NEW TECH: Juicing up SOAR — SIRP inserts risk-based analysis into network defense playbooks

Security information and event management (SIEM) is evolving and integrating with security orchestration, automation, and response (SOAR) to add real value in the cybersecurity space.


SIEM is useful for detecting potential security incidents and triggering alerts, but the addition of a SOAR solution brings these alerts to another level by triaging the data and adopting remediation measures where required.

A new addition to the SOAR space is SIRP, a platform established in 2019 in the UK that combines security operations management with cybersecurity intelligence. I caught up with Faiz Shuja, SIRP cofounder, at the RSA 2020 Conference in San Francisco recently. You can get a full drill down on our discussion in the accompanying podcast. Here are a few key takeaways:

Quickening investigations

Enterprises are drowning in an ocean of threat feeds; SOAR offers a lifeline.

An endless stream of technologies that deliver data, combined with a shortage of skilled security analysts, has pushed the market toward SOAR, which automates repetitive security analysis tasks and frees analysts to work on more important tasks.

“Right now what you are seeing in the SOAR space is just scratching the surface,” Shuja points out. “It’s mainly ingesting all the security alerts coming in from different sources and running different playbooks like workflows on them, so that some of the enrichment and analysis can be done automatically.”

Playbooks contain the security processes that an analyst performs, automating alert analysis. Full automation is still some way off, but the data can be enriched based on certain automation and workflows, automating some 70 percent of the risk investigation. More mature playbooks will actually block an IP address, quarantine an endpoint, and take more proactive decisions.


SOAR also speeds up investigation time. An analyst might take 15 to 30 minutes to do low-level correlations, whereas automated analysis can take mere seconds. “You can automate 70 percent of the workflow that a security analyst usually has to perform manually, and then the analyst can take it from there and declare it as an actual incident, or a false positive,” Shuja told me. “It’s saving a lot of time, and then the analyst can focus on more important analysis, and get through a lot more alerts.”

Risk-based decisions

SIRP positions itself as risk-based SOAR, allowing organizations to make risk-based decisions rather than just responding to alerts. Enterprises cannot respond to the thousands of alerts they receive daily, so Shuja distinguishes SIRP from other platforms by its ability to empower organizations to prioritize alerts and respond to the most important. SIRP ingests data on vulnerabilities and threat intelligence feeds and correlates them with the organization's assets and risks. The resulting risk register allows the organization to build context and prioritize based on that information profile.

When a security alert comes in on an asset, the SIRP platform recognizes the asset’s vulnerabilities, risks, threat intelligence, and applicable alerts. Based on that information, it generates a security score that rates that security event’s importance. This relative score gives the analyst an overall context to help them prioritize risks.

SIRP integrates with existing security scanners that gather data on global tech vulnerabilities. “We pull different feeds and correlate with the context in the organization based on the information we have used.”

Early enterprise customers include Oman’s largest oil refinery, a Forbes Global 2000 bank, and a leading Saudi Arabian MSSP.

SOAR advances to come

For one of the banks SIRP works with, SIRP used SOAR to track everything that had already been assigned a risk, ingesting all the data and applying its own technology to automate, scale up, and generate the appropriate playbooks. Case management is built in, so once the analysis is performed, cases can be assigned to the appropriate asset owner to take action if required.

Shuja believes the potential of SOAR technology is largely untapped. “There are going to be more use cases. [Just] as you have seen SIEM platforms moving from log management to full analytics, so I think the SOAR platform also needs to evolve.”

Last Watchdog’s Melanie Grano contributing.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: