September 9, 2021, Davor Karafiloski

SOAR doesn't replace humans - It makes them more efficient

Whether it’s because we’ve watched one too many sci-fi movies, or we’re just plain scared of the potential of AI, automation, and machine learning, many suggest that the dawn of automation is going to make humans obsolete in security operations.

While there are new security technologies on the horizon, such as SOAR, that are offering all sorts of next-gen capabilities in the form of self-learning progressive automation, the unequivocal reality is that humans are going to remain the ones holding the wheel in security operations.

SOAR, as a particularly young technology that is only now making strides in the cybersecurity world, is often misunderstood due to its revolutionary capabilities. And it’s about time that came to an end.

The truth about Security Orchestration, Automation and Response

More often than not, analysts are drowning in repetitive, time-consuming alerts that take up all of their time and energy. Hackers know very well that by bombarding SOCs with too many alerts, they can potentially slip the real threat in undetected while keeping the analysts busy with never-ending alert assessment.

Given that most of the alerts are actually false positives, that means that analysts spend most of their time on a wild goose chase. And, considering that hackers are launching more sophisticated and evolved threats than ever before, companies just can’t afford to assess potential threats in days or weeks. Their goal should be to catch them in the act and perform threat assessment in minutes.

That is exactly what SOAR helps them achieve.

SOAR is not replacing humans with the goal of taking their jobs. It is actually doing the opposite. It allows SOCs to automate the tedious, time-consuming, low-value repetitive tasks that take up most of their time. SOAR cleans up the mess so that security analysts can channel their time and effort into more challenging initiatives.

SOAR doesn’t replace the expert mind of security professionals; rather, it does the “dirty” work for them. If performed manually, incident documentation, alert data collection, and similarly repetitive and time-consuming processes can be quite tiresome. As a result of being overwhelmed with such tedious and recurring tasks, security professionals often experience burnout in the form of “alert fatigue.” This often leads to analysts becoming disappointed with their role in the SOC and unmotivated to keep up the necessary performance in the long run.

This is why a technology with capabilities similar to SOAR was direly needed by security professionals. The initial purpose of SOAR was to lend humans a helping hand in security operations, not replace them. And that’s how it’s going to remain.

SOAR helps security teams keep up with evolved cyber threats

SOAR was born out of the problems previous technologies were incapable of overcoming.

Security Orchestration, Automation and Response is supposed to act as a force multiplier, simultaneously enhancing multiple areas of a SOC. And despite the misconception that SOAR replaces humans, it actually boosts their productivity in many ways:

  • Enhanced threat hunting capabilities

  • Resolving the skill shortage issue

  • Improved incident response time

  • Better communication and coordination within the SOC

  • Seamless orchestration of all tools 

Not only does SOAR allow SOC teams to automate a myriad of tasks, but it also allows them to increase their overall productivity, communication, and coordination.

And while many organizations are still not mature enough to comprehend and implement the unconventional capabilities introduced by SOAR, in time, SOAR is set to become a necessity rather than a luxury.

Automation in SOAR doesn’t mean complete autonomy

Autonomous means carried out without supervision or control. And automation (at least automation provided by SOAR) does not function with complete autonomy.

Yes, SOAR does implement automation in a variety of security operations, thus liberating humans from having to perform the tasks themselves. But in every phase of the automation process, humans are the ones in control of how the automation unfolds.

Security analysts decide which parts of a security operation they want to automate and which part they want to manually oversee. The degree of automation applied to processes is completely adjustable, and analysts have the freedom to decide which tasks they deem safe to be fully automated and which ones require their professional attention.

So, while SOAR and its automation capabilities do in some way replace analysts, complete autonomy in automation is - and will be - out of the question.

Will progressive automation eventually outsmart hackers?

Thanks to its machine learning engine, SOAR is capable of learning from the characteristics of incoming threats, and as its knowledge base becomes richer, its decision-making process becomes smarter.

This capability allows SOAR to become better at detecting false positives. For example, if an alert of a potential phishing attack turns out to be a false positive, SOAR will learn the characteristics of that alert and will use that information as a cross-reference the next time an alert with similar characteristics arrives.

But, as we all know, the most devastating attacks are always the ones that are least expected, and SOAR and its progressive automation capabilities aren’t able to anticipate the unknown and outsmart hackers.

So, as sophisticated as SOAR can be in terms of offering next-gen capabilities, it does not possess the same kind of critical thinking that security experts do in order to outsmart hackers. Critical thinking is a trait that will always belong to humans.

Augmenting analysts instead of replacing them

Security tools are created to support security professionals. And the same goes for SOAR.

The bottom line is that SOAR helps security teams become better at what they do. So, in the long run, instead of replacing security professionals, pioneering technologies like SOAR are expected to augment their capabilities.

Instead of shifting the focus from analysts to technology, SOAR fuses the two and gives analysts a big boost in the battle against sophisticated cyber threats.

AI and machine learning are writing the next chapter of technological advancements, but cybersecurity still revolves around human expertise as the cornerstone of security. And with the help of flexible and forward-thinking technologies such as SOAR, analysts will become true defenders of SOCs.

Davor Karafiloski

SEO and Content Marketing Specialist