How to Maximize Your SOAR Investment

The Problem

Today’s security analysts face serious challenges when attempting to identify, assess, respond to and remediate alerts in a timely manner. What’s more, as new internet of things (IoT) devices are added to the network and attackers develop new techniques and increased sophistication, the threat landscape continues to grow, adding additional pressure to already overwhelmed security operations center (SOC) teams.

The manual effort required for an analyst to open, read and comprehend an alert is significant. To ensure they have a complete picture, they must must also identify and consider any related alerts in their investigation. Most SOC analysts achieve this by copying and pasting the IP address, file hash, URL, etc. into a browser tab or window that interfaces with threat intelligence sources. The results must also be copied and pasted back into the alert or event record to provide context to the existing data.

“Analysis Paralysis” comes to mind here: The mind-numbness that comes from repeating the same monotonous task all day every day (and for some, at night too). But it doesn’t have to be that way.

Since we’re not going to be able to staff ourselves out of this problem, the logical solution is to find a better way to perform that process. A security orchestration, automation and response (SOAR) solution can eliminate most, if not all, of these manual tasks and help ensure every alert is handled in a consistent, repeatable way at machine-speeds.

SOAR as a solution

The first step to maximizing your SOAR solution is having strong incident response processes in place. These processes are replicated in your SOAR platform as playbooks to accomplish tasks and workflows that orchestrate actions. By doing this, you’re ensuring:

  • Incident response processes are consistent and repeatable, eliminating the potential for human error.
  • SOC improvements are clearly defined and reported with metrics showing drastic reductions to mean times to detect and respond as well as minimal dwell time when responding to alerts.
  • Analyst on-boarding and training efforts are efficient and standardized.
  • Documented workflows provide a guidebook for reference while also helping make sure analyst learn and use the proper techniques and methodologies for handling each type of incident.

SOAR implementation also provides a single unified view that dramatically improves the analyst’s day-to-day. Instead of having to learn, work with, and constantly reconfigure the unique designs and quirks of each individual security tool, analysts can work with the single consistent interface of the SOAR platform. This new central security component becomes the premium location for designing and testing new processes for handling alerts and incidents. Using the workflow builder provides a simple drag-and-drop interface that can quickly connect and rearrange different combinations of data interchange, allowing engineers and analysts to refine their processes. Typically, with little to no programming required, users can test out different combinations of tool and data connections quickly and efficiently.

Return On Investment

Tracking return on investment (ROI) in real time with SOAR is easy to accomplish. Many SOAR platforms provide an administrative tool that allows you to set a value for the cost to execute a manual action both in time and money. Providing this information allows the SOAR platform to calculate in real time the average amount of time and money saved for each action performed by the SOAR platform. Swimlane offers the option to get even more granular and provide effort values of time and money for each task executed. This enables Swimlane to provide better than average measurements and real-time ROI calculations that can be displayed as needed.

With SOAR implementation, analyst efficiency begins to multiply. A single analyst can easily handle multiple tasks in the time it would have taken them to handle a single task previously. These efficiencies are typically most abundant in well-defined and refined use cases. The most commonly implemented use cases, due to their prevalence and importance to the SOC are phishing, SIEM alert triage and threat intelligence.

Well-defined processes are key. These cases tend to be well defined from a procedural standpoint and are often some of the first and easiest to roll out with SOAR. By beginning with these use cases, it is easier to identify where significant elements of manual effort and time are being spent and look for opportunities to reduce or eliminate them with automation and orchestration. Savings begins to be realized immediately and becomes exponentially noticeable.

Every new use case implemented with SOAR increases the efficiencies at an almost logarithmic pace. Then adding more unique use cases like VPN monitoring, employee on- and off-boarding, or monitoring for domain squatting becomes easier and only increases overall savings of time and manual effort.

The SOAR values for time per action and cost per action are critical to getting the best results from your ROI calculations. Other reports, charts and graphs can provide the KPIs that are most valuable to you. Don’t forget that dashboards can be unique to the user or role they are intended for. SOAR can track the performance of users, groups, roles, tools, tool groups and just about anything else you might want to track. Make it your own and make sure what you get from your SOAR tool is what you need to maximize your investment in SOAR.


*** This is a Security Bloggers Network syndicated blog from Swimlane authored by Heather Williams. Read the original post at: https://swimlane.com/blog/how-to-maximize-your-soar-investment-roi/