It isn’t easy being a security operations analyst. Every company needs a cybersecurity portfolio, and the threats out there only continue to grow. Almost daily we see a new attack that costs an organization capital, reputation, or both. Security Orchestration Automation Response (SOAR) tools could provide aid to organizations buried by the potential threats out there.
The Four Challenges of Every Security Operations Team
Security operations teams today, with the number of tools and techniques available, often face four general difficulties:
A seemingly endless number of alerts is triggered by the many security detection tools we typically put on the network.
Security operations teams need to respond to every one of these alerts in order to ensure that the network is secure. In many cases the alert is a false positive: it was triggered by some automated response, and the network is otherwise unharmed.
As more tools are utilized, a flood of alerts hits the security operations team. They can’t possibly get to them all.
“It’s a well-known fact that a lot of the security breaches that we read about in the papers were actually detected by the security tools that companies put in place,” says Nimmy Reichenberg, CMO of security operations management firm Siemplify.
“They were just lost in the endless flood of alerts, and that’s how these attacks went unnoticed.”
If you’ve ever gone into a security operations center, you’ll likely find a security analyst looking at four monitors, with twenty tabs open on each, copying and pasting information into different tools in a manual and cumbersome way.
There are many tools that security analysts use to investigate and respond to alerts. They typically don’t integrate with one another.
This poses a huge problem for security analysts, who need to spend their time and effort fighting potential threats rather than making sure that the tools that are supposed to help them are communicating with each other.
In an average company there are very few processes that guide a security analyst when it comes to the necessary response to a legitimate threat alert.
For the most part the processes are tribal knowledge – analysts that have been working there and helped to install the systems know the response, but never took the time to pass that information along to newer employees. In some cases the processes were never there in the first place.
When processes are in place, they are very manual: the investigations take time, and time is a critical factor in security. How quickly you can respond to an attack matters more than whether you block it altogether.
Imagine a fire starts in your kitchen and you’ve never learned the processes for getting the extinguisher to put it out. Not only are you trying to figure out what to do, but as every second passes the fire grows, and the stakes grow higher.
A cyberattack is an incredibly stressful situation. Troubleshooting during one is not where a security analyst wants to be.
“Depending on which research you read, there are between three and five million unfulfilled cybersecurity positions,” says Reichenberg.
“What that means is companies can’t really hire their way out of this problem.” If you get five times as many alerts you can’t just hire five more people – you need to find them, train them, and retain them. No easy task.
Security Orchestration Automation Response (SOAR)
There is a growing trend in the industry to automate as much as possible. It makes sense, because automation can address much of each of the four major problems outlined earlier.
With so much on the security analyst’s plate, it makes sense to bring in tools that perform some of the more (relatively) mundane tasks that the analyst shouldn’t waste time on.
Security Orchestration Automation Response (SOAR) tools build off security information and event management (SIEM) systems.
SIEM tools make sense of the data brought in from firewalls, network applications, and intrusion detection systems, but they won't take the next step of automating processes and validating threats. That's where security operations tools such as SOAR come in.
The SIEM performs basic correlation between a threat intelligence feed and firewall logs, generating an alert for every match (I know, many will argue it’s a bad use case example, but many orgs are actually doing it exactly like that). The SOC analyst would triage each of those events by identifying the internal workstation responsible for that traffic, checking it with an EDR tool, extracting some additional indicators related to that network traffic (the binary file that initiated the connection request, for example) and submitting them to external validation services or sandboxes. If the result is positive, they would use the EDR tool to kill the process, remove the files from the endpoint and also search for the existence of the same indicators on other systems.
SOAR is a growing trend that ultimately amounts to tying together disparate tools and automating the early stages of the incident response plan.
Security Orchestration Automation Response tools will react when an alert comes in. If we consider threat detection a multi-stage process, which we should, then Security Orchestration Automation Response (SOAR) tools handle the first stage of that process.
When implementing SOAR tools, your team will decide what protocols it needs to follow. SOAR tools might query external systems, external services, or large reference data sets. They can put detection cases through the validation steps and queries that you set in place.
They ensure that an alert passes a certain threshold before it receives further investigation, and automatically close those alerts that are clearly false positives. This saves the security analyst a large amount of time that would otherwise go to validating every single alert.
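As an added illustration (not code from Siemplify or any product mentioned here) of the triage chain described for the SIEM alert above and of the threshold-and-close logic just discussed, the playbook below uses constructed alerts, an EDR inventory and sandbox verdicts as stand-ins for the real integrations:

```python
"""Minimal SOAR-style triage playbook (added example, hypothetical data)."""
from dataclasses import dataclass, field

# Constructed SIEM alerts: each is a threat-intel feed match against a firewall log line.
ALERTS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "feed_score": 90},
    {"id": 2, "src_ip": "10.0.0.7", "dst_ip": "198.51.100.2", "feed_score": 20},
    {"id": 3, "src_ip": "10.0.0.9", "dst_ip": "203.0.113.9", "feed_score": 90},
]
# Constructed EDR view: workstation -> (process, binary hash) that opened the connection.
EDR = {
    "10.0.0.5": ("updater.exe", "hash-A"),
    "10.0.0.7": ("chrome.exe", "hash-B"),
    "10.0.0.9": ("updater.exe", "hash-A"),
    "10.0.0.11": ("updater.exe", "hash-A"),  # same binary, no alert raised for it yet
}
# Constructed sandbox verdicts keyed by binary hash (stand-in for an external validation service).
SANDBOX = {"hash-A": "malicious", "hash-B": "benign"}


@dataclass
class Outcome:
    alert_id: int
    action: str  # "closed", "escalated" or "contained"
    hosts_with_ioc: list = field(default_factory=list)


def triage(alert, min_score=50):
    """Run the validation steps an analyst would otherwise do by hand, in a fixed order."""
    if alert["feed_score"] < min_score:  # below threshold: close without spending analyst time
        return Outcome(alert["id"], "closed")
    host = EDR.get(alert["src_ip"])
    if host is None:  # enrichment failed: a human has to look
        return Outcome(alert["id"], "escalated")
    _process, binary_hash = host
    verdict = SANDBOX.get(binary_hash, "unknown")
    if verdict == "benign":
        return Outcome(alert["id"], "closed")
    if verdict != "malicious":
        return Outcome(alert["id"], "escalated")
    # Confirmed: list every host running the same binary so containment covers the fleet.
    spread = sorted(ip for ip, (_, h) in EDR.items() if h == binary_hash)
    return Outcome(alert["id"], "contained", spread)


def run_playbook(alerts=ALERTS):
    """Triage every alert and return outcomes keyed by alert id."""
    return {o.alert_id: o for o in (triage(a) for a in alerts)}


if __name__ == "__main__":
    for outcome in run_playbook().values():
        print(outcome)
```

In a real deployment the `EDR` and `SANDBOX` lookups become API calls and `contained` triggers the kill-process and file-removal actions; the ordering and the close-or-escalate decisions are what the playbook encodes.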
However, you’ll likely need a partner to help you put the Security Orchestration Automation Response tools into place, and integrate all of the tools with the new system.
Service Providers to the Rescue
When you look at the function of security operations, you find that large, enterprise-level companies have the resources to invest and build the SOAR function on their own. Fortune 500 companies will buy the technology, hire analysts, and invest in everything they need to build functions on their own.
SMBs typically don't have the resources to do this, namely to staff a team of security analysts working shifts 24/7. An SMB would outsource the technology needs to a managed service provider, and all of what we have discussed would be on the plate of the MSP.
In either case, hiring a service provider to help is a viable and valuable option. Obviously, the MSP can help the smaller businesses – they would connect the company’s network to their own services and deal with implementing SOAR technology and dealing with alerts this way.
These MSPs will need Security Orchestration Automation Response more than anyone to deal with the flood of alerts from all of their clients. They would also have less need to deal with the problem of talent shortages – their employees are the talent, and hiring an MSP can give you access to a full-fledged security operations team.
Even if the company is enterprise-level, hiring an MSP or a security operations management firm could be a great way to deal with the stress of introducing new SOAR technology, or building the system from scratch.
Keep in mind that an MSP or SecOps firm isn't doing this for the first time. Their job is to consult with clients and implement the correct technology.
They’ll have the knowledge and experience to implement SOAR technology without running into roadblocks or hiccups that first-time adopters usually see.
It also saves you the hassle of hiring someone who has implemented these systems before. The right partner will not only implement the system, but will train your staff on how to use it, create documentation for future training, and create documentation on proper protocol.
It’s an up-front cost, but the long-term return on investment is incalculable – you’ll be glad you paid when you don’t lose millions because your staff didn’t follow proper procedures, or the system didn’t work the way it was supposed to.
The point is that there’s no need to go it alone. There are plenty of companies to help you introduce this new Security Orchestration Automation Response technology into your operations. From the largest company to the smallest SMB, partnering with an expert MSP or SecOps firm can be the difference between a functional system and a lot of work for nothing.