The longer it takes to respond to a security-related event, the more damage that event is likely to cause. Key to reducing such damage—and the amount of dwell time—is being able to quickly determine the level of risk associated with the indicators of compromise (IOCs). One of the fastest ways to evaluate and respond to that risk is by leveraging a security orchestration, automation and response (SOAR) solution with threat intelligence tools that are integrated into your workflows.
Determining the seriousness of a security event is critical to an accurate and effective response. Many different threat intelligence tools are available, and they all provide various insights on the level of risk associated with many different types of indicators. That fact is both a blessing and a curse when manually investigating IOCs. On the one hand, being able to evaluate results from several different tools is an excellent way to get a broad perspective and see if there is any risk associated with a particular IOC. But it is rare that any one threat intelligence tool has the ideal set of information. For example, how often do you scan an indicator with VirusTotal and have every single detection engine agree on the result? On the other hand, the amount of time it takes to query each tool systematically adds to the overall length of the response time. If using one tool takes three minutes (open the tool/page, log in, paste the data, copy the result, paste the data into your case record, etc.), then using three different tools to get a better overall result likely takes at least three times as long, or longer.
When executing these steps without a SOAR solution, the benefit of using more tools and getting a more accurate overall result is outweighed by the amount of time the process takes and how critical each second is in the response process. SOAR is the way to get the best of both worlds. Integrating your threat intelligence tools with your SOAR platform enables you to automate the enrichment/lookup process and reduce the time to respond dramatically. Not only does the SOAR solution carry out otherwise manual tasks at machine speeds, but it can also carry out multiple tasks simultaneously.
Once your SOAR solution is integrated with your security tools, in many cases that same process can be cut down to less than a minute. SOAR can send the IOCs to multiple tools simultaneously and automatically bring the results back into the record. The SOAR platform could even provide suggestions to the analyst based on the results. Even more time can be saved by having a SOAR workflow automatically execute some or all of the response and remediation actions.
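The parallel enrichment described above, sketched as an added example (not Swimlane's code or any SOAR product's API). The feed names, verdicts, latencies, scoring thresholds and the 198.51.100.7 indicator are all constructed assumptions; it also shows the case where feeds disagree and one feed fails to answer in time.

```python
import asyncio
import time

# Constructed stand-ins for threat intelligence connectors (hypothetical names).
# Each maps an IOC to (simulated latency in seconds, verdict, confidence 0..1).
FEEDS = {
    "feed_a": {"198.51.100.7": (0.30, "malicious", 0.9)},
    "feed_b": {"198.51.100.7": (0.20, "suspicious", 0.6)},
    "feed_c": {"198.51.100.7": (0.25, "clean", 0.4)},
    "feed_slow": {"198.51.100.7": (5.00, "malicious", 0.9)},  # exceeds the timeout
}
WEIGHT = {"malicious": 1.0, "suspicious": 0.5, "clean": 0.0}

async def lookup(feed, ioc):
    """Simulate one enrichment call; a real connector would call the vendor API."""
    latency, verdict, confidence = FEEDS[feed].get(ioc, (0.1, "unknown", 0.0))
    await asyncio.sleep(latency)
    return {"feed": feed, "verdict": verdict, "confidence": confidence}

async def enrich(ioc, timeout=1.0):
    """Query every feed concurrently and merge the answers into one case record."""
    async def guarded(feed):
        try:
            return await asyncio.wait_for(lookup(feed, ioc), timeout)
        except asyncio.TimeoutError:
            # A slow or failing feed must not hold up the whole record.
            return {"feed": feed, "verdict": "error", "confidence": 0.0}
    started = time.monotonic()
    results = await asyncio.gather(*(guarded(f) for f in FEEDS))
    usable = [r for r in results if r["verdict"] in WEIGHT]
    total = sum(r["confidence"] for r in usable)
    # Confidence-weighted score in 0..1; disagreeing feeds pull it toward the middle.
    score = sum(WEIGHT[r["verdict"]] * r["confidence"] for r in usable) / total if total else None
    if score is None:
        suggestion = "no data: investigate manually"
    elif score >= 0.7:  # thresholds are illustrative assumptions
        suggestion = "contain"
    elif score >= 0.3:
        suggestion = "escalate to analyst"
    else:
        suggestion = "close as benign"
    return {"ioc": ioc, "score": score, "suggestion": suggestion,
            "failed": [r["feed"] for r in results if r["verdict"] == "error"],
            "results": results, "elapsed": time.monotonic() - started}

def run(ioc, timeout=1.0):
    return asyncio.run(enrich(ioc, timeout))

if __name__ == "__main__":
    print(run("198.51.100.7"))
```

Total elapsed time is bounded by the slowest feed or the timeout, not by the sum of all lookups, and the failed feed is listed in the record so the analyst knows the verdict is based on partial data.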
The amount of time that can be saved by this simple change is staggering. Anyone who has been an analyst and had to execute these tasks knows the time it takes to perform these steps manually. How many threat intelligence tools does your team use? How much time does it take your most proficient analyst to evaluate a single IOC against your standard tools? Now compare that to the time it takes an analyst to handle the alert if all the threat intelligence lookups are performed by the SOAR solution and delivered to the analyst as a single result. How much time would that save in your response process? If the time saved were 10 minutes per alert, how much time would that save a single analyst in one eight-hour shift? How many analysts are on the staff? If there are three shifts per day, how many hours are saved every day? When you start to think about it in these terms, the time (and cost) savings add up quickly! If you haven’t integrated your threat intelligence enrichment process with your SOAR platform yet, why not?
*** This is a Security Bloggers Network syndicated blog from Swimlane authored by Jay Spann. Read the original post at: https://swimlane.com/blog/reducing-response-times-with-soar-integrated-threat-intelligence/