The challenges discussed in Part 1 of this series explain why security operations centers (SOCs) need a security orchestration, automation and response (SOAR) solution to keep up. Industry-wide, analysts are overwhelmed, overworked and in need of tools that help them keep pace with an expanding threat landscape and a growing cybersecurity skills shortage. Even if a SOC could hire all of the personnel it needs, it would still require automation and orchestration to investigate the thousands of alerts it receives each day.
There was a time when industry thought leaders weren’t sure whether SOAR was truly “a thing.” But with insights from recent reports, such as the Gartner 2019 Market Guide for Security Orchestration, Automation and Response Solutions or How Using SOAR Tools Makes Life Easier from Enterprise Management Associates (EMA), it is clear that SOAR is gaining a foothold in the security industry and within SOCs of every size. The reason, in short, is that SOAR enables SOC teams to achieve more with less, an attractive proposition to the CISO and analyst alike. SOAR automates the tedious, repetitive, manual tasks in incident response processes that are known to lead to analyst burnout and alert fatigue.
What about SIEM?
Most organizations use some type of security information and event management (SIEM) system, and that is unlikely to change; SOAR does not replace the SIEM, it consumes the alerts the SIEM produces. While the data gathered by SIEMs is incredibly valuable to the SOC, analysts struggle to keep up with the seemingly endless alerts these tools generate. The predominantly manual investigation processes associated with SIEM tools create significant fatigue, which leads to errors and exposure for the organization. SOAR reduces the amount of manual handling these tools require, and in doing so enables more thorough alert investigation, faster decision making and overall more effective incident response processes.
SOARing above the problems
SOAR empowers analysts by helping them view and understand large sets of data at a glance, rather than requiring them to toggle between different windows, tools and even machines to investigate a single alert. Instead of relying on raw strings of text or numeric fields, data visualization in a SOAR solution lets analysts reach conclusions and take action far more quickly.
What’s more, many incident response actions can be carried out without any human intervention once a SOAR solution is implemented, with human approval typically reserved for high-impact steps such as isolating a critical production host. The orchestration component of SOAR enables the SOC to connect disparate resources and bring their data into the case record to enrich the alert. Rather than spending time learning the intricacies of countless unique systems (which are likely to change over time and require workarounds depending on the SOC’s ecosystem), analysts can use the single case record view of the SOAR platform to access and observe all of the data. This bolsters individual analyst performance, which in turn improves the efficacy of the entire SOC.
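To make the enrichment-and-respond flow described above concrete, here is a small playbook written in Python as an added illustration. It is not Swimlane’s code or any vendor’s API: the threat-intel feed, asset inventory and EDR telemetry are constructed in-memory tables standing in for the tools a real playbook would orchestrate, and the risk thresholds and action names (`block_ip`, `isolate_host`, `propose_isolate`) are assumptions chosen for the example. The point it shows is the one the paragraph makes: several sources are pulled into a single case record, low-impact actions run automatically, and a destructive action on a high-criticality asset is queued for analyst approval rather than executed.

```python
"""Toy SOAR playbook: enrich a SIEM alert from several sources into one
case record, then choose a response. Illustrative only; not Swimlane's
code. Every lookup is a constructed in-memory table so it runs offline."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for the tools a real playbook would orchestrate.
THREAT_INTEL = {                       # reputation feed, keyed by IP (example data)
    "203.0.113.45": {"score": 92, "tags": ["c2", "cobalt-strike"]},
    "198.51.100.7": {"score": 15, "tags": ["cdn"]},
}
ASSET_INVENTORY = {                    # CMDB, keyed by internal IP (example data)
    "10.0.5.12": {"hostname": "fin-ws-07", "owner": "finance", "criticality": "high"},
    "10.0.9.30": {"hostname": "lab-vm-03", "owner": "research", "criticality": "low"},
}
EDR_EVENTS = [                         # process telemetry from an EDR (example data)
    {"host": "fin-ws-07", "process": "rundll32.exe", "dst_ip": "203.0.113.45", "signed": False},
    {"host": "lab-vm-03", "process": "chrome.exe", "dst_ip": "198.51.100.7", "signed": True},
]
# RFC 1918 ranges; anything outside them is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class CaseRecord:
    """The single view an analyst would see: the alert plus all context."""
    alert: dict
    enrichments: dict = field(default_factory=dict)
    risk: int = 0
    actions: list = field(default_factory=list)
    needs_approval: bool = False


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def enrich(alert: dict) -> CaseRecord:
    """Orchestration step: query each tool and attach its answer to the case."""
    case = CaseRecord(alert=alert)
    src, dst = alert["src_ip"], alert["dst_ip"]
    case.enrichments["dst_external"] = is_external(dst)
    intel = THREAT_INTEL.get(dst, {"score": 0, "tags": []})
    case.enrichments["intel"] = intel
    asset = ASSET_INVENTORY.get(src, {"hostname": "unknown", "owner": "unknown", "criticality": "unknown"})
    case.enrichments["asset"] = asset
    # Which processes on the source host talked to the flagged destination?
    case.enrichments["processes"] = [
        e for e in EDR_EVENTS if e["host"] == asset["hostname"] and e["dst_ip"] == dst
    ]
    # Simple additive scoring; the weights are example values, not a standard.
    case.risk = intel["score"]
    if any(not p["signed"] for p in case.enrichments["processes"]):
        case.risk += 20                # unsigned binary reaching out is suspicious
    if not case.enrichments["dst_external"]:
        case.risk //= 2                # internal destinations are scored down
    return case


def respond(case: CaseRecord) -> CaseRecord:
    """Automation step. Non-destructive actions run on their own; isolating a
    high-criticality host is proposed for analyst approval, not executed."""
    host = case.enrichments["asset"]["hostname"]
    if case.risk >= 80:
        case.actions += ["block_ip:" + case.alert["dst_ip"], "open_ticket:P1"]
        if case.enrichments["asset"]["criticality"] == "high":
            case.needs_approval = True
            case.actions.append("propose_isolate:" + host)
        else:
            case.actions.append("isolate_host:" + host)
    elif case.risk >= 40:
        case.actions.append("escalate_to_analyst")
    else:
        # Auto-closing is itself an automated decision; keep it auditable.
        case.actions.append("auto_close:low_risk")
    return case


def run_playbook(alert: dict) -> CaseRecord:
    return respond(enrich(alert))


if __name__ == "__main__":
    # Constructed SIEM alert: finance workstation contacting a known C2 address.
    case = run_playbook({"id": "SIEM-1001", "src_ip": "10.0.5.12",
                         "dst_ip": "203.0.113.45", "user": "jdoe"})
    print(case.risk, case.needs_approval, case.actions)
```

The guardrail in `respond` is the design choice worth copying: the playbook blocks the destination and opens a ticket on its own, but because the source is a high-criticality finance host it records `propose_isolate` and sets `needs_approval` instead of isolating the machine, so the analyst sees the fully enriched case and makes the one call that could disrupt the business.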
SOAR without limits
By automating tedious, repetitive tasks and orchestrating disparate tools and processes, a SOAR platform substantially improves analyst performance, which also decreases the organization’s mean time to detect (MTTD) and mean time to respond (MTTR). As a SOAR-enabled SOC explores the full capabilities of its solution, analysts will likely find additional ways to improve their effectiveness for the organization as a whole. A truly robust SOAR solution gives the organization a wide range of options for connecting, automating and orchestrating its operations.
Today, we are only beginning to see the new ways SOAR can be used to improve the operational effectiveness of the SOC. In part three, we will take a look at the future of SOAR and ways it could help achieve maximum benefit across the organization.
*** This is a Security Bloggers Network syndicated blog from Swimlane authored by Jay Spann. Read the original post at: https://swimlane.com/blog/the-past-present-and-future-of-soar-state-of-soar/