Do More with Security Orchestration, Automation, and Response (SOAR)

Today, security operations center (SOC) teams face dual challenges of acquiring both the right caliber and quantity of staff. Many organizations are in the early stages of transitioning from a focus primarily on prevention to a greater emphasis on detection and response. This shift involves reallocating resources and budgets toward different technologies and specialized staffing, which requires time. As a result, organizations must reevaluate their security approach — a process that can span several years.

As big as this obstacle is, this is just one of several. Even if companies manage to reconfigure their staffing composition and create opportunities to bolster their internal security operations with analysts and incident responders, they still face the hurdle of sourcing and retaining qualified professionals in a market where there is a significant scarcity of talent. 

According to the most recent jobs report, gaps in this area will continue to grow. From September 2022 through August 2023, there were only 72 cybersecurity workers available for every 100 cybersecurity jobs demanded by employers. There were 572,392 openings this year requesting cybersecurity-related skills, and employers are struggling to find workers who possess them. On average, cybersecurity roles take 21% longer to fill than other IT jobs. This lack of qualified team members makes it feel impossible to detect and respond to threats in time. Given this gap, SOC teams should consider security orchestration, automation and response (SOAR) solutions to automate repetitive tasks and optimize incident response processes.

Obstacles in Detecting and Responding to Cyberthreats Quickly

Beyond the staffing shortage, security operations teams are also dealing with serious resource constraints. At the same time, they are under increasing fire from threat actors. Cyber attackers are becoming more sophisticated. The attack surface is expanding. And the cybercrime supply chain is becoming more organized and better funded. But these elements are just part of the big hairy problem.

Companies have invested in a plethora of security technologies, and those technologies raise a lot of alarms — thousands, if not tens of thousands, daily. Security teams must determine which alarms are real and which are false positives. This deluge leaves teams unsure about what to investigate and with what urgency – creating alarm fatigue.

Adding to this fatigue is the fact that analysts must often triage these alarms across five or six products. It’s a lot to ask of any team to learn and master multiple products, correlate the information living within each, and decide whether an alarm requires action. Getting the complete picture requires the analyst to manually pull together different data silos — grinding productivity to a halt.

Given security operations resource constraints combined with the increasing threat volume, organizations have not invested enough in automation and response — a missed opportunity to profoundly reduce triage, threat investigation, and incident response times. Automating common triage and investigatory tasks, such as looking up directory information on a user or asset, can provide critical decision context fast. Automating even a basic set of responses (e.g., disabling a user account or quarantining a host) can eliminate the hours or days a threat is otherwise left active in an environment. Security orchestration, automation and response capabilities are critical in collapsing the time to investigate and respond to a threat.

Using Security Orchestration, Automation, and Response (SOAR) for Threat Detection

Rather than struggling to hire more, and sufficiently skilled, team members, take a more practical approach to what your current staff can do from an end-to-end threat management perspective.

The first step is to determine which data and operational capabilities most need protection, in line with your overall organizational risk management plan. You can then determine how best to detect threats against this data and infrastructure through analytics and a security orchestration, automation, and response (SOAR) solution. Ideally, you would take a holistic threat analytics approach that allows your team to detect threats across the full Cyber Attack Lifecycle – from Reconnaissance through Exfiltration.

When deploying analytics-driven threat detection, it is advisable to focus on a small handful of analytics use cases and review each from a monitoring, investigation, and response perspective. By taking this approach, you will realize advanced threat-detection capabilities more immediately, with the ability to fully investigate and respond. This helps ensure you don’t end up with an overwhelming number of alarms and a staff that is immediately underwater.

Actions for the Systems & Capabilities You’ve Identified to Protect

Step #1 Collect security event data from the systems monitoring and protecting the data infrastructure.

Step #2 Centralize forensic log data across the relevant systems, applications, and databases housing data or delivering the operational capability.

Step #3 Deploy a handful of analytics use cases to detect threats. For instance, you might start with analytics that qualify events from endpoint and perimeter protection technologies, combined with some behavioral anomaly detection to identify compromised credentials and abnormal internal traffic patterns.

Step #4 Develop procedures and playbooks (predefined sequences of automated actions and responses designed to guide and streamline the response to security incidents) for monitoring and qualifying alarms.

Step #5 For each unique type of threat you can detect, you will want to develop procedures and playbooks for:

  • Fully investigating that threat to determine whether a security incident has occurred or is occurring
  • Determining standard response and mitigation procedures
  • Developing post-incident recovery practices

Once you’ve implemented a thorough threat management process and realized success across a collection of threat detection use cases, you’ll be comfortable that your team is better protecting what is most important to the business. You’ll also better understand the capacity of your security team.

If you find capacity remains, you can move on to protecting additional data/infrastructure, or implementing deeper analytics in the area already protected. Regardless, you are realizing return on investment (ROI), and you are in a much better position to go back to the organization with proven results to acquire more budget and support.

Gain Efficiency With a Security Orchestration, Automation, and Response (SOAR) Solution

A security orchestration, automation, and response (SOAR) solution helps a security operations team realize a quick ROI by providing technology and automated response workflows that accelerate threat qualification and investigation capabilities.

Case management provides a place where analysts and incident responders can quickly and efficiently collaborate with each other. Integrated playbooks offer standard procedures and access to automation within the natural workflow of the security operations team. These capabilities can dramatically increase productivity while also ensuring threats don’t slip through the cracks of what was likely a previously disjointed workflow.

The automation piece of SOAR can also realize quick returns, but it requires more upfront investment. Automation requires buy-in, collaboration, and cooperation with the broader IT organization, because SOAR automates responses across the IT infrastructure. A key responsibility of IT teams is to effectively manage change. If the security operations team is going to effect change via automated responses, the team must ensure it is done safely and under appropriate governance. Making sure not only your team, but also your IT organization, has confidence in your SOAR platform to automate these actions in a responsible way is critical.

Choosing a SOAR Solution 

At the very foundation, SOAR security tools help you standardize and scale your incident response. Yet, not every SOAR tool will deliver the results your team needs. As such, there are a few things you should consider when you are evaluating a SOAR solution. 

First, look for a product with a test harness. You want to make sure you can test automated actions and scripts before they are implemented in production. LogRhythm SmartResponse™ automates tasks for streamlined efficiency across the security response workflow; automating response workflows helps empower your SOC team to accomplish more and reduces the time it takes to protect against evolving security threats. In fact, with LogRhythm SmartResponse™, you have the power to decide which actions you want to automate so your team can focus on the more complex incident response that requires skill and creativity. Choose from fully automated playbook actions or semi-automated, approval-based response actions that allow users to review before countermeasures are executed. The result is seamless execution of actions right at the source of your SIEM data and alarms, resulting in maximum productivity with minimum wasted effort or expense.

You will also want to look for capabilities such as multi-party approval, where an action can only be initiated once multiple people, potentially from different departments, have approved it. If your team lacks a centralized place to collaborate and search through previous investigations, incidents may slip through the cracks.

Consider that a huge part of IT is change control. In production IT environments, every change should be managed with a change request and change reviews. Because automation effects changes in the IT environment, buy-in from IT stakeholders is critical: the security team is now mandating IT-level changes. Not achieving buy-in from your IT organization will be your biggest SOAR adoption risk. You can’t do it alone — you must do it with IT to be effective. Having a solution that includes multi-party approvals can provide your IT organization with a degree of comfort. Even if a change is automatically pre-staged, the IT team can look at it first and approve or deny it.
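As an added illustration (not LogRhythm's or SmartResponse's code), here is the gate described above in Python: an approval-based response action runs only once a minimum number of approvers from distinct departments have signed off, a fully automated policy bypasses the gate, and a dry-run mode stands in for the test harness so an action can be exercised without touching production. Policy names, users, departments and the target host are constructed for the example.

```python
# Added illustration (not LogRhythm's code): an approval-gated playbook action runner with a
# dry-run "test harness" mode. Policy names, users, departments and targets are constructed.
from dataclasses import dataclass, field
@dataclass
class ActionPolicy:
    name: str
    automated: bool = False    # fully automated: runs with no approval gate
    min_approvals: int = 2     # approvals required when not automated
    min_departments: int = 2   # distinct departments among approvers (multi-party)

@dataclass
class PendingAction:
    policy: ActionPolicy
    target: str
    approvals: dict = field(default_factory=dict)  # approver -> department
    audit: list = field(default_factory=list)      # every decision, including denials

    def approve(self, user: str, department: str) -> None:
        if user in self.approvals:
            raise ValueError(f"{user} has already approved")  # one vote per person
        self.approvals[user] = department

    def is_authorized(self) -> bool:
        depts = set(self.approvals.values())
        return self.policy.automated or (len(self.approvals) >= self.policy.min_approvals
                                         and len(depts) >= self.policy.min_departments)

def execute(action: PendingAction, executor, dry_run: bool = False) -> str:
    """Return 'denied', 'dry-run' or 'executed'; only 'executed' calls executor()."""
    if not action.is_authorized():
        outcome = "denied"
    elif dry_run:
        outcome = "dry-run"
    else:
        executor(action.policy.name, action.target)
        outcome = "executed"
    action.audit.append(f"{outcome}: {action.policy.name} on {action.target} approvals={action.approvals}")
    return outcome

def demo() -> dict:
    calls, r = [], {}
    act = PendingAction(ActionPolicy("quarantine_host"), "ws-1042.example.internal")
    run = lambda **kw: execute(act, lambda n, t: calls.append((n, t)), **kw)
    r["no_approvals"] = run(dry_run=True)
    act.approve("alice", "SOC"); act.approve("bob", "SOC")   # two votes, one department
    r["one_department"] = run(dry_run=True)
    act.approve("carol", "IT-Ops")                            # second department satisfies the gate
    r["dry_run"], r["live"] = run(dry_run=True), run()
    r["calls"], r["audit"] = calls, act.audit
    return r
```

The audit list records denied attempts as well as executions, which is the trail both the SOC and the IT change board will want to review.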

The cost of integration is another important element to consider when selecting a SOAR platform. Ultimately, the value that SOAR enables and automates will be delivered with data from and through other systems. If you’re looking at a stand-alone SOAR solution, the events are likely going to come from a security information and event management (SIEM) platform.

It’s important to determine the cost of integration, as well as what the user experience will be to effectively realize workflows across both a SIEM and a SOAR solution. Ask yourself:

  • Will the workflows realized still be efficient? 
  • What will your team’s ability be to build their own automated playbooks? 
  • Will your team integrate the SOAR solution into your other systems (e.g., ticketing, enterprise systems, etc.) via APIs? 
  • How long will it take your team to stand up those integrations? 
  • What will the cost of maintaining integrations be? 

These are all important questions to consider during the evaluation phase.

Get a Personalized Demo of Our SOAR Solution

The right SOAR solution will help streamline your security operations team’s ability to detect and respond to threats faster, and quantify key performance indicators like mean time to detect (MTTD) and mean time to respond (MTTR). It will also save your team some sanity in its day-to-day life through streamlined workflows and playbooks for automated response actions. SOAR can be a valuable tool that empowers your team to focus on the more important work, without getting bogged down in the manual and menial.

Are you ready to overcome the endless manual task list plus become more productive by automating workflows and accelerating threat qualification, investigation, and response? Let’s connect! Request a demo to see how LogRhythm can help your team remediate security incidents faster.