As the sheer variety of hacks and breaches over the past 12 months has shown, any organisation can fall victim to a cyber-attack that compromises their network, writes Ross Brewer, VP & MD EMEA, LogRhythm.
When this happens, rapid incident response can be the difference between quick containment and a damaging data breach. Indeed, faced with much more stringent regulations and a growing awareness of corporate responsibility, the speed and measurability of remediation efforts have become crucial.
A big problem is that security operations teams are increasingly managing a profound shortage of skilled IT staff. This often means IT departments are being run by a small number of people, some of whom may not be adequately trained for the job at hand. At the same time, pressure is growing to adopt new technologies while budgets are shrinking, leaving security operations teams dealing with serious resource constraints. This is particularly concerning as the threat landscape becomes more and more dangerous and complex.
Traditionally, organisations have invested in numerous cyber security tools that generate thousands or tens of thousands of alarms on a daily basis. For the security team, this can be a minefield and is particularly challenging given that they are frequently under-staffed.
One of the biggest challenges is that the containment of an attack often requires the IT team to follow difficult guidelines including several time-intensive manual steps. It’s a lot to ask them to learn and understand multiple different products, correlate the data generated by each one and decide whether the alarm raised is genuine. When time is of the essence, too few staff and a lack of automation can leave an organisation more exposed to risk.
The Rise of a SOAR Approach
Embedded security orchestration, automation and response (SOAR) has been a buzzword in the cyber security space for some time.
These capabilities are, without doubt, the next step in enterprise security. According to Gartner, SOAR is “technologies that enable organisations to collect security threats data and alerts from different sources, where incident analysis and triage can be performed using a combination of human and machine power to help define, prioritise and drive standardised incident response activities according to a standard workflow.” The analyst firm predicts that by the end of 2020, 15 per cent of organisations with a security team larger than five people will leverage SOAR, up from 1 per cent today.
SOAR essentially provides security teams with customisable workflows and controls to streamline and accelerate the investigation and neutralisation of qualified cyber threats. It also automates many of the day-to-day and mundane tasks usually undertaken by security operations teams. Furthermore, by adopting case playbooks, analysts can respond and remediate within a single platform, enabling greater efficiency and efficacy when every second counts. Supporting the entire threat investigation, these efficiencies improve organisations’ productivity and enable IT teams to better respond to and remediate cyber threats.
Improving Incident Response
Through clear, trackable metrics, including mean time to detect (MTTD), mean time to respond (MTTR), time to qualify (TTQ) and time to investigate (TTI), SOAR capabilities can also help analysts understand workflow effectiveness, and quickly identify and address areas where the security operations team can improve.
These performance metrics also enable security leaders to prove and quantify the overall business value driven by their teams and, if needed, can be vital as evidence for any regulatory body that may require them.
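The metrics named above are only useful if they are computed the same way every time. The following is an added example, not LogRhythm code or a Gartner definition: it computes MTTD, mean TTQ, mean TTI and MTTR over a constructed set of incident records, with the stage boundaries for each metric stated explicitly as assumptions (TTD from occurrence to detection, TTQ from detection to qualification, TTI from qualification to investigation, TTR from detection to resolution). An incident that has not yet reached a stage is excluded from that stage's mean rather than silently counted as zero, and the count of incidents behind each mean is reported alongside it so the number can be presented as evidence.

```python
from datetime import datetime
from statistics import mean
from typing import Optional

# Constructed sample incident records (not real data). Each timestamp marks a
# lifecycle stage; an incident that is still open has no "resolved" time.
INCIDENTS = [
    {"id": "INC-001", "occurred": "2019-03-01T08:00:00", "detected": "2019-03-01T08:45:00",
     "qualified": "2019-03-01T09:10:00", "investigated": "2019-03-01T11:00:00",
     "resolved": "2019-03-01T12:30:00"},
    {"id": "INC-002", "occurred": "2019-03-02T22:00:00", "detected": "2019-03-03T01:00:00",
     "qualified": "2019-03-03T01:20:00", "investigated": "2019-03-03T02:50:00",
     "resolved": "2019-03-03T04:00:00"},
    {"id": "INC-003", "occurred": "2019-03-05T10:00:00", "detected": "2019-03-05T10:15:00",
     "qualified": "2019-03-05T10:25:00", "investigated": "2019-03-05T10:55:00",
     "resolved": None},  # still open: contributes to TTD/TTQ/TTI but not TTR
]

# Assumed stage boundaries for each metric (this is the example's own
# convention, not a vendor or analyst definition):
#   ttd: occurred  -> detected       ttq: detected  -> qualified
#   tti: qualified -> investigated   ttr: detected  -> resolved
STAGES = {
    "ttd": ("occurred", "detected"),
    "ttq": ("detected", "qualified"),
    "tti": ("qualified", "investigated"),
    "ttr": ("detected", "resolved"),
}


def _minutes(start: str, end: Optional[str]) -> Optional[float]:
    """Elapsed minutes between two ISO-8601 timestamps; None if the end stage has not happened."""
    if end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        # A later stage recorded before an earlier one is a data-quality error,
        # not a fast response; refuse to turn it into a negative duration.
        raise ValueError(f"stage timestamp {end!r} precedes {start!r}")
    return delta.total_seconds() / 60


def stage_durations(incident: dict) -> dict:
    """Per-incident durations in minutes for each metric; unreached stages yield None."""
    return {name: _minutes(incident[a], incident.get(b)) for name, (a, b) in STAGES.items()}


def soc_metrics(incidents: list) -> dict:
    """Mean duration per metric over the incidents that completed that stage.

    Returns keys mttd/mttq/mtti/mttr (minutes, or None when no incident
    completed the stage) and mttd_n/... giving how many incidents each mean
    is based on, so a reported figure can be traced back to its sample size.
    """
    per_incident = [stage_durations(inc) for inc in incidents]
    result = {"incidents": len(incidents)}
    for name in STAGES:
        values = [d[name] for d in per_incident if d[name] is not None]
        result["m" + name] = mean(values) if values else None
        result["m" + name + "_n"] = len(values)
    return result


def slowest_incident(incidents: list, metric: str = "ttd") -> Optional[str]:
    """Id of the incident with the longest duration for a metric (ignoring unreached stages)."""
    completed = [(stage_durations(inc)[metric], inc["id"]) for inc in incidents]
    completed = [(v, i) for v, i in completed if v is not None]
    return max(completed)[1] if completed else None


if __name__ == "__main__":
    for key, value in soc_metrics(INCIDENTS).items():
        print(f"{key:>8}: {value}")
    print("slowest to detect:", slowest_incident(INCIDENTS, "ttd"))
```

Reporting the `_n` counts next to each mean matters in practice: an MTTR computed over two closed incidents while a third is still open tells a very different story from the same figure over two hundred, and a regulator or auditor will ask.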
What’s more, SOAR can help reduce paperwork and improve reporting capabilities. Many security operations teams are tasked with a significant amount of admin-based jobs, whether it’s writing up reports or documenting security procedures.
However, by aggregating intelligence from numerous sources and displaying it on a visual dashboard, SOAR removes the need for these responsibilities to be actioned manually. In addition, it helps teams avoid forgetting important tasks or updates, something that can easily happen in the busy, fast-moving environment that a security operations team works in. The technology essentially helps them work smarter as opposed to harder.
Whilst the automation of SOAR can generate quick returns, it’s worth noting that it does require upfront investment, so buy-in, collaboration and cooperation from the broader IT organisation are key. SOAR automates responses across the entire IT organisation, so it’s important that IT teams outside of the security operations team are also on board.
Ultimately, SOAR helps businesses and security operations teams optimise their ability to detect and respond to threats faster, quantify key performance indicators like MTTD and MTTR, and reduce their day-to-day workload through improved intelligence and reporting, streamlined workflows and playbooks for automated response actions. Undoubtedly, automation is fast becoming the most important tool in an IT professional’s toolbox. Today’s threat landscape is constantly evolving, sophisticated and complex, and security operations teams are finding it increasingly difficult to keep up. SOAR removes all the manual, menial tasks, enabling them to focus on other important tasks, safe in the knowledge that they are protected.