It is no surprise that security alerts are on the rise. In fact, organizations currently review an average of 12,000 alerts per week, resulting in an average mean time to response (MTTR) of 4.35 days.
As a result, Security Orchestration, Automation and Response (SOAR) is one of the hottest technology spaces in the market today. CIOs and CISOs started their due diligence on SOAR in 2017-2018 and we believe it will be one of the fastest growing technology segments in 2019 and beyond. The SOAR space helps enterprises quickly detect, respond to and remediate security alerts and potential incidents by establishing and automating playbooks, lowering the operational impact on the enterprise. The technology does this by “learning” from human analysts and automating detection and response, so analysts never repeat the same investigation twice.
Automation can make your security and remediation teams significantly more efficient and better enabled. These technologies also follow the very specific workflows that humans usually skip in an effort to remediate faster – but not smarter. Here are some areas that the new emerging SOAR technologies can automate in production environments:
Alert Triage -- Reduce false positives by 95%
Incident Response -- Reduce response times (MTTR)
Threat Hunting -- Detect unknown threats
There are still gaps in the SOAR space today that most technologies cannot close. For example, they are unable to automate analysis and decision making, and they require deep security expertise to operate. Also, while most security orchestration tools can automate enrichment and response actions, only a few emerging technologies in the SOAR space, like LogicHub, can:
Reduce false positives
Automate decision-making analysis
Detect advanced unknown threats
Accept feedback for continuous improvement
The low-hanging fruit for which the market has deployed SOAR technologies are these six common use cases:
Phishing -- Phishing is one of the most prominent ways that adversaries get into the network. SOAR technologies help to quickly triage and examine suspicious emails by extracting details from the suspicious email, performing analysis and then remediating the phishing attempt when the security team approves the threat.
Malicious Network Traffic (Malware) -- With the rise of attacks on organizations, the number of alerting tools has increased substantially. Unfortunately, these tools often send too many alerts for the enterprise to triage. SOAR technologies can analyze these alerts and let the security teams know which ones pose serious threats. These technologies can also automate the workflow of finding the same instances within the organization, helping analysts understand if there are any additional instances.
Vulnerability Management -- SOAR technologies document the entire security case from start to finish. This keeps the security teams informed of any new vulnerabilities the enterprise is facing, so they can effectively assess the risk profile of each one. After notifying the team, the technology can enrich the vulnerability and host information. This enables security teams to proactively analyze the host in question to make sure there is no exploitation, tactically start safeguards if needed, and put the host on a more rigorous monitoring schedule until the risk is remediated.
Case Management -- SOAR technologies document the entire remediation process from identification to triage to remediation workflow. This helps security analysts understand the threats and follow the appropriate workflows to stop the threat from becoming a potential disaster.
MSSPs -- Managed Security Service Providers (MSSPs) are contractually obligated to meet certain SLAs with their clients. While SOAR technologies help MSSPs meet SLAs, they also document the entire workflow per customer to drive customer transparency and effectiveness. They do this by segregating individual customers' data to ensure private environments. SOAR technologies can also help the MSSP become more efficient, which increases profitability and customer satisfaction.
Ransomware -- SOAR technologies can help detect ransomware before it strikes and spreads through an enterprise. After it identifies the threat, you can automate rapid response to the attacks.
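The phishing use case above (extract details, analyze, remediate only after the security team approves) and the feedback loop listed earlier are the shape of a typical SOAR playbook. The following is an added illustration, not code from this report or from any SOAR vendor: a minimal phishing-triage playbook in Python. The sample message, the trusted-domain allow-list, the indicator weights and the verdict thresholds are all constructed for the example.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse
# Constructed sample alert, not a real message; the lookalike domain is deliberate.
RAW_EMAIL = """\
From: "IT Helpdesk" <helpdesk@examp1e-corp.test>
To: alice@example.test
Subject: Urgent: your password expires today
Content-Type: text/plain

Your password expires in 2 hours. Verify now: http://login.examp1e-corp.test/reset
"""
TRUSTED_DOMAINS = {"example.test"}                      # constructed allow-list
URGENCY_WORDS = ("urgent", "expires", "verify now", "suspended")
def trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def extract_details(raw):
    """Step 1: pull out the fields an analyst would otherwise copy by hand."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {"sender_domain": msg["From"].addresses[0].domain.lower(),
            "subject": msg["Subject"],
            "hosts": [urlparse(u).hostname for u in re.findall(r"https?://\S+", body)],
            "body_sha256": hashlib.sha256(body.encode()).hexdigest()}

def analyse(details, feedback):
    """Step 2: score indicators; `feedback` holds earlier analyst verdicts per sender."""
    score = 2 if not trusted(details["sender_domain"]) else 0
    score += 2 * sum(not trusted(h) for h in details["hosts"])
    score += sum(w in details["subject"].lower() for w in URGENCY_WORDS)
    score += {"phishing": 3, "benign": -3}.get(feedback.get(details["sender_domain"]), 0)
    verdict = "phishing" if score >= 4 else "benign" if score <= 1 else "needs_analyst"
    return verdict, score

def remediate(details, verdict, approved):
    """Step 3: act only on a phishing verdict the security team has approved."""
    if verdict != "phishing" or not approved:
        return {"status": "pending_approval" if verdict == "phishing" else "no_action", "actions": []}
    actions = ["quarantine:" + details["body_sha256"]]
    actions += ["block:" + h for h in details["hosts"] if not trusted(h)]
    return {"status": "remediated", "actions": actions}

def record_feedback(feedback, details, analyst_verdict):
    """Step 4: the analyst's final call feeds the next run's scoring."""
    feedback[details["sender_domain"]] = analyst_verdict
    return feedback
```

Running the same alert twice, once with an empty feedback store and once after an analyst has marked the sender benign, shows how a single verdict moves the case from automatic remediation to "needs_analyst".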
While those are the key use cases of today, the SOAR space will keep adding use cases as the segment matures. Today, you should automate the routine tasks that can be easily automated and increase your security team’s productivity. As you grow in your SOAR experience, you can start to automate tasks that require mid-level or even expert analyst skills. SOAR technologies are only as good as the love you put into them (i.e. if you don’t have a proper workflow to remediate certain risks, our advice is to leverage the technology vendor's resources or a consulting partner to create the correct remediation workflows).
SOAR systems provide useful features for enriching data and performing rote responses to identified threats, but they lack the critical decision analysis that’s at the heart of threat detection and threat response. A complete intelligent security automation platform does it all – data enrichment, decision automation, and automated response. Good luck on your SOAR journey!
Please log in to the Vation Innovation Platform (VIP) to research further today! If you are not a subscriber today, please contact us at contact@vationventures to get full access. Full access to this report includes a “Buyer’s Checklist of SOAR Capabilities” and the key leaders in the SOAR space.