Security orchestration and automation response (SOAR) is a hot topic in cybersecurity circles due to the sense of overwhelm most security teams (79%) currently feel. The volume of threat alerts, many of which are false positives, is inundating SecOps teams. And as the speed of business drives an ever-expanding attack surface, attackers become more active, and resources become scarcer still.
What is SOAR?
So, what is SOAR? Simply put, SOAR enables an organisation to create a digital workflow process that identifies critical alerts and implements automation response procedures. It can be enormously helpful in bypassing human latency by immediately pulling a malicious email from everyone’s inbox or suspending staff access when they act suspiciously.
SOAR removes mundane, low-value tasks, allowing staff to focus on more important and value-adding issues while also improving time to action and consistency of response. It’s obvious why it’s a hot topic—so why isn’t everyone using SOAR?
Considerations when embarking on a SOAR journey
Any SOAR journey must start with a fundamental question: Should we automate? Not every process is sufficiently routine, predictable, understood and documented to be a candidate for an automation response. The process also must be time-intensive to maximise value.
IT teams have learned hard lessons from outsourcing processes without fully understanding them. SOAR can lead you down those same challenging paths. Many security processes are difficult to contain within a defined linear process and require human insight to function.
Still, the benefits of SOAR are undeniable, so the journey is well worth it for your organisation. These five tips can help increase your chances of success:
1. Invest in data quality before automation
It’s essential to ensure that the automation response processes you want to create are well understood, documented and repeatable, even for edge cases. Ensure that all the data required to drive the logic and workflow is available and, most critically, accurate.
Consider how many times you’ve created a security report only to have IT Ops tell you it isn’t right because of an error, a recent change or some random caveat over a part of that data. That can’t be allowed to happen if you’re planning to automate action upon that data. So, get the IT department on board early and make sure they’re 100% happy with the data feeds.
2. Understand that even robots need owners
Technology, business workflow and attack techniques will change over time. Each automation response process will require an owner or guardian to ensure the changing environment doesn’t break that process or a new attack vector doesn’t make it redundant.
3. Build trust in the process
You may remember the many years that intrusion prevention systems were left in detection-only mode, as businesses lacked the confidence to enable these tools to be proactive. That challenge still exists, so step slowly with SOAR. Enable functionality in stages and bring relevant business users on the journey. Make sure any potential business impacts, both positive and negative, are identified and agreed to by the affected business units.
Remember that automated processes can still be interactive. So, consider including a human review process via messaging or a ticketing system to enable the action until you have confidence.
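The two points above (act only on validated data, and enable automation in stages with a human review gate) can be expressed as a small playbook. The following is an added example, not code from the original post or from any SOAR product: it validates a reported-phishing alert before doing anything with it, and then purges the message only if the playbook's enablement mode permits. The `request_approval` and `purge` hooks are hypothetical stand-ins for a ticketing or chat approval step and the mail platform's purge call; the alerts in `demo()` are constructed sample data.

```python
"""Staged SOAR playbook: validate the alert data first, then act according to
an enablement mode that can be raised from detect-only to fully automatic."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional


class Mode(Enum):
    DETECT_ONLY = "detect_only"  # record what would happen; execute nothing
    APPROVAL = "approval"        # execute only after a human approves (ticket/chat)
    AUTO = "auto"                # execute immediately


@dataclass
class EmailAlert:
    alert_id: str
    reporter: str                 # user who reported the message
    message_id: Optional[str]     # identifier the mail platform needs to purge it
    verdict: str                  # "malicious", "suspicious" or "benign"


def validate(alert: EmailAlert) -> List[str]:
    """Refuse to drive an action from incomplete or inconsistent data (tip 1)."""
    problems = []
    if not alert.alert_id:
        problems.append("missing alert_id")
    if not alert.reporter:
        problems.append("missing reporter")
    if alert.verdict not in ("malicious", "suspicious", "benign"):
        problems.append(f"unknown verdict {alert.verdict!r}")
    if alert.verdict == "malicious" and not alert.message_id:
        problems.append("malicious verdict without message_id to act on")
    return problems


@dataclass
class PurgePlaybook:
    mode: Mode
    request_approval: Callable[[str], bool]   # hypothetical hook: ask a human, True if approved
    purge: Callable[[str], None]              # hypothetical hook: mail platform purge call
    audit: list = field(default_factory=list) # every decision is recorded for review

    def run(self, alert: EmailAlert) -> str:
        problems = validate(alert)
        if problems:
            self.audit.append((alert.alert_id, "rejected", "; ".join(problems)))
            return "rejected"
        if alert.verdict != "malicious":
            self.audit.append((alert.alert_id, "no_action", alert.verdict))
            return "no_action"
        action = f"purge message {alert.message_id} from all mailboxes"
        if self.mode is Mode.DETECT_ONLY:
            # Stage 1: build trust by showing what the playbook would have done.
            self.audit.append((alert.alert_id, "proposed", action))
            return "proposed"
        if self.mode is Mode.APPROVAL and not self.request_approval(action):
            # Stage 2: a human still holds the trigger.
            self.audit.append((alert.alert_id, "denied", action))
            return "denied"
        # Stage 3 (or approved stage 2): execute.
        self.purge(alert.message_id)
        self.audit.append((alert.alert_id, "executed", action))
        return "executed"


def demo(approver_says_yes: bool = True) -> dict:
    """Run the same constructed alerts through every mode with stand-in hooks."""
    purged: List[str] = []
    alerts = [
        EmailAlert("A-1", "alice", "<msg-123@example.test>", "malicious"),   # constructed, actionable
        EmailAlert("A-2", "bob", None, "malicious"),                          # constructed, bad data
        EmailAlert("A-3", "carol", "<msg-456@example.test>", "suspicious"),  # constructed, no action
    ]
    out = {}
    for mode in Mode:
        pb = PurgePlaybook(mode,
                           request_approval=lambda action: approver_says_yes,
                           purge=purged.append)
        out[mode.value] = [pb.run(a) for a in alerts]
    out["purged"] = list(purged)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the `audit` list is that the detect-only stage produces a reviewable record of proposed actions; comparing that record against what analysts actually did is how you earn the confidence to move the playbook to approval mode and, later, to fully automatic.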
4. Focus first on preventing noise
Your first steps in automation should focus on reducing the volume of issues that your security operations centre (SOC) must handle. Email is responsible for most cyber-attacks, so it’s a good place to start. Seek to reduce the number of attacks that get through with analysis and filtering, and then automate the analysis and remedy of any threats that users spot in their inboxes.
Also, identify which systems create the most consistent alerts. Trim away the low-value work to allow resources to focus on the more important and challenging issues.
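A first automation for "preventing noise" is usually not a response action at all but suppression and measurement: collapse repeats of the same alert within a window so one ticket carries a count instead of a dozen tickets, and rank which sources generate the most alerts so the trimming effort goes where it pays. The following is an added example, not code from the original post; the alert records are constructed sample data with made-up source and rule names.

```python
"""Alert noise reduction: collapse repeats within a window and rank noisy sources."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample alerts (not real telemetry): one endpoint rule firing
# repeatedly on a single host, plus a few alerts from other sources.
SAMPLE_ALERTS = [
    {"ts": "2024-01-10T09:00:00", "source": "edr",     "rule": "cred-access", "host": "ws-17"},
    {"ts": "2024-01-10T09:00:20", "source": "edr",     "rule": "cred-access", "host": "ws-17"},
    {"ts": "2024-01-10T09:01:05", "source": "edr",     "rule": "cred-access", "host": "ws-17"},
    {"ts": "2024-01-10T09:02:00", "source": "mail-gw", "rule": "phish-url",   "host": "mx-1"},
    {"ts": "2024-01-10T09:20:00", "source": "edr",     "rule": "cred-access", "host": "ws-17"},
    {"ts": "2024-01-10T09:21:00", "source": "proxy",   "rule": "cat-block",   "host": "ws-03"},
    {"ts": "2024-01-10T09:21:30", "source": "proxy",   "rule": "cat-block",   "host": "ws-03"},
]


def suppress_duplicates(alerts: List[dict], window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Keep the first alert per (source, rule, host) and drop repeats that arrive
    within `window` of the last kept alert for that key. Dropped repeats are
    counted on the surviving alert so no information is lost, only volume.
    The window is measured from the last *kept* alert, so a rule that fires
    continuously still surfaces once per window rather than being silenced forever."""
    last_kept: Dict[Tuple[str, str, str], dict] = {}
    kept: List[dict] = []
    for a in sorted(alerts, key=lambda x: x["ts"]):   # ISO timestamps sort lexically
        key = (a["source"], a["rule"], a["host"])
        ts = datetime.fromisoformat(a["ts"])
        prev = last_kept.get(key)
        if prev is not None and ts - prev["_ts"] < window:
            prev["suppressed"] += 1
            continue
        entry = dict(a, suppressed=0, _ts=ts)
        last_kept[key] = entry
        kept.append(entry)
    for e in kept:
        del e["_ts"]   # internal bookkeeping; not part of the output record
    return kept


def noisiest_sources(alerts: List[dict]) -> List[Tuple[str, int]]:
    """Rank alert sources by raw volume, most talkative first."""
    return Counter(a["source"] for a in alerts).most_common()


def reduction(alerts: List[dict], window: timedelta = timedelta(minutes=5)) -> float:
    """Fraction of alert volume removed by suppression (0.0 to 1.0)."""
    return 1 - len(suppress_duplicates(alerts, window)) / len(alerts)


if __name__ == "__main__":
    for k in suppress_duplicates(SAMPLE_ALERTS):
        print(k)
    print(noisiest_sources(SAMPLE_ALERTS))
    print(f"volume reduced by {reduction(SAMPLE_ALERTS):.0%}")
```

Running the suppression before any response playbook means the later, riskier automations (purging mail, isolating a host) are triggered from a smaller, already-consolidated stream, and the `suppressed` count on each surviving alert is itself a useful signal when a human does look at it.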
5. Become proactive
Once you’ve mitigated the noisy, low-level alerts, prioritise opportunities for SOAR to become a proactive threat hunter, seeking out and reacting to signs of suspicious behaviour—terminating suspicious process threads, quarantining endpoints or pushing additional user authentication, for example.
Look to enrich existing manual processes such as threat intelligence, by automating the collation and presentation of supplemental information so that your SOC team members get everything in one package—and don’t need to waste time hunting.
Start your SOAR journey with local tools
Implementing SOAR can require a significant investment of time and funding, and the organisations that stand to benefit often have little of either.
So, here’s a bonus tip for SOAR success: Investigate the opportunity to take advantage of automation response functionality from existing tools and suppliers. There will be gains to make from your existing estate, and you can invest the saved time into a wider SOAR initiative.
Managed services can help ease some of the resource pressure without tooling; however, they often retain the “human latency” that automation with SOAR can remove. That said, don’t think of SOAR as a staff replacement. Instead, view it as a force multiplier for your frontline team.