SOAR – conductor in the SOC orchestra
As we mentioned in a previous article, the value of SOAR lies in its ability to combine and coordinate various cybersecurity solutions and data sources “under one roof”. In our series of articles, we draw on findings from the Palo Alto Networks – State of SOAR report.
Palo Alto Networks researchers, based on the data collected, highlight four incident response processes:
- Incident ingestion and enrichment – the process by which the SOC gathers detailed information about a security incident and enriches it with contextual data to better understand what is happening. For example, if an attack can be traced to a specific CVE, the enrichment process can add detailed information about that CVE, the affected systems, remediation options, etc.
- Case management – each incident should become a case to be handled by the SOC and other teams within the organization, such as IT operations, network operations, legal, and human resources (HR).
- Incident investigation – security analysts must investigate the incident to determine the best way to respond and to prevent similar events in the future. At this stage, root cause analysis is increasingly conducted using systems that automate data collection.
- Response and enforcement – implementing the mitigation actions identified during the investigation.
These elements overlap and reinforce one another. Tools supporting the incident management process keep everything in order and keep all relevant stakeholders updated.
SOAR improves the criteria for success in each of these areas through automation, which, incidentally, is the leading trend among initiatives that improve enterprise cybersecurity posture. According to Gartner: “Emerging SOAR technologies allow you to bring automation, consistency and efficiency to SOC teams beyond what is currently possible with SIEM.”
Among SOC employees using Security Orchestration, Automation & Response technologies on a daily basis, surveyed by Palo Alto Networks:
- 54% admitted that SOAR saved them time taking action on incidents.
- 51% indicated a reduction in time to incident remediation.
- 47% confirmed a reduction in the average time to incident closure.
- 44% reduced the time needed to triage security incidents. Another 37%.
…and a staggering 79% say their security processes improved overall after implementing SOAR. These results suggest that SOAR offers a viable solution to many of the challenges facing SOC teams today. By reducing the time it takes to manage and resolve incidents, SOAR helps relieve the stress of high alert volumes and of tracking too many threat sources.
Faster triage and more productive SOC teams mean you can focus on critical incidents and make effective use of analyst expertise, a resource that is very hard to come by these days!