Lack of automation is impeding Security Operations Center (SOC) analysts in their fight against cyberattacks.
Today’s SOC analysts must manually verify and close out false positives by relying on third-party tools and sources that validate suspicious IP addresses and domains. The lack of automated contextualization and enrichment of alerts is a key challenge in identifying suspicious behaviour in user accounts.
The absence of integrated threat intelligence feeds or advisories, and of aggregation for the alerts that multiple tools generate for the same incident, is an added challenge that results in alert fatigue. Moreover, manual follow-ups are required to take remedial actions. For example, analysts depend on firewall administration teams to block malicious connections, endpoint support teams for host isolation, and mail administration teams to delete infected mailboxes or reset affected user passwords.
These challenges apply to the majority of SOC alerts, and automating their triage can reduce the time SOC Tier 1 analysts spend monitoring them. By embracing security orchestration, automation, and response (SOAR), SOC analysts can automate repeated and well-understood triage tasks such as indicators of compromise (IOC) scans, threat intelligence and vulnerability enrichment, identity checks, and alert de-duplication. They can also collaborate with stakeholders without having to monitor multiple channels, and maintain a centralized knowledge base to easily access contextual information while managing similar incidents.
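The triage tasks listed above, as an added example that is not code from the original article or from TCS: a minimal Tier 1 playbook that de-duplicates alerts raised by several tools for the same host and indicator, enriches each resulting incident against a threat-intelligence feed and an allow-list, and records whether the incident can be auto-closed, handed to containment, or must be escalated to an analyst. The alerts, feed, allow-list and internal network ranges below are constructed sample data, and the 30-minute grouping window and the confidence threshold are assumptions.

```python
"""
Added example (not from the original article or from TCS): a minimal Tier 1
triage playbook. De-duplicate alerts that share host+indicator, enrich each
incident with a threat-intel verdict, then decide auto-close / contain /
escalate. All data below is constructed; the window and threshold are
assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress

# Constructed threat-intel feed: indicator -> (verdict, confidence 0-100)
THREAT_INTEL = {
    "198.51.100.23": ("malicious", 90),
    "evil-updates.example": ("malicious", 80),
    "203.0.113.7": ("suspicious", 40),
}
# Constructed allow-list of known-benign external infrastructure (e.g. a scanner)
ALLOW_LIST = {"192.0.2.10"}
# Constructed internal ranges; traffic to these is not an external IOC hit
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Alert:
    tool: str        # product that raised the alert (EDR, proxy, IDS, ...)
    host: str
    indicator: str   # IP address or domain the alert is about
    ts: datetime


@dataclass
class Incident:
    host: str
    indicator: str
    first_seen: datetime
    sources: list = field(default_factory=list)  # tools that saw it
    verdict: str = "unknown"
    confidence: int = 0
    action: str = "escalate"


def dedupe(alerts, window=timedelta(minutes=30)):
    """Collapse alerts sharing host+indicator within `window` into one incident."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for inc in incidents:
            if (inc.host == a.host and inc.indicator == a.indicator
                    and a.ts - inc.first_seen <= window):
                inc.sources.append(a.tool)
                break
        else:
            incidents.append(Incident(a.host, a.indicator, a.ts, [a.tool]))
    return incidents


def is_internal(indicator):
    """True when the indicator is an address inside INTERNAL_NETS; domains are False."""
    try:
        addr = ipaddress.ip_address(indicator)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def enrich(inc):
    """Attach the intel verdict and pick the playbook action."""
    if inc.indicator in ALLOW_LIST or is_internal(inc.indicator):
        inc.verdict, inc.confidence, inc.action = "benign", 100, "auto-close"
        return inc
    inc.verdict, inc.confidence = THREAT_INTEL.get(inc.indicator, ("unknown", 0))
    if inc.verdict == "malicious" and inc.confidence >= 80:
        inc.action = "contain"    # hand off to the blocking / isolation workflow
    else:
        inc.action = "escalate"   # ambiguous: a Tier 1 analyst decides
    return inc


def triage(alerts):
    """Full pipeline: de-duplicate, then enrich every unique incident."""
    return [enrich(inc) for inc in dedupe(alerts)]


def summarize(incidents):
    """Incidents per action: the number a shift hand-over would report."""
    counts = {}
    for inc in incidents:
        counts[inc.action] = counts.get(inc.action, 0) + 1
    return counts


# Constructed sample alerts: three tools fire on host-1 for one IP, and the
# same IP recurs on host-1 later, outside the grouping window.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert("edr", "host-1", "198.51.100.23", T0),
    Alert("edr", "host-2", "192.0.2.10", T0 + timedelta(minutes=1)),
    Alert("proxy", "host-3", "203.0.113.7", T0 + timedelta(minutes=2)),
    Alert("dns", "host-3", "evil-updates.example", T0 + timedelta(minutes=3)),
    Alert("ids", "host-4", "10.20.30.40", T0 + timedelta(minutes=4)),
    Alert("proxy", "host-1", "198.51.100.23", T0 + timedelta(minutes=5)),
    Alert("ids", "host-1", "198.51.100.23", T0 + timedelta(minutes=12)),
    Alert("edr", "host-1", "198.51.100.23", T0 + timedelta(minutes=50)),
]

if __name__ == "__main__":
    results = triage(SAMPLE_ALERTS)
    for inc in results:
        print(inc.host, inc.indicator, inc.sources, inc.verdict, inc.action)
    print(summarize(results))
```

Eight raw alerts collapse into six incidents; the three tools that fired on host-1 within twelve minutes become one incident with three sources, which is the aggregation the text says is missing from many SOCs. Only high-confidence malicious hits go to containment; a "suspicious" verdict is escalated rather than auto-closed, so the analyst still sees the ambiguous case.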
Plan extensively before rolling out SOAR, to make sure it automates tasks in security operations—instead of becoming overhead for SOC.
Begin your SOAR implementation by studying existing SOC playbooks, skill sets, incident handling processes, and integration requirements in detail to chalk out a long-term strategic plan.
Next, work with your SOC analysts to determine your automation needs and the SOC efficiency improvements you expect, and select the SOAR tool best suited to those needs. Be aware that, in most cases, it serves to automate playbooks for phishing campaigns and malware detection. In some cases, with poor adoption, it ends up used only for alert aggregation and incident management.
One can’t stress enough the need to avoid such pitfalls, plan for a proper implementation, and set the right expectations for its management. Retrofitting a SOAR tool without analyzing the automation objectives can lead to wasted SOAR investments and make it an overhead for frontline SOC analysts.
While a typical SOAR implementation with three to five playbooks may run for less than three months, it is highly dependent on other influencing criteria covered in subsequent sections. Also, it is not a one-time activity and requires continuous development and integrations akin to other applications.
Three principles to set up your SOAR for success.
Scale maturity of security operations: Succeeding with SOAR depends on the maturity of the security incident management process and its playbooks. SOAR implementation, just like SOC maturity, matures with time. SOAR can also be leveraged alongside security information and event management (SIEM) or other security products. The bottom line: set automation goals that are realistic and time-bound to reach optimized SOAR maturity.
Identify tasks to be automated: Incident-handling processes have multiple tasks, some of which can be automated while others must be manually completed. Be clear about the tasks that can be automated and their desired outcome. For example, in an incident handling process for a potentially compromised account, only part of the investigation may need automation. The security investigator can decide whether to suspend or lock the account based on severity.
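The partial automation described in this principle, as an added example that is not code from the original article or from TCS: a compromised-account playbook in which only the investigation steps are automated. The playbook gathers login and identity context, records findings, scores severity and then stops at a human gate; the account is never suspended or locked until an investigator makes that call through apply_decision(). The identity records and login events are constructed sample data, and the step layout, the failure threshold and the severity thresholds are assumptions.

```python
"""
Added example (not from the original article or from TCS): a compromised-
account playbook that automates investigation only. Data is constructed;
step layout and thresholds are assumptions.
"""
from dataclasses import dataclass, field

# Constructed identity context, as an IAM lookup would return it
IDENTITY = {
    "jdoe":       {"home_country": "IN", "mfa": True,  "privileged": False},
    "asmith":     {"home_country": "IN", "mfa": True,  "privileged": False},
    "svc-backup": {"home_country": "IN", "mfa": False, "privileged": True},
}

# Constructed authentication log for the investigation window
EVENTS = [
    {"account": "jdoe", "country": "IN", "success": True},
    {"account": "jdoe", "country": "NL", "success": True},
    {"account": "asmith", "country": "IN", "success": True},
] + [{"account": "svc-backup", "country": "IN", "success": False}] * 5 + [
    {"account": "svc-backup", "country": "IN", "success": True},
]

VALID_DECISIONS = ("suspend", "lock", "monitor", "dismiss")


@dataclass
class Case:
    account: str
    findings: list = field(default_factory=list)
    severity: str = "low"
    status: str = "open"
    audit: list = field(default_factory=list)


# ---- automated investigation steps (all take case, events for uniformity) ----

def step_geo_check(case, events):
    """Flag successful logins from a country other than the account's home."""
    seen = {e["country"] for e in events
            if e["account"] == case.account and e["success"]}
    unusual = sorted(seen - {IDENTITY[case.account]["home_country"]})
    if unusual:
        case.findings.append(f"successful login from unusual country: {unusual}")


def step_failure_check(case, events):
    """Flag a burst of failed logins in the window (threshold is an assumption)."""
    failures = sum(1 for e in events
                   if e["account"] == case.account and not e["success"])
    if failures >= 5:
        case.findings.append(f"{failures} failed logins in window")


def step_identity_context(case, events):
    """Attach MFA and privilege context from the identity record."""
    ident = IDENTITY[case.account]
    if not ident["mfa"]:
        case.findings.append("MFA not enrolled")
    if ident["privileged"]:
        case.findings.append("privileged account")


def step_score(case, events):
    """Severity from the number and kind of findings."""
    n = len(case.findings)
    privileged = "privileged account" in case.findings
    if n >= 3 or (privileged and n >= 2):
        case.severity = "high"
    elif n >= 1:
        case.severity = "medium"
    else:
        case.severity = "low"


AUTOMATED_STEPS = [step_geo_check, step_failure_check,
                   step_identity_context, step_score]


def investigate(account, events=EVENTS):
    """Run every automated step, then stop at the human gate."""
    case = Case(account)
    for step in AUTOMATED_STEPS:
        step(case, events)
        case.audit.append(f"auto:{step.__name__}")
    # Nothing found: the playbook closes it. Anything else waits for a person.
    case.status = "auto-closed" if case.severity == "low" else "awaiting-decision"
    return case


def recommend(case):
    """Options shown to the investigator; the choice stays with them."""
    return {"high": ("suspend", "lock"), "medium": ("lock", "monitor"),
            "low": ("dismiss",)}[case.severity]


# ---- manual gate: the only place account state is changed ------------------

def apply_decision(case, decision, investigator):
    """Record the investigator's decision and close the case."""
    if case.status != "awaiting-decision":
        raise ValueError(f"{case.account}: status {case.status}, not open for decision")
    if decision not in VALID_DECISIONS:
        raise ValueError(f"unknown decision {decision!r}")
    case.audit.append(f"manual:{investigator}:{decision}")
    case.status = f"closed:{decision}"
    return case


if __name__ == "__main__":
    for acct in IDENTITY:
        c = investigate(acct)
        print(acct, c.severity, c.status, c.findings, recommend(c))
```

The audit list records which steps ran automatically and which action a named investigator chose, which is the trail a later review of the playbook needs. Keeping the suspend or lock action out of the automated steps is the design point the text makes: the playbook removes the enrichment work, not the decision.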
Embrace best practices of SOAR experts: Implementing SOAR immediately after setting up a SOC function is not recommended. Clearly define SOC processes with measurable outcomes, and do not implement SOAR for the sake of automation that will not add any value. The SOAR engineering team and SMEs play a vital role in designing the playbooks in the SOAR tool. Some best practices they adopt include identifying the right playbooks and defining KPIs.
Take a giant leap in successfully automating your security operations.
Companies are slow to adopt security automation as they believe it reduces headcount. In some cases, the SOC team may be working in crisis management mode, hence restructuring and automation are not an immediate priority. However, automation frees security professionals from routine tasks and empowers them to make decisions through intelligent analytics.
Periodic reviews of the automation process and its efficiency, based on metrics gathered to improve the process and workflow, are key to driving visible improvements. With SOAR platforms, enterprises can prevent and respond to a host of new threats and attacks. By augmenting SOAR with a robust security solution, threat intelligence, and IT hygiene, enterprises can transform incident response.
TCS Threat Management Centers