Intelligently processing and prioritizing alerts is one of the biggest challenges security operations centers (SOCs) face. Security tools can generate hundreds of alerts daily and tie up a significant portion of a team’s resources. Triaging alerts requires a substantial amount of time querying and analyzing data, running reports, and documenting findings, most of which are for false positives. Noisy alerts and the work that comes with them frustrate staff and take attention away from high-priority threats. In other words, alert fatigue creates security risks.
Security analysts often perform a standard set of activities when triaging alerts. They will often run firewall reports, search for applicable log data in the SIEM, look up domains and IP addresses in threat intelligence sources, search other security platforms, and more. This data is required to understand what caused the alert and its associated risks. While these tasks are simple, they are repetitive, repeatable, and time-consuming. Obtaining the data required to perform an investigation can take anywhere from minutes to hours. The more time security engineers spend getting data, the longer the incident response time and the greater the risk to the organization.
To decrease incident response times and reduce the amount of administrative work done by security analysts, organizations are turning to Security Orchestration, Automation and Response (SOAR) platforms. Instead of having security analysts spend thirty minutes or more obtaining the data required for an investigation, SOAR platforms can automatically query an organization’s network and security platforms for the data, and have it ready for them before the investigation begins. SOAR platforms reduce the administrative work required by security analysts and allow them to focus on their role of protecting organizations from cyber security threats.
Summary of key SOAR platform concepts
| Concept | What it means |
| --- | --- |
| Automation of common SOC tasks | SOAR platforms can automate tasks that security analysts repeatedly perform manually. |
| Faster incident response | SOAR platforms can automate data extraction, reducing the time analysts spend obtaining data required for investigations. |
| Optimized data extraction | SOAR platforms can standardize the queries required for data extraction, minimizing the risks of pulling data incorrectly. |
| Higher security staff retention and improved security posture | SOAR platforms can perform mundane work, allow staff to focus on protecting the organization, and reduce the time spent doing administrative work. |
| Centralization of incident management | SOAR platforms are excellent to use as an incident management tool, acting as a single pane of glass for alerts and the required documentation and investigation artifacts. |
How SOAR platforms work
With some simple initial setup, the SOAR can run commands on the various security platforms when instructed, typically when security tools generate alerts.
Structured, repeatable sets of instructions for SOARs are commonly known as playbooks. They typically contain a set of commands supported by the security platform and are executed in a specific order. For example, for a threat intelligence alert, the playbook can be configured to parse out any applicable IP addresses and domains from the alert, perform reputational lookups in threat intelligence sources and then run a report in the SIEM, firewall, and other security platforms to see if there is any log data matching those IP addresses or domains.
The SOAR can consolidate the data into standard formats used by investigators (CSV files, spreadsheets), and provide it in a single pane of glass for the analyst to use for the investigation. As the SOAR can begin obtaining the data as soon as it receives the alert, it can have the data ready for the security analysts as soon as they begin the investigation instead of having the security analyst manually start running the reports when they begin triaging the alert.
A SOAR playbook for dealing with a suspicious communication alert.
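The suspicious-communication playbook described above, written out as an added example (not Devo's code or part of the original post): it parses IPs and domains out of an alert, enriches each one, reruns a query that fails, consolidates the results into CSV for the analyst, and proposes a severity from the collected data. The reputation table and log lines are constructed stand-ins for the threat-intelligence and SIEM queries a real playbook would issue.

```python
import csv
import io
import re

# Patterns for the indicator types the playbook parses out of the alert text.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Constructed reputation table standing in for a threat-intelligence lookup.
THREAT_INTEL = {"198.51.100.23": "malicious", "bad-cdn.example": "suspicious"}
# Constructed firewall/DNS log lines standing in for a report run in the SIEM.
LOG_LINES = [
    "2024-05-01T10:02:11Z fw allow src=10.0.0.8 dst=198.51.100.23 dport=443",
    "2024-05-01T10:02:12Z dns query src=10.0.0.8 name=bad-cdn.example type=A",
    "2024-05-01T10:05:40Z fw allow src=10.0.0.9 dst=203.0.113.5 dport=80",
]

def extract_indicators(alert_text):
    """Step 1: parse IPs and domains from the alert, de-duplicated, in order seen."""
    return list(dict.fromkeys(IPV4_RE.findall(alert_text) + DOMAIN_RE.findall(alert_text)))

def run_with_retry(query, attempts=3):
    """Rerun a query that raised (e.g. a timeout) up to `attempts` times instead of losing the report."""
    for attempt in range(1, attempts + 1):
        try:
            return query()
        except Exception as exc:  # any transport failure is treated as retryable here
            if attempt == attempts:
                raise RuntimeError(f"query failed after {attempts} attempts") from exc

def search_logs(indicator, log_lines=LOG_LINES):
    return [line for line in log_lines if indicator in line]  # step 3: the SIEM/firewall report

def propose_severity(rows):
    """Raise severity when a known-bad indicator actually appears in the organization's logs."""
    if any(r["reputation"] == "malicious" and r["log_hits"] for r in rows):
        return "high"
    return "medium" if any(r["reputation"] != "unknown" or r["log_hits"] for r in rows) else "low"

def run_playbook(alert_text):
    """Run steps 1-3 for every indicator and consolidate the results as CSV for the analyst."""
    rows = []
    for ioc in extract_indicators(alert_text):
        reputation = run_with_retry(lambda: THREAT_INTEL.get(ioc, "unknown"))  # step 2: reputation
        hits = run_with_retry(lambda: search_logs(ioc))
        rows.append({"indicator": ioc, "reputation": reputation, "log_hits": len(hits)})
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["indicator", "reputation", "log_hits"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return rows, propose_severity(rows), out.getvalue()
```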
As SOAR platforms aggregate data required for the investigation, they are excellent organization-wide incident management tools. Security analysts can obtain all the data needed by simply clicking on a link within the SOAR platform instead of logging into multiple platforms and running the reports from each of them.
Top five benefits of SOAR platforms
Cybersecurity teams can benefit greatly from using a SOAR platform. Below are five of the most beneficial SOAR platform use cases.
Automation of common SOC tasks
The most common data sources and platforms security analysts use are SIEM, reputational intelligence, user data, and asset data. The SIEM will likely contain multiple log data sources, allowing the analyst to pull a report containing firewall, authentication, operating system data, and more. The analyst may look up the IP address and domain in reputational services such as VirusTotal. The analyst may want to query Active Directory to obtain information on the user, such as the user’s title, role, line of business, and manager, to determine if the activity in the alert relates to the user’s role. Additionally, the analyst may want to pull data on the assets relating to the alert to determine the severity.
The time it takes a human SOC engineer to complete standard tasks.
Again, while these may not be difficult tasks, it can take thirty minutes or more to log in to all the security tools, run the queries, and consolidate the data.
Some SOC functions require coordination between various teams. For example, vulnerability scanning requires not only identifying vulnerabilities within an organization but also carefully managing and remediating them. This often requires cybersecurity teams to manage the vulnerabilities with spreadsheets and communication channels such as email and ticketing systems. The larger the organization, the higher the number of vulnerabilities and corresponding communications required. It’s not uncommon for cyber security teams to send out hundreds of communications and have to manage the entire process until the vulnerability is remediated.
SOAR platforms can assist by integrating vulnerability management systems with an organization’s email or ticketing system. The SOAR can obtain a list of vulnerable systems, look up asset ownership, and automatically send communications to the system owners, notifying them of the vulnerability. The SOAR can also be configured to read their responses and, as a result, automatically close some of the vulnerabilities without having a security analyst involved.
For example, the SOAR could send emails to thirty resources, notifying them of the vulnerabilities. Suppose 50% of the respondents indicate the vulnerability has been patched; the security team then only needs to engage the remaining 15 resources instead of 30. The larger the organization, the more opportunity the SOAR has to reduce the amount of administrative communication and tracking by the security team.
Faster incident response
The time needed to pull the data required for an investigation can vary significantly. Some alerts require only simple lookups in threat intelligence sources or a check of authentication activity in Active Directory.
When a security analyst begins triaging an alert, they may spend thirty minutes or more obtaining the required data. Additionally, it may be thirty minutes before a security analyst can triage the alert, added to the thirty minutes required to obtain the data, increasing the total incident response time to one hour or more.
SOAR platforms can reduce this burden by running the required reports and queries as soon as they receive the alert, and having the required data ready for the analyst. SOAR platforms can also be configured to rerun unsuccessful queries. It’s not uncommon for queries run by security analysts to time out while they are multitasking on another alert, only for them to find out thirty minutes later that their report didn’t generate and have to wait another thirty minutes for another run.
Optimized data extraction
Given that cyber security teams typically use many different platforms, it can be daunting for new analysts to learn how to query each tool. It also increases the probability that the security analyst searches for data incorrectly, leading to a null or incorrect result. This can produce an inaccurate security investigation, as the analyst decides whether a security risk or threat exists based on incomplete data.
SOAR platforms can assist by having the queries standardized and preconfigured by the security team, reducing the risk of running an incorrect query.
Higher security staff retention and improved security posture
Minimizing the amount of administrative work allows security analysts to use their skills in analyzing malware, suspicious communication, and other threats. Spending time running reports and chasing other teams around to determine if their vulnerabilities have been patched reduces the amount of time analysts spend on work aligned with their role. Sending out reminder emails, asking for updates, and documenting responses align better with the role of a project manager than that of a security analyst.
Centralization of incident management
As SOAR platforms can collect the data required for an investigation, act as a single pane of glass for security analysts, and store investigation notes and artifacts, they are excellent incident management tools for a SOC. Alerts can be auto-assigned to the applicable security staff, the severity can be modified based on any of the data the SOAR collects, and investigation outcomes can be easily documented for metrics.
SOAR platform recommendations
Identifying and prioritizing the repetitive and repeatable processes within your security team is pivotal to a successful SOAR implementation. Many security analyst tasks can be set up and executed quickly. SOARs are designed to work with many common platforms that security operations teams use, such as SIEMs, firewalls, and EDR. The more tasks you can automate, the more your staff can focus on protecting the organization.
While SOARs can integrate with many systems, there is an effort to both set up and maintain each integration. The time, effort, and resources required for each integration should be weighed against the value it provides. Organizations should focus on sustainable, high-value integrations and automations that benefit the security team.
Given the challenges facing cyber security teams today, SOAR platforms are becoming critical to security operations. SOARs can be set up quickly and provide a significant return on investment by addressing many issues security teams face. SOARs can help your organization automate common tasks, optimize data extraction and collection, optimize incident management, increase staff retention, and ultimately increase the organization’s overall security posture.