Email Security

    How Cybersecurity Automation Transformed ZeroFOX’s SOC

    Internally sharing info on how the cybersecurity automation software works enables SOC analysts to cut work down from days to hours—or even less.

    by Mike Azzara

    Key Points

    • Research shows cybersecurity automation is on the rise, despite obstacles like a shortage of skilled programmers and concerns that it could lead to new vulnerabilities.
    • By ‘democratizing’ knowledge of the automation software’s inner workings, ZeroFOX’s CSO has transformed the efficiency of the company’s SOC.
    • Frequent iteration means the automation software evolves in concert with the cybersecurity landscape.
    • Added bonus: Better communication across company departments, and a morale boost.

    AI took the business technology world by storm over the past few years. So it comes as no surprise that AI-based cybersecurity automation is becoming all the rage. But some CSOs are saying “not so fast”: Cybersecurity automation presents obstacles, challenges—and, most importantly, it could expose your enterprise to new vulnerabilities emerging from the automation itself. One CSO has found an approach that resolved those issues while delivering dramatic productivity improvements for his security operations center (SOC). 

    Cybersecurity Automation is on the Rise

    Nearly 80% of security professionals responding to a 2019 Ponemon Institute study said their organizations either already use cybersecurity automation or are planning to do so.[1] But AI isn’t magic—it takes lots of hard work to get there. And, like most things in cybersecurity, automation presents a skills-shortage challenge—times two: There’s the general problem of not enough cybersecurity talent, and the difficulty in finding needed AI and automation talent. According to the Ponemon study, 56% of respondents listed the lack of in-house talent as their number one challenge to adopting cybersecurity automation.

    But Automation Can Create New Vulnerabilities

    What’s worse, cybersecurity automation itself may create vulnerabilities, as explained by Cybereason CSO Sam Curry in a report from Mimecast’s Cyber Resilience Think Tank, Transforming the SOC. Curry worries that automated cybersecurity systems “will become predictable and therefore exploitable.” Curry believes CISOs and CSOs shouldn’t “automate for the sake of it, but make the humans more effective, improving the value of their output without weakening the whole.”

    That’s precisely what Sam Small, CSO of ZeroFOX and member of the Cyber Resilience Think Tank, set out to do using an approach he calls “automation acceptance.” Small’s essential idea is to deploy cybersecurity automation whose development and inner decision-making processes are so well understood by the SOC analysts who use it—and anyone else in the business who needs to know, regardless of technical acumen—that the information becomes “democratized.” 

    A Quick Win Lays Groundwork for Automation

    ZeroFOX provides its customers with “public attack surface protection” to help guard against fraud and scams that exploit customer brands. In practice, that means ZeroFOX’s SOC monitors all forms of social media, mobile apps, surface, deep and dark web, and code share repositories on behalf of its managed customers—the ones who choose not to use ZeroFOX’s products to do it themselves. When Small stepped in as CSO, ZeroFOX’s SOC analysts were on the verge of being overwhelmed by thousands of daily alerts in need of rapid processing.

    “At the time, our operations team used our product to triage and service our managed customers’ alerts the same way any individual customer would,” explains Small. “That might seem like an obvious choice, however the volume of alerts we review for our managed customers during any given time frame is at least an order of magnitude larger than an individual customer might experience, and any inefficiencies in the process are exacerbated at that scale.”

    Small assembled a kind of “product development” team for ZeroFOX’s own internal SOC. They modified the standard tool by, for instance:

    • Eliminating the need to use a pointing device, so analysts’ hands never have to leave the keyboard
    • Building bulk-action functions that could be applied to clusters of alerts simultaneously
    • Enabling rapid filtering of alerts by typical characteristics of the data, which allowed analysts to more rapidly access many alerts that shared a particular trait or traits

    Many of these changes were later integrated into versions of the product shipped to customers. While none of those updates involves automation—they simply made the human analysts more efficient—the effort laid important groundwork for the cybersecurity automation that came next.

    Continuous Evolution is a Giant Hurdle for Cybersecurity Automation

    Small knew the next logical step in improving SOC operation should be robotic process automation (RPA), which would capture analysts’ expert knowledge in software. Such cybersecurity RPA software would begin to automate analysts’ decision-making, starting with the simplest choices they have to make. But there was a problem: Unlike accounting RPA software, which automates rote tasks that have been done similarly for many decades, cybersecurity tasks—and associated decision-making—is extremely dynamic, always evolving.

    “The decision making process our SOC analysts use might be rote for a few weeks, or a few months at best, before they evolve slightly—or more than slightly,” says Small. “The events we might consider a threat or a risk, or the severity at which we consider those things at the beginning of the year, might completely change by the end of the year because attackers may target our customers differently. They might've changed their tactics. Our tech stack and capabilities might have changed. And on and on.”

    In theory, therefore, ZeroFOX’s cybersecurity automation software would have to evolve continuously, too. That might be possible, Small reasoned, since ZeroFOX is a software company, and has developers capable of doing it. But how would continuous evolution of cybersecurity automation software work in practice?

    The biggest obstacle was knowledge. Typical RPA software is a black box, as is most AI software. It’s often difficult or impossible to deconstruct AI’s decisions, and that has become a general criticism of the field. The front-line SOC analysts were typically the first to see when something needed to evolve to counter new threats. But if those SOC analysts did not truly understand the logic flow inside their automation software, they’d have a much harder time explaining to programmers what to change.

    The ‘Artifact’ that Makes ZeroFOX’s AI Work

    The solution may sound deceptively simple: Using the RPA design tool from his favorite SOAR system, Small and his team constructed giant posters that visually—and fully—explain the deep inner workings of the SOC’s automation software. Says Small, “You don’t have to be a software engineer; anyone with reasonable intelligence can follow along to understand how the process works. There’s not a lot of room left for the meaning to be lost in interpretation or hidden behind an opaque decision making process.”

    The effects of this simple solution have rippled around the company.

    A mechanism for software evolution: Foremost, it resolved the conundrum around continuously evolving cybersecurity automation software. “It’s an artifact that democratizes the knowledge in the automated processes, giving an analyst the ability to say, ‘Hey, I know how this works right now. That was awesome last month, but things have changed. We want to tweak this just a little bit,’” says Small.

    “Democratization leads to rapid iteration and relieves the pressure on engineers and developers because the logic is visible, they can truly collaborate with non-techies. Instead of saying, ‘This doesn’t work,’ the analysts can come to the table and say, ‘It doesn't work, and I suspect it's for this reason,’ because the process is visible and they understand it," explains Small. “That saves a lot of time.”

    Communication to other departments: Making knowledge about how the automated processes work not only transparent but highly accessible has opened up lines of communication throughout the company. Anyone in the company who can benefit from that knowledge can have it, including the C-suite. This is the effect that led Small to coin “automation acceptance.” By understanding the AI’s workings, employees can better accept its use—or suggest improvements. 

    Morale boost: Sharing knowledge about the inner workings of the company’s cybersecurity automation provides a common foundation for interaction among people from different parts of the company. Instead of simply nodding as they pass each other in the hall, co-workers from different departments have started to get to know each other better, which makes their interactions more comfortable, boosting productivity and morale at the same time.

    The Transformation: Days to Hours, Or Minutes

    Most important, ZeroFOX’s SOC has become far more efficient and effective. Work that took days before cybersecurity automation software now takes hours, and in some cases just minutes. “When you look at the quality and throughput of our service capability, we have completely transformed,” says Small. “That's not to say there aren’t other areas to improve, but it really has been transformative.”

    In addition, ZeroFOX’s approach to cybersecurity automation has an inherent defense against the exploitable predictability that concerns Sam Curry. Having a design process that iterates frequently, with a wide-ranging diverse group of participants who think differently from each other and bring different skill sets to the table, ultimately enables the AI to mimic a full enough range of human potential that it becomes unpredictable from a cyber criminal's point of view.

    The Bottom Line

    Despite significant hurdles and potential vulnerabilities, cybersecurity automation is gaining steam around the world. Getting it right requires investment, hard work and rigor. While many different successful approaches are likely to emerge, cybersecurity automation based on transparently shared knowledge that details the software’s inner workings has driven dramatic improvements at ZeroFOX—and delivered important cultural benefits, too.


    [1]The Cybersecurity Automation Paradox,” Dark Reading

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top