Article Details
Scrape Timestamp (UTC): 2023-11-10 09:01:41.647
Source: https://thehackernews.com/2023/11/the-new-8020-rule-for-secops-customize.html
Original Article Text
The New 80/20 Rule for SecOps: Customize Where it Matters, Automate the Rest

There is a seemingly never-ending quest to find the right security tools that offer the right capabilities for your organization. SOC teams tend to spend about a third of their day on events that don't pose any threat to their organization, and this has accelerated the adoption of automated solutions to take the place of (or augment) inefficient and cumbersome SIEMs. With an estimated 80% of these threats being common across most organizations, today's SOCs are able to confidently rely on automation to cover this large percentage of threat signals.

But, while it is true that automation can greatly improve the efficiency and effectiveness of security teams, it will never be able to cover all detection and response use cases infallibly. In the recently released GigaOm Radar for Autonomous Security Operations Center (SOC), they accurately state that "the SOC will not—and should not—be fully autonomous." As more vendors attempt to challenge the dominant players in the SIEM category, demand is increasing for solutions that offer automation, which can cover 80%, while also offering customization capabilities to cover bespoke use cases - the remaining 20%.

THE 80%: AUTOMATION

With the continual surge in global data creation, organizations are inevitably seeing an uptick in the number of alerts managed by security teams. This may seem daunting for overworked security teams, but advanced vendor offerings are implementing automation across various stages of the SOC workflow, helping teams enhance their speed and effectiveness. The four key phases where we are seeing automation are:

Modern SIEM replacement vendors, such as Hunters, leverage pre-built detection rules, integrate threat intelligence feeds, and automatically enrich and cross-correlate leads. These automated processes alleviate large amounts of tedious workloads, empowering security teams to easily manage the large majority of alerts.
THE 20%: CUSTOMIZATION

Although automating the above phases of the workflow has been massive in boosting efficiencies for many SOCs, there will always remain the need for a certain degree of customization. Each organization has bespoke needs and requirements depending on industry- or company-specific use cases. This means that even if automated and built-in capabilities can address 80% of the general use cases and tasks, additional capabilities are needed to cover the remaining 20%. "Customization" can mean a lot of different things, but the main requirement for security teams is that they have both the flexibility to cover unique use cases and the ability to scale their capabilities. Let's look at a few examples of use cases where this can be beneficial:

Conclusion

Building out an effective SOC has always been, and will continue to be, a nuanced effort. There is no one-size-fits-all solution when it comes to security tools. It is important to offer ways for organizations to not just customize for their use cases; it is vital that they are able to combine this "customization" with the already existing automated capabilities that vendors offer. It has become a necessity to look for vendors that offer a hands-on approach to customizing tools while doing so in a way that bolsters the autonomous portions of their offerings. SIEM replacement vendors like Hunters, which have been named leaders in GigaOm's previously mentioned report on autonomous SOC, are known for their easy-to-use and pre-built capabilities. And, to ensure that they serve the needs of security teams, they are continuing to add innovative customization features that allow organizations to tailor their security strategy to their unique requirements. Covering the 80% is vital, but addressing the remaining 20% will set your security team above the rest.
Daily Brief Summary
Security Operations Centers (SOCs) are embracing automation due to the sheer volume of threat signals, with an estimated 80% being common across organizations.
Despite the efficiency of automated solutions, they cannot entirely replace human judgment for detection and response, necessitating customized approaches for unique threats.
The GigaOm Radar for Autonomous Security Operations Center report warns against fully autonomous SOCs and highlights the demand for products offering both automated and customizable capabilities.
Advanced vendor solutions automate various SOC workflow stages, including integration of threat intelligence feeds and pre-built detection rules, to manage the majority of alerts effectively.
Customization is vital for addressing industry or company-specific use cases, accounting for the unique 20% of threats that automation alone cannot manage.
Vendors that combine automation with customization capabilities, such as Hunters, enable organizations to tailor their security strategies while maintaining efficiency in threat management.
An effective SOC requires a blend of automated capabilities for common threats and the flexibility to address particular needs, avoiding a one-size-fits-all approach to security tools.