by Stan Engelbrecht, Director of Cybersecurity Practice, D3 Security
Security orchestration, automation, and response (SOAR) platforms are becoming increasingly prevalent security operations tools, emerging out of the categories of incident response, security automation, and threat intelligence platforms in the last few years. Some SOAR platforms are narrowly focused on automating simple tasks, but leaders in the sector are expanding SOAR across the SOC with numerous modules and the ability to orchestrate across the entire security stack.
The best SOAR solutions are valuable for everyone on a security team, from people on the front lines to managers and executives tracking reports and metrics from a bird's-eye view, or even compliance and legal personnel working outside the SOC. Because SOAR can act as a central hub within the SOC, it helps coordinate efforts through automating escalations and task assignments, eliminating data silos, and enforcing adherence to policies in workflows. These unique capabilities have allowed SOAR to become the heart of the SOC for many organizations.
Of all the roles that SOAR supports, security analysts see the most direct benefits, because SOAR automates and simplifies repetitive manual tasks like event escalation, intelligence gathering, contextualization, scripting, collaboration, and reporting. To illustrate how significant this impact can be, let’s take a look at how a SOAR platform can make an analyst smarter, faster, wiser, and even happier.
A large part of the role of an analyst in an enterprise SOC is evaluating which alerts pose real threats and how best to handle them. An analyst with a few years of experience may have built up their ability to effectively assess alerts, but with a SOAR platform in place, their decisions can be augmented with contextual information aggregated via integrations with the security systems and threat intelligence sources on which they rely.
Analysts can also use tools like link analysis and incident timelines, which ease investigations by visualizing patterns and relationships. Even bi-directional SIEM integrations help analysts “be smarter”, because the SOAR tool can dynamically grab additional relevant data—from a prior event, for example—and present it to the analyst as part of the incident record’s contextual element. No matter how skilled your analysts are, having the full story of each alert drastically reduces human error while boosting alert management and decision-making capabilities.
The need for speed is real—especially given the volume of alerts and increasing complexity of targeted cyber attacks. Fortunately, with a SOAR platform, when an analyst opens up an incident record, the grunt work has already been done. With an incident already confirmed, contextualized, and prioritized, an analyst simply needs to oversee the response—and approve, when necessary—any security actions, such as blocking a website, closing a port, or disabling a compromised account. Compared to a manual response to a typical phishing incident, which might take an hour, a SOAR-powered response should only take 45 to 90 seconds.
Security teams accumulate tribal knowledge over time about the history and patterns of incidents, plus the intricacies of their IT and security infrastructure. Senior analysts can build up this wisdom over time, but without a way of documenting the lessons they have learned, their wisdom is lost when they leave the organization—or simply go on vacation. With the right SOAR platform, senior colleagues can codify their knowledge into playbooks, guided workflows, and reports, and share their experience with the team, including in the critical onboarding phase for new analysts. Junior analysts can also access historical data from every previous incident to see how comparable cases have been handled in the past. This empowers the entire team with the wisdom of their most experienced analysts—past or present.
It may seem trivial, but the happiness of analysts can have a significant impact on the functioning of a SOC. Without the right systems in place, analysts often get frustrated with the relentless pace of menial, repetitive tasks. With the growing cybersecurity skills gap, high turnover can be crippling for a security team, because it is hard to hire and retain talented employees.
Put simply, SOAR platforms reduce burnout. With automation and orchestration, analysts spend less time on tedious tasks like copying and pasting hashes, looking up reputation data in third-party apps, and chasing after false positives. This lets them focus on meaningful tasks that require skill and protect the company from genuine threats. With SOAR, analysts get more done, feel less overwhelmed, and have much higher job satisfaction.
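As an added illustration of the enrich, prioritize, and approve-before-acting flow described in the "faster" discussion above, and of the hash and reputation lookups the paragraph above says analysts otherwise do by hand, here is a toy phishing-triage playbook in Python. It is example code written for this article, not D3 Security's product or API; the threat-intel feed, SIEM history, recipients, and indicators are all constructed stand-ins.

```python
"""Toy SOAR-style phishing triage playbook (added example, not D3 Security's code)."""
from dataclasses import dataclass, field

# Constructed threat-intel feed (indicator -> verdict, score 0-100); it stands in for
# the third-party reputation apps the article says analysts otherwise query by hand.
THREAT_INTEL = {
    "login-secure-update.example": ("malicious", 92),
    "cdn.partner.example": ("benign", 3),
    "deadbeefdeadbeefdeadbeefdeadbeef": ("malicious", 98),  # constructed hash
}
# Constructed SIEM lookup: indicators already present in prior incident records.
SIEM_PRIOR_EVENTS = {"login-secure-update.example": ["INC-0042"]}

@dataclass
class Incident:
    recipient: str
    urls: list
    attachment_hashes: list
    context: dict = field(default_factory=dict)
    priority: str = "unknown"
    proposed_actions: list = field(default_factory=list)

def enrich(inc: Incident) -> Incident:
    """Contextualize: attach reputation and SIEM history to every indicator."""
    for ioc in inc.urls + inc.attachment_hashes:
        verdict, score = THREAT_INTEL.get(ioc, ("unknown", 0))
        inc.context[ioc] = {"verdict": verdict, "score": score,
                            "prior_incidents": SIEM_PRIOR_EVENTS.get(ioc, [])}
    return inc

def prioritize(inc: Incident) -> Incident:
    """Prioritize on the top indicator score, escalating if the SIEM has seen it before."""
    top = max((c["score"] for c in inc.context.values()), default=0)
    seen_before = any(c["prior_incidents"] for c in inc.context.values())
    inc.priority = "critical" if top >= 90 and seen_before else "high" if top >= 70 else "low"
    return inc

def propose_actions(inc: Incident) -> Incident:
    """Queue containment steps; nothing runs until an analyst approves it."""
    for ioc in inc.urls:
        if inc.context[ioc]["verdict"] == "malicious":
            inc.proposed_actions.append({"action": "block_url", "target": ioc})
    if inc.priority == "critical":
        inc.proposed_actions.append({"action": "disable_account", "target": inc.recipient})
    return inc

def execute(inc: Incident, approvals: set) -> list:
    """Run only the (action, target) pairs the analyst approved; return what ran."""
    return [(a["action"], a["target"]) for a in inc.proposed_actions
            if (a["action"], a["target"]) in approvals]
```

The analyst's work reduces to reviewing `proposed_actions` and passing the approved pairs to `execute`, which is the oversight step the article describes.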
About the Author
Stan Engelbrecht is the Director of Cybersecurity Practice at D3 Security and an accredited CISSP. Stan is involved throughout the product delivery and customer success lifecycle and takes particular interest in working with customers to configure solutions.