It was 2013 and I was 26 years old, just starting out in the Security Operations Center of a Managed Security Services Provider. I sat in a room filled with hopes and dreams of money, money, money from my colleagues. We were all just starting out and at the lowest rung of the ladder, not making much money at all, but everyone knew somebody that made what felt like billions of dollars doing cybersecurity. What did they do with all that money? Is the best of the SOC behind us?
We would wake up and check the news outlets because breaches were happening and making big news. The public was very concerned about cybersecurity and companies were throwing cash at cybersecurity so they didn’t end up in the news.
There weren’t many people who were trained in cybersecurity and the demand for talent was high. Companies couldn’t hire the talent they needed, so they threw cash at training people. The training business was booming.
It was a time to be in cybersecurity; it was the golden age.
Before we go further I want to say that this blog doesn’t end depressing it ends on a high note and not the high note that you might be thinking right now.
It is 2020, COVID is a hot topic, and I am just leaving VMware as an SOC Automation Developer after having what someone could describe as a breakdown from realizing what the future of cybersecurity would look like. I spent my time slowly taking away work from the SOC and automating it, scribbling in my notebook the next steps until I reached what would be the master plan for automating not only the SOC, but what would be “Mastering Cybersecurity Automation,” which led to a book deal with the publisher Manning that I ultimately backed out of. When I began on the book, starting with the matrix, I realized something that haunted me, something I haven’t told anyone until now.
Computing at its fundamental level is very basic. It’s a combination of 1’s and 0’s, and a 1 and a 0 can be organized into four combinations: 11, 00, 10, 01. We are adding complexity. From there, you can take those same 11, 00, 10, 01 and make 16 combinations, adding more complexity.
This is the same thing that we’ve done in cybersecurity.
The very basic cybersecurity tasks, or in this outline “building blocks,” can be organized into increasing complexity to accomplish all of our tasks, meaning all you need to do is automate the building blocks of your company and use a matrix to combine them in various combinations to achieve the result of full automation. This draft could use some more refining, but it is presented to convey the idea.
There are actually very few tasks that we do in cybersecurity fundamentally.
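As an added illustration of the building-block matrix idea (my example, not code from the book draft or its author), assume a hypothetical mapping of the Part Three automations to the Part Two building blocks named in the outline below; the example goes a step beyond the paragraph by computing which automations a given set of implemented blocks enables, what a chosen automation still lacks, and a greedy rollout order that unlocks automations fastest.

```python
# Hypothetical building-block matrix, built from the chapter titles in the
# outline. Neither the block names nor the mapping are from the book draft.
BLOCKS = ["send_email", "enrich", "analyze_malware", "action_endpoint",
          "block_firewall", "escalate_ir", "siem", "asset_discovery",
          "manual_exception", "whitelist"]

# Rows: automations (Part Three). Each value: the building blocks (Part Two)
# that automation is assumed to be composed of.
MATRIX = {
    "phishing_response":   {"send_email", "enrich", "analyze_malware",
                            "block_firewall", "escalate_ir", "whitelist"},
    "banned_programs":     {"enrich", "action_endpoint", "send_email",
                            "manual_exception"},
    "threat_intel":        {"enrich", "block_firewall", "whitelist", "siem"},
    "rogue_assets":        {"asset_discovery", "enrich", "send_email",
                            "escalate_ir"},
    "privileged_activity": {"siem", "enrich", "escalate_ir", "send_email",
                            "manual_exception"},
}

def enabled(implemented):
    """Automations whose every building block is already implemented."""
    done = set(implemented)
    return sorted(a for a, req in MATRIX.items() if req <= done)

def missing(automation, implemented):
    """Building blocks still needed before `automation` can run end to end."""
    return sorted(MATRIX[automation] - set(implemented))

def next_block(implemented):
    """Greedy pick: the unimplemented block that unlocks the most automations,
    ties broken by how many automations reference that block."""
    done = set(implemented)
    best = None
    for b in BLOCKS:
        if b in done:
            continue
        unlocked = len(enabled(done | {b})) - len(enabled(done))
        demand = sum(b in req for req in MATRIX.values())
        if best is None or (unlocked, demand) > best[0]:
            best = ((unlocked, demand), b)
    return best[1] if best else None

def rollout_order(implemented=()):
    """Greedy sequence of blocks to build until every automation is enabled."""
    done, order = set(implemented), []
    while len(enabled(done)) < len(MATRIX):
        b = next_block(done)
        order.append(b)
        done.add(b)
    return order
```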
And that’s when I stopped.
We overcomplicated and convoluted a 180 billion dollar industry that provides jobs to millions of people and I wasn’t prepared to take on what would be an internal struggle on what the right thing to do was.
I went back and forth with this for some time.
What eventually happened is that I couldn’t stomach being responsible for building the master matrix of tasks, leaving everyone unemployed, and I left automation altogether.
Today, it is well known that automation, not AI, is replacing cybersecurity jobs and we are feeling the impact of it. It’s like I am seeing this evolve before my eyes, whether I was responsible for it or not. Someone is going to figure this out.
Now, I mentioned that this blog leaves on a high note. Are you ready for it? The high note is the demand for automation. The threat landscape continuously evolves, leaving more to automate. Automation tools have become much more user-friendly, meaning that you don’t have to be a developer to use them. The SIEM that we used in the past as a single pane of glass is now automation tools. There will be a race for efficiency that will never, ever, ever end. Companies will continuously tweak automation forever to get more and more efficient. It will never end, and the demand will shift to people with better and better automation skills. Automation BREAKS all the time. People will be needed to repair the automation. Some processes you just can’t leave to automation; they require human approval. People will be needed to do this, too.
I am writing about this only because it’s my belief that the net sum of labor from before and after will be near zero when it’s all said and done. I think companies are going through some changes right now where they are laying off people they will have to rehire when they re-skill. There are some unrealistic expectations of the cost savings of automation, and the only real way they can save costs is by accepting more risk, and that’s something they could have just done from the beginning. It’s an ebb in the ebb and flow of an industry, and that is where I have landed lately.
All those nights lying awake worried about the future just seemed to work themselves out.
PART ONE: Understanding Automation
CHAPTER 1: Introduction
Why this book was written
What this book aims to accomplish
CHAPTER 2: The Demand for Automation
The evolving cybersecurity threat landscape
The cybersecurity workforce
The traditional security operations center
The solution of cybersecurity automation
Value Stream Map
CHAPTER 3: Mastering Cybersecurity Automation
Cybersecurity automation architecture
Cybersecurity automation processes
Cybersecurity automation technology
CHAPTER 4: Prerequisites and Assumptions
The similarities between SMB and Large Enterprises
International legal and data privacy considerations
Government regulations and certifications
Industry-related regulations and certifications
Organization policies/Asset policy
PART TWO: Building Blocks
CHAPTER 5: Sending Emails Playbook
Technical integration components
Process flowchart
Explanation of steps and decisions
CHAPTER 6: Enrichment Playbook
Technical integration components
Process flowchart
Explanation of steps and decisions
CHAPTER 7: Analyzing Malware Playbook
Technical integration components
Process flowchart
Explanation of steps and decisions
CHAPTER 8: Actioning Endpoints Playbook
Technical integration components
Process flowchart
Explanation of steps and decisions
CHAPTER 9: Firewall/web proxy Blocking Playbook
Technical integration components
Process flowchart
Explanation of steps and decisions
CHAPTER 10: Escalate to Incident Response Playbook
Technical integration components
Process flowchart
Explanation of steps and decisions
CHAPTER 11: SIEM Automation
Technical integration components
Process flowchart
Explanation of steps and decisions
CHAPTER 12: Responding to Emails
Technical integration components
Process flowchart
Explanation of steps and decisions
CHAPTER 13: Asset Discovery Playbook
Technical integration components
Process flowchart
Explanation of steps and decisions
CHAPTER 14: Manual Exception Playbook
Technical integration components
Process flowchart
Explanation of steps and decisions
CHAPTER 15: Whitelist Playbook
Technical integration components
Process flowchart
Explanation of steps and decisions
PART THREE: Fully Automated
CHAPTER 16: Phishing Response Automation
Building Blocks Required
Flowchart
Description of the phases of this automation
Potential response actions
How this automation is used
CHAPTER 17: Unusual Privileged Account Activity
Building Blocks Required
Flowchart
Description of the phases of this automation
Potential response actions
How this automation is used
CHAPTER 18: Banned Programs
Building Blocks Required
Flowchart
Description of the phases of this automation
Potential response actions
How this automation is used
CHAPTER 19: Threat Intelligence Response
Building Blocks Required
Flowchart
Description of the phases of this automation
Potential response actions
How this automation is used
CHAPTER 21: Vulnerability Management
Building Blocks Required
Flowchart
Description of the phases of this automation
Potential response actions
How this automation is used
CHAPTER 22: Emergency Vulnerability Management
Building Blocks Required
Flowchart
Description of the phases of this automation
Potential response actions
How this automation is used
CHAPTER 23: Data Loss Prevention
Building Blocks Required
Flowchart
Description of the phases of this automation
Potential response actions
How this automation is used
CHAPTER 24: Cloud Orchestration and Response
Building Blocks Required
Flowchart
Description of the phases of this automation
Potential response actions
How this automation is used
CHAPTER 25: Insider Threat
Building Blocks Required
Flowchart
Description of the phases of this automation
Potential response actions
How this automation is used
CHAPTER 26: Threat Hunting
Building Blocks Required
Flowchart
Description of the phases of this automation
Potential response actions
How this automation is used
CHAPTER 27: User Account Provisioning/Termination
Building Blocks Required
Flowchart
Description of the phases of this automation
Potential response actions
How this automation is used
CHAPTER 28: Rogue Assets
Building Blocks Required
Flowchart
Description of the phases of this automation
Potential response actions
How this automation is used
CHAPTER 29: Metrics
Building Blocks Required
Flowchart
Description of the phases of this automation
Potential response actions
How this automation is used
CHAPTER 30: Cybersecurity Automation Matrix
Building blocks and their components
Automations and their building blocks
Cybersecurity roles and their automation
Table of Illustrations
About the Authorship
About the Technical Review
Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts.
You can connect with him on LinkedIn.
You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF" which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits.
Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several fun, hands-on labs in Microsoft Azure, leaving you with the know-how to create a gig on Fiverr or Upwork to start your cybersecurity freelancing.
Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer.
Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, Kindle, or PDF versions. The downloadable PDF version can be grabbed here.