SOC Automation: How Security Teams Benefit from SOAR


Posted on: November 09, 2020

Security operations and incident response teams are often stretched thin by the sheer volume of cyber threats organizations face, and technology designed to support them can at times add to the workload instead. Whether an organization’s SOC runs in the cloud, on-premises, or as a hybrid, technology should enable a SOC analyst to be more strategic about their workload and focus on priority initiatives, not hinder them.

For SOC and incident response (IR) teams, security automation through a security orchestration, automation, and response (SOAR) solution is one of the fastest ways to reduce time spent on low-priority work and filter out false positives, so that attention stays on genuine threats to the organization.

What is SOC Automation?

Security Operations Center (SOC) automation is designed to streamline processes and take over what is typically considered tedious work: enriching the data associated with a case or security incident, reviewing large numbers of false positives, and manually responding to cyber threats. It also covers sending security alerts and notifications and reaching out to users, which is itself a time-consuming task.

SOC Automation Use Cases

Automating the security team's SOC workflow and processes brings many benefits, and each step of an analyst's daily routine maps to one of them. Alerts and reported incidents consume a lot of manual time, especially when the majority turn out to be false positives or benign; even with some tooling in place, many SOC teams suffer alert fatigue. To reduce it, automation is put in place to enrich the data, collect the relevant evidence, and follow up with the affected user.

Threat Intelligence Enrichment and User Communication

For enrichment, a SOAR solution can compare an alert's details with other known or reported incidents, both internal ones and external ones delivered through threat intelligence feeds. False positives identified by the enriched intelligence are filtered out and moved to a closed state, which saves analysts more than half of their time on such alerts. SOC automation can also enrich a case by pulling evidence such as the relevant URL and details about the user. Lastly, if a user reported or triggered an incident, the system can contact them automatically by email or through an out-of-band channel such as SMS.

Automatically Close Cases or Flag for Review

Phishing reports in particular make up a large share of cases, and SOC automation can handle most of them. If an incident is assessed as benign or a false positive, the case is closed automatically. If it contains an executable file, a macro, or a malicious link, the automated workflow flags it for an analyst to review further.

IOC Collection

SOC analysts typically step into the automation process when an incident or threat actor needs further investigation. Once SOAR has pulled the relevant IOCs, typically from a connected solution such as a SIEM, further evidence is collected about the attacker and the affected user: the device involved, recent web history, and other relevant details. Only then does an analyst need to review the information and decide on the necessary response.

Automated Response

Once an analyst determines that an incident is a genuine threat, they can run playbooks to carry out the appropriate response. Rather than manually blocking a URL or deleting a malicious email, SOC automations handle these steps.

Knowledge Base

Lastly, so that other SOC team members and security teams can learn from a case or incident, SOAR can collect the relevant information and file it in a knowledge base.
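The five use cases above (enrich, auto-close or flag, collect IOCs and user context, hand off for response, record to a knowledge base) are the steps of one phishing-triage playbook. The following is an added example of that playbook in plain Python; it is not code from the original post or from any SOAR product. The threat-intel feed, the user directory, the sample alerts and all function names are constructed for illustration, and a real deployment would replace the in-memory dictionaries with calls to the SIEM, feed and directory integrations.

```python
"""Phishing-triage playbook: enrich, auto-close or flag, notify, record.

Added example; not code from the original post or any SOAR product.
The alert records, threat-intel feed and user directory below are
constructed sample data.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field

# Constructed threat-intel feed (stands in for the internal case history
# and external feeds the post mentions).
KNOWN_BAD_DOMAINS = {"login-update.example", "invoice-portal.example"}
KNOWN_BAD_HASHES = {"5f1e" * 16: "sample-downloader"}  # sha256 -> placeholder label
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".ps1"}
MACRO_EXT = {".docm", ".xlsm", ".pptm"}

# Constructed user directory: reporter id -> contact and asset details.
USER_DIRECTORY = {
    "u1001": {"email": "a.lee@corp.example", "sms": "+15550100", "device": "LT-0451"},
    "u1002": {"email": "b.ortiz@corp.example", "sms": "+15550101", "device": "LT-0788"},
}


@dataclass
class PhishAlert:
    alert_id: str
    reporter: str                       # user who reported or triggered the alert
    sender: str
    urls: list[str]
    attachments: list[tuple[str, str]]  # (filename, sha256)


@dataclass
class TriageResult:
    alert_id: str
    disposition: str                    # "closed-benign" or "needs-review"
    indicators: list[str] = field(default_factory=list)
    notifications: list[str] = field(default_factory=list)
    knowledge_base: dict = field(default_factory=dict)


def domain_of(url: str) -> str | None:
    """Extract the host part of an http(s) URL, lower-cased."""
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def enrich(alert: PhishAlert) -> list[str]:
    """Compare the alert's URLs and attachments against the feed and the
    attachment-type rules; returns the IOCs found (empty means benign)."""
    indicators = []
    for url in alert.urls:
        if domain_of(url) in KNOWN_BAD_DOMAINS:
            indicators.append(f"url:{url}:known-bad-domain")
    for name, sha256 in alert.attachments:
        ext = os.path.splitext(name)[1].lower()
        if sha256 in KNOWN_BAD_HASHES:
            indicators.append(f"file:{name}:known-bad-hash:{KNOWN_BAD_HASHES[sha256]}")
        elif ext in EXECUTABLE_EXT:
            indicators.append(f"file:{name}:executable")
        elif ext in MACRO_EXT:
            indicators.append(f"file:{name}:macro-enabled")
    return indicators


def triage(alert: PhishAlert) -> TriageResult:
    """Run the playbook: enrich, close or flag, notify the user, record."""
    indicators = enrich(alert)
    user = USER_DIRECTORY.get(alert.reporter, {})
    if not indicators:
        result = TriageResult(alert.alert_id, "closed-benign")
        if user:
            result.notifications.append(
                f"email:{user['email']}:report {alert.alert_id} reviewed, no threat found")
    else:
        result = TriageResult(alert.alert_id, "needs-review", indicators)
        # Out-of-band contact, so the user is not waiting on the mailbox under review.
        if user:
            result.notifications.append(
                f"sms:{user['sms']}:do not open links or attachments from {alert.sender}")
        result.notifications.append(
            f"queue:analyst:{alert.alert_id}:{len(indicators)} indicators")
    # Knowledge-base entry: what was seen, what was decided, which asset is involved.
    result.knowledge_base = {
        "alert_id": alert.alert_id,
        "sender": alert.sender,
        "disposition": result.disposition,
        "indicators": indicators,
        "affected_device": user.get("device"),
    }
    return result


# Constructed sample alerts: one benign newsletter, one with a macro document,
# a feed-listed download and a feed-listed domain.
BENIGN_ALERT = PhishAlert("PH-0001", "u1001", "newsletter@vendor.example",
                          ["https://vendor.example/news"], [("brochure.pdf", "ab" * 32)])
SUSPECT_ALERT = PhishAlert("PH-0002", "u1002", "billing@invoice-portal.example",
                           ["https://invoice-portal.example/pay"],
                           [("invoice.xlsm", "cd" * 32), ("viewer.exe", "5f1e" * 16)])

if __name__ == "__main__":
    for alert in (BENIGN_ALERT, SUSPECT_ALERT):
        r = triage(alert)
        print(r.alert_id, r.disposition, r.indicators, r.notifications)
```

The design point worth noting is that the auto-close path is conservative: a case closes only when enrichment finds nothing at all, and every other case goes to an analyst with the indicators already attached, which is the "flag for review" behaviour the post describes rather than an automated verdict of malicious.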

Benefits of SOAR Automation for SOC

In addition to streamlining processes and making SOC and IR teams more efficient, SOAR automation results in:

  • Time savings and efficiency gains
  • Analysts freed up for more advanced work
  • Increased visibility and decreased time to detect
  • Consistent processes and workflows
  • Unified workflows by integrating security tools
  • Faster, automated threat hunting
  • Centralized threat detection and response
  • Reduced threat response times

This is accomplished through a mixture of machine-speed touchpoints: enriching data to see whether a reported incident is benign or confirmed; a dashboard that shows relevant charts and data points, such as open tasks, at a glance; and a system that manages the workflow and processes so that human error is removed and the time to detect a threat no longer depends on a person reviewing the information or on the time spent investigating it. Ultimately, the goal of adding automation to SOC processes is to make teams more efficient and reduce burnout.
