A small silver lining from 2020 is that it appears that cyber security is beginning to get the attention it deserves. We still have a way to go but we’re seeing cyber security being discussed more regularly at Board level and many organisations looking to significantly improve their cyber security posture in 2021.
One thing we aren’t necessarily seeing is an increase in personnel, which means that, although security capabilities may be improving, workloads are continually increasing and becoming unmanageable. Common pain points we encounter include:
- Fear of being unable to react to any out-of-hours threats
- Alert fatigue and repetition of mundane tasks leading to employee burnout
- Threat intelligence and information overload
- Mean time to respond to threats getting worse
The potential capabilities SOAR can offer are varied and not limited purely to cyber security. However, for the purpose of this blog I am going to focus on three management benefits SOAR provides.
The Evolving Threat Landscape
Managing and developing your organisation’s cyber security posture can only be effective with the correct threat intelligence underpinning it. Dealing with the latest and most sophisticated cyber security threats requires an in-depth knowledge of attackers’ tactics, techniques and procedures (TTPs) and the identification of indicators of compromise (IOCs) through the aggregation and validation of a wide range of sources, work that is typically carried out by dedicated security analysts.
But not all organisations have the resources for dedicated security analysts.
Security orchestration enables organisations to ingest threat intelligence from a range of sources and automatically correlate it with events in real time, thus removing the need for dedicated analysts and providing immediately actionable information in a single UI. This not only significantly reduces the burden on organisations with dedicated security analysts and SOCs, but also empowers smaller IT teams to manage their cyber security proactively and to react to new threats as soon as they’re discovered.
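To make the orchestration step above concrete, here is an added example (not code from the original post or from any SOAR vendor) of what "ingest threat intelligence from a range of sources and correlate it with events" means mechanically. Two constructed feeds in different formats are normalised onto one schema, each indicator is validated by source confidence or corroboration across feeds, and constructed DNS and proxy log lines are matched against the validated set so that the analyst sees one enriched alert per hit rather than raw feeds and raw logs. The feed layouts, field names, source names, hosts and addresses are all assumptions made for the example.

```python
import csv
import io
import json
import re
from collections import defaultdict

# Two constructed feeds in different formats, standing in for what a SOAR
# platform would pull from a TIP, an ISAC feed or a vendor API.
FEED_CSV = """indicator,type,confidence
203.0.113.77,ipv4,80
bad-invoice.example,domain,60
198.51.100.9,ipv4,30
"""

FEED_JSON = json.dumps({"objects": [
    {"value": "203.0.113.77", "kind": "ip", "score": 0.9},
    {"value": "bad-invoice.example", "kind": "fqdn", "score": 0.5},
    {"value": "phish-login.example", "kind": "fqdn", "score": 0.95},
]})

# Constructed events: DNS resolver and web-proxy log lines with different layouts.
EVENTS = [
    "2021-01-12T08:01:02Z dns host=WS-042 query=phish-login.example rcode=NOERROR",
    "2021-01-12T08:01:05Z proxy host=WS-042 dst=203.0.113.77 url=http://203.0.113.77/login status=200",
    "2021-01-12T08:02:11Z dns host=WS-017 query=intranet.example.local rcode=NOERROR",
    "2021-01-12T08:03:40Z proxy host=WS-017 dst=198.51.100.9 url=http://198.51.100.9/ status=200",
]

# Each feed uses its own vocabulary; map both onto one schema (indicator, type, 0-100 confidence).
TYPE_MAP = {"ipv4": "ip", "ip": "ip", "domain": "domain", "fqdn": "domain"}


def parse_csv_feed(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"].lower(), TYPE_MAP[row["type"]], int(row["confidence"]), source


def parse_json_feed(text, source):
    for obj in json.loads(text)["objects"]:
        yield obj["value"].lower(), TYPE_MAP[obj["kind"]], int(round(obj["score"] * 100)), source


def aggregate(parsers, min_conf=70, min_sources=2):
    """Merge feeds and validate: keep an indicator only if some source rates it
    at or above min_conf, or at least min_sources independent feeds report it."""
    seen = defaultdict(lambda: {"type": None, "sources": {}})
    for parser in parsers:
        for value, itype, conf, source in parser:
            seen[value]["type"] = itype
            seen[value]["sources"][source] = conf
    validated = {}
    for value, info in seen.items():
        confs = info["sources"]
        if max(confs.values()) >= min_conf or len(confs) >= min_sources:
            validated[value] = {"type": info["type"], "confidence": max(confs.values()),
                                "sources": sorted(confs)}
    return validated


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_observables(line):
    """Pull IPs and domains out of a log line regardless of its field layout."""
    return {m.lower() for m in IP_RE.findall(line) + DOMAIN_RE.findall(line)}


def correlate(events, indicators):
    """Return one enriched alert per event that touches a validated indicator."""
    alerts = []
    for line in events:
        hits = extract_observables(line) & set(indicators)
        if not hits:
            continue
        alerts.append({
            "host": re.search(r"host=(\S+)", line).group(1),
            "matched": sorted(hits),
            "max_confidence": max(indicators[h]["confidence"] for h in hits),
            "sources": sorted({s for h in hits for s in indicators[h]["sources"]}),
            "event": line,
        })
    return alerts


def run():
    indicators = aggregate([parse_csv_feed(FEED_CSV, "isac-csv"),
                            parse_json_feed(FEED_JSON, "vendor-json")])
    return correlate(EVENTS, indicators)


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The validation rule is the part worth tuning in practice: the low-confidence single-source address (198.51.100.9) is dropped so it never generates an alert, while bad-invoice.example survives only because two independent feeds report it. Both alerts carry the indicators matched, the best confidence and the feeds that contributed, which is the context an analyst otherwise has to gather by hand across several consoles.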
Streamlined Security Operations
Microsoft found that the average tenure of a cyber security analyst is just 1-3 years, which is no surprise when they are responsible for the constant monitoring of systems whilst simultaneously responding to, in many cases, thousands of repetitive daily alerts. Not only does this switching between multiple systems cost teams time and effort, but it is increasingly leading to employee burnout and creating huge risk for organisations’ security postures.
A key goal for any SOAR solution is to help security staff work smarter, not harder. Security automation, as discussed in my colleague’s blog, relieves teams of mundane, repetitive tasks and can easily handle low-priority alerts and incidents by utilising automated playbooks.
Ultimately, every organisation wants to ensure that its employees’ output is maximised, and that means removing as much mundane repetition from their workloads as possible so they have the time to focus on high-value tasks, such as threat hunting and vulnerability management (and creating new playbooks to further improve their SOAR capabilities).
Integration of Tools
The most important feature of SOAR solutions is their ability to integrate with other tools and systems. Most organisations are beginning to centralise security solutions through SIEMs, but SOAR goes well beyond SIEM: it enables the integration and correlation of alerts from a wider variety of products, enriching them even further with contextual and actionable information from threat intelligence platforms, forensics and malware analysis tools, IT infrastructure, and more. This enables security teams to effect changes at the network, host and application levels, and even in physical access control systems.
The more tools and feeds that are integrated within the SOAR solution, the greater the visibility and control security teams have over their network, enriched data and potential threats. Most SOAR solutions have a huge number of pre-built integrations, meaning components from new technologies can be added to playbooks with the click of a button, for seamless, single-pane management of your security stack.
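The automated playbooks from the previous section and the tool integrations described here are two sides of the same mechanism, so one added example (not the post's or any vendor's code) covers both: a small playbook engine in which each step names an integration, branches on earlier results, and leaves an audit trail. The playbook is the phishing-triage case the post suggests as a starting point, ending in endpoint isolation for confirmed clicks. The integrations act on in-memory stand-ins for a threat-intelligence lookup, proxy logs, a ticketing system and an EDR; those stand-ins, the alert fields and the host names are assumptions made for the example, and a real deployment would replace them with the products' own API calls.

```python
from dataclasses import dataclass, field


@dataclass
class SecurityStack:
    """In-memory stand-in for the tools a SOAR would drive over their APIs
    (a threat intel lookup, a web proxy's logs, a ticketing system, an EDR)."""
    known_bad_domains: set = field(default_factory=set)
    click_log: dict = field(default_factory=dict)  # url -> hosts that fetched it
    tickets: list = field(default_factory=list)
    isolated_hosts: set = field(default_factory=set)
    edr_online: bool = True

# Integrations share one signature, (stack, alert, ctx), so the engine can
# dispatch any of them by name; each returns a value later steps can branch on.
def ti_lookup(stack, alert, ctx):
    return alert["sender_domain"] in stack.known_bad_domains

def proxy_clicks(stack, alert, ctx):
    return sorted({h for url in alert["urls"] for h in stack.click_log.get(url, [])})

def open_ticket(stack, alert, ctx):
    ticket = {"id": len(stack.tickets) + 1, "severity": ctx["severity"], "alert": alert["id"]}
    stack.tickets.append(ticket)
    return ticket["id"]

def isolate_hosts(stack, alert, ctx):
    if not stack.edr_online:
        raise ConnectionError("EDR API unreachable")
    stack.isolated_hosts.update(ctx["clicked"])
    return len(ctx["clicked"])

INTEGRATIONS = {f.__name__: f for f in (ti_lookup, proxy_clicks, open_ticket, isolate_hosts)}

# The playbook is data, not code: each step names an integration (or "set" for a
# computed value), where to store the result, and an optional condition on earlier results.
PHISHING_PLAYBOOK = [
    {"action": "ti_lookup", "save_as": "malicious"},
    {"action": "proxy_clicks", "save_as": "clicked"},
    {"action": "set", "save_as": "severity",
     "value": lambda ctx: ("high" if ctx["malicious"] and ctx["clicked"]
                           else "medium" if ctx["malicious"] else "low")},
    # Record the case before containment, so a failed containment step is never untracked.
    {"action": "open_ticket", "save_as": "ticket", "when": lambda ctx: ctx["severity"] != "low"},
    {"action": "isolate_hosts", "when": lambda ctx: ctx["severity"] == "high"},
]

def run_playbook(playbook, stack, alert):
    """Run the steps in order, keeping an audit trail. An integration failure stops
    the automation and escalates to a human rather than leaving the alert half-handled."""
    ctx, audit = {}, []
    for step in playbook:
        if "when" in step and not step["when"](ctx):
            audit.append((step["action"], "skipped"))
            continue
        try:
            if step["action"] == "set":
                result = step["value"](ctx)
            else:
                result = INTEGRATIONS[step["action"]](stack, alert, ctx)
        except Exception as exc:  # any integration error: stop and hand over
            audit.append((step["action"], f"failed: {exc}"))
            return {"outcome": "escalate", "ctx": ctx, "audit": audit}
        if "save_as" in step:
            ctx[step["save_as"]] = result
        audit.append((step["action"], result))
    return {"outcome": "auto-closed" if ctx["severity"] == "low" else "ticketed",
            "ctx": ctx, "audit": audit}

# Constructed alerts: a benign mail, a malicious one a user clicked, and one nobody opened.
ALERTS = [
    {"id": "A-1", "sender_domain": "partner.example", "urls": ["http://partner.example/q"]},
    {"id": "A-2", "sender_domain": "bad-invoice.example", "urls": ["http://bad-invoice.example/doc"]},
    {"id": "A-3", "sender_domain": "bad-invoice.example", "urls": ["http://bad-invoice.example/x"]},
]

def new_stack(edr_online=True):
    return SecurityStack(known_bad_domains={"bad-invoice.example"},
                         click_log={"http://bad-invoice.example/doc": ["WS-042"]},
                         edr_online=edr_online)

def demo():
    """Triage all three alerts with the EDR reachable."""
    stack = new_stack()
    return stack, [run_playbook(PHISHING_PLAYBOOK, stack, a) for a in ALERTS]

def demo_edr_down():
    """Same clicked-phish alert, but the containment integration is unreachable."""
    return run_playbook(PHISHING_PLAYBOOK, new_stack(edr_online=False), ALERTS[1])

if __name__ == "__main__":
    stack, results = demo()
    for alert, result in zip(ALERTS, results):
        print(alert["id"], result["outcome"], result["audit"])
    print("EDR down:", demo_edr_down()["outcome"])
```

The benign report is closed with no human involvement, which is the low-priority volume the post says automation should absorb; the clicked phish is ticketed and the host isolated; the unclicked one is ticketed at medium severity and left for an analyst. The failure path matters as much as the happy path: when the EDR integration is down the ticket already exists and the audit trail shows exactly which step failed, so the alert is escalated rather than silently dropped.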
It can be difficult, even daunting, to know where to start with SOAR; after all, you can essentially automate whatever you want. However, we believe that if you start simple, basic automations such as phishing investigations and/or isolating an endpoint can be achieved quickly, providing an ROI almost immediately. SOAR projects often fail if you start with something too complex; it’s a journey that we can support you on. Get in touch if you want to know more.