Pricing Login
Interactive demos

Click through interactive platform demos now.

Live demo, real expert

Schedule a platform demo with a Sumo Logic expert.

Start free trial
Back to blog results

September 8, 2021 By Enrico Benzoni

How to implement cybersecurity automation in SecOps with SOAR (7 simple steps)

When it comes to cybersecurity automation, there is the persistent fear that security automation is here to replace humans. And while those fears are somewhat justified, the reality is that automation in security operations is meant to aid, not hinder security professionals.

And with cyber threats evolving at a dazzling rate, cybersecurity automation is slowly becoming a necessity, rather than a luxury.

In this blog, we’ll explain how SOCs can seamlessly incorporate security automation (in a completely safe manner) into their SecOps in 7 simple steps. Let’s dive in.

The role of automation in cybersecurity operations?

The role of automation in cybersecurity operations is to ease the burden of cybersecurity organizations by automating repetitive behaviors.

Security automation allows security teams to automate repetitive and time-consuming tasks with the end goal of improving the workflow of SecOps and achieving better efficiency. Security automation, as a capability provided by the revolutionary technology SOAR, gives SOCs a major boost in their SecOps, offering a 10x SOC productivity and over 80% improved incident response time. 

SOAR is a type of technology that allows organizations to replicate their security operational processes into a workflow and orchestrate different existing technologies to better identify, track and remediate cyber incidents.

Analysts have a myriad of tasks and processes that they must perform, and via automation, analysts can choose which repetitive processes they want to automate and which ones they want to process manually.

What is the difference between security automation and orchestration in Cloud SOAR?

SOAR is an all-in-one platform that allows users to manage multiple technologies in streamlined processes thanks to playbooks.

With Orchestration, you can activate specific actions of the other tools, and thanks to playbooks, you can connect all the tools that analysts need in specific moments. This allows them to replicate threat response processes and extract all the information an expert needs to make decisions, send notifications, and take containment actions from one convenient location.

Automation allows for faster process deployment because analysts intervene only where there are decisions to be made. In fact, Cloud SOAR’s machine learning capabilities automatically identify the type of attacks, eliminate the false positives, create incidents, and activate the specific playbooks. 

Automation should be focused on assisting teams mainly with low-level tasks, allowing analysts to focus their time and effort on more challenging tasks (such as process governance), understanding situations, and making quick decisions based on SOAR insights.

Automate security operations with SOAR in 7 steps

As we mentioned, the degree of automation applied in security operations is completely adjustable.

In order to start automating your security operations, you just need to follow these 7 simple steps. 

Step 1: Identify Standard Operating Procedures (SOPs)

The first thing to do before starting automating security operations is to analyze the current Standard Operating Procedures (SOPs) within the conventional processes of the organization. Those are basically the recurring processes that include incident response and investigation.

Step 2: Analysis of the tools that need to be orchestrated within the processes

The second step is to analyze the tools that need to be orchestrated within the processes to perform investigations, notifications, and corrective actions.

Step 3: Verify existing API connectors

The third step is to verify that all API connectors identified in step two perform the individual actions and are available or developable.

Step 4: Create missing API connectors

Easily create or modify API connectors thanks to the Open Integration Framework (OIF) that allows users to extend the functionality of Cloud SOAR and integrate it into other processes.

You can also create Daemons that proactively enhance SecOps. There are no limits on Daemons you can create, like for example, new IoCs in threat intelligent platforms or SIEM alerts with higher risk.

Step 5: Replicate and enhance processes in graphical mode using playbook logic

In the fifth step, with playbook logic, create graphical workflows that give you control over your process and provide you with the ability to replicate and improve your processes. You can completely customize your playbooks by adding specific actions of the tools you have in your environment, but also tasks, and user choices to enrich, block, notify, escalate and contain threats.

Step 6: Progressive Automation

Thanks to its machine learning engine, SOAR can learn the characteristics of alerts and use that knowledge to prevent cyber attacks. So, the implementation of progressive automation in SecOps has many perks. And it starts from the moment an alert is received:

  • The alert is analyzed and identified as either a false positive or a real threat

  • Real threats are automatically converted into incidents

  • Incidents are automatically assigned to a specific group or a single analyst

  • Specific playbooks are launched, appropriate to the type of attack

In addition, when you define playbooks you can choose the type of actions you want to automate. For every single action in the SOPs (playbooks), it is essential to decide how it should be executed. In this area, we can identify three types of actions that can be inserted into a playbook:

1) Fully automated activities: Actions that are performed directly by SOAR without the need for human intervention. Based on experience, these kinds of activities are mainly those that include investigation and enrichment of alarms.

2) Semi-automatic activities: Actions that require the activation of an analyst. However, the action will be executed through APIs by orchestrating the appropriate technologies. The analyst has a dashboard that provides access to various tasks that he has to perform in correlation to the order of priority.

3) Manual tasks: In this case, these are real tasks that the analyst has to do manually on multiple specific technologies. This includes actions on technologies that do not have APIs or that the analyst wants to manage without direct connection to the SOAR.

Step 7: Analyst training and shift of mindset

Right now analysts spend a lot of their time focused on:

  • Manual tasks

  • Threat investigations

  • Enrichment

  • Triage of false positives

  • Creating reports for many incidents

  • Managing a huge amount of different tasks on different platforms.

Thankfully, with the helping hand of security automation, many of these tasks will be handled by SOAR, thus giving them the freedom to channel their time and effort into more challenging tasks, such as processing governance, managing escalations, and taking quick decisions.

Security automation provided by SOAR is completely reliant on humans

Security automation is not going to replace humans and take their jobs, because as advanced as it may be, automation will always be reliant on humans. And the best thing about cybersecurity automation is that it is completely adjustable and always under the complete supervision of security professionals.

With security automation automating many manual and repetitive tasks, analysts can focus their time on user choices and other very important tasks that have to be performed by humans.

Analysts have their own SecOps Dashboard that permits them to have control of all their tasks. In addition, Cloud SOAR provides useful suggestions thanks to the Supervised Active Intelligence - SAI.

The SAI learns from your analysts’ past responses to historical incidents and uses that knowledge to form more accurate responses to new ones. This capability drastically speeds up incident response time by applying machine learning and automation to practical workflows.

Which operational processes can be automated?

SOAR allows analysts to have the liberty of choosing which processes they want to automate. And, thanks to SOAR’s commendable flexibility, analysts are able to automate a wide range of security operations.

For instance, let’s take a trivial phishing attack. Now, in order to assess a potential phishing threat, the analyst has to perform various types of analysis before understanding whether a threat is such or not. This includes:

  • Geolocation

  • IP reputation analysis 

  • Retrieve information about any compromised users

  • Detonating attachments

Thanks to SOAR, these activities can be fully automated, and the analyst receives notifications and key insights that allow him to verify all the information collected in a very short time and then activate containment actions.

So, the same procedure of assessing a phishing threat that would take the analysts a lot of time to complete can be automated in mere minutes via SOAR.

Is there a downside to cybersecurity automation?

Yes, the revolving stereotype some have about automation, thinking that it can completely replace humans in security operations.

The reality is that as sophisticated as automation may be in terms of being autonomous, it still requires human instructions and navigations. Even if automation handles tasks independently, it still needs to be trained. 

Analysts with a SOAR solution can replicate threat response processes and define which functions should be automated and which shouldn’t. The automation process requires human control to be optimized and tailored to the way the organization wants the automation process to be managed.


Whatever your opinion on security automation may be, the unequivocal reality is that automation is here to stay. Even more so since hackers are starting to use automation backed by machine learning and artificial intelligence to boost their cyber attacks. This means that the time for SOCs who haven’t embraced automation yet is running out, and sooner or later, automation is going to establish itself as a mandatory capability in everyday SecOps.

Learn more about the powers of progressive security automation as one of the main capabilities provided by SOAR.

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Sumo Logic cloud-native SaaS analytics

Build, run, and secure modern applications and cloud infrastructures.

Start free trial

Enrico Benzoni

Manager, Marketing and Technology Alliances

More posts by Enrico Benzoni.

People who read this also enjoyed