On the surface, organizations still face the same cyber threats we have seen for decades; underneath, the techniques behind them constantly change. For example, a phishing lure from two months ago likely has different messaging, dozens of new domains, and countless different targets today. The same goes for banking trojans, loaders, brute force attacks, and of course, ransomware.
The common thread? Like cybersecurity professionals, threat actors and hackers follow similar models to find success: use lessons learned, cover your tracks, and use automation where possible.
According to Aite’s latest SOAR Impact Report, “attackers get smarter by studying organizational defenses. A SOAR solution is a great equalizer to see where a hacker sets up an attack in the kill chain. SOAR solutions are designed to identify IOCs in the kill chain, alert security analysts, and take automated threat remediation action.”
The report also suggests that analysts may have a knowledge or skill deficit due to constantly evolving threats; however, we see this as a resource, availability, process, and technology shortage more than anything. Soapbox aside, let’s take a closer look at how SOAR can put the security operations center on a more level playing field.
Using SOAR to Disrupt Threat Actor Kill Chains
According to Cyware Threat Intelligence Specialist Neal Dennis, SOAR is a force multiplier which, when deployed correctly, allows security operations teams to respond to threats sooner and disrupt a kill chain in motion. This comes from automating routine processes while keeping analysts involved at critical stages. Identifying an organization’s automation tolerance, that is, which actions it is willing to let run without a human decision, is an essential step in working out how best to deploy SOAR. This is especially true as the scope of SOAR keeps expanding.
Based on Aite’s latest definition and a look at Next-Gen SOAR technology, solutions will go beyond simple automation and include capabilities for alert triage, case management, incident response, orchestration and automation, playbooks, threat intelligence, risk scoring, multitenancy, and support integrations.
However, Dennis also notes a vital caveat around automation and the availability of playbooks. While SOAR solutions come in many forms, the library and availability of playbooks determine what outcomes a SOC can gain from such a solution. “Your playbooks are only as good as those programming them and the intelligence you leverage to make automated actions.” When exploring SOAR technology, finding a solution that supports your existing security tools is vital; it makes the difference between a force multiplier and more work for analysts.
Using SOAR to Free Up Analyst Time
Aite’s report also notes that SOAR solutions are designed to identify IOCs in the kill chain, alert security analysts, and take automated threat remediation action.
“SOAR should first look to solve the burden of timely response, freeing up analysts' time to either get good scrub/have time to learn new skills, or build in more time to research threats known to target their environment,” said Dennis.
This allows for a more proactive approach, giving analysts more time to prioritize critical threats and significantly reducing wasted effort on false positives.
Dennis goes on to say that “attaching SOAR to things like vulnerability assessments, automating patching and vulnerability responses efforts can free up time. SOAR is a force multiplier, not some magic all-knowing eight-ball that will mysteriously find stuff you've missed. You can use it to automate threat hunting operations; that’s pretty close. But, your threat hunting operations are only as good as the intel and the programming in the playbook.”
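To make the two points above concrete (analyst involvement at critical stages, and playbooks being only as good as the intelligence feeding them), here is an added example of a minimal triage playbook. It is illustrative code written for this article, not Cyware's product or any real SOAR platform; the intel feed, alerts, action tiers and tolerance setting are all constructed.

```python
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> confidence (0-100). Not real IOCs.
INTEL = {"203.0.113.7": 90, "evil-lure.example": 75, "198.51.100.24": 30}

# Automation tolerance: actions at or below this tier run without an analyst.
# Tier 1 = enrich/tag, tier 2 = contain, tier 3 = destructive. Constructed values.
AUTO_TOLERANCE = 1
ACTION_TIER = {"tag": 1, "block_ip": 2, "isolate_host": 2, "disable_account": 3}

@dataclass
class Alert:
    id: str
    src_ip: str
    domain: str
    user: str
    stage: str  # kill-chain stage reported by the detection: delivery, c2, actions

@dataclass
class Outcome:
    alert_id: str
    score: int
    auto_actions: list = field(default_factory=list)      # executed by the playbook
    pending_approval: list = field(default_factory=list)  # queued for an analyst
    closed_low_confidence: bool = False

def score(alert):
    """Highest-confidence IOC match across the alert's indicators; 0 if none match."""
    return max(INTEL.get(alert.src_ip, 0), INTEL.get(alert.domain, 0))

def plan_actions(alert, s):
    """Choose a response that escalates with the kill-chain stage; weak matches get none."""
    if s < 50:
        return []
    actions = ["tag", "block_ip"]
    if alert.stage == "c2":
        actions.append("isolate_host")
    elif alert.stage == "actions":
        actions += ["isolate_host", "disable_account"]
    return actions

def run_playbook(alert, tolerance=AUTO_TOLERANCE):
    """Triage one alert: enrich, score, then split actions by automation tolerance."""
    s = score(alert)
    out = Outcome(alert.id, s)
    actions = plan_actions(alert, s)
    if not actions:
        out.closed_low_confidence = True  # noise or weak intel: no analyst time spent
        return out
    for a in actions:
        (out.auto_actions if ACTION_TIER[a] <= tolerance else out.pending_approval).append(a)
    return out
```

Raising `tolerance` to 2 lets containment run unattended while account disablement still waits for an analyst, which is the trade-off the automation-tolerance discussion is about.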
Fighting Automation with Automation