Moving towards a fully-automated Security Operations Center?

In January this year, Orange Cyberdefense received the ‘PDIS’ qualification. This certification is issued by ANSSI (French National Security Agency) to cybersecurity providers that meet the threat detection standards of France’s Military Programming Law.

Within this context, the SOC (Security Operations Center) takes on an even more important role. It gathers and analyses a considerable volume of information and security alerts in order to identify every possible threat to a company. In the years to come, the SOC will have to cover more numerous and more complex perimeters. The automation of at least part of its activity is therefore inevitable, and this evolution raises crucial questions about the sharing of knowledge, its reliability, and the interconnection of systems. In this context of increased intelligence in the SOC, we must ask ourselves which human-computer interactions are possible. Rodrigue Le Bayon, Director of CyberSOC at Orange Cyberdefense, draws on his expertise in the field to answer these questions. Interview.


The automation of security tasks is not yet standard practice for many organizations. What limitations do they face?

Rodrigue Le Bayon: The real issue remains identifying the security incident management processes that are already in place. It is also about engaging staff to achieve the tasks assigned to them. Another challenge is to formalize these processes, especially as we are constantly confronted with multiple cases. It is therefore crucial to gather as much contextual information as possible, which will prove to be extremely valuable within the framework of automation; this is too often missing. When such information is present, it is often scattered in the form of data that is rarely standardized or updated. The limitation imposed on us service providers is thus as follows: where can the information be found? Can it be trusted?

Indeed, it is not enough for the information to simply exist. Companies must, above all, take the time to increase the reliability of data that is only known internally – sometimes by only one person. It is this essential stage which makes automation possible. No artificial intelligence can provide reliable results without this structured data.

What are the benefits of an automated SOC?

Rodrigue Le Bayon: Above all, automation is synonymous with time optimisation for SOC experts. They can then concentrate on the most critical and complex cybersecurity issues without neglecting to perform substantive work, which remains essential.

Today we can handle phishing incidents automatically for almost 70% of alerts. Our goal is to reach 90% by the end of the year. This is a considerable development which allows analysts to work in better conditions.

How can we make automation happen, when organisations use a number of different security solutions?

Rodrigue Le Bayon: This is a very important point since every solution has its own controls and communications. Different environments must be able to work together and therefore be connected to each other. There is the human factor: realistically, analysts cannot be trained on dozens of different, ever-changing systems.

We therefore need a layer of orchestration in order to bring together all operations. In simple terms, it comes down to asking the machine to manage the cross-solution translation, adapting to all environments and connecting them together. This orchestration interface is essential for successful automation.

Rodrigue Le Bayon, Director of SOC and CyberSOC at Orange Cyberdefense

About the blogger

Rodrigue Le Bayon is Head of SOC at Orange Cyberdefense.

He has spent his entire career within the Orange Group.

He has helped develop Orange’s cybersecurity activities since 2008.



Is SOC automation a real possibility for all organizations? Do they need a certain degree of maturity in cybersecurity to fully benefit?

Rodrigue Le Bayon: Automation is for all organizations, but it is clear that the most experienced on the one hand, and those with urgent security coverage needs on the other, will lead the way.

In large corporations, automation is truly successful via collaboration with the security services provider (SSP/MSSP), benefiting from their scale and experience. We come back to the notion of knowledge sharing.

What degree of knowledge sharing needs to be put in place for successful automation?

Rodrigue Le Bayon: There are always two players: the client and their cyber security provider. Each party needs automation as much as the other. But automation also needs to be complemented with intelligence, and the larger the knowledge base, the greater the collective intelligence that can benefit all customers.

Nowadays, conversation between machines is possible: a computer can give a command to another, and the recipient can respond. We are thus evolving on notions of analysis and enhanced intelligence. In this context, the real question that remains is on the collaboration between humans and computers. The tools will learn from analysts but analysts will also need them to function more effectively. Teams, therefore, need to have the certainty they can reap the benefits of automation. It is a subject that goes far beyond a simple process change. SOC automation leads to a holistic reflection on change management.