From Speed to Consistency


The Power of Automation for Your SOC


Key Topics Covered in this book:

  • What does automation mean for cybersecurity professionals?
  • Why an automation strategy is critical and how it can help you
  • The 5 steps to consider for a successful automation strategy
  • Examples of automation in practice

Introduction

In today’s rapidly evolving digital landscape, cybersecurity teams face an unprecedented challenge: the ever-expanding attack surface. With digital growth surging, the shift to cloud computing, and the increasing trend of working from anywhere - the volume of information that security teams must process has skyrocketed. This deluge of data, expected to only intensify, leads to an overwhelming number of alerts, creating a significant burden for these teams.

In this complex environment, the role of automation becomes crucial. To harness its full potential, cybersecurity teams must engage in a thoughtful analysis, asking themselves key questions like: which workflows are ripe for automation? What critical information could we be missing to make automation successful? And most importantly, how can we leverage automation to enhance our overall efficiency and resiliency?

In this eBook we will explore the importance of improving automation strategies to help you succeed in our fast-paced world.

What does automation mean for security professionals?

Put simply, automation is using technology to perform tasks with less or no human assistance. Automation can be a game-changer for businesses of all sizes and industries. By automating monotonous and repetitive tasks, organizations can increase their efficiency, productivity, and profitability while freeing up time for higher-value activities. For defenders, automation can be especially critical, allowing security teams to respond faster to threats, reduce analyst burnout, and maintain consistency in their responses. In this eBook we will dive deeper into automation best practices, drawing insights from experts in the field and providing practical tips and tools to help you develop and implement a successful automation strategy for your business.

Why does Automation Matter for Cybersecurity Professionals?

The cybersecurity industry is constantly evolving with threat actors leveraging AI and automation to uncover vulnerabilities and unleash attacks faster than ever. These factors make it challenging for defenders to stay ahead of the game. Therefore, organizations need to incorporate automation into their security strategy, reducing the burden of repetitive work, while freeing up more time for high-value activities that drive their security strategy forward.

Although automation is not a one-size-fits-all solution, it can undoubtedly improve the effectiveness of security teams. Successful implementation requires the right approach, along with a culture that supports automation, regardless of the tool(s) you’re using.

2.24 months dwell time

Proactively blocking threats doesn’t always work, and when it fails, threat actors tend to stay undiscovered for a period of time. The State of Security 2023 report by Splunk found that the average dwell time was 2.24 months. Security analysts need a way to respond to threats faster, so they can keep pace with and get in front of threat actors that continue to evolve their tactics.

4,000+ alerts per day

The average SOC receives more than 4,000 alerts per day - too many to effectively handle in a single day, leading to alert fatigue.

55% of analysts report critical alerts are being missed

Considering the overwhelming number of alerts that analysts are required to handle daily, combined with the repetitive nature of the tasks, inconsistencies in responses are unavoidable.

How Automation Can Help

Speed

Automation allows security analysts to respond to threats faster, which is crucial in today’s fast-paced threat environment. Teams need to maintain strong detection and remediation strategies to protect their businesses, and automation can enable a faster response.

Alert Fatigue

Automation is a key strategy for organizations trying to improve their SOC team’s efficiency. According to the 2022 Gartner® Tips for Selecting the Right Tools for Your Security Operations Center report, “SOC teams face scalability challenges. Too many events and too much time spent on investigating complex incidents drive security leaders to seek tools for improving their SOC productivity.”

Consistency

Automation can help prioritize and document alerts, ensuring there is uniformity in the way alerts are triaged, analyst-to-analyst, day-to-day. While human analysts will always be needed for deep investigations or critical incidents, SOC Level 1 work can be offloaded to automation, allowing teams to focus on higher-value aspects of their role.

Resource Optimization

By automating the collection, analysis, and response to cyber threats, organizations can take over the tasks that analysts often find mundane, giving them time to develop specialization and focus on the skilled work that is essential for the more advanced threats facing security teams today.

Automation is a lever that organizations can pull to respond faster, minimize alert fatigue, optimize resources, and drive consistency. Automating your security processes has tangible benefits. IBM’s Cost of a Data Breach 2022 report showed that organizations with a fully deployed AI and automation program were able to identify and contain a breach 28 days faster than those that didn’t, and organizations with partially deployed automation programs fared better than those with none. With this in mind, you’re probably ready to learn how you can get started!


The 5 Steps to a Successful Automation Strategy

Step One: Establish internal alignment on why you want to automate

In the rapidly evolving landscape of cybersecurity, the decision to automate is crucial, yet multifaceted. It’s critical to understand your goals for automation, especially those of decision-makers and leadership, to make sure you’re automating the things that drive success in their eyes. Understanding how and why to automate is not merely about employing tools; it is about adopting a mindset in which automation extends beyond traditional automation tools.

Think outside the box

Automation is not just a tool, it’s a mindset that expands beyond SOAR tools, although those can be extraordinarily useful.

What is the cost associated with automating?

Determine if the process is worth automating by evaluating the time, energy, and resources required to develop and maintain the automation. Will the time saved through automation outweigh the cost of developing and implementing an automated process? Don’t fall into the trap of spending hours to automate a process that only saves you minutes throughout the year.

What is the cost of continuing with manual processes?

Take into account the impact of continuing with a manual process on your team’s time and energy. Analyst burnout is a very real problem: 81% of respondents to Splunk’s State of Security 2023 report indicated that critical staff members left the organization for another job due to burnout. Automation is a significant lever for reducing the risk of analyst burnout, minimizing tedious, repetitive tasks and allowing time to focus on the interesting problems and low-volume, high-value alerts.

What is your opportunity cost for automating a process?

Opportunity cost is a major concern. When your team’s expertise is diverted towards manual processes, it hinders their ability to concentrate on higher-value activities. Consider the types of valuable activities you may be missing out on due to repetitive and manual tasks that could easily be automated.

Step Two: Define Success

Defining success for automation strategies in cybersecurity is essential. A well-articulated definition of success serves as a guiding star for the entire automation process, ensuring that all efforts are strategically aligned with the organization’s broader objectives. This clarity helps in identifying the most impactful areas for automation, ensuring that resources are optimally allocated and that the automation delivers tangible benefits. Moreover, a clear success criterion allows for measurable outcomes, facilitating ongoing evaluation and adjustment of the strategy. This is crucial in a field as dynamic as cybersecurity, where the threat landscape and technological capabilities are constantly evolving. By defining what success looks like, organizations can ensure that their automation efforts not only improve efficiency and reduce human error but also contribute significantly to the overall resilience and effectiveness of their cybersecurity posture.

Start with a phased approach

When teams start on their automation journey it is crucial to view it as one of incremental progress, rather than attempting giant leaps. By breaking down the automation journey into smaller, manageable steps, teams can ensure a smoother transition and achieve measurable success along the way.

Look to your existing tools

More often than not, your existing tool set already offers opportunities to integrate, fostering a cohesive ecosystem that enables seamless data exchange and collaboration. You may need to bring in external context or additional information to supply the crucial insights that propel your automation strategy forward.

Set objectives and track progress

Defining success in the context of automation involves setting clear objectives and key performance indicators (KPIs) to measure progress and impact. In order for teams to prove the success of their automation efforts, they need a clear understanding of the current state of their processes to identify improvements. By taking these baby steps and gradually expanding automation initiatives, organizations can realize the transformative benefits of automation while ensuring a solid and sustainable foundation for future growth.

You have to measure success, everybody has an opinion on what to automate and often the squeaky wheel tends to get the oil, but it’s important to think about the opportunity cost. Are we going to spend months developing an automation that in the end is going to only save 5 mins of time? And then you need to be able to measure it year over year to quantify it. Also consider if it needs to be done in a tool or in a dashboard - there are various ways to reach the same goal.

Robb Mayeski, Senior Manager Cybersecurity, EY

Step Three: Create a culture of innovation and embrace automation

Embracing automation is more than deciding on a tool and a process. To get the force multiplier effect that automation has the potential to deliver, you need a team culture that embraces automation.

As a CISO you need to cultivate an entrepreneurial mindset amongst your team and encourage employees to test things out, build things, and try new things. Knowing that it won’t be perfect at first is essential.

We live and die by automation, but it’s a culture at our organization. If you were to just challenge your team and say ‘Hey, go automate your job’, you’ll find that there are some builders in your team and you’ll start seeing these huge, quick wins right away.

John McLeod, CISO, NOV

Security Analyst Perspective

A security analyst’s job is challenging. Handling an overwhelming number of alerts and performing repetitive tasks can lead to burnout, errors, and inconsistencies. However, as an expert in your domain, you are well-positioned to find forward-thinking solutions that can help you automate processes and tasks. An effective way to approach this challenge is to identify members from various departments, such as HR, IT, and Operations, who have experience in automating their own processes. By collaborating with others and sharing knowledge, you can identify new opportunities and develop a plan tailored to your team’s unique needs.

Talk to people and find out what they are doing over and over and over again as they navigate their tools - those become great candidates for automation. Then it’s not just the tool doing automation for you, it’s how people are using the tool to automate something impactful.

Haylee Mills, Security Strategist, Splunk

Step Four: Decide on where to start

When it comes to automating tools and processes, it’s important to choose the right place to begin. Consider these three tips:

  1. Start with simple use cases: Build expertise and understand the intricacies of the process. Prioritize the alerts that are critical to your business, and consider beginning with approachable tasks that deliver early successes, laying the groundwork for more complex workflows like phishing response.
  2. Partially automate: You don’t need to automate entire workflows; automating part of a workflow keeps adoption manageable and scalable. This approach preserves flexibility and human oversight in complex or variable scenarios, combining the efficiency of automation with human expertise.
  3. Look out for potential failure points: Assess dependencies (data sources, integrations, enrichment services) so that the automation is resilient and well-orchestrated, and so that it integrates cleanly into your organization’s operational ecosystem.

It’s important to strategically pick the use case that you start with. The one I never liked, but often see as a starting point, is phishing. Nobody likes dealing with phishing alerts, and every cybersecurity team feels this pain. But, when you start to build out a phishing playbook you realize it’s about 1,000 steps long and has lots of variables. There are easier use cases to focus on like enrichment or user lookup or maybe something you think would be fun. Picking an approachable first use case helps get some momentum going!

Jim Wolfe, Senior Security Architect, Recorded Future
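The three tips above (start simple, partially automate, watch for failure points) and the measurement point from Step Two, as an added Python example written for this page; it is not Recorded Future’s, Splunk’s, or any quoted speaker’s code. It is a partially automated triage playbook for a login alert: it enriches the alert with an IP-reputation and a user-directory lookup, auto-closes only the low-risk, fully enriched case, escalates everything else to an analyst, treats an enrichment outage as a failure point that routes to a human rather than silently passing as “clean”, and returns the auto-close rate a team would baseline and track. The enrichment tables, alert fields, scoring weights, threshold, and sample alerts are all hypothetical stand-ins for whatever your SIEM, SOAR, and intelligence feeds actually provide.

```python
"""Added example: a minimal, partially automated triage playbook.

Constructed for this page. The enrichment sources (IP_REPUTATION,
USER_DIRECTORY), alert format, and scoring are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Disposition(Enum):
    AUTO_CLOSED = "auto_closed"              # low risk, no analyst needed
    ESCALATED = "escalated"                  # needs a human decision
    ENRICHMENT_FAILED = "enrichment_failed"  # dependency down: human, never auto-close


@dataclass
class Alert:
    alert_id: str
    user: str
    src_ip: str
    action: str  # e.g. "login_success"


@dataclass
class TriageResult:
    alert_id: str
    disposition: Disposition
    risk_score: int
    notes: list = field(default_factory=list)


# Constructed enrichment data (hypothetical; replace with real lookups).
IP_REPUTATION = {
    "203.0.113.7": {"risk": 90, "tags": ["credential_stuffing"]},
    "198.51.100.4": {"risk": 5, "tags": []},
}
USER_DIRECTORY = {
    "alice": {"title": "CEO", "privileged": True},
    "bob": {"title": "Analyst", "privileged": False},
}


def lookup_ip(ip: str) -> dict:
    """Reputation lookup. An unknown IP is unscored (None), not safe."""
    return IP_REPUTATION.get(ip, {"risk": None, "tags": []})


def lookup_user(user: str) -> dict:
    return USER_DIRECTORY.get(user, {"title": "unknown", "privileged": False})


def flaky_lookup_ip(ip: str) -> dict:
    """Simulates a reputation service that is down (a failure point)."""
    raise TimeoutError("reputation service unreachable")


def triage(alert: Alert,
           ip_lookup: Callable[[str], dict] = lookup_ip,
           user_lookup: Callable[[str], dict] = lookup_user,
           auto_close_threshold: int = 20) -> TriageResult:
    """Enrich, score, decide. Only the low-risk, fully enriched,
    non-privileged path is closed automatically; all else goes to an analyst."""
    result = TriageResult(alert.alert_id, Disposition.ESCALATED, risk_score=0)
    try:
        ip_info = ip_lookup(alert.src_ip)
        user_info = user_lookup(alert.user)
    except Exception as exc:  # an outage must not look like a clean result
        result.disposition = Disposition.ENRICHMENT_FAILED
        result.notes.append(f"enrichment failed: {exc}")
        return result

    # Unscored IP counts as unknown (50), which is above the auto-close bar.
    score = ip_info["risk"] if ip_info["risk"] is not None else 50
    if user_info["privileged"]:
        score += 30  # privileged accounts always get a human look
    result.risk_score = score
    result.notes.append(f"ip_tags={ip_info['tags']} user_title={user_info['title']}")

    if score < auto_close_threshold:
        result.disposition = Disposition.AUTO_CLOSED
    return result


def run_playbook(alerts, **kwargs):
    """Triage a batch and return results plus the KPIs a team would baseline:
    auto-close rate, escalations, and enrichment failures."""
    results = [triage(a, **kwargs) for a in alerts]
    counts = {d: 0 for d in Disposition}
    for r in results:
        counts[r.disposition] += 1
    kpis = {
        "total": len(results),
        "auto_close_rate": counts[Disposition.AUTO_CLOSED] / len(results) if results else 0.0,
        "escalated": counts[Disposition.ESCALATED],
        "enrichment_failed": counts[Disposition.ENRICHMENT_FAILED],
    }
    return results, kpis


# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    Alert("A-1", "bob", "198.51.100.4", "login_success"),    # benign
    Alert("A-2", "bob", "203.0.113.7", "login_success"),     # bad source IP
    Alert("A-3", "alice", "198.51.100.4", "login_success"),  # privileged user
    Alert("A-4", "bob", "192.0.2.9", "login_success"),       # unscored IP
]

if __name__ == "__main__":
    results, kpis = run_playbook(SAMPLE_ALERTS)
    for r in results:
        print(r.alert_id, r.disposition.value, r.risk_score, r.notes)
    print(kpis)
    print(triage(SAMPLE_ALERTS[0], ip_lookup=flaky_lookup_ip).disposition.value)
```

The design choice worth noting is the three-way outcome: an enrichment failure is its own disposition rather than being folded into “escalated”, so the failure-point count is visible in the KPIs and an outage of a single dependency can never produce an auto-close. Swapping `flaky_lookup_ip` in for `lookup_ip` is how you would exercise that path before trusting the playbook in production.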

Step Five: Iterate and Scale

In evolving your automation strategies, it’s vital to avoid waiting for the “ideal” moment or solution, as this leads to stagnation. Starting early and embracing risks is key. If automating a particular use case presents challenges, don’t hesitate to pause and explore other avenues. Treat your playbooks as dynamic, evolving tools, not static entities. As your technology and team evolve, so should your automation efforts. This is a continuous process that grows with each success and the momentum gained, highlighting the importance of adaptability and continuous improvement in automation strategies.


Automation in Practice

NOV

A global equipment provider uses Recorded Future as its north star on its journey to Zero Trust. The team was able to bring intelligence into daily activities that had previously been done manually. John McLeod, CISO at NOV, observes, “You need to know what’s important and how to prioritize. You could have a vulnerability, but is it really exploitable? Recorded Future gives us the confidence to know what’s high-risk versus what we shouldn’t be spending our time on.”

Healthcare company

A healthcare company noted that the Recorded Future enrichments it receives in its Splunk environment are used regularly in day-to-day analysis and consistently provide actionable data that helps defend the environment. The Recorded Future integration and enrichments make it quicker and more efficient to focus effort and identify actionable data.

Identity

A global payments processor discovered that its CEO’s credentials were compromised through the identity intelligence provided by Recorded Future. The team used automations in its SOAR tool to urgently triage, notify the user, and stay current on new potential compromises.


Learn more about automating security workflows

Recorded Future’s Automate Security Workflows solution provides faster detection and response time, more reliable detections, and enables teams to streamline workflows for increased capacity. The solution enables security teams to respond faster by automating the collection and distribution of intelligence in an actionable format. Integrated into security tools and workflows, including SIEM and SOAR, Recorded Future correlates and enriches internal data with external insights to accelerate threat identification, prioritization, and remediation.