Who Should Build Your Security Automations

SOC vs SecEng

This week, I’m diving into a critical decision for your security automation setup. To make it easier to understand, I'm going to use a construction analogy. Think of this as building a skyscraper.


In one corner, we have the Security Operations Team, the diligent ground crew. These folks are like the builders on the front lines – agile, hands-on, and ready to act. They're the ones identifying vulnerabilities, reinforcing digital barriers, and countering threats with lightning speed. Picture them as a skilled team laying bricks, ensuring there are no gaps for cyber threats to sneak through.

In the other corner, you’ll find the Security Engineering Team, the master architects. These are the strategic visionaries mapping out your cybersecurity blueprint. With their deep understanding of risk management, compliance, and security protocols, they're not just planning for today but for the future. They think beyond the immediate needs, designing a skyscraper that can withstand even the fiercest cyber storms.

So, here’s the big question: Who should you trust with the blueprint of your hyperautomation skyscraper? The quick-reacting Security Operations Team, always in the cyber battleground, or the foresighted Security Engineering Team, charting the long-term path?

In this article, I’ll break down the pros and cons of letting either team lead your security automation. We’ll explore how to balance immediate responses with strategic long-term vision. Whether you’re just starting in cybersecurity or are a seasoned pro, figuring out who should take the lead is crucial for building and maintaining a strong Security Automation skyscraper.

Security Operations Team 🎯 

Advantages:

  • Immediate Response: Like the builders on the ground, the SOC team can respond instantly when a threat appears, mitigating damage before it escalates. This immediacy ensures that the base of our skyscraper is robust and resilient, preventing foundational cracks that could compromise the entire structure. As the end users of the automation, they notice quickly when a step is not working correctly and can fine-tune it fast.

  • Hands-On Experience: These guys use security tools every day. They know exactly which processes need automation to make their jobs easier. Think about a scenario where malware is detected – they know the ins and outs of the system well enough to automate repetitive tasks like quarantining affected files or notifying relevant personnel.

  • Continuous Feedback Loop: As they deal with incidents, they’re constantly learning and tweaking their methods. This real-time feedback is crucial. For instance, after dealing with a ransomware attack, they can immediately adjust their defenses to better handle similar threats in the future.

Disadvantages:

  • Ground-Level Vision: The SOC team is often so focused on immediate threats that they might miss the bigger picture. From my experience, SOC teams usually build a lot of small playbooks that address only parts of the problem, leading to a huge pile of automations that are not optimized, with some serving the same purpose. Additionally, change management is not typically their strength, often resulting in automations created "quick and dirty" without proper data flow designs or documentation on dependencies or custom code. (I recommend checking the Security Automation Development Life Cycle (SADLC) that I wrote.)

  • Tool Limitations: If you’ve worked as a SOC analyst, you know the pain of adding another tool to your toolset. Integrating an automation platform can add overhead. Although many platforms promise low-code/no-code solutions, this is usually true only for simpler use-cases. Building complex scenarios often requires custom code or integrations, and coding might not be the SOC team’s strong suit.

  • Cost Perspective: Starting with the SOC team might seem cost-effective since you don’t need to add additional FTEs to manage your automations. However, adding more tasks and responsibilities can increase stress and lead to high attrition rates. Combined with inadequate documentation (leading to tribal knowledge), this is a recipe for disaster.

Security Engineering Team 🛠️ 

Advantages:

  • Grand Vision: With blueprints that foresee the skyscraper's pinnacle, the Security Engineering team ensures every floor, every room aligns with the bigger picture. They design with the end goal in mind, creating a cohesive and integrated security strategy that supports long-term objectives and growth.

  • Technical Precision: The engineering team's deep technical expertise ensures that all automation tools and security measures are seamlessly integrated. Their precise planning and attention to detail guarantee structural integrity, reducing the risk of vulnerabilities and ensuring robust defenses.

  • Future-Proof Design: The Security Engineering team’s designs account for scalability and future challenges. They build with an eye on tomorrow's threats, ensuring the skyscraper can adapt, evolve, and stand tall as the cybersecurity landscape changes.

Disadvantages:

  • Detached from Ground Reality: While they are adept planners, the engineering team might sometimes overlook the practical, on-ground challenges faced by the SOC team. Missing out on these nuances can lead to designs that, while theoretically sound, might fall short in real-world application.

  • Extended Planning Phase: The detailed and meticulous planning that the engineering team undertakes can delay the actual kickoff of construction. While this thorough planning is beneficial in the long run, it might slow down the implementation of necessary security measures in the short term.

Blueprint for the Future

In my opinion, the best approach is a hybrid one. Integrate the immediate response capabilities of the SOC team with the strategic vision of the Security Engineering team. This collaboration can create a cybersecurity defense system that’s both effective today and adaptable for tomorrow’s challenges.

Additionally, I'm curious to learn more about your own cybersecurity setups. Understanding the diverse structures in which we operate can offer invaluable insights and foster a richer community dialogue. To that end, I've included a poll below. Let's share our experiences and strategies:

  1. Who currently leads your security automation initiatives?

  2. What challenges have you faced in integrating automation tools?

  3. How do you balance immediate response and long-term planning in your cybersecurity strategy?

Your feedback will help shape our collective knowledge and strategies moving forward.
