How does the current threat landscape pave the way for technologies such as SOAR?
Following on from our recent security practice blog - How to know if you need SOAR - by my colleague James Brown, you may be considering such a tool for your organisation. The purpose of this blog is therefore to follow up on his thoughts, by running through the ROI you can expect to achieve from SOAR, and providing you with a clear understanding of the benefits of investing in this technology.
An effective cyber security strategy is not solely based on prevention, but must also include the capacity for detection and response; and now is the time to automate those responses. This is where a technology such as SOAR is proven to provide an immediate ROI.
What ROI can you expect to see from SOAR?
Security orchestration and automation is used to offload low-priority and repetitive tasks from internal staff. This allows your SOC analysts to do higher-value work, whilst security automation and incident response playbooks allow SOAR to build workflows that require minimal human intervention.Out of hours coverage
We have found that one persistent challenge for customers is that out of hours coverage is often too expensive or non-viable due to lack of resources, and previously there were only two options:
- Increase staff for 24/7 coverage
- Outsource to 24/7 service provider
But now there’s another option…
Unfortunately attackers are not only active during working hours, thus 24/7 cover is critical. Once you have the correct visibility to detect attacks, the next step is how you respond - even when your team are asleep.
SOAR allows organisations to save costs on staff overheads through the introduction of automation, such as disabling users, creating firewall rules, amending 365 security policies, and deleting malicious emails before users even attempt to read them the following morning.
The savings that SOAR allows on staff overheads is clear, however an item that’s often missed is the potential future savings. In the event of a breach, the automation will stop the attack from escalating, thus reducing the possibility of a serious financial impact or a damaged reputation.
Automating Manual Tasks
An Example: an individual receives a phishing email and reports it to the IT/ security team.
There tends to be two approaches to the next steps our customers would take:
- Customer Approach One: Do nothing - this simply cannot be an option!
- Customer Approach Two: Locate the URL in the proxy firewall logs, find out who’s clicked on it and then go and delete it from their mailbox - with SOAR you can implement workflows to action this autonomously or with the click of a button, reducing the amount of manual tasks based on a single incident.
Improved response to attacks
Other examples of ROI that can be expected from SOAR can be seen through a security team's MTTR (Mean Time To Respond), the enrichment of data for analysts, and the ability to kick off a workflow that has several hundred actions, and would otherwise take hours for an individual to set up but takes minutes for SOAR. Security automation decreases the MTTR by responding to alerts automatically in real time, therefore reducing the cost of responding to an incident.
To hear more on how this technology can benefit your organisation, please do get in touch...