Business Outcomes for Automated Phishing Response
Security Automation Can be a Game Changer for Any SOC or CSIRT, Including Yours
As I’ve written about in previous articles, security automation technology is creating impressive gains for security and incident response teams, by helping them improve operational effectiveness, increase speed and agility, and reduce risk. More and more security analysts and SOC managers are beginning to understand the potential of automation as they experience it firsthand or hear about it from their peers.
However, it can be difficult to accurately demonstrate these gains using language that everyone can understand and appreciate: time and cost. This is particularly important for SOC and CSIRT managers who need to communicate with company stakeholders responsible for budgeting, training, and risk management—and who may not understand the ins and outs of a security operation.
As a result, security folks are increasingly interested in the business outcomes yielded by security automation. Their interest is driven by two factors: first, they want to know potential business outcomes beforehand, in order to get buy-in from executives and team members during the project planning phase; and second, they want to know—for their own SOC management purposes—how many person-hours can be saved in order to run their SOC more efficiently.
I have been involved with the implementation of many incident response solutions and have documented the “before and after” of security automation. In this post I’m going to share the typical business outcomes experienced by a security team and show you the simple mathematical approach that can help you estimate the effect of automation in your SOC.
1. Choose a use case to measure
Ask your security team: what incident types are causing the most grief? What incident types require you to constantly switch between multiple tools to investigate? Often, phishing is identified as the obvious incident type that is most ripe for automation. This is due to the sheer volume of phishing attempts—particularly in large enterprises—and the combination of steps and tools that are required to investigate and resolve the incidents. For these reasons, we’ll use phishing as our example in this article.
2. Establish baseline metrics for your manual response
Next, calculate or estimate the number of phishing attempts you face each month. How many of these were false positives and how many turned out to be genuine incidents? How many minutes or hours does it take, on average, to close each false positive? How long does it take to close each true positive, or genuine incident?
Now, multiply the average response time by the number of phishing attempts per month and the hourly cost of a security analyst in your organization. This will give you the amount of money that you spend in an average month investigating and responding to phishing incidents.
3. Compare the manual response to an automated process
In organizations that use a security orchestration, automation, and response (SOAR) tool, the process for responding to a phishing attempt looks very different. The phishing inbox connects with the SOAR tool, automatically escalating an alert when a phishing attempt is reported. The SOAR tool then takes the MSG file and uploads it to a sandbox, generating a report for the analyst. The analyst can quickly evaluate the report to determine whether the incident is a false positive or true positive.
If the analyst determines it’s a false positive, the SOAR tool will notify the user who received the initial email, and close the alert. If it’s a true positive, the SOAR tool can conduct a series of automated actions across the security environment, such as banning the hash, performing a network scan, and quarantining any infected endpoints. This whole process only takes a few minutes.
4. Crunch the numbers
Based on the many organizations that I’ve worked with on automation projects, closing a false positive will take around 2-3 minutes, and resolving a genuine incident will take 4-6 minutes. So, let’s take a conservative estimate of the automated processes, and compare against the manual response’s baseline:
• Events per week remain the same: 200.
• False positives and true positives remain the same: 164 and 36.
• Time to close each false positive goes from 15 minutes to 3 minutes.
• Time to resolve each true positive goes from 30 minutes to 6 minutes.
• Overall time per week spent on phishing incidents goes from 59 hours to 10 hours.
If paying and “housing” your security analysts cost $75 per hour, that means that manually resolving phishing incidents is costing your organization $4425 per week. Introducing automation would reduce the cost to just $750 per week. Extrapolated over a full year, your SOC could save 2,548 hours and $191,100 per year—just by automating a single use case. Now, ask yourself: what could your team do with the extra time? What about the extra budget?
Obviously, there are many other use cases that can benefit from automation. By highlighting phishing, which causes so many headaches for all us security professionals, I hope you can see just how much of a game-changer automation can be for any SOC or CSIRT, including yours.