Changes needed for SOCs and CSIRTs, claims Dutch research institute
Cyber security specialists need a game-changer to keep up with their adversaries, who increasingly use automation and AI for their attacks
Extensive automation of cyber security operations could become a game-changer, and the concept of playbook-driven security automation is advancing rapidly.
Cyber attacks are becoming more sophisticated, and their disruptive effects on business and society are increasing spectacularly. Many organisations are therefore seeking to enhance their security monitoring and incident response capabilities. These are often established in dedicated security operations centres (SOCs) and computer security incident response teams (CSIRTs).
While such SOCs and CSIRTs have greatly matured over the past decade or so, there is still a huge gap between attackers and defenders. Most notably, where an automated cyber attack can be launched in mere seconds, detection and response can often take days, weeks or even months.
Richard Kerkdijk, senior consultant of cyber security technologies at Dutch independent research firm TNO, said: “When an SOC team receives notification of a suspected incident, they need to compile an analysis and figure out the most appropriate response.
“For common – known – threats and events the response procedure is often standardised, but underlying tasks such as searching for related events or cross-referencing against available intelligence sources can still be time consuming. And if the event is more exceptional, the analyst needs to dig in even further.”
SOC and CSIRT operations often rely heavily on human effort and expertise. This is precisely what causes the present mismatch between the speed of attack and the speed of response. Unless fundamental changes are made, Kerkdijk said the imbalance will increase even further since the work of SOC and CSIRT teams is becoming increasingly complex.
“The infrastructures that SOC and CSIRT teams protect are becoming increasingly complex and diverse,” he said. “Traditional on-premise networks are now intertwined with a variety of cloud-based services and infrastructures, and accessible from an abundance of (mobile) devices. This makes it inherently hard to comprehend security events to their full extent and prepare an effective response across all the technologies involved.”
Automating defence
To turn this trend around, we will need something of a game-changer, and extensive automation of cyber security operations could become just that.
“There is a lot of automation potential in operational security processes,” said Kerkdijk. “An obvious driver for such automation is to accelerate the speed of analysis and response, but it can also relieve security analysts from routine (repetitive) tasks and free up resources for more complex activities, such as threat hunting or processing cyber threat intelligence.”
A key development in SOC and CSIRT automation is the emergence of playbook-driven security automation. The essence of this concept is that specific, predefined events trigger a standardised response workflow that is executed with no or only limited human intervention. Such workflows are captured in machine-readable security playbooks that dictate a predefined sequence of investigative or remedial tasks.
“Traditionally, playbooks and runbooks for incident response were documented instructions for human analysts and operators,” said Kerkdijk. “When compiled in a machine-readable format, however, their execution can be automated. The technology to automatically execute a security playbook already exists, and is commonly referred to as security orchestration, automation and response, or SOAR.”
Playbook-driven security automation
Kerkdijk added: “SOCs often operate a security information and event management (SIEM) system that collects data from the protected infrastructure and produces events and alerts for analysts to follow up on. A SOAR is a next-generation solution in which much of the response is automated.”
Present SOAR deployments typically focus on automating the analysis of an event (for example, a search for related events that traditionally involved copy-pasting and alt-tabbing between various screens).
Ultimately, however, the SOAR could also orchestrate the actual mitigation of the incident by automatically reconfiguring security controls and network functions. This could lead to huge time savings. Kerkdijk said taking the ultimate step towards fully automated incident mitigation is often not a technological but an organisational challenge.
“Present day SOCs have no or only limited mandate to execute changes in the infrastructure themselves,” he said. “Processes dictate that they request such changes from the responsible technology teams – typically by raising a support ticket. While automated execution of responsive actions is technically feasible, it will also require a reconsideration of IT maintenance procedures and the mandate of SOC and CSIRT teams.”
Eventually, these systems should work in a highly automated way and with increasing autonomy. “Yes, that does require confidence in such a system,” said Kerkdijk. “We are not there yet. Technology must be developed to a level that we can trust, and that takes time.”
Another downside of present services for cyber security automation is that the technology is often proprietary. Most SOAR solutions are therefore supplier-specific, which means only playbooks with the format specified by that specific supplier can be executed.
Standardising playbooks
An important development currently taking place is that OASIS is standardising security playbook formats. TNO was closely involved in the current CACAOv2 standard for machine-readable security playbooks. “Through standardisation, playbooks become agnostic and independent of the supplier of the SOAR you are working with,” said Kerkdijk.
“They also become shareable among organisations, even if they don’t employ the exact same SOAR solution. While playbooks cannot be adopted from other organisations one on one because every infrastructure is different, sharing generalised playbook templates gives organisations a useful basis that they can configure further with their own parameters.”
Moving forward, Kerkdijk expects to see community sharing of security playbooks in the standardised CACAO format as a complement to the already-existing exchange of cyber threat intelligence. That way, not every organisation has to reinvent the wheel for every incident or event.
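As an added illustration of the concept described above (this is not SOARCA's code and not the CACAO playbook format itself, but a simplified model): a generalised playbook template is filled with organisation-specific parameters, a matching event triggers its standardised sequence of steps, and a mitigation step falls back to raising a ticket when the SOC lacks the mandate to change the infrastructure. All names, hostnames and the sample event are constructed.

```python
from dataclasses import dataclass
from string import Template

@dataclass
class Step:
    name: str
    kind: str      # "investigate" runs unattended; "mitigate" changes the infrastructure
    command: str   # $placeholders are filled from organisation parameters and the event

@dataclass
class Playbook:
    trigger: str   # event type that starts this standardised workflow
    steps: list

def instantiate(template: Playbook, org_params: dict) -> Playbook:
    """Turn a shared, generalised template into an organisation-specific playbook."""
    return Playbook(template.trigger,
                    [Step(s.name, s.kind, Template(s.command).safe_substitute(org_params))
                     for s in template.steps])

def run_playbook(playbook: Playbook, event: dict, soc_has_mandate: bool = False):
    """Execute the workflow for a matching event. Investigative steps run automatically;
    mitigation steps run only if the SOC has the mandate, otherwise a ticket is raised."""
    if event.get("type") != playbook.trigger:
        return None                      # event does not trigger this playbook
    outcome = []
    for step in playbook.steps:
        command = Template(step.command).safe_substitute(event)
        if step.kind == "mitigate" and not soc_has_mandate:
            outcome.append(("ticket", step.name, command))
        else:
            outcome.append(("executed", step.name, command))
    return outcome

# Constructed sample template, organisation parameters and event (hypothetical values).
SHARED_TEMPLATE = Playbook("malware_alert", [
    Step("related_events", "investigate", "search $siem_url for events from $host"),
    Step("threat_intel", "investigate", "lookup $sha256 in $ti_feed"),
    Step("isolate_host", "mitigate", "quarantine $host via $nac_api"),
])
ORG_PARAMS = {"siem_url": "siem.example.internal", "ti_feed": "misp.example.internal",
              "nac_api": "nac.example.internal"}
SAMPLE_EVENT = {"type": "malware_alert", "host": "ws-042", "sha256": "<constructed-hash>"}

if __name__ == "__main__":
    pb = instantiate(SHARED_TEMPLATE, ORG_PARAMS)
    for entry in run_playbook(pb, SAMPLE_EVENT, soc_has_mandate=False):
        print(entry)
```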
TNO believes there is a need for open SOAR services to drive both the development and adoption of this technology forward. The research institute, therefore, built its own SOAR offering and released it as open-source technology in mid-March.
“We are a very strong advocate of open and standardised solutions,” Kerkdijk told Computer Weekly. “Our SOARCA tool is therefore free of vendor dependencies and comes with native support for the CACAOv2 standard. We released it as open-source so that the community of SOC and CERT professionals can freely experiment with the concept of playbook-driven security automation and hopefully contribute to its further advancement.”
Playbook-driven security automation can save considerable time and free up analyst time to perform more complex analyses on lesser-known or new incidents. Ultimately, this will give an organisation a means to stay attractive for the sought-after security specialists.
“SOC and CSIRT specialists are in high demand,” he said. “If they are relieved of boring, repetitive tasks in favour of more challenging work, I could very well imagine that their job becomes more interesting and that it becomes easier to retain them.”
Future developments
TNO is pursuing a variety of innovative technologies for cyber security automation. “For instance, we are delving into a concept that we call automated security reasoning,” said Kerkdijk. “When security monitoring systems raise an alert, the process of reasoning towards a diagnosis and determining the right way forward is still largely the job of human experts. We believe this process can be supported more directly by using technologies for modelling both the infrastructure and the behaviour of cyber attackers.”
TNO also conducts extensive research with respect to self-healing systems that autonomously anticipate, withstand and recover from threats and attacks. This concept is inspired by defence patterns of the human immune system and applies principles such as cell regeneration to cyber security infrastructures.
“SOCs and CSIRTs will take on a different appearance in the years to come, partly because there are a lot of changes in the threat landscape, but also because the infrastructures that SOC and CSIRT teams protect are greatly evolving, and because new regulations such as NIS2, the Cyber Security Act and Cyber Shield will come with new demands,” said Kerkdijk. “Automation of SOC and CSIRT processes will likely play a pivotal role in this ongoing development.”
Read more about SOCs and CSIRTs
- What’s in a name? Parse the true differences between a CERT, a CSIRT, a CIRT and a SOC, before you decide what’s best for your organisation.
- Automating basic SOC workflows with SOAR can improve an organisation’s security posture. Explore six SOAR use cases to streamline SOC processes and augment human analysts.
- Security in the digital era demands that businesses monitor their entire IT estate and resolve all alerts, but for many organisations the most effective way of doing that is SOCaaS.