Auto closing tickets based on workload

Last week I had an interesting chat with a security team:

  • Our workload is very unpredictable
  • We want SOAR to intelligently auto-prioritise incidents
  • And when we are ‘busy’ auto close low priority tickets
  • But we still want automated IOC enrichment, full auditing, etc.

Coupled with intelligent prioritising, this is a great idea.

Request: “if workload is high, auto close incident”

  • After a new incident workflow enriches, we calculate the current team workload
  • For every open incident: Priority 1 = 4 points, Priority 2 = 3 points, etc.
  • If the total is >20, auto close the new incident with the note “auto closed due to too much workload”

This is great, but I see an improvement. Workloads change very quickly: you might be busy right now, but in an hour everything gets resolved and you have no tickets to look at.

My alternative: “create, enrich, wait, auto close”

  • Any low priority incident starts a 3 day timer
  • Incidents are assigned to the team, not an individual
  • If an analyst has capacity, they can self-assign and own the ticket
  • If the incident isn’t touched in 3 days, it is auto closed
  • We create dashboards that look at the incident count per close duration
  • These dashboards show how many incidents per type are closed without being looked at
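Both policies side by side, as an added Python sketch that is not from the original post: the workload score with its 20-point threshold, the 3-day untouched timer, and the dashboard count of incidents closed without anyone owning them. The points for P3/P4, P3 as the “low priority” cutoff, and a self-assigned ticket being exempt from the timer are my assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# P1 = 4 and P2 = 3 points come from the post; P3 = 2, P4 = 1 and "low" = P3+ are assumed.
PRIORITY_POINTS = {1: 4, 2: 3, 3: 2, 4: 1}
WORKLOAD_THRESHOLD = 20              # "total points > 20" means the team is busy
IDLE_CLOSE_AFTER = timedelta(days=3)
LOW_PRIORITY = 3

@dataclass
class Incident:
    id: str
    priority: int
    kind: str                        # alert type, feeds the close-duration dashboard
    created: datetime
    status: str = "open"
    owner: Optional[str] = None      # None: assigned to the team, not an individual
    last_touched: Optional[datetime] = None
    audit: List[str] = field(default_factory=list)

def team_workload(queue: List[Incident]) -> int:
    """Workload score: sum of priority points over every open incident."""
    return sum(PRIORITY_POINTS[i.priority] for i in queue if i.status == "open")

def close_on_workload(new: Incident, queue: List[Incident], now: datetime) -> bool:
    """Original request: after enrichment, close the new incident if the team is busy."""
    score = team_workload(queue)
    if score <= WORKLOAD_THRESHOLD:
        return False
    new.status = "closed"
    new.audit.append(f"{now.isoformat()} auto closed due to too much workload (score={score})")
    return True

def close_if_untouched(queue: List[Incident], now: datetime) -> List[str]:
    """Alternative: low priority, still team-owned incidents untouched for 3 days are auto closed (assumption: a self-assigned ticket is exempt)."""
    closed = []
    for i in queue:
        idle = now - (i.last_touched or i.created)   # any update resets the timer
        if i.status == "open" and i.owner is None and i.priority >= LOW_PRIORITY and idle >= IDLE_CLOSE_AFTER:
            i.status = "closed"
            i.audit.append(f"{now.isoformat()} auto closed: untouched for {idle.days} days")
            closed.append(i.id)
    return closed

def unreviewed_closures(queue: List[Incident]) -> Counter:
    """Dashboard feed: closed incidents per type that no analyst ever owned."""
    return Counter(i.kind for i in queue if i.status == "closed" and i.owner is None)
```

Run `close_if_untouched` from a scheduled playbook and plot `unreviewed_closures` per type; a type that is always closed unreviewed is a candidate for tuning at the detection side.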

I’m an ex-analyst; I know that low quality alerts can contain valuable information. We don’t always have the time, but that ticket still needs enrichment for future analysis in case we need to come back to it.

At least by using SOAR for automation you ensure that:

  • The incident was logged
  • The details were enriched
  • You were able to reach out to members of the company to validate
  • All information and decisions were auto logged for future audit and reviews
  • The playbook had the option to double check the alert is low priority (and self re-prioritize if not)

…which is significantly more than I was able to control a few years ago 🙁

Andy