Turning security threats into proactive protection for the long haul requires an engaged security operations center staff.
When companies modernize their applications – utilizing cloud-native technology, implementing event-driven architectures, or deploying – there’s a trade-off between productivity and security. Modern cloud architectures tend to bring specific security and reliability benefits thanks to isolation and fault tolerance, but they also expand the attack surface: more services, more identities, and more integrations to watch.
These companies are also being bombarded with potential attacks. According to a survey from Dimensional Research and Sumo Logic, 70% of companies studied say the volume of alerts their security operations center (SOC) deals with daily has at least doubled over the last five years, with 24% reporting a tenfold increase. And a report from Fastly and Enterprise Strategy Group finds that 75% of companies spend more time chasing false positives than dealing with real incidents.
Security analysts simply don’t have time to improve how they respond to attackers’ tactics, techniques, and procedures (TTPs). They are mechanically discarding false positives and following standard-issue playbooks rather than solving complex problems.
Providers of SOAR solutions tend to focus on the features of their products, from algorithms to beautiful dashboards, but every now and then, it’s important to re-frame the conversation to focus on the analysts themselves: Can SOAR prevent them from becoming security automatons?
Coined by Gartner in 2017, SOAR stands for Security Orchestration, Automation, and Response. SOAR solutions help SOCs collect security-related data from multiple sources, correlate it, and respond through automated actions or better-informed manual ones. Many of these tools apply machine learning (ML) to classify the type and severity of potential incidents, and they help analysts standardize incident response through three primary capabilities:
Orchestration: SOAR solutions bring together data from multiple tools, on-premises or cloud-based – vulnerability scanners, endpoint protection software, firewalls, intrusion detection systems, and security information and event management (SIEM) software – through extensive use of those tools’ APIs.
Automation: Using SOAR products, security analysts can standardize the actions they regularly take on common tasks, like vulnerability scanning and log analysis. Better still, they can define which steps of a standardized process can be encoded in automated playbooks, so that analysts are only notified of the manual follow-up actions after the platform has already taken the routine mitigation steps. The usual rule is to automate reversible, low-blast-radius steps (enrichment, ticketing, blocking a single source IP) and keep a human approval gate in front of destructive ones, such as isolating a host or disabling an account, so that a noisy detection cannot take down production by itself. Over time, ML-based tooling can also recommend further candidates for automation.
Response: With SOAR, there’s a single view for planning, managing, monitoring, and reporting actions that happen once a threat is detected. Analysts deal with far less context switching between tools or confusion over which dashboard has the “real” truth.
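To make the orchestration, automation and response split concrete, here is an added example (written for this page, not code from any SOAR vendor or from the original article) of a minimal playbook runner. The alerts, the threat-intel list, and the `Connectors` class standing in for firewall and EDR integrations are all constructed and hypothetical. It shows the three steps the list above describes, plus the two things the false-positive statistics call for: repeated alerts are collapsed into one case, and below-threshold singletons are closed automatically while anything destructive or touching a sensitive host is routed to a human for approval.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# --- Constructed inputs (hypothetical, not real data) -------------------------
KNOWN_BAD_IPS = {"203.0.113.7"}    # stand-in for a threat-intel feed connector
CROWN_JEWEL_HOSTS = {"jump-01"}    # isolating these requires a human decision
BRUTEFORCE_THRESHOLD = 3           # de-duplicated hits before we treat it as real

# Constructed sample alerts, shaped like what a SIEM might forward to a SOAR.
SAMPLE_ALERTS = [
    {"id": 1, "rule": "ssh_bruteforce", "src_ip": "203.0.113.7", "host": "web-03"},
    {"id": 2, "rule": "ssh_bruteforce", "src_ip": "203.0.113.7", "host": "web-03"},
    {"id": 3, "rule": "ssh_bruteforce", "src_ip": "203.0.113.7", "host": "web-03"},
    {"id": 4, "rule": "malware_detected", "src_ip": "198.51.100.9", "host": "jump-01"},
    {"id": 5, "rule": "ssh_bruteforce", "src_ip": "198.51.100.22", "host": "web-07"},
]


@dataclass
class Case:
    """One correlated case: several raw alerts collapsed into a single unit of work."""
    rule: str
    src_ip: str
    host: str
    alert_ids: list
    severity: str = "low"
    automated: list = field(default_factory=list)   # actions the playbook ran itself
    manual: list = field(default_factory=list)      # follow-ups queued for an analyst


class Connectors:
    """Hypothetical tool connectors. Each action is idempotent and audited, so a
    re-run of the playbook never stacks duplicate firewall rules or isolations."""

    def __init__(self):
        self.blocked_ips = set()
        self.isolated_hosts = set()
        self.audit = []

    def block_ip(self, ip):
        if ip not in self.blocked_ips:
            self.blocked_ips.add(ip)
            self.audit.append(f"firewall: block {ip}")

    def isolate_host(self, host):
        if host not in self.isolated_hosts:
            self.isolated_hosts.add(host)
            self.audit.append(f"edr: isolate {host}")


def correlate(alerts):
    """Orchestration: collapse repeated alerts into one case per (rule, src_ip, host)."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["rule"], a["src_ip"], a["host"])].append(a["id"])
    return [Case(rule=r, src_ip=ip, host=h, alert_ids=ids)
            for (r, ip, h), ids in groups.items()]


def enrich(case):
    """Enrichment: rate severity from the de-duplicated count and threat intel."""
    if case.src_ip in KNOWN_BAD_IPS or case.rule == "malware_detected":
        case.severity = "high"
    elif len(case.alert_ids) >= BRUTEFORCE_THRESHOLD:
        case.severity = "medium"
    return case


def respond(case, conn):
    """Automation and response: run reversible, low-blast-radius actions on their own;
    anything destructive or touching a crown-jewel host waits for a human."""
    if case.severity == "low":
        # Below-threshold singletons are the noise that eats analyst time: close them
        # automatically, but they stay in the SIEM so later correlation can revive them.
        case.automated.append("auto-close")
        return case
    conn.block_ip(case.src_ip)                       # reversible, so safe to automate
    case.automated.append(f"block_ip {case.src_ip}")
    if case.rule == "malware_detected":
        if case.host in CROWN_JEWEL_HOSTS:
            case.manual.append(f"approve isolation of {case.host}")  # approval gate
        else:
            conn.isolate_host(case.host)
            case.automated.append(f"isolate_host {case.host}")
    else:
        case.manual.append(f"check for successful logins from {case.src_ip} on {case.host}")
    return case


def run_playbook(alerts, conn=None):
    """Run the three steps over a batch of alerts; returns the cases and the connectors."""
    conn = conn or Connectors()
    cases = [respond(enrich(c), conn) for c in correlate(alerts)]
    return cases, conn


if __name__ == "__main__":
    cases, conn = run_playbook(SAMPLE_ALERTS)
    for c in cases:
        print(c.alert_ids, c.severity, "auto:", c.automated, "manual:", c.manual)
    print("audit trail:", conn.audit)
```

On the sample data the three brute-force alerts from the known-bad address become one high-severity case whose block is applied automatically and whose only analyst task is to look for a successful login; the malware alert on the jump host is blocked at the firewall but isolation is held for approval; and the lone brute-force hit is auto-closed. Running the playbook again over the same alerts adds nothing to the audit trail, which is the property a real connector must have before you let a playbook run unattended.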
There is a clear advantage in implementing SOAR: holistic visibility into every corner of a company’s broad architecture without dictating all of the tools or trying to force a single platform on the entire company.
It’s a sea change from the technology-driven SOC of the past, which tried to tightly control and maintain every piece of the security puzzle and so ended up spending more time maintaining the SOC than solving security problems. With SOAR, that problem is more solvable than ever – but only if companies focus their technology investment on making SOC work feel more human-oriented.
Why re-humanize the security operations center?
One of the biggest problems for legacy SOCs has been slow training cycles and an inability to retain talented security analysts, which limits the SOC’s ability to adapt at the speed the company – and the security landscape at large – demands. SOAR offers avenues for not just implementing a newfangled solution with all the requisite AI/ML buzzwords but genuinely changing the way analysts work.
- Build a positive work environment. The legacy SOC is a generally negative environment, with alerts firing all the time, the constant feeling that every piece of the infrastructure is on fire, and a reactive-only workflow. Companies can reshape how security analysts perceive their jobs by offloading some of that once-manual work to automated playbooks and moving to proactive or defensive strategies.
- Put sophisticated analyst brainpower to better use. Most people get into security because it’s a fast-moving, complex problem with no simple solutions. Each threat is a new puzzle to be solved. Automating routine incident response gives analysts many more spare cycles to shape new approaches to threat hunting or to build detections and countermeasures for the new tactics, techniques, and procedures (TTPs) they see in real-life incidents. They can work on harder, more interesting problems, which generally improves their job satisfaction and keeps them around longer.
- Tackle tough issues around skills availability and training. Turnover is inevitable, so any SOC needs to be ready to onboard new security analysts regularly. SOAR solutions let new recruits train on real-world examples through simulation, which helps them get caught up on the latest best practices and strategies in a fraction of the time.
Despite how far they’ve come on cloud-native technologies, real-time analytics, or event-driven architectures, many technology-driven companies get caught in a trap of thinking that security operations is a battle between technologies, where the player with the most sophisticated tools wins out at the end of the day. The reality is that there are people on both sides of any cyberattack. And they’re both most likely engineers who like to build and solve complex problems using the tools available to them.
That means providing the right platform – whether it’s SOAR, SIEM, a complex mash-up of security products, or the stereotypical SOC full of monitors, dashboards, and headset-wearing analysts sweating over thousands of alerts a day – is a given. Even more important is keeping their human edge sharp so that they’ll want to keep coming back and turning security threats into proactive protection for the long haul.