Improving Efficiency of Security Incident Response Using SOAR

Author: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, MCA
Date Published: 6 February 2019

Managing IT is a complicated task. The complexity arises from the need to use products from many different vendors to meet ever-evolving business requirements. Managing security is at least as complex as managing IT, because the Internet has enabled many new paradigms of technology for meeting business requirements better. The increasing complexity of IT, coupled with the ever-increasing use of the Internet, has resulted in a spate of new threats. This makes the security manager's role more difficult, as managers now need to coordinate multiple technologies and varied security products. To combat growing threats, organizations have invested in multiple security solutions such as security information and event management (SIEM) systems, user and entity behavior analytics (UEBA), threat intelligence platforms, incident response platforms, intrusion detection and prevention systems (IDPS), etc. These solutions help the organization combat security incidents more effectively and, at times, take proactive action against them, which improves the organization's security posture. However, they also generate more alerts for security personnel to investigate, which is time consuming and may result in a delayed response. With the introduction of the EU General Data Protection Regulation (GDPR) and similar compliance requirements, a delayed response is becoming untenable.

The challenge faced by security managers is how to integrate all these tools, people and processes to enable the common objective of providing protection for information assets. Security orchestration, automation and response (SOAR) is a term used to describe the integration of different technologies used for effective security.

SOAR technologies enable organizations to collect and aggregate vast amounts of security data and alerts from a wide range of sources. This assists human and machine-led analysis. It enables standardization and automation of threat detection and remediation. SOAR technologies help organizations as follows:

  • Speeds the response to security events—SOAR tools speed up response time by integrating all the tools in the security operations center’s (SOC) arsenal, including threat intelligence sources both internal and external to the organization. Instead of using a dozen or more different tools, security personnel can refer to one data source to get all information and indicators of compromise very quickly.
  • Simplifies the investigation process—In many cases, SOAR tools can investigate low-level alarms and escalate only important ones to security personnel. Also, they provide a consolidated view that makes it easier to correlate alarms from different tools and determine root cause.
  • Minimizes the damage from attacks—Automation capabilities may help initiate action such as blocking an IP address or isolating a compromised system or endpoint, which can help to minimize damage and provide important information about the attack faster.
  • Reduces time spent reacting to false positives—False positive alarms require unnecessary effort and waste security personnel’s time, reducing their productivity. SOAR helps reduce false alarms.
  • Improves the efficiency and effectiveness of IT and security operations—SOAR integrates cybersecurity and IT operations so that they can work together and provide a comprehensive view of the environment and improve the efficiency and effectiveness of IT and security operations.
  • Prevents and manages security threats—SOAR enables knowledge capture to further improve an organization’s capabilities to prevent and manage security threats.
  • Provides meaningful and insightful dashboards—SOAR provides these dashboards so that enterprises can understand and appreciate the efforts put in by the security team.
  • Lowers costs of operations—All of the previously listed points also result in lowering the costs of operations.
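As an added illustration, not part of the original article, the following Python playbook mimics the behaviours listed above: it aggregates alerts from several tools per host, enriches them with a threat intelligence feed, auto-closes known false positives, escalates only corroborated or intel-confirmed alarms, and proposes containment actions. The alerts, the IOC feed, the scanner allowlist and the tool names are all constructed sample data.

```python
# Added example (not from the article): a minimal SOAR-style triage playbook.
# Alerts, the allowlist and the threat-intel feed below are constructed sample data.
from collections import defaultdict

THREAT_INTEL_IOCS = {"198.51.100.23"}   # constructed external IOC feed
SCANNER_ALLOWLIST = {"10.0.0.5"}        # constructed internal vuln scanner (known false positive)
ESCALATE_AT = 3                         # severity at which a human analyst is paged

SAMPLE_ALERTS = [  # constructed alerts as a SIEM, IDPS and UEBA might emit them
    {"tool": "IDPS", "host": "ws-17", "src_ip": "10.0.0.5", "signal": "port scan", "severity": 2},
    {"tool": "IDPS", "host": "ws-42", "src_ip": "198.51.100.23", "signal": "C2 beacon", "severity": 3},
    {"tool": "UEBA", "host": "ws-42", "src_ip": None, "signal": "anomalous logon hours", "severity": 1},
    {"tool": "SIEM", "host": "srv-db", "src_ip": "192.0.2.9", "signal": "failed logons", "severity": 1},
]

def triage(alerts, iocs=THREAT_INTEL_IOCS, allowlist=SCANNER_ALLOWLIST):
    """Aggregate alerts per host, enrich with threat intel, drop known noise,
    escalate what matters and propose containment. Returns one decision per host."""
    by_host = defaultdict(list)
    for a in alerts:
        if a["src_ip"] in allowlist:    # known benign source: closed without analyst time
            continue
        by_host[a["host"]].append(a)

    decisions = {}
    for host, group in by_host.items():
        severity = max(a["severity"] for a in group)
        tools = {a["tool"] for a in group}
        ioc_hits = {a["src_ip"] for a in group if a["src_ip"] in iocs}
        if ioc_hits:                    # threat-intel match: treat as confirmed malicious
            severity = max(severity, ESCALATE_AT)
        if len(tools) > 1:              # independent tools agree on the same host
            severity += 1
        actions = []
        if severity >= ESCALATE_AT:
            actions.append("escalate")
            actions += [f"block_ip:{ip}" for ip in sorted(ioc_hits)]
            if len(tools) > 1:
                actions.append(f"isolate_host:{host}")
        else:
            actions.append("auto_close")
        decisions[host] = {"severity": severity, "tools": sorted(tools), "actions": actions}
    return decisions

if __name__ == "__main__":
    for host, decision in triage(SAMPLE_ALERTS).items():
        print(host, decision)
```

Running it shows ws-17 silently closed as scanner noise, srv-db auto-closed as a single low-severity alarm, and ws-42 escalated with a block and isolate proposal because two tools corroborate an intel-matched source.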

Many organizations today outsource security operations to managed security service provider (MSSP) vendors. When selecting an appropriate vendor for MSSP, organizations should include SOAR services in their requirements to achieve maximum benefits from outsourcing arrangements.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.