
Is the best of the SOC behind us?

  • Jul 11, 2024
  • 6 min read

Updated: Apr 24

It was 2013 and I was 26 years old, just starting out in the Security Operations Center of a Managed Security Services Provider. I sat in a room filled with my colleagues' hopes and dreams of money, money, money. We were all just starting out at the lowest rung of the ladder, not making much money at all, but everyone knew somebody who made what felt like billions of dollars doing cybersecurity. What did they do with all that money?




We would wake up and check the news outlets because breaches were happening and making big news. The public was very concerned about cybersecurity, and companies were throwing cash at cybersecurity to avoid being in the news.


There weren’t many people trained in cybersecurity, and the demand for talent was high. Companies couldn’t hire the talent they needed, so they threw cash at training people. The training business was booming.


It was a time to be in cybersecurity; it was the golden age.

Before we go further, I want to say that this blog doesn’t end depressingly; it ends on a high note, and not the high note that you might be thinking right now.


It is 2020, COVID is a hot topic, and I am just leaving VMware as a SOC Automation Developer after having what someone could describe as a breakdown, having just realized what the future of cybersecurity would look like. I had spent my time slowly taking work away from the SOC and automating it, scribbling next steps in my notebook until I reached what would be the master plan for automating not only the SOC but what would become "Mastering Cybersecurity Automation", which led to a book deal with the publisher Manning that I ultimately backed out of. When I began the book, starting with the matrix, I realized something that haunted me, something I haven't told anyone until now.


Computing at its most fundamental level is simple. It's a combination of 1s and 0s, and a 1 and a 0 can be organized into four combinations: 11, 00, 10, 01. We are adding complexity. From there, you can take those same 11, 00, 10, 01 and make 16 combinations, adding more complexity.


This is the same thing that we’ve done in cybersecurity.


The fundamental cybersecurity tasks, or in this outline, "building blocks", can be organized into increasing complexity to accomplish all of our tasks. That means all you need to do is automate the building blocks of your company and use a matrix to combine them in various combinations to achieve full automation. The outline below is a draft and could use more refining, but it is presented here to convey the idea.


We do very few fundamental tasks in cybersecurity.


And that's when I stopped.

We overcomplicated and convoluted a 180 billion dollar industry that provides jobs to millions of people, and I wasn’t prepared to face an internal struggle over what was right.


I went back and forth with this for some time.



Screenshot of conversation with a resume writer

Eventually, I couldn’t stomach being responsible for building the master matrix of tasks, leaving everyone unemployed, so I left automation altogether.


Today, it is well known that automation, not AI, is replacing cybersecurity jobs, and we feel its impact. It's like I am seeing this evolve, whether or not I was responsible for it. Someone is going to figure this out.


Now, I mentioned that this blog ends on a high note. Are you ready for it? The high note is the demand for automation. The threat landscape continuously evolves, leaving more to automate. Automation tools have become incredibly user-friendly, meaning you don't have to be a developer to use them. The SIEM we used as a single pane of glass is now a SOAR tool. There will be a race for efficiency that will never, ever, ever end. Companies will continuously tweak automation forever to get more and more efficient. It will never end, and the demand will shift toward people with better and better automation skills.


Automation BREAKS all the time. People will be needed to repair the automation. Some processes you just can’t leave to automation and require human approval. People will be needed to do this, too.
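The building-block and matrix idea above, together with the point that some actions still need human approval and that automation breaks, as an added Python example (not code from the post, the book outline, or its author): the block names follow the outline's playbook chapters, the indicator list and alerts are constructed, and the approval callback and repair queue are assumptions.

```python
from dataclasses import dataclass

# Constructed, hypothetical indicator list standing in for a real enrichment source.
KNOWN_BAD = {"evil.example", "203.0.113.9"}

@dataclass
class Block:
    fn: object                  # callable that takes the alert dict
    irreversible: bool = False  # a human must approve before this block runs

# Building blocks: each is one small, reusable step that mutates the alert dict.
def enrich(alert):                            # Enrichment playbook
    alert["known_bad"] = alert.get("domain") in KNOWN_BAD
def analyze_malware(alert):                   # Analyzing Malware playbook
    alert["verdict"] = "malicious" if alert["known_bad"] else "benign"
def block_domain(alert):                      # Firewall/web proxy Blocking playbook
    if alert["verdict"] == "malicious":
        alert.setdefault("actions", []).append(f"block {alert['domain']}")
def isolate_endpoint(alert):                  # Actioning Endpoints playbook
    alert.setdefault("actions", []).append(f"isolate {alert['host']}")
def escalate_to_ir(alert):                    # Escalate to Incident Response playbook
    if not alert.get("ticket"):
        raise RuntimeError("ticketing API unreachable")  # simulated breakage
    alert.setdefault("actions", []).append(f"escalate {alert['ticket']}")

BLOCKS = {
    "enrich": Block(enrich), "analyze_malware": Block(analyze_malware),
    "block_domain": Block(block_domain), "escalate_to_ir": Block(escalate_to_ir),
    "isolate_endpoint": Block(isolate_endpoint, irreversible=True),
}

# The matrix: each full automation is an ordered combination of building blocks.
MATRIX = {
    "phishing_response": ["enrich", "analyze_malware", "block_domain",
                          "isolate_endpoint", "escalate_to_ir"],
    "banned_programs": ["enrich", "isolate_endpoint"],
}

def run(automation, alert, approve):
    """Run one automation; approve(block_name, alert) -> bool is the human gate."""
    for name in MATRIX[automation]:
        block = BLOCKS[name]
        if block.irreversible and not approve(name, alert):
            alert.setdefault("pending_approval", []).append(name)
            continue
        try:
            block.fn(alert)
        except Exception as exc:  # automation breaks: queue it for a human to repair
            alert.setdefault("needs_repair", []).append(f"{name}: {exc}")
    return alert
```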


I am writing about this only because I believe the net sum of labor from before and after will be near zero when it's all said and done. Companies are undergoing some changes, laying off people they will have to rehire when they reskill.


There are some unrealistic expectations of the cost savings of automation. The only real way to save costs is by accepting more risk, which they could have done from the beginning. It’s an industry that fluctuates, and that is where I have landed lately.


All those nights lying awake, worried about the future, just seemed to work themselves out.


And then AI happened.


Mastering Cybersecurity Automation

PART ONE: Understanding Automation

CHAPTER 1: Introduction

  • Why this book was written

  • What this book aims to accomplish

CHAPTER 2: The Demand for Automation

  • The evolving cybersecurity threat landscape

  • The cybersecurity workforce

  • The traditional security operations center

  • The solution of cybersecurity automation

  • Value Stream Map

CHAPTER 3: Mastering Cybersecurity Automation

  • Cybersecurity automation architecture

  • Cybersecurity automation processes

  • Cybersecurity automation technology

CHAPTER 4: Prerequisites and Assumptions

  • The similarities between SMB and Large Enterprises

  • International legal and data privacy considerations

  • Government regulations and certifications

  • Industry-related regulations and certifications

  • Organization policies/Asset policy

PART TWO: Building Blocks

CHAPTER 5: Sending Emails Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 6: Enrichment Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 7: Analyzing Malware Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 8: Actioning Endpoints Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 9: Firewall/web proxy Blocking Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 10: Escalate to Incident Response Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 11: SIEM Automation

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 12: Responding to Emails

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 13: Asset Discovery Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 14: Manual Exception Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 15: Whitelist Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

PART THREE: Fully Automated

CHAPTER 16: Phishing Response Automation

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 17: Unusual Privileged Account Activity

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 18: Banned Programs

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 19: Threat Intelligence Response

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 21: Vulnerability Management

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 22: Emergency Vulnerability Management

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 23: Data Loss Prevention

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 24: Cloud Orchestration and Response

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 25: Insider Threat

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 26: Threat Hunting

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 27: User Account Provisioning/Termination

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 28: Rogue Assets

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 29: Metrics

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 30: Cybersecurity Automation Matrix

  • Building blocks and their components

  • Automations and their building blocks

  • Cybersecurity roles and their automation

Table of Illustrations

About the Authorship

About the Technical Review


Tyler Wall Founder Cyber NOW Education



