Pick up any industry and you will realize that every one has gone through an evolution – from being entirely dependent on humans to being now run majorly by machines and automated processes. There comes a point, for every industry, where in order to function efficiently and effectively operate, automation becomes a necessity. In the case of cyber security, this necessity is driven by exponentially increasing complexity of threats, volume of data being recorded, financial limitations, personnel requirements, and other resource constraints. Supply chain, human resources, finances & accounting, manufacturing, IT, etc. are some of the industries that have already been influenced by the wave of automation.
With the number of alerts and the amount of log data being generated, reducing the time taken to detect and respond to a security incident is the need of the hour. Cyber security is now considered as an operational and business risk, not simply an IT risk. Like other industries, the maturing threat landscape in cyber space now requires automated processes, as it will be almost impossible for an internal security expert to go through thousands of alerts without getting exhausted or missing something really important in the context of organizational security.
The phrase security automation may have different meanings for different people. With a plethora of tools and vendors available, a decision-maker might invest in a service which does not fit into the workflow properly. So, to say, automation has quickly become an essential element in organizational security operations to increase the effectiveness of detecting and responding to threats and undertake scalable monitoring efforts.
In an organization having a dedicated SOC, it is wholly and solely responsible for round-the-clock threat monitoring, detection, investigation, response, and mitigation. At the core of a SOC, there is a SIEM (Security Information & Event Management System) which acts as an aggregator for collecting system logs and other relevant logs from various security controls implemented by an organization.
The key responsibilities of a SOC are monitoring, analysing, and responding to cyber threats. With the ever-evolving cyber space, a SOC also needs to evolve constantly and dynamically to need the quest for increased visibility into threats, their rapid analysis, and following a holistic approach for threat response. Accordingly, for a SOC, automation can be in the workflow, incident analysis, and threat response.
Coordinating various tools and technologies being utilized for maintaining the security posture has created a new set of problems for the businesses - compatibility & version issues to start with. Switching between these multiple technologies, or as called as context switching, can invariably result in decreasing the efficiency of any security program.
From the technical perspective, various methods are used to integrate tools in SOAR solutions and they can be as simple as email communications and as complex as API calls. Though technical integration remains the primary focus in Orchestration, people and processes play an equally vital role in a security program. To maximize the efficiency of a business in dealing with cyber attacks and enhancing its capabilities, orchestration must also be carried out for people and processes.
Gartner defined a new class of security operations in 2015 – Security Orchestration, Automation, and Response (SOAR). SOAR is defined as a platform which is capable of utilizing machine-readable meaningful security data in order to provide reporting, analysis, and management functions to support the operational security teams in an organization. SOAR platforms provide intelligence which is non-existent in previously employed security controls. They equip a business with formalized workflows and simultaneously enable it with informed remediation of detected threats on the basis of decision-making logic and context algorithms.
According to Gartner, ideal use cases for SOAR include –
(An insider tip: We are due to launch our SOAR solution which cohesively aligns with our SIEM solution).
SOAR functional components incorporate Orchestration, Automation, Incident Management and collaboration, and dashboards and reporting.
What’s it about the recent Facebook hack that affected 30 million people?