• United States




Automating and orchestrating security operations (and saving $1 million per year)

Jan 17, 20184 mins

Learn how one organization automated phishing investigations to build a business case for security automation and orchestration.

wan bank networking finance2
Credit: Thinkstock

In only a few years, security automation and orchestration (SA&O) has become a cornerstone technology for the modern SOC (security operations center). Investing in a security automation and orchestration platform is often seen as a highly strategic decision as the technology will become a central part of the security infrastructure, effectively acting as the operating system for the SOC.

Security automation and orchestration platforms produce a number of economic benefits in addition to helping your SOC team work more efficiently. This article aims to quantify those benefits by sharing a case study from an actual deployment.

Though industry leading platforms support a wide range of uses cases, many customers begin with incident response when deploying security automation and orchestration. Automating the investigation of suspected phishing emails is a common scenario—the investigations are highly repetitive, follow a known process, and consume valuable analyst time when performed manually.

It’s common for SOC analysts to spend upwards of 90 minutes manually investigating suspected phishing emails, and in one specific SA&O deployment the team handles around 45 suspected phishing emails on an average day.

The standard operating procedure (SOP) for this type of event includes acknowledging receipt from the employee who received the suspected phishing email, analyzing the email for malicious indicators, and taking steps to remediate the threat if the email is confirmed to be part of a phishing campaign.

Using actual data from this deployment and estimated salary rates for a Tier-1 SOC analyst, we can compute the cost of processing suspected phishing emails manually:

Table 1 CP Morey

1. Source of figure: 2. Five-day work week assumed.

With automation, a manual process taking 90 minutes or more to complete now finishes in under a minute, freeing the SOC team to focus time on less routine investigations that require a human’s insight. This 98 percent reduction in the time required to process suspected phishing emails equates to savings of over $690,000 per year.

While the savings possible from automatically processing phishing emails on a routine day alone can justify the acquisition of a Security Automation & Orchestration platform, the expected return on investment is even greater in this deployment.

Routine days for this SOC team bring 45 suspected phishing emails to process, but they also occasionally see burst attacks with up to 300 suspected phishing emails in a single day. With similar analysis, we can also estimate the return associated with handing burst attacks:

Table 2 CP Morey

1. Source of figures: 3. Two burst attacks per month assumed. 4. From Table 1.

With the same 98 percent reduction in the time required to process a suspected phishing email, the total savings equates to more than $1 million per year. Since additional analysts cannot be staffed to handle burst attacks on demand and the current team lacks the capacity to address them, most of the suspected phishing emails received during a burst attack are simply ignored. The true cost of the phishing problem could be much higher after considering the potential breach costs stemming from an incident that has gone unchecked.

Though phishing email investigation is a common use case for SA&O, industry-leading platforms are open and extensible for other use cases. This flexibility gives SOC teams the ability to easily automate a wide range of SOPs.

Teams often focus initially on use cases that represent their greatest pain points. The processes for these use cases often contain many manual tasks and require working across multiple products and departments to complete a single playbook.

While the acquisition of a SA&O platform can often be justified by a single use case such as investigating phishing emails, it’s still important to consider other potential use cases including enrichment, containment, and remediation and more. Developing comprehensive security use cases is important to help ensure that the platform you choose today will also support your needs in the future and maximize your ROI.

Security automation and orchestration platforms produce strong economic returns while helping organizations to work smarter. By automating repetitive tasks, teams can respond faster and reduce dwell times with automated detection, investigation, and response. They can also strengthen their defenses by integrating the entire security infrastructure together so that each part is actively participating in the defense strategy.


CP Morey is Vice President, Marketing & Products at Phantom, the leader in security automation and orchestration. He has a track record building teams and launching new products in fast growth markets. Prior to Phantom, CP was Senior Director of Product Marketing for Cisco’s industry leading security portfolio – a role he assumed after the $2.7 billion acquisition of Sourcefire. While at Cisco, he successfully restructured the team and doubled its size to support the fastest growing business in the company.

Before joining Cisco, CP was Vice President of Product Marketing at Sourcefire where he helped with its transformation into a multiproduct company with the launch of FireAMP, a product with exponential revenue growth since its release in 2012, that now thrives as Cisco’s Advanced Malware Protection (AMP) business.

A veteran of the security industry since 2001, CP has also held leadership positions in product marketing and product management at ISS and PentaSafe while helping to scale the companies for successful acquisitions by IBM and NetIQ, respectively.

The opinions expressed in this blog are those of CP Morey and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.