Threat actors are increasingly relying on automation to enhance the effectiveness and efficiency of their attack strategies. They utilize automated tools and processes across various stages of their attacks, such as phishing campaigns, brute-force attacks, distributed denial of service (DDoS) attacks, malware distribution, data exfiltration, and bot attacks. By automating these activities, threat actors can cast a wider net, exploit vulnerabilities at scale, launch coordinated attacks, and extract valuable data more efficiently.
Combatting these threats with the proverbial ‘tedious, manual and repetitive tasks’ executed by overstretched SOC teams on a daily basis is not only unfeasible but leads to analyst pain, analyst fatigue and alert floods, especially false positive alerts. All this is exacerbated by the ever-present cybersecurity skills gap challenge. In addition, current statistics show a disturbing trend, as outlined in this Forbes article:
- In 2023, cyberattacks rose by 7%, with 1 in 31 organizations hit by ransomware weekly
- Daily malware detections reached 560,000
- Data breaches affected 340 million people
- The advent of 5G led to faster attacks, particularly in the vulnerable healthcare sector.
So, it should come as no surprise that an effective strategy to mitigate against these automation-driven threats is to ‘fight fire with fire’ through the use of SOAR, Security Orchestration Automation and Response. And this is borne out by facts on the ground. IBM, in their Cost of a Data Breach 2022 Report reported that ‘organizations with fully deployed security AI and automation had an average total cost of a data breach of USD 3.15 million. This average total cost compared to USD 6.20 million for organizations without security AI and automation deployed’. And the Biden administration’s Office of Management and Budget in their M-21-31 memorandum recommended that ‘agencies at EL1 stage shall start planning on how to best implement SOAR capabilities in their environment’ to protect critical national infrastructure.
As mentioned in my The Automated Security Operations Center—Myth or Reality? blog, ArcSight SOAR on-premise/off-Cloud has been available to our customers since 2020 as a result of the Atar Labs acquisition. However, as part of OpenText’s philosophy of providing customers with freedom of choice, SOAR is now available as a SaaS subscription model. It is fully integrated with our ArcSight SaaS with Real-Time Threat Detection offering and, as an added bonus, ArcSight SOAR SaaS is available as a complimentary add-on to ArcSight SaaS Log Management and Compliance, ArcSight Intelligence and ArcSight SaaS with Real-Time Threat Detection.
This recent TechTarget article covers the Top 6 SOAR use cases to implement in enterprise SOCs. Let’s break down how ArcSight SOAR SaaS can address these same use cases and provide value to our customers, not only with SOAR itself but also by leveraging the rest of the ArcSight portfolio.
- Threat intelligence coordination
ArcSight SOAR SaaS can substantially reduce analyst workload by automatically reaching out to threat intelligence feeds (including our own Galaxy offering), EDR and NDR tools, malware analysis tools etc., and perform triage to categorize whether a threat is low, medium or high. One advantage of this capability is the huge reduction in analyst workload through the identification of false positives that trigger semi- or fully-automated playbooks which report the alert to the ticketing system (for auditing purposes) and close-off the incident.
- Case management
Since alerts can come in clusters, for example a company-wide phishing attack that is targeting multiple employees, SOAR SaaS can reduce the case management workload by ensuring that the alerts generated (for example, by ArcSight SaaS with Real-Time Detection) are aggregated into a single incident case. This not only avoids analysts working in disparate silos on the same alerts but SOAR SaaS can assign incidents based on an analyst’s or a team of analysts’ experience and expertise and/or a particular analyst’s shift.
- Vulnerability management
ArcSight SOAR SaaS has 120+ integrations with a vast array of 3rd party security tools, cloud services and service desks and its orchestration engine can search and retrieve the results of vulnerability scans as executed by exposure management solutions such as Nessus and Tenable.
- Automated enrichment for remediation
ArcSight SOAR SaaS has the ability to enrich incidents with additional data so that by the time the analyst has sat down at her desk and is ready to process an incident, SOAR SaaS has already, for example, leveraged MISP to query a file’s hash value and identified the risk level and/or reached out to Virus Total or Galaxy to identify a suspicious domain, IP or URL.
- Threat hunting
Since ArcSight SOAR SaaS is continually reaching out to either internal or third party security tools to gather more information on the nature and risk level of a threat then, as the article indicates, this serves as a form of proactive threat hunting.
- Incident response
ArcSight SOAR SaaS allows for the execution of semi- or fully-automated playbooks that can for example, block a malicious IP address on a firewall; interact with Active Directory to disable a user account that has been compromised; or parse a phishing email and send a suspicious attachment to a sandbox for further investigation etc. SOAR SaaS also has role-based access controls to ensure that only authorized and experienced analysts are in a position to carry out sensitive response actions in order to avoid unintended consequences e.g. an IP address is blocked which triggers a production outage. Even though a threat may be real it is important that the security response is controlled and authorized.
Business Benefit Proof Points
Please see this A Business Case for ArcSight SOAR white paper, which highlights the benefits of ArcSight SOAR and includes customer testimonials from successful implementations.
The National Bank of Georgia has implemented ArcSight SOAR and Nino Simonishvili, Head of Cyber Security discusses the business benefits in this financial industry case study:
‘The ArcSight SOAR capabilities are one of the most important features when we think about Micro Focus CyberRes [now OpenText]. We estimate that SOAR will give us the equivalent of an additional headcount. Considering how hard it is in Georgia to recruit quality cyber security staff, this is a major benefit for us’ says Nino Simonishvili, Head of Cyber Security, National Bank of Georgia, in the case study.
In a Gartner Peer Insights Review of ArcSight, a satisfied customer wrote that "We were delighted to get an update from the ArcSight Team that they have acquired a full-fledged SOAR company and most importantly they are sharing this license free of cost for all existing customers."
For more information on ArcSight SOAR please visit our website: ArcSight Security Orchestration Automation and Response
Other ArcSight SOAR resources:
- ArcSight SIEM-as-a-Service
- White Paper: SOAR
- White Paper: A Business Case for ArcSight SOAR
- White Paper: SOAR for SOC Analyst and Security Engineers
- Video: ArcSight Demos | Part 18: Native SOAR Solution
- Video: Using Threat Intelligence with ArcSight SOAR | CyberRes SME Submission
- Video: Responding to a Case with an ArcSight SOAR Playbook | CyberRes SME Submission
- Video: SOARing your SecOps Efficiently | ArcSight SOAR DEMO
Join our Community | ArcSight User Discussion Forum | ArcSight Idea Exchange