What SOAR Brings To The Table For A SOC Admin
Last year, Gartner announced a new kind of cybersecurity technology category called Security Operations, Analytics, and Reporting, or ‘SOAR.’ In a sense, SOAR really can help your CSOC feel like it has wings.
You may have heard people call it SOAPA (security operations analytics platform architecture) instead of SOAR. This may be because they are trying to punish us with yet more cybersecurity acronyms. Pay them no mind – Gartner calls it SOAR, and so shall we.
SOAR is a security reporting and operations platform that uses data from a wide range of different sources to provide management, analysis and reporting capabilities in support of CSOC analysts. These platforms apply decision making logic, combined with context, to provide formalized workflows and enable the informed prioritization (triage) of remediation tasks. Additionally, SOAR platforms provide the actionable intelligence that a CSOC team needs to stay on top of their workflow.
What’s the difference between SOAR and SIEM?
SIEM has been around for a while now; during that time, it has evolved from being a security event correlation tool to a security analytics system. Traditionally, it’s the practice of aggregating your security logs and events. This gives you visibility into what is happening in your organization from a security perspective. Evolution of the tools we use is a continuous process. While alerts are necessary, the real goal is to act as quickly and effectively as possible in response.
While a traditional SIEM lets you know something is happening with your networks, SOAR allows you to act on that information. SOAR consolidates all the data from your security applications and threat intelligence feeds. It additionally enables you to automate your responses, coordinating automated security tasks across your connected applications and processes.
SOAR enables you to aggregate third-party threat intelligence from multiple sources. At the same time, it’s giving you the ability to develop playbooks consisting of quality responses to any threats.
What does SOAR bring to the table for a SOC admin?
"Information is a source of learning. But unless it is organized, processed, and available to the right people in a format for decision making, it is a burden, not a benefit." – William Pollard
Writing in the 19th century, Pollard succinctly describes a problem that most modern CSOC teams will face at some point. CSOC analysts can often become overwhelmed by the number of alerts and the volume of information they face, often spread across different systems. They spend a lot of time trying to organize and present it in a way that’s conducive to decision making. This is where SOAR comes in, unburdening analysts from these tasks. This allows them to focus on higher priority work, delivering a measurable return on investment more quickly.
It’s worth mentioning that the best platforms are those that can demonstrate they are delivering an ROI. Also, typically you should expect to see a clear 10%+ saving of your team’s time. I spoke to Joseph Loomis, Founder & CTO of CyberSponse, and asked him what additional capabilities you would expect to find in a modern SOAR platform. Joe said that an Enterprise SOAR Platform will incorporate and integrate the following sets of capabilities:
- Threat intelligence: SOAR integrates with any number of threat intelligence platforms and sources to enable analysts to quickly compare potential threats against known threats.
- Case management-based incident response: Analysts collect, process and analyze security data, but they need to be able to leverage that in order to prioritize alerts and respond to threats as quickly as possible. The incident response capabilities of a SOAR platform are critical to this.
- Vulnerability management: Part of a SOC analyst’s job is knowing which alerts need to be prioritized and managed; these decisions are typically driven by the vulnerability management capabilities of a SOAR platform and based on live data.
- Endpoint detection & response: After prioritizing security alerts, security analysts then want to dig deeper into incidents by investigating and monitoring endpoint behavior, making endpoint detection and response (EDR) a critical part of any SOAR platform.
- Playbook management: Because SOAR platforms are geared towards incident response, an essential part of SOAR is the ability to create and manage playbooks that align with your incident response policies and streamline your incident response processes.
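As an added illustration (not code from the article, nor from CyberSponse or any SOAR vendor), the following Python sketch shows how those capabilities combine in a single triage playbook: an alert is compared against aggregated threat-intelligence feeds, scored with live vulnerability context for the affected host, and mapped to case-management and EDR actions. The feed entries, vulnerability identifiers, hosts and action names are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed threat-intel feed aggregated from several sources (sample
# values, not real indicators): indicator -> (feed name, confidence 0-100).
THREAT_INTEL = {"198.51.100.23": ("feed-a", 90), "malicious.example": ("feed-b", 70)}

# Constructed vulnerability-management data: host -> [(placeholder vuln id, CVSS)].
VULNS = {"web-01": [("VULN-PLACEHOLDER-1", 9.8)], "hr-laptop-07": [("VULN-PLACEHOLDER-2", 4.3)]}

# Playbook actions per priority (hypothetical names), mirroring the capabilities above.
ACTIONS = {
    "critical": ["open_case", "isolate_endpoint_via_edr", "page_oncall"],
    "high": ["open_case", "collect_edr_telemetry"],
    "medium": ["open_case"],
}

@dataclass
class Alert:
    alert_id: str
    host: str
    indicator: str
    base_severity: int  # 1-5 as reported by the originating tool

def enrich(alert):
    """Threat intelligence: compare the alert's indicator against known threats."""
    return THREAT_INTEL.get(alert.indicator)

def score(alert, ti_hit):
    """Vulnerability management: combine tool severity, TI confidence and host exposure."""
    total = alert.base_severity * 10
    if ti_hit:
        total += ti_hit[1]
    if any(cvss >= 7.0 for _, cvss in VULNS.get(alert.host, [])):
        total += 20  # a known high-severity weakness on the host raises urgency
    return total

def prioritize(total):
    return "critical" if total >= 100 else "high" if total >= 60 else "medium"

def run_playbook(alert):
    """Case management + playbook: one triage pass that queues the response actions."""
    ti_hit = enrich(alert)
    total = score(alert, ti_hit)
    priority = prioritize(total)
    return {"alert_id": alert.alert_id, "ti_source": ti_hit[0] if ti_hit else None,
            "score": total, "priority": priority, "actions": ACTIONS[priority]}
```

The thresholds and weights are illustrative; in practice they would be tuned to the organization's own alert volume and risk appetite.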
SOAR: An essential SOC component
The threat of cyber attack puts pressure on SOCs; many of them simply cannot afford a data breach, the associated operational disruption, and reputational damage. On top of this comes the administrative burden involved in data security management.
SOAR provides SOCs with a different approach to the provision of security, one that is unrestricted by manual processes and which leverages automation, predictive analytics and (increasingly) AI to help identify and respond to unauthorized intruders before they manage to get a foothold in their networks. SOAR aims to reduce attacker dwell times (the time it takes to detect a threat after the initial compromise). It also aims to improve detection and remediation (containing the threat once it has been identified) times.
By integrating automation, incident management and orchestration processes with visualization and reporting beneath a single pane of glass, SOAR provides a fast and accurate way to process large volumes of alert and log data. It also helps analysts identify and respond to attacks that may already be underway; therefore, it acts as a force multiplier for SOC teams. This enables them to become exponentially more efficient in the way they deal with their workflows.
Post provided to you by @InfosecScribe.