Thoughts from #Symphony2019

A great day for SOAR at #Symphony2019 in SanFrancisco yesterday. For those that couldn’t attend, here are *my* top 10 comments/thoughts from today. I’ll no doubt follow some of these up with better write-ups in the future.

“There will be 12.3 billion mobile-connected devices by 2022” (Cisco Visual Networking Index whitepaper) reinforcing our problem that human analysts can’t keep up with the tech explosion. Especially as our brains and team sizes grow in a linear way, and this device explosion is growing more like exponential. Is automation the only to retain some control? (Thanks Keren )

I’ve already joked on this blog how attackers automate, and so should defenders. Keren also pointed the audience in the direction of AutoSploit which really backs this up

SOAR and automation are great, but don’t forget that over-automating can lead to reduced visibility which is a slippery slope to not seeing everything. Yes automate the boring, but don’t forget to track it, review it, etc. So don’t forget case management, automated reporting etc.

‘SOC Analyst hours saved per month’ might not be a KPI for some business units. Consider other approaches that relate to business goals, for example ‘response time for access requests’ which uses a playbook that onboards people into Distribute Lists, 2FA systems, etc. For many your employer is your customer and KPI that relate to the business might fare better.

Previously I briefly touched on how even simple playbooks can still add value, and a great example was covered today by a guest speaker. Chasing end users for input/updates on tickets is not only time consuming but very distracting. Imagine SOAR as an end user prompter which will ask for more information “every 4 hours” for a total of 24 hours and then automatically closing the ticket with “lack of information”. Any system can kick off this playbook and we sync all updates back to ticketing/email/slack taking the burden of responsibility away from your team.

Over the years Privacy and Security have been merging into one another and it’s causing fresh problems SOC teams (e.g. scale, focus)

During a Q&A it was asked “is SOAR not becoming one complicated place with lots of code in?”. The guest presenter made a fantastic point reminding us that SysAdmins are naturally lazy and mini tactical home-brew scale automations have existed for 20+ years. However without SOAR their network would have small snippets of code running on 100 different servers by 100 different authors and without real documentation meaning that when a developer leaves the knowledge of what/why/how goes with them. A SOAR platform helps bring that together and formalise that with a standardised environment.

Guest speaker – “In a P1 critical incident the last thing I want to focus on is remembering how to do the silly little processes”

All board members understand risk, but they might not quantifiably understand how much better stopping attack X in 15 minutes is compared to stopping it in 2 hours, is that good or bad? Crowdstrike recently released a report focussing on the breakout time breaking this down by threat actor. This can serve as a fantastic baseline that explains to the board “this attack typically takes 1 hour from exploit to exfiltration” and we can now us that to serve the baseline to compare a “manual only” method vs how a SOAR playbook can compete. (

It was a great event and I’m looking forward to next year’s guest speakers, thanks everyone!!