Event Recording

Security Automation: Realizing Business Benefits, Without Adding Headcount


The next generation of cyber threats has arrived, and there aren't enough security people or budgets to handle the growing volume and complexity. This presentation will explore why organizations, and not just their security teams, need security automation. We will look at the reasons why security teams use SOAR (Security Orchestration, Automation, and Response) to keep pace with threats and technological innovations without their organizations needing to add headcount. Learn how, when the security team automates traditional Tier 1 work, the entire organization benefits: from upskilling staff to eliminating spend on managed services. This session draws from real-world European enterprises whose adoption of NextGen SOAR was the catalyst for fundamental security and organizational improvements.

Good afternoon, people here in the room as well as online. My name is Seven Collins. I'm the global director of sales engineering at D3 Security. We are so vena, meaning we operationalize technology to make efficiency in the SOC possible, allowing you as security leaders to drive more technology within the SOC more efficiently and reduce the workload on your individual analysts. Generally speaking, a few facts about me: I've been in cyber for two and a half decades now. I did pretty much everything with regards to security management and monitoring, and I'm a proud father of a five-year-old, so a late starter, and he often asks the question, "What is cyber?" I tried to explain that to a five-year-old, and the only thing that I came up with is actually, it's like onions. There's a lot of different layers and at one point somebody starts to cry.
And the reason for this is, it's interesting. I assume you're familiar with the analyst Jon Oltsik, an individual who, for a very long time, in 2011 already asked the question whether there will be a cybersecurity talent shortage. Thinking about it, it's 11 years and we still talk about the very same topic. And if you look at various different job sites, and I just used CyberSeek, currently in the US alone there are over 700,000 unfilled roles in cyber. Just extrapolate that on a global scale. And the adversaries on the flip side, they don't mind if it's a small business or a large enterprise. They're just looking for the next victim.
If you look at the recently published Devo SOC Performance Report, they issue that on an annual basis, you can see that 64% of SOC leaders lost individuals within the SOC. There's a varying scale with regards to attrition rates, but if you look at the last point, 3% lost almost 40%, half of their entire team, in one year. The question is obvious: what makes working in a SOC so painful? And funny enough, if you look at the reports over the last years, the problems have not changed. It's lack of integration. It's operating across various different tools. It's information overload. It's the various different false positives that the analyst needs to chase. It's repetitive workflow that they need to perform. And the question that I always get: how do I solve this? There's, from my perspective, a very simple methodology for a very common problem, because if something happens recurringly over and over again, the easiest thing to do is to automate it.
And I can do this. I can handle alert overload through various different playbooks. I can create or alleviate manual processing through automation, again through playbooks. Having various disparate tools, I can solve that problem through integration. Talent shortage: if I can't hire security analysts, I need to sweat my assets and drive the best out of the individuals that I have, which means I need to reduce the work that's cumbersome to them, and especially address the typical behavior, the grass is greener on the other side. The majority of the security analysts that I speak to, it's always the same. They just came into a new organization thinking the grass is greener.
Generally speaking, from a technical perspective, how do we do that? We take the telemetry, we integrate the various different security toolings, and we do that for our customers. A huge differentiator in the market space, because we literally say to them, we have unlimited application and integration support, because we have over 80 to close to 90% of resources in engineering that are building those integrations for our customers at a rapid pace. So the customer, even though they could build those integrations through the built-in IDE, they don't even bother with building it, because we are delivering it faster to them and with deeper integration. However, once the data is being processed, it hits what I call the magic zone, or we officially call it the D3 event pipeline, because that's where the magic happens. We do the entire normalization, we do enrichment, we do correlation. We attribute the various different alerts and events to the various different incidents.
We have the possibility to requalify. Simple scenario: if you're using Cisco Umbrella, you get the data when it's already 30 minutes old. So it could be that the event that's been ingested at the time wasn't malicious. However, by the time we are getting the event to correlate and aggregate the event, we could deem this particular URL click as a potential leak towards any threat scenario that you could imagine. We do a hundred percent false positive reduction, because we can look at the various different domains themselves. We can reevaluate all those. We follow maintenance, we can take the various different artifacts and reevaluate those. And by that we can reduce the false positive rates in the SOC before it even hits the queue for the analysts.
That's the theory, right? Let's look at one of our customers, a healthcare organization. Medium-sized SOC operations. Huge challenge with phishing. A phishing incident to be handled roughly takes them 30 minutes in time, because they need to take the data and need to find the yama, extract the artifacts, submit it to the sandbox, create the report, assess further artifacts that might be associated, start remediation. What we do for them: we take the data and then we extract and parse the email. We extract the artifacts, automatically submit them to a sandbox, get the report, vet the report and then determine if there is something that an analyst needs to look at. If it's a false positive, we inform the end user automatically. Nothing is to be done. It takes three minutes, and most of the time is actually spent in the sandbox. If there's a true positive, so there is an actual incident, what happens? We escalate it into the tier two queue. The hash gets immediately banned. We have the possibility to then quarantine the host and start remediation. We can issue a complete network scan to get additional information around that, and we can enable a full scan on the endpoint. Again, this can take three minutes. The entire process now takes six minutes, and that's solely reliant on the various different connected tools.
Let's review what the return on investment for this very simplistic use case actually is. So previously they had 200 events per month, equating to a total work time on those various different false positives that they needed to chase of 59 hours. Now, due to the fact that we fully automate the majority of the work, we free up 49 hours per week. Let's think about that. 49 hours a week, work week, 40 days. Typically in IT we do roughly eight, nine hours overtime. That's a headcount. Let's look at another customer of mine, a manufacturing organization. Again, very small. The SOC team is a team of four. They have additional MSSP services for out-of-hours monitoring. When they look at various different false positives, we ran the calculation all the way through. They spent roughly a hundred hours per week in total. If I consider the analyst cost, and this is the real cost, the analyst was giving us the actual fact, it's 27,000 euro that they spend on investigating false positive malware alerts. With technology this could look completely different, because we can do this way faster. The process takes us less than a minute to analyze and investigate. In total, the cost here is roughly, or not even roughly, it's 2,900 and a bit euro, or if I take it vice versa, the saving is almost 25,000 euro.
Think about it in a different way. It's half a headcount. As a director of global sales engineering, I obviously monitor the various different calls that my senior as well as standard security engineers are doing on a day-to-day basis. Ilias with various different customers and prospects. And here are a few quotes that constantly seem to reappear, and I like to say, start thinking outside of the box. The responses that I'll be showing you now are not us saying it, it's somebody within their individual team. So the CISO, the top manager on the call, goes, says, this looks really good, but I don't think we can make this happen or a priority in our environment at this moment in time. Mostly cost-driven. And one individual speaks up and says, looking at that, probably we should. Typically hiring scenarios: we can't hire enough people fast enough. I was talking to another SOC manager, they operate their SOC business in Poland, and it still takes them roughly nine months from getting the headcount approved to onboarded. Maybe automation can help. If you can't hire, shift the workload to automation where you can. Typical scenarios also, often: I don't think we are really in the position for this, or we are not mature enough. If you're not mature enough, probably you should definitely look at automation, because that's when you start to build structure.
And pretty much everyone that I speak to says, we aren't looking at SOAR. So there's always that one individual that says we should be looking at SOAR, because I can immediately see efficiency within our SOC being increased by leveraging automation and getting rid of all this cumbersome work. Thank you.
Are there any questions?
No questions from the audience. Maybe a question from my side then. Just curious, what are your thoughts on XDR solutions? Are they gonna, in a way, compete with SOAR?
I don't think so, because XDR is often driven through vendor initiative and, as you see, it's sometimes a combination of various different tools providing certain functions as a SOAR. SOAR automation can go way further. It's not necessarily only security automation that you could deliver as such; we have customers automating workflows, for example in ServiceNow, trying to enable more effective ticketing across the entire board. So as you start peeling the onion, trying to identify the various different use cases, you can explore way more than just XDR, which will just extend detection and response. Funny enough, nobody knows exactly what it contains.
Any questions? Yeah.
So where do you see SOAR vendors building in the orchestration capabilities in their product? Or do you see in the future that being pluggable orchestration layers, where you plug into some other orchestration engine? And what's your thought on where that's going?
Generally speaking, I don't think that we would build the various different capabilities into the platform. It would be pluggable, leveraging capabilities that other individuals built that have the ability and knowledge around that particular framework. With regards to where that market is developing, obviously you've all seen that SOAR is a bit of a loose market at the moment, because a lot of SIEM vendors are driven by Gartner, for example, to integrate SOAR as a capability as such. Some organizations go, oh, just acquire a SOAR. Not necessarily the best one, but to tick the box for Gartner, which makes it a little bit more challenging in the market, because obviously you're now competing against integrated SOAR versus independent standalone SOAR. However, there's also the competitive advantage, because if you are vendor X with an integrated SOAR technology and you want to integrate with somebody's competitive platform, they don't give you their information, or not all the information. Whereas an independent SOAR will always have deep integration.
I think I hear what you're saying, but you talk about headcount and the skills gap, we can never get enough people. Should we be focused on the other side of skilling, requiring less knowledgeable people that end up getting the same output? I think basically it's not requiring skilled people to get the same thing done, because technology is gonna fill in the gap and make it a lot simpler. What are your thoughts on that?
I don't think it's about having less skilled people doing the exact same job, because you need to have a full understanding of it. It will always be mandatory. The real challenge is it's really hard to fill that gap, and the majority of our customers are filling the gap by reskilling their tier one, because they automated and no longer have any tier one. As such, you're not hard pressed for hiring, because immediately, by introducing this technology, you immediately free up headcount that is available, that is already skilled, that understands your business processes, and you can then start sharpening their skills, investing into those individuals. They immediately feel better at work, because all that repetitive work has immediately stopped. There's a lot of social benefit within the teams that we are seeing, as such. Where will this go? I don't know. I can't predict it at this moment in time. I wish I could, because technology could be the problem or it could be the solution. But what I'm trying to say is, depending on where you are as an organization today, identifying that there are improvement possibilities by using technology alone is a benefit for an organization. The majority of organizations today still fear automation, even though it could help a lot.
Well, if there are no further questions, we'll close the session.
Thank you. Thank you.
