The cyber security threat landscape is often exposed to emerging technology being touted as a silver bullet that can stop new and evolving threats dead in their tracks. We’ve seen the same claim time after time, yet decades after the first phishing attack resulted in a breach, we still see threat actors using social engineering at an alarming rate. Like SIEM technology, SOAR too has been called a silver bullet; however, each tool needs to be part of a holistic approach to security to harden an organization's defenses and move to a proactive state.
So how do SOAR and SIEM solutions help security teams achieve a higher level of maturity? By improving security operations and SOC efficiency through automation. More specifically, reducing alerts managed by the SOC and automating routine tasks.
Fact or Fiction?
For the past two years, organizations have rapidly adapted to remote and hybrid workforces, and in parallel, threat actors have increased their attack volume. This has created a constant state of overload for cyber security teams, which puts more pressure on staff, budgets, and output.
According to APWG’s Q1 2021 phishing activity report, phishing attacks are at a historic high, and January smashed all previous records. Phishing is just one attack vector among countless others, but it remains one of the largest producers of alerts. With phishing volume at historic highs, the SOC is burdened both by the related triage tasks and by the corresponding false positives reported by users. Fortunately, handling these events and potential incidents follows routine processes and procedures, making it an ideal use case for automation.
How does automation take what can require up to four hours of manual effort and reduce it to just a few minutes? There are two primary methods: automatically enriching data into intelligence, and automatically actioning that intelligence based on playbooks. These two processes consume the most analyst effort, yet each follows the same rails every time.
And, according to Aite, enriching data to create threat intelligence will help security teams answer pertinent questions:
- Is the IOC reported on a critical asset?
- What is the proximity of the IOC to critical assets?
- How many other threat intelligence sources have rated this IOC as high?
- Have we seen this IOC elsewhere in our IT enterprise?
Take, for example, a leading banking and financial services institution in the Middle East that was facing similar challenges, along with other manual processes tied to actioning incoming intelligence. According to the bank’s CISO, “In the past, it could take two days to respond to new intel; now it’s minutes. In the past, I couldn’t spare people; I needed more. Now they can focus on their projects.”
Alert-Based SOAR Use Cases
There are two primary areas where SOAR can positively impact the SOC via automation to make it more efficient and reduce time to respond.
Alert Triage and Prioritization
This is the ability to take alert inputs from different sources and apply a data enrichment process. This rationalizes and prioritizes incidents with a more significant impact and high probability of causing damage to a given organization. The goal is to leave fewer alerts behind and concurrently produce highly accurate incidents that deserve genuine attention from analysts.
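The enrichment questions listed earlier (critical asset, proximity, intel ratings, prior sightings) and the triage step described here can be worked through in a small script. The following is an added example, not code from the original article or from any SOAR product it mentions; the asset inventory, proximity table, the three intel feeds and the sighting history are all constructed sample data, and the scoring weights are an arbitrary illustration of how enrichment results can be turned into a priority.

```python
from dataclasses import dataclass, field

# Constructed sample data (not real assets, feeds or indicators).
# Critical assets by IP, as an asset inventory would supply them.
CRITICAL_ASSETS = {"10.0.1.10": "domain-controller", "10.0.1.20": "payments-db"}
# Proximity: network hops from each monitored host to the nearest critical asset.
PROXIMITY_HOPS = {"10.0.1.10": 0, "10.0.1.20": 0, "10.0.5.44": 1, "10.0.9.7": 3}
# Three hypothetical threat-intel feeds, each rating an IOC low/medium/high.
INTEL_FEEDS = {
    "feed_a": {"203.0.113.5": "high", "198.51.100.9": "medium"},
    "feed_b": {"203.0.113.5": "high"},
    "feed_c": {"203.0.113.5": "medium", "198.51.100.9": "low"},
}
# Historical telemetry: IOC -> hosts where it has already been observed.
SIGHTINGS = {"203.0.113.5": ["10.0.9.7", "10.0.5.44"], "198.51.100.9": []}


@dataclass
class Alert:
    source: str   # e.g. "siem", "email-gateway", "edr"
    ioc: str      # the indicator the alert fired on
    host: str     # the host the alert was raised for


@dataclass
class EnrichedAlert:
    alert: Alert
    on_critical_asset: bool
    proximity_hops: int
    high_ratings: int            # how many feeds rate the IOC "high"
    prior_sightings: list = field(default_factory=list)
    score: int = 0


def enrich(alert):
    """Answer the four enrichment questions for a single alert."""
    on_critical = alert.host in CRITICAL_ASSETS
    hops = PROXIMITY_HOPS.get(alert.host, 99)   # unknown host: treat as far away
    high = sum(1 for feed in INTEL_FEEDS.values() if feed.get(alert.ioc) == "high")
    # Sightings elsewhere in the enterprise, excluding the alerting host itself.
    seen = [h for h in SIGHTINGS.get(alert.ioc, []) if h != alert.host]
    return EnrichedAlert(alert, on_critical, hops, high, seen)


def score(enriched):
    """Turn enrichment answers into a 0-100 priority (illustrative weights)."""
    s = 0
    if enriched.on_critical_asset:
        s += 40
    elif enriched.proximity_hops <= 1:
        s += 20
    s += 15 * enriched.high_ratings
    s += 10 * min(len(enriched.prior_sightings), 3)
    enriched.score = min(s, 100)
    return enriched.score


def triage(alerts, threshold=50):
    """Enrich, score and split alerts into incidents worth an analyst's time
    and low-priority alerts that can be closed or handled by playbook."""
    enriched = [enrich(a) for a in alerts]
    for e in enriched:
        score(e)
    enriched.sort(key=lambda e: e.score, reverse=True)
    incidents = [e for e in enriched if e.score >= threshold]
    low_priority = [e for e in enriched if e.score < threshold]
    return incidents, low_priority


if __name__ == "__main__":
    sample = [
        Alert("siem", "203.0.113.5", "10.0.1.10"),
        Alert("email-gateway", "198.51.100.9", "10.0.9.7"),
        Alert("edr", "203.0.113.5", "10.0.5.44"),
    ]
    incidents, low = triage(sample)
    for e in incidents:
        print(f"INCIDENT {e.score:3d}  {e.alert.source:13s} {e.alert.ioc} on {e.alert.host}")
    for e in low:
        print(f"low      {e.score:3d}  {e.alert.source:13s} {e.alert.ioc} on {e.alert.host}")
```

Each enrichment question maps to one lookup, which is why this stage automates cleanly: the same inventory, feed and telemetry queries run for every alert, and only the alerts that clear the threshold reach an analyst. In a real deployment the dictionaries would be replaced by calls to the CMDB, the intel platform and the SIEM, and the weights tuned to the organization’s own risk appetite.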
Threat Intelligence and Investigation
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and action-oriented advice, about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard. An incident investigation is then conducted as a workflow that validates the alert into an incident and determines the best workflow for initiating a response, whether manual or automated.
Read Aite’s Full SOAR Impact Guide
In a later article, we’ll take a closer look at some of these use cases in motion and how SOAR specifically makes routine processes faster. For now, we recommend taking a look at Aite’s latest report on SOAR and to see how the next generation of SOAR technology is starting to emerge.