
SOAR: Transforming the Security Operation Center


Guest post by Sairam Bollapragada, Head, Global Delivery Center, Micro Focus, and Samir Pathak, Security Lead, Global Delivery Center, Micro Focus.

Across industry verticals, Security Operations Center (SOC) teams face a common set of challenges: an unprecedented manual workload, a growing number of security tools to operate, and the difficulty of hiring and retaining skilled analysts.

A typical SOC analyst has their hands full keeping up with the sheer volume of events: they must identify, prioritize and address only the most critical ones. Event volume should not become a reason for a SOC to compromise on its quality of service (QoS) and client expectations.

A SOAR solution comes to the rescue here, helping organizations to address the skills gap and ease the analyst's manual workload by automating playbooks and workflows. Coined by Gartner in 2017, Security Orchestration, Automation and Response (SOAR) has emerged as the leading approach for organizations to reduce their overall security risk effectively and efficiently. Gartner also predicts that by 2021, 70% of enterprise organizations with a dedicated SOC will include SOAR capabilities.

The KEY to Effective SecOps

SOAR gives security teams a platform for handling alert volume quickly and efficiently, freeing time for the skills-intensive tasks that make a SOC perform well.

Let's look at the ways a SOAR solution can improve security operations:

Faster incident response

The primary way SOAR transforms security operations is by identifying threats quickly and responding to contain the attack and mitigate the risk. The time an attacker has access to a system (dwell time) is drastically reduced. The closer security operations get to real time, that is, the lower the latency between detection and response, the more effective the security solution will be.

Minimized risk and threats from cyber attacks

SOAR helps security analysts investigate and respond to attacks more quickly, so they can begin mitigation sooner. The automation capabilities let them take steps that minimize risk from attacks without manual intervention; endpoint diagnostics is a good example. A SOAR playbook can identify unmanaged endpoints (hosts in the asset inventory with no security agent, or whose agent has stopped reporting), add contextual notes, and open a ticket for investigation. For endpoints the agent can no longer reach, it can first check whether the host is reachable (for example with a ping) and then attempt to restart the agent, minimizing the window in which the endpoint is unprotected.
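The endpoint-diagnostics playbook described above, written out as an added example (this is not code from the article or from any vendor's product). The asset inventory, the agent check-in table and the reachability results are constructed stand-ins; a real ping or TCP probe is replaced by a lookup so the example runs offline, and the 24-hour heartbeat threshold is an assumption.

```python
"""Endpoint-coverage playbook.

Find hosts in the asset inventory whose security agent is missing or has
stopped reporting, check whether each is reachable, decide an action, and
emit tickets with context. Inventory, check-ins and probe results are
constructed; this is an added illustration, not the article's or any
vendor's code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Assumption: an agent is considered silent after 24 hours without a check-in.
HEARTBEAT_MAX_AGE = timedelta(hours=24)


@dataclass
class Ticket:
    host: str
    owner: str
    reason: str          # "no_agent" or "stale_agent"
    reachable: bool
    action: str          # "restart_agent", "deploy_agent" or "escalate_unreachable"
    notes: List[str] = field(default_factory=list)


# Constructed CMDB export: every host the SOC is responsible for.
INVENTORY: Dict[str, Dict[str, str]] = {
    "ws-001":  {"owner": "finance",  "ip": "10.1.0.11"},
    "ws-002":  {"owner": "finance",  "ip": "10.1.0.12"},
    "srv-db1": {"owner": "platform", "ip": "10.2.0.5"},
    "lab-07":  {"owner": "research", "ip": "10.9.0.70"},
}
NOW = datetime(2020, 1, 15, 12, 0, tzinfo=timezone.utc)
# Constructed agent check-in table from the EDR console; lab-07 never checked in.
LAST_SEEN: Dict[str, datetime] = {
    "ws-001":  NOW - timedelta(minutes=5),
    "ws-002":  NOW - timedelta(days=3),
    "srv-db1": NOW - timedelta(hours=1),
}
# Constructed probe results standing in for a real ping/TCP reachability check.
REACHABLE = {"10.1.0.12": True, "10.9.0.70": False}


def classify(last_seen: Optional[datetime], now: datetime) -> Optional[str]:
    """Return why a host needs attention, or None if its agent is healthy."""
    if last_seen is None:
        return "no_agent"
    if now - last_seen > HEARTBEAT_MAX_AGE:
        return "stale_agent"
    return None


def run_playbook(inventory, last_seen, now, probe: Callable[[str], bool],
                 already_open: Optional[set] = None) -> List[Ticket]:
    """One pass over the inventory. Hosts with an open ticket are skipped so
    re-running the playbook on a schedule does not duplicate work."""
    already_open = already_open or set()
    tickets: List[Ticket] = []
    for host, meta in sorted(inventory.items()):
        reason = classify(last_seen.get(host), now)
        if reason is None or host in already_open:
            continue
        reachable = probe(meta["ip"])
        if not reachable:
            action = "escalate_unreachable"   # nothing to act on remotely; route to owner
        elif reason == "stale_agent":
            action = "restart_agent"          # host is up but the agent is silent
        else:
            action = "deploy_agent"
        seen = last_seen.get(host)
        ticket = Ticket(host, meta["owner"], reason, reachable, action)
        ticket.notes.append(f"ip={meta['ip']}")
        ticket.notes.append(f"last_seen={seen.isoformat() if seen else 'never'}")
        tickets.append(ticket)
    return tickets


def coverage_ratio(inventory, tickets) -> float:
    """Share of the inventory with a healthy agent: a metric worth trending."""
    return 1 - len(tickets) / len(inventory)


if __name__ == "__main__":
    for t in run_playbook(INVENTORY, LAST_SEEN, NOW, lambda ip: REACHABLE.get(ip, False)):
        print(t)
```

Two design points matter more than the probe itself: the playbook never restarts or deploys anything on a host it cannot reach (it escalates to the owner instead), and it accepts the set of already-open tickets so a scheduled run is idempotent rather than flooding the queue.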

SOAR automation combined with machine learning (ML) and artificial intelligence (AI) provides a strong platform for mitigating evolving threats. AI and ML have emerged as new paradigms for automation in the SOC: they offer faster means to identify new attacks and enable predictive analytics that draw statistical inferences, so threats can be mitigated with fewer resources.

Proactive threat hunting

Using orchestration and automation, an analyst can rapidly coordinate actions across multiple security tools. SOAR lets the SOC team ingest threat feeds from multiple sources, normalize them, and automate workflows that proactively sweep the environment for the indicators and vulnerabilities those feeds describe.
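The feed-ingestion and sweep workflow above, as an added example that is not part of the original post. Two constructed feeds in different formats (a defanged CSV and JSON lines with 0-1 scores) are normalized into one indicator table, and constructed proxy log lines are then swept for matching destinations. Feed layouts, field names and the confidence threshold are assumptions made for the illustration.

```python
"""Threat-hunting sweep.

Ingest indicators from two feeds in different formats, refang and normalize
them into one de-duplicated table (keeping the highest confidence and every
source), then sweep proxy log lines for destinations that match. Feeds and
log lines are constructed for the example; this is an added illustration,
not code from the article or any product.
"""
import csv
import io
import json
from typing import Dict, Iterator, List, Tuple
from urllib.parse import urlsplit

# Feed A: CSV with defanged indicators, as often shared between teams.
FEED_A = """indicator,type,confidence
evil[.]example,domain,80
198.51.100[.]23,ipv4,60
hxxp://bad.example/login,url,70
"""
# Feed B: JSON lines from a commercial provider, mixed case, 0-1 scores.
FEED_B = "\n".join(json.dumps(o) for o in [
    {"value": "EVIL.example", "kind": "domain", "score": 0.9},
    {"value": "203.0.113.9", "kind": "ipv4", "score": 0.5},
])
# Constructed proxy log: timestamp, client host, method, destination, status.
PROXY_LOG = """2020-01-15T12:00:01Z ws-001 GET http://evil.example/login 200
2020-01-15T12:00:02Z ws-002 GET https://www.example.org/ 200
2020-01-15T12:00:03Z srv-db1 CONNECT 203.0.113.9:443 200
2020-01-15T12:00:04Z ws-003 GET http://bad.example/ 404
"""


def refang(value: str) -> str:
    """Undo the usual defanging conventions so indicators compare with logs."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def parse_feed_a(text: str) -> Iterator[Tuple[str, str, float, str]]:
    for row in csv.DictReader(io.StringIO(text)):
        yield refang(row["indicator"]).lower(), row["type"], int(row["confidence"]) / 100, "feed_a"


def parse_feed_b(text: str) -> Iterator[Tuple[str, str, float, str]]:
    for line in text.splitlines():
        o = json.loads(line)
        yield o["value"].lower(), o["kind"], float(o["score"]), "feed_b"


def build_ioc_table(*feeds) -> Dict[str, dict]:
    """Merge feeds by normalized value. A URL indicator also contributes its
    host name at half confidence, so plain host lookups can still find it."""
    table: Dict[str, dict] = {}

    def add(value, kind, conf, src):
        entry = table.setdefault(value, {"type": kind, "confidence": 0.0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], conf)
        entry["sources"].add(src)

    for feed in feeds:
        for value, kind, conf, src in feed:
            add(value, kind, conf, src)
            if kind == "url":
                add(urlsplit(value).hostname, "domain", conf * 0.5, src)
    return table


def destination(field: str) -> Tuple[str, str]:
    """Return (host, full destination) for a proxy destination field."""
    if "://" in field:
        return urlsplit(field).hostname.lower(), field.lower()
    return field.rsplit(":", 1)[0].lower(), field.lower()   # "host:port"


def sweep(log: str, table: Dict[str, dict], min_confidence: float = 0.4) -> List[dict]:
    """Return one hit per log line whose destination matches an indicator at
    or above min_confidence; low-confidence derived hosts are filtered out."""
    hits = []
    for line in log.splitlines():
        ts, client, _method, dest, _status = line.split()
        host, full = destination(dest)
        matched = [v for v in {host, full}
                   if v in table and table[v]["confidence"] >= min_confidence]
        if matched:
            best = max(matched, key=lambda v: table[v]["confidence"])
            hits.append({"time": ts, "client": client, "indicator": best,
                         "confidence": table[best]["confidence"],
                         "sources": sorted(table[best]["sources"])})
    return hits
```

Merging by normalized value is what turns two feeds into one signal: `evil.example` arrives defanged in one feed and upper-cased in the other, and the table records both sources with the higher confidence. The threshold is the knob for noise; with the default of 0.4 the host derived from the URL indicator does not fire on its own, but lowering it to 0.3 adds that hit.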

Reduced false positives and improved investigation quality

SOAR tools improve investigation quality by enabling faster resolution of false positives. Analysts typically spend a large share of their time annotating and remediating false positives. Automating up to 80 percent of that triage frees analysts' time for genuine investigations and for building deeper expertise in the many security products they operate.
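An alert-triage playbook of the kind this section describes, as an added example (not code from the article or from any SOAR product). It de-duplicates repeated alerts into one case, suppresses a documented false-positive pattern with an audit entry rather than a silent drop, enriches the remaining cases with asset criticality, and reports the share of alerts that never needed an analyst. The alerts, asset data and suppression rule are constructed.

```python
"""Alert-triage playbook.

De-duplicate repeated alerts into one case, suppress documented
false-positive patterns with an audit trail (never a silent drop), enrich
the rest with asset criticality to set a priority, and report what share of
alerts never needed an analyst. Alerts, asset data and suppression rules are
constructed; this is an added illustration, not code from the article or any
SOAR product.
"""
from typing import Callable, Dict, List, Tuple

# Constructed asset context a playbook would normally pull from the CMDB.
ASSET_CRITICALITY = {"srv-db1": "high", "ws-001": "low", "scanner-1": "low"}

# Constructed alerts as a SIEM might forward them.
ALERTS = [
    {"id": 1, "rule": "port_scan",      "src": "scanner-1",   "dst": "srv-db1"},
    {"id": 2, "rule": "port_scan",      "src": "scanner-1",   "dst": "ws-001"},
    {"id": 3, "rule": "bruteforce_ssh", "src": "203.0.113.9", "dst": "srv-db1"},
    {"id": 4, "rule": "bruteforce_ssh", "src": "203.0.113.9", "dst": "srv-db1"},
    {"id": 5, "rule": "bruteforce_ssh", "src": "203.0.113.9", "dst": "srv-db1"},
    {"id": 6, "rule": "malware_hash",   "src": "ws-001",      "dst": "-"},
]

# Every suppression is a named rule with a human-readable reason, so it can be
# reviewed and expired; an anonymous filter is how real attacks get tuned out.
Suppression = Tuple[str, Callable[[dict], bool]]
SUPPRESSIONS: List[Suppression] = [
    ("authorised internal vulnerability scanner",
     lambda a: a["rule"] == "port_scan" and a["src"] == "scanner-1"),
]


def priority_for(alert: dict, criticality: Dict[str, str]) -> str:
    """Enrichment step: anything touching a high-criticality asset is P1."""
    involved = {criticality.get(alert["src"]), criticality.get(alert["dst"])}
    return "P1" if "high" in involved else "P3"


def triage(alerts, suppressions, criticality):
    """Return (open cases, audit log). Every alert produces exactly one audit
    entry, which is what makes the automation rate below trustworthy."""
    audit: List[dict] = []
    cases: Dict[tuple, dict] = {}
    for a in alerts:
        reason = next((name for name, pred in suppressions if pred(a)), None)
        if reason is not None:
            audit.append({"id": a["id"], "action": "suppressed", "reason": reason})
            continue
        key = (a["rule"], a["src"], a["dst"])
        if key in cases:                      # same story, already being worked
            case = cases[key]
            case["alert_ids"].append(a["id"])
            audit.append({"id": a["id"], "action": "merged", "case": case["case"]})
            continue
        case = {"case": f"CASE-{len(cases) + 1}", "rule": a["rule"],
                "priority": priority_for(a, criticality), "alert_ids": [a["id"]]}
        cases[key] = case
        audit.append({"id": a["id"], "action": "case_opened", "case": case["case"]})
    return list(cases.values()), audit


def automation_rate(audit: List[dict]) -> float:
    """Share of alerts closed or merged without opening new analyst work."""
    handled = sum(1 for e in audit if e["action"] in ("suppressed", "merged"))
    return handled / len(audit) if audit else 0.0
```

Of the six constructed alerts, two are suppressed by the named scanner rule, three brute-force alerts collapse into one P1 case against the database server, and one malware alert opens a P3 case, so two-thirds of the volume never reaches an analyst. The audit log is the part to keep: it lets the team review which suppressions are firing and retire rules that have outlived the change that justified them.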

Intelligent reporting and creating a knowledge base

In most SOCs, analysts spend a large amount of time managing cases, creating reports and documenting incident response procedures. By collecting intelligence from multiple sources and presenting it in visual, custom dashboards, SOAR helps organizations reduce paperwork while improving the communication channel between CXOs and analysts.

By capturing procedures as automated playbooks, SOAR also builds a knowledge base and avoids the loss of intellectual property and institutional memory, something that happens all too easily given how hard organizations find it to retain security talent.

Cost Reduction

By bringing in automation, SOAR reduces operational cost. Let's look at three major areas of investment in a typical SOC, people, process and technology, and how SOAR reduces and redefines the cost of each:

People: SOAR optimizes and reduces an analyst's workload by automating repetitive manual tasks, freeing time for investigation and analysis of threats. It can therefore reduce an organization's investment in headcount considerably.

Process and technology: creating, testing and maintaining processes, technology and teams is tedious and adds a big cost to the budget. Yet processes and technology are a vital part of security operations and can't be ignored. Without orchestration, getting full value from the capabilities of security tools shifts the integration work to developers who may not understand the operational implications of an automated response action. SOAR plays its role here: once the process is defined and tested as a playbook, the rest takes care of itself, and the SOC can be run by a smaller staff of qualified analysts. SOAR brings tools together and integrates them into a unified platform, reducing response time and budget substantially. The caveat is that an automated response action (isolating a host, blocking an address, disabling an account) has the same operational impact whether it was right or wrong, so playbooks that take such actions should be tested against realistic data and, for high-impact steps, gated behind an analyst approval or a dry-run mode before they are allowed to run unattended.

Reality and Way Forward

Today SOAR adoption is still low, but it is growing (Gartner predicts an increase from 1% to 15% of organizations by 2020). This trajectory gives organizations confidence that SOAR will give their security operations resilience and endurance against threats.

For SOCs looking to take advantage of SOAR, the key is to start small and automate where applicable, so that the security posture can move from a level one or two maturity, where processes are ad hoc and undocumented, to maturity level three in security-metrics terms. This third level is where operations start to be well-defined, subjectively evaluated and flexible, and it is aptly known as the defined level. We all know the saying, "You can't manage what you don't measure." I like to think of it as: what gets measured gets done! That's why I recommend organizations move beyond level three (defined processes) to level four (managed and measurable) or potentially five (optimized), so that they have defined, measured and optimized security operations loaded with cognitive automation.
