Self-Driving SOC

Every time I hear someone reference the supreme challenges of building a security operations center, my mind jumps to a wonderful young man I once knew named Jim Boxmeyer. Back when most businesses were just beginning to arrange security teams into groups of analysts squinting at screens looking for alarms marked red, Jim was pioneering techniques for bridging that massive chasm between Tier 1 analysts and their high-level technical support.

Here are a couple of things I learned from Jim about SOC design: First, if you are going to rely on human analysts, then expect to train them – basically from scratch. The discipline, skills, background, and judgment required to serve as an expert on a SOC floor are not going to emerge from a college course. (This does not diminish the importance of good education for SOC analysts. Jim, in fact, spent several years while at AT&T Labs finishing his own degree.)

But second – and this might be the most important issue: If you are going to build a working SOC, then you’d better know (or learn) how to integrate automation into the design. With cyber attacks now approaching automated speeds that far exceed the ability of any human being to track them, the only means for SOC teams to keep up with real-time threats is to automate. Years ago, this meant connectors to the SIEM; today it means intelligent technology.

I had Jim’s sound advice echoing in my mind while meeting recently with the principals from a cyber security company called Respond Software. I’d been hearing over and over from friends about this start-up, and how it was automating critical portions of the SOC. I’d even heard reference to a marketing image of theirs that caught my eye – one that is almost Steve Jobs-esque in its power and simplicity: Self-Driving SOC.

Let’s dig into the idea: All existing SOCs are centered on a commercial or customized system, platform, or server that provides event and incident support to on-site analysts. We can refer to this general capability as an onsite analyst server. Each SOC team can fill in their local details of how this server ingests event and environment context data, and how it supports case management, incident response, and correlation analysis.

The challenge, as security experts will attest, involves figuring out how to translate data from the onsite analyst server into actionable management intelligence. Where this task has been traditionally supported by human beings in a SOC, more modern solutions employ intelligent algorithms to provide both basic and advanced analytics in a self-controlled manner. Such autonomy is the basis for the self-driving analogy.

The Respond Software platform can thus be viewed as an automated analyst for the enterprise. That is, the Respond Analyst solution plugs directly into the onsite analyst server, just as a human SOC team might. It has the self-driving responsibility to augment the existing SOC team by performing the following support tasks – each of which requires the dependable operation of an automated and intelligent expert system:

Knowledge Base Management. The basis for all traditional expert systems, as well as modern machine learning systems, is the collection and storage of information into a knowledge base that can be managed and accessed through defined interfaces. “Our platform is designed to help gather facts and infer context,” explained Chris Calvert, co-founder of the company. “This is a function that automation can perform more efficiently than any human trying to keep track of data.”

The implication is that if you are running a SOC and you plug the Respond solution into your onsite analyst server, the result will be a high-quality knowledge base, constructed and maintained automatically, and providing autonomous support for your analysis and response activities. This is a welcome capability, since most SOC hunters and analysts use home-grown or special tools to store and manage available knowledge.

Decision Engine Processing. The decision engine in the Respond platform combines basic expert system decision structures with modern machine learning methods. The result is an advanced decision-making function for the SOC that makes both rudimentary and advanced choices about observed security information. Such decision-making is based on underlying probabilistic mathematical models developed at Respond.

SOC analysts thus have access to a powerful decision function, readily available to support the development of management action recommendations. By some estimates, the workload augmentation from the Respond Analyst platform approaches the equivalent of twenty-six full-time SOC analysts. That type of significant capability leap is exactly what is required for modern enterprise SOC teams to deal with a rapidly advancing cyber threat.

Case Building and Support. The core unit of predictive analysis and reactive incident response is the notion of a “case,” which is basic to the practical operation of a working SOC. To that end, the Respond solution supports case building and incident management, with reporting to the security management team responsible for response decisions. “Our platform is designed to emulate the judgment of a human security analyst,” explained Calvert.

The decision to generate cases is influenced by Respond’s Probabilistic Graphical Optimization (PGO) technology, which performs analysis based on a multitude of different factors. The goal of the PGO processing is to determine severity, likelihood, and consequence of a potential incident. This capability is one of the most powerful aspects of the self-driving SOC, because the decision to respond is based only on relevant information.

These automated tasks are complemented by the ingest of external threat intelligence feeds from Respond Software – and can include any threat intelligence feed you might be using at your company via the STIX/TAXII standards. The result of the automation and feeds is a system that really does look like a self-driving SOC. Granted, the approach does not remove the need for human beings, but it does introduce an element of welcome autonomy in tasks that a machine is likely to perform more effectively than any person.

Respond Software has been in business since 2016, and I’m sorry I didn’t notice their SOC automation until recently. I can assure you, however, that if Jim Boxmeyer were still around – and unfortunately, we lost Jim a few years ago to cancer (such a sad loss, not only for his family, but for the entire cyber security community) – he would certainly have made sure this company was in front of me the instant they announced their offering.

Now, I have no idea if you have anyone on your team as good as Jim Boxmeyer offering advice on security architecture and SOC design. If you don’t, then I’ll serve as a proxy here, and recommend that you contact the Respond Software team. Their solution offers a glimpse into the future of autonomous security management by combining intelligence and automation in a way that makes humans perform better.

And please let us all know – as usual – what you learn in your own analysis.