution outweigh the cost?
Answering that question includes acknowledging the challenges of SOAR / XSOAR platforms, specifically:
- Complexity. The initial setup and configuration of SOAR / XSOAR solutions is complex. You have to dedicate resources with specialized knowledge, and obtaining that knowledge involves a steep learning curve.
The platforms require integrations between multiple solutions within your security technology stack. You need extensive scripting and coding to ensure the automated workflows do what you intend them to do. Marocchi says:
“In a malware remediation workflow, if you can’t isolate a device on the network due to limited integrations, a manual process must then be taken. That throws your entire workflow off. If that integration isn’t there, then you’re missing a crucial piece of what makes the SOAR so valuable.”
- Cost. SOAR’s total cost of ownership traditionally has been high, including licensing fees, training costs, infrastructure requirements, maintenance, and a dedicated full-time resource to manage it.
If part of your tech stack doesn’t integrate well with the SOAR platform, you may have to replace it with a compatible solution for optimal performance. Smaller organizations with limited budgets have found it particularly challenging to justify the financial investment.
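To make the remediation workflow described above concrete (isolate the host, hunt for other instances, block the attacker's addresses, remove the payload, then open a ticket summarizing what was done), and to show what the "missing integration" problem Marocchi describes looks like in practice, here is a small playbook runner. It is an added illustration, not Sayers', Palo Alto Networks', or any vendor's code. Every integration in it (the EDR, firewall, and threat-intel lookups), the fleet inventory, the file hash, and the IP address are constructed stand-ins. The one design point worth noting is that when a step's integration is absent the playbook records a manual task on the ticket instead of silently skipping the step, so nothing falls through the cracks.

```python
"""Minimal SOAR-style malware playbook (added example; all data is constructed)."""
from dataclasses import dataclass, field

# Constructed sample data: a fake malware hash and which hosts' EDR agents have seen it.
BAD_HASH = "deadbeef" * 8                      # 64 hex chars, stands in for a SHA-256
KNOWN_BAD_HASHES = {BAD_HASH: "Loader.Agent"}  # threat-intel lookup table (hypothetical)
FLEET_INVENTORY = {                            # host -> hashes seen on that host
    "ws-01": [BAD_HASH, "0" * 64],
    "ws-02": ["1" * 64],
    "srv-db-03": [BAD_HASH],
}


@dataclass
class Alert:
    alert_type: str
    host: str
    file_hash: str
    c2_ips: list


@dataclass
class Ticket:
    """Audit trail the playbook builds up; this is what the analyst reads afterwards."""
    alert: Alert
    actions: list = field(default_factory=list)   # (step, "done"|"manual", detail)
    manual_steps: list = field(default_factory=list)

    def record(self, step, detail, manual=False):
        self.actions.append((step, "manual" if manual else "done", detail))
        if manual:
            self.manual_steps.append(step)


class Integrations:
    """In-memory stand-ins for the tools a playbook touches (hypothetical, not a real API).
    have_edr=False reproduces the case where no endpoint integration exists."""

    def __init__(self, have_edr=True):
        self.have_edr = have_edr
        self.isolated = set()
        self.blocked = set()
        self.quarantined = []

    def intel_lookup(self, file_hash):
        return KNOWN_BAD_HASHES.get(file_hash)

    def hunt_hash(self, file_hash):
        return sorted(h for h, seen in FLEET_INVENTORY.items() if file_hash in seen)

    def isolate(self, host):
        if not self.have_edr:
            raise NotImplementedError("no EDR integration")
        self.isolated.add(host)

    def block_ip(self, ip):
        self.blocked.add(ip)

    def quarantine(self, host, file_hash):
        if not self.have_edr:
            raise NotImplementedError("no EDR integration")
        self.quarantined.append((host, file_hash))


def run_malware_playbook(alert, tools):
    """Run the fixed step order for a malware alert; never skip a step silently."""
    ticket = Ticket(alert)
    if alert.alert_type != "malware":
        ticket.record("triage", "alert type not covered by this playbook", manual=True)
        return ticket

    # 1. Enrich before acting: only confirmed malware gets the automated response.
    family = tools.intel_lookup(alert.file_hash)
    if family is None:
        ticket.record("enrich", "hash unknown to threat intel; analyst review", manual=True)
        return ticket
    ticket.record("enrich", f"hash matches {family}")

    # 2. Contain the source host first; if that integration is missing, hand it to a human.
    try:
        tools.isolate(alert.host)
        ticket.record("isolate", f"{alert.host} isolated")
    except NotImplementedError as exc:
        ticket.record("isolate", f"{alert.host}: {exc}; isolate manually", manual=True)

    # 3. Hunt for the same hash across the fleet before cleaning up.
    affected = tools.hunt_hash(alert.file_hash)
    ticket.record("hunt", f"hash present on {', '.join(affected)}")

    # 4. Block the command-and-control addresses at the firewall.
    for ip in alert.c2_ips:
        tools.block_ip(ip)
    ticket.record("block", f"blocked {len(alert.c2_ips)} C2 address(es)")

    # 5. Remove the payload wherever the hunt found it.
    for host in affected:
        try:
            tools.quarantine(host, alert.file_hash)
            ticket.record("remediate", f"quarantined on {host}")
        except NotImplementedError as exc:
            ticket.record("remediate", f"{host}: {exc}; clean manually", manual=True)
    return ticket


if __name__ == "__main__":
    sample = Alert("malware", "ws-01", BAD_HASH, ["203.0.113.10"])  # documentation IP
    for tools in (Integrations(), Integrations(have_edr=False)):
        ticket = run_malware_playbook(sample, tools)
        for step, status, detail in ticket.actions:
            print(f"{status:6} {step:9} {detail}")
        print("manual follow-up:", ticket.manual_steps or "none", "\n")
```

Run it as-is to see the fully automated ticket followed by the degraded one: with the EDR integration removed, the isolate and quarantine steps show up as manual follow-ups rather than vanishing from the workflow, which is the gap the quote above warns about.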
How Hyperautomation Relieves Complexity And Lowers TCO
Hyperautomation addresses the cost and complexity of SOAR / XSOAR in three key ways:
1. Hyperautomation simplifies security automation by offering low-code and no-code options.
Low-code and no-code options use lightweight scripting or a graphical interface for workflows and integrations, which is ideal for smaller teams that don't have the time or the resources to learn how to build complex workflows for SOAR / XSOAR.
These options not only simplify the process, they also reduce your total cost of ownership by eliminating the need for extensive training and dedicated resources. By shortening your ramp-up period, you start seeing value much sooner.
2. Hyperautomation platforms come with a wide set of pre-built integrations.
Pre-built integrations of the solutions in your technology stack lead to better orchestration. More integrated solutions mean you can create more workflows for automated responses without having to code them all yourself.
This ease of use has led some organizations to use hyperautomation platforms more broadly across their IT organization. They spread the cost across multiple departments and get additional value within that single solution.
3. Hyperautomation solutions provide licensing per workflow to drive immediate value.
Traditionally, SOAR licensing was either per seat or per platform. Those upfront costs were substantial, and organizations didn’t see the value right away. New hyperautomation solutions take a different approach by providing licensing per workflow. This minimizes the entry-level cost, drives value immediately, and allows companies to scale at their own pace.
Is Security Hyperautomation Right For You?
Not every organization is ready for a hyperautomation solution. Determining if the value of the solution would outweigh the cost means answering several questions, such as:
- Do you have a security operations center or IT department that performs a large volume of repetitious, manual activity? (Such as incident investigation and triage, case management, etc.)
- Do you have a more mature security practice with a wide variety of security solutions as part of your technology stack and workflows?
- Is your security team short-staffed and in need of time back?
- Do you have well-defined and documented processes and procedures in place for the repetitive tasks you want to automate?
If you’ve answered yes to these questions, security hyperautomation could be a good fit for your organization.
Questions? Contact us at Sayers today to learn which security automation platforms are the right choice for your business.