Created by John Tuckner and the team at the AI-powered automation and workflow platform Tines, the SOC Automation Capability Matrix (SOC ACM) is a set of techniques designed to help security operations teams understand their automation capabilities and respond more effectively to incidents.
A customizable, vendor-agnostic tool that features lists of automation opportunities, it has been shared and recommended by members of the security community since its launch in January 2023, most notably by Airbnb engineer Allyn Stott in his talk at BSides and Black Hat, How I Learned to Stop Worrying and Build a Modern Detection and Response Program.
The SOC ACM has been compared to the MITRE ATT&CK and RE&CT frameworks, with one user saying: “It could be a standard for classifying automation processes for SOAR, a bit like the RE&CT framework, but with more emphasis on automation.” It has been used by organizations in fintech, cloud security, and more, as a basis for evaluating and improving security automation programs.
Here, we'll take a closer look at how SOC ACM works, and share how you can use it in your organization.

What is the SOC Automation Capability Matrix?
The SOC Automation Capability Matrix is an interactive set of techniques that enables security operations teams to proactively respond to common cybersecurity incidents.
It's not a list of specific use cases related to any one product or service, but a way to think about possibilities an organization might pursue.
It provides a solid foundation for beginners to understand what is possible with security automation. For more advanced programs, it serves as inspiration for future applications, a tool for measuring success, and a means for reporting results.
Although the tool is not vendor-driven, it pairs well with a platform like Tines, which was developed by security practitioners to help fellow security practitioners enhance their mission-critical operations through workflow automation and artificial intelligence.

How does the SOC Automation Capability Matrix work?
SOC ACM is divided into categories, each containing automation capabilities.
Each capability includes:
- Description – A brief overview of what the capability does
- Techniques – Technology-neutral ideas about how to implement the capability
- Examples – Related workflow templates from the Tines library
- References – Other research that contributes to the capability
The matrix reads from left to right and top to bottom within each category. Although it takes little position on which capabilities bring the most value or are the easiest to implement, the framework is adaptable to what organizations find most valuable.
Each capability can stand alone in the matrix, but combining several capabilities can produce far more complex and impactful results.
How to use the Capability Matrix to automate SOC
Next, we'll demonstrate how to use SOC ACM, taking phishing response as our example. Many organizations use multiple technologies to find and analyze suspicious messages so they can respond appropriately to malicious emails.
To get started, here are some steps that a routine phishing investigation might involve:
- Receive a phishing email or alert
- Send a notification to the security team for remediation
- Create a ticket to track and record the analysis
- Review email elements, including attachments, links, and email headers
- If suspicious, delete the email and add its attributes to blocklists
- Notify the reporting user with a status update
Within the capability matrix, phishing alerts appear in the Alert Handling section. Many organizations implement tools such as email security gateways to prevent suspicious emails from being delivered to inboxes while also generating alerts about attack campaigns, and these alerts can trigger automation directly.

The capability also outlines a strategy to create a dedicated inbox so users can easily forward phishing emails that may have passed through filters. Implementing these two capabilities provides an opportunity to jump-start an automation workflow.
Once a suspicious message is identified, either through a user report or a generated alert, further automation possibilities open up. One recommendation is to create a tracking location for the lifecycle of each alert as early as possible.
Using the location tracking capability in the Issue Tracking section, we can determine where these alerts should be logged, updated, and reported. Notice how the workflow now moves between sections of the automation capability matrix to expand the process.

With a tracking location for the alert in place, we can move towards a comprehensive analysis of the phishing alert in question. Phishing emails usually contain potentially malicious attachments and suspicious links designed to capture authentication material, and they are usually sent from deceptive sources.
Moving into the enrichment phase, we want to use at least a few basic capabilities: domain analysis for any links found in the body of the email, file hash analysis and file analysis for any email attachments, and email attributes to dig deeper into the email addresses involved and spot the signs of a message sent from a phishing address.
As for enrichment options, the number of API-based tools and services that can provide these capabilities is growing dramatically. Some popular options include VirusTotal for files, URLscan for domains, and EmailRep for sender information. Each of these enrichment results can be logged to the tracking location defined earlier, documenting the findings and giving analysts visibility into them.
This shows how several capabilities from the same section can be applied to one automation workflow, in this case to provide analysts with as much information as possible.

After enrichment, a verdict may already be reachable, but more likely the issue will require a quick review by an analyst. At this point, the User Interaction section becomes extremely important.
To start, we can use the chat alerts capability to notify the security team in a Slack channel that a phishing email has arrived and a tracking issue has been created, attaching the enrichment details as additional context so the case is ready for review.
That takes care of informing the security team, but what about updating any users who may be affected or who reported the email? Phishing response is unique because many organizations actively train users to report emails they consider suspicious. Notifying these users of a trusted verdict within a short timeframe is a great way to enable processes such as signing sensitive documents quickly or to prevent large-scale malware outbreaks.
To do this, we can use the user notification capability to identify the user who reported the email and provide them with the results of the analysis. User interaction is not just about additional notification to the security team; it is also about expanding reach and empowering others with real-time information so they can make the right decisions.

At this point, a lot of activity has taken place, and we have a lot of knowledge at our disposal. While more information is always helpful, acting on it appropriately is what ultimately matters most, which leads into the remediation phase. Many of the data points (indicators) collected earlier can be used in remediation procedures. Depending on how the situation develops, we can take some of the following steps:
- Domain Blocklist: Add any domains and URLs identified as suspicious to the blocklist.
- File Hash Blocklist: Add any file hashes identified as malicious to the blocklist.
- Email Deletion: Remove emails related to the offending campaign from inboxes.
- Password Revocation: Change the passwords of any users caught submitting credentials to a phishing website.

The key to any remediation is knowing what is possible and starting small, especially when using automation to build trust. One way to do this is to provide links or buttons that must be manually clicked to take remediation actions, but in a repeatable manner. If you want to offer full automation, maintaining lists of suspicious domains that can be blocked offers significant benefit and minimal risk, and mistakes can be quickly reversed with little overall impact.
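The phishing workflow walked through above, as an added example that is not part of the original article or the Tines library: it reviews the email elements of a constructed user report, applies constructed enrichment verdicts (standing in for VirusTotal, URLscan and EmailRep lookups), auto-runs only the low-risk domain blocklisting, and queues the higher-impact actions for a one-click analyst approval. The `#security-alerts` channel name and the action labels are assumptions.

```python
import hashlib
import re
from email import message_from_bytes, policy

# Constructed user-reported message: one credential-harvesting link, one attachment.
RAW_REPORT = b"""From: "IT Helpdesk" <helpdesk@example-mail.test>
To: alice@example.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset your password at http://login.example-mail.test/reset today.
--b1
Content-Type: application/pdf; name="notice.pdf"
Content-Disposition: attachment; filename="notice.pdf"

%PDF-1.4
--b1--
"""
VERDICTS = {"domains": {"login.example-mail.test": "malicious"}, "hashes": {}}  # constructed lookups

def extract_indicators(raw: bytes) -> dict:
    """Review the email elements: sender, reporting user, link domains, attachment hashes."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec
    body = msg.get_body(preferencelist=("plain",))
    hosts = re.findall(r"""https?://([^/\s<>"']+)""", body.get_content() if body else "")
    return {
        "sender": sender,
        "reporter": msg["To"].addresses[0].addr_spec,
        "domains": sorted(set(hosts) | {sender.split("@")[-1]}),  # link hosts plus sender domain
        "hashes": {hashlib.sha256(p.get_payload(decode=True)).hexdigest(): p.get_filename()
                   for p in msg.iter_attachments()},
    }

def plan_response(ind: dict, verdicts: dict) -> dict:
    """Auto-run only the low-risk, reversible action; queue the rest for one-click analyst approval."""
    bad_domains = [d for d in ind["domains"] if verdicts["domains"].get(d) == "malicious"]
    bad_hashes = [h for h in ind["hashes"] if verdicts["hashes"].get(h) == "malicious"]
    verdict = "malicious" if bad_domains or bad_hashes else "needs_review"
    manual = [("file_hash_blocklist", h) for h in bad_hashes]
    if verdict == "malicious":  # higher-impact actions wait for an analyst click
        manual += [("email_deletion", ind["sender"]),
                   ("password_revocation_if_credentials_entered", ind["reporter"])]
    return {"verdict": verdict,
            "auto": [("domain_blocklist", d) for d in bad_domains],
            "manual": manual,
            "notify": [("chat_alert", "#security-alerts"), ("user_notification", ind["reporter"])]}
```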
Looking at the end-to-end process, we've used the following capabilities to help automate actions that are critical for many cybersecurity teams:
- Phishing Alerts
- Location Tracking
- File Hash Analysis
- Domain Analysis
- Email Attributes
- Chat Alerts
- User Notification
- Domain Blocklist
- File Hash Blocklist
- Email Deletion
- Password Revocation
An important advantage of developing these capabilities in your organization for a single use case, such as phishing, is that many of them can now be reused for additional purposes such as detecting malware or handling suspicious logins, making each subsequent automation opportunity easier.

Customize the matrix
SOC ACM is also available on GitHub for those who prefer to run it themselves or contribute.
This way, SOC ACM can be fully customized to suit your needs. This includes:
- Adding new categories and capabilities
- Reorganizing according to your priorities
- Tracking automation workflows that align with these capabilities
- Exporting the configuration
- Dark and light mode
You can also evaluate different environments or organizations differently by creating separate dashboards. For example, if your organization acquires a company with different capabilities than yours, you can use the matrix to visualize that environment very differently.
All of this configuration can be stored locally in your browser for privacy. In addition to exporting the configuration, you can import it to revisit previous assessments, all without a login account and without any tracking.
SOC ACM as a reporting tool
Teams who access the SOC ACM on GitHub can also use the matrix to visually illustrate where they are in their automation journey and communicate the value of their automation program to leadership and other key stakeholders.
Soon after implementing some capabilities, teams will recognize which capabilities they use the most, the activities associated with them, and their value, such as time saved or reduced response time. This allows them to share results with relevant teams and decide what to prioritize next.
Case Study: Tracking time saved and implementations to demonstrate value using SOC ACM
At Tines Roadshow: San Francisco, John Tuckner, creator of the SOC Automation Capability Matrix, shared how he worked with a fintech company to evaluate and enhance their automation program using the matrix. “The Automation Capability Matrix helps us organize our workflows, identify the workflows that save us the most time, and highlight areas of future opportunity,” the team told Tuckner.
Highlights:
- 25 capabilities implemented and tagged
- 10 workflows using Slack slash commands, with 2,000 executions
- Rapid multi-agent workflows ran 721 times, saving 6.5 hours of time per month
Recommendations:
- See the IOC list management capabilities (IP List, Range List, and Hash List) for response.
- Document and highlight the effort made and the time saved when using case management.
Future state – what they would do differently:
- Distributed alert processing and user interaction via Slack (user notification, user response)
- Update the Slack security channel and incident reporting to use a Slack bot that routes reports and requests the correct sub-team
- Emergency resource notification
- Timed escalations
- Cut-off orders
- Add more response actions via Tines automation through the Slack bot (artifact collection, disabling MFA devices)
- Asset scanning (not just endpoints; cloud assets need to be included)
The SOC Automation Capability Matrix is a useful resource for teams at all stages of their automation journey, providing inspiration for their next automation releases and a way to evaluate their automation program.
If you'd like to explore the SOC Automation Capability Matrix in more detail, you'll find it on Notion, hosted by the Tines team.