SOAR Doesn’t Have Mood Swings
If you looked back at how your cyberdefense centers have evolved, you’ll realize that you’ve only thrown more eyeballs on the screen to deal the with the ever-expanding threat landscape. The challenge for the current team is to stay afloat in this endless stream of alerts and identify, rank and respond to the most critical ones. Given that cybersecurity data doubles every year, you’d soon be looking at a real estate problem—you will need to house an exponentially increasing number of analysts to handle the exponentially growing number of alerts. What seems like a challenge today, will be an impossible task tomorrow. Amid these non-stop threat notifications, you realize that it’s only a matter of time until someone drops the ball.
SOC at Scale: That’s a Problem. Here’s Why
You have security information and event management (SIEM) systems that listen to the chatter from around the infrastructure. Hopefully, they help us connect the dots. Next, there are analysts at the security operations center (SOC) who crunch these alerts and validate threats, weeding out false positives and prioritizing events of interest. This process is easy if it works, but the reality is different. The ratio of false positives to meaningful alerts turns the game. Add to that our love for mindless notifications. This creates tremendous pressure on the SOC by requiring analysts to be “extra” attentive to ensure nothing slips through. Let’s face it; it is painful to spend time analyzing alerts and eventually discover that some of them are not even real.
The equation is simple: More alerts requires more analysts. You are now hunting for the right talent while trying not to settle for whatever is available. After you hire, you realize that this is just the beginning. Next, you start worrying about training them, helping them with the process and finally holding on to them. However, the fact remains that more the people in your SOC, the more it seems like a mishap is around the corner.
Same Problem, Different Outcomes
If you give the same incident to 30 analysts in a SOC, you are likely to see six different lines of investigation and four of which won’t achieve the desired end goal. This is due to a skills gap that also ensures you have a vibrant spread of reaction times in your weekly report. And because it is impossible to have all your analysts at the same skill level, you end up leaning on your superstar handlers during times of stress.
As a culture, analysts must continually be kept aware of the threat landscape and helped to build strategies to tackle these threats. While these strategies are sometimes standardized, most of the times threats are left to the good judgment of the handler.
The State of Mind is a Significant Contributor
Running a SOC is like managing a team that must win at all costs. As in a group, where having all members switched on at all times is a challenge, in a SOC, temperaments play a part in bringing out varying results from every individual. Laxity (and similar traits) in mundane tasks can result in significant breaches. Let’s also get practical here; even skilled analysts can make errors when inundated with this deluge.
Going from Machine to Machine
Validating an alert is critical because it is here that an alert becomes a possible threat. The process of validation can include multiple internal and external checks and cross-checks against other devices or endpoints.
Typically, the validation process accounts for about two-thirds of the time required for investigating a threat. Security orchestration automation and response (SOAR) helps in connecting the threat management life cycle to API-driven service providers that respond with third-party intelligence on the threat. SOAR brings capabilities that validate threats internally and externally (using these third-party threat intelligence partners). Today, the majority of the validation checks done by analysts (including correlations) can be automated.
As per a study performed on MSSPs (predominantly servicing customers in India), it takes an average of 170 minutes from the time a threat is identified to the time a response action is initiated. This is because response is a manual process, and different levels of validation are performed before initiating a response action.
By chaining these response actions after an automated validation check, we can cut down the dwell time of an attacker significantly and save time spent in investigating mundane alerts.
Making SOAR Work for You
SOAR platforms allow binding validation and response plugins based on defined logic; these platforms have the benefit of integrating with various data providers and network and security components. The most effective way of implementing automation is to:
- Collect past alerts and group similar threats.
- Pick threats that occur the most.
- Notice the path of investigation and the combination of validations and response analysts take for each threat type.
- Mark validation and response blocks that can be automated.
After the first phase of automation, you could look at a more connected approach using security orchestration. Multiple playbooks can be connected, allowing investigations to automatically branch out into different directions. In a way, train systems to handle threats like humans.
Introducing SOAR capabilities into your business is the beginning of quick decision-making and rapid response without human errors. SOAR is the best escape for analysts stuck in the maze of SIEM alerts. It enriches events to prevent false positive alerts from lowering the sensitivity bar, streamlines your incident response workflows and improves overall security operations—incident response times define effective cybersecurity.
After figuring out the exact steps in the human (as-is) process, as a part of SOAR, you can automate them to reduce the personnel workload by more than 41 percent. This means 410/1,000 alerts can be automated! Even the remaining 59 percent have contextual information added to assist analysis, enabling speedy and accurate decision-making. Security is no longer a trade-off between the two.
Your SOC analysts will rock—minus the mood swings!