SOAR: The Answer to the Cybersecurity Skills Gap and a Future in the Cloud

IT Pro Portal Logo

Cloud is exacerbating the cybersecurity skills gap, but the solution lies in SOAR.

As organisations look to protect their data from sophisticated threat actors, there are two intertwining trends that need to be addressed: sweeping organisational migration to the cloud and the current gap in cybersecurity skills.

Cybersecurity is a game of one-upmanship. In the world of data security, this means meeting the evolving nature of cybersecurity threats – criminal groups and even state-sponsored advanced persistent threat (APT) groups are continually developing sophisticated strategies to breach corporate networks.

Adding to the headaches of cybersecurity professionals, threats can take a variety of forms. Towards the lower end of the scale, comparatively amateurish cybercriminals have a range of choices to get them started with limited know how. DDoS-for-hire and ransomware-as-a-service models continue to spread and are easily available to a wide audience. These methods can easily victimise organisations, particularly those that are lapsing in their cybersecurity.

One example of highly proliferated malicious software is when the designers of the infamous IoT-based botnet Mirai released the original code several weeks after it originally appeared in the summer of 2016, deliberately including build scripts for different processor architectures. There are now estimated to be around 20,000 Mirai variants in the wild, which can be used for a variety of purposes, from subtle click-fraud to sweeping denial of service attacks and data theft.

In the face of script kiddies and nation-state backed threat actors alike, a security professional’s role is to remain vigilant and maintain stackable levels of organisational defence, as new strains of malware are developed and fresh attack vectors into company networks are explored.

Traditionally, this was a high stakes game, challenging to even fully-staffed security teams, but whereas well-organised, criminal threats are an expanding issue, their opposition is struggling to find qualified personnel. Indeed, in the wake of the 2019 Covid-19 epidemic, as the world grows accustomed to going online with highly distributed workforces, cybercrime is rampant.

The issue of the cybersecurity gap is well documented. A recent Enterprise Strategy Group (ESG) survey of 267 cybersecurity professionals and Information Systems Security Association (ISSA) members found that 74 per cent of respondents said that the gap had impacted their organisations. The issue was thought to be so severe that US President Donald Trump issued a 2019 executive order in a bid to remediate the situation.

To try and shift the balance back in their favour, organisation’s security operations centres (SOCs) are increasingly looking to create greater efficiencies within their threat detection and neutralisation processes to meet the wave of attacks.

SOAR as a backup to security teams

Given the sweeping nature of the problem, organisations are continuously looking for solutions to automate the network security process and lessen the burden on their security teams. This has required a rethink of the manual detection process with cybersecurity solutions being put in place to implement automatic network monitoring and threat detection.

The problem is that these tools create a range of challenges in and of themselves. The relentless nature of today’s threat landscape results in monitoring tools alerting security teams to a flurry of daily alarms that can reach the tens of thousands, all of which must be investigated.

Security teams must have a comprehensive familiarity with the range of products their organisation might use, all of which can need any number of complicated steps. Data must be carefully sifted through if teams are to understand whether a signal is a false positive or an actual threat. In many ways, the workload has actually expanded rather than decreased.

This is where organisations are turning to deploying more advanced security orchestration, automation and response (SOAR) tools, alongside cloud-hosted security information and event management (SIEM) solutions.

Functionally, SOAR is often not a single solution to any problem, but carries a range of functionality, including incident response, security automation, case management and other security tools. Its mission brief is to help SOCs maintain the efficiency required to effectively monitor besieged organisational networks. Increasingly, advanced SIEM solutions now include SOAR capability – with industry analysts predicting a future merging of the two markets.

SOAR helps SOCs improve efficiency in two vital ways. First, it automates tasks usually manually handled by SOCs, and then aggregates intelligence from varied sources, which it then displays on a centralised dashboard. This allows security teams to effectively visualise and identify the most pressing threats.

SOAR utilises customisable workflow and controls functionality, which enables teams to investigate potential threats with far greater ease within their organisational networks, saving time in the process. Instead of having to jump between the various solution platforms that their organisation might employ, analysts can respond to issues immediately with the additional help of their case playbooks.

This streamlined process saves time and allows for analysts to focus their attention where it is needed most.

SOARING to the cloud

Given the huge benefit SOAR brings to security teams trying to navigate the cybersecurity skills crisis, the natural next step is to bring it to the cloud.

As organisations have embraced digital transformation, migrating applications and their networks to the cloud, SIEM and SOAR solutions have trailed behind. The reasons for this lie in a reluctance for sensitive data to be migrated off-premises and a lack of sophistication in the solutions vendors have on offer. Simply put, available cloud solutions lack the holistic nature of what is offered on-premises.

Advancements are being made, especially as businesses are increasingly operating towards cloud-first strategies in which a cloud-first security approach will also be sorely needed. In addition to this, new capabilities, such as the scanning of unstructured data, promote SOAR as a more appealing investment case for companies. A key attribute that may prove winning in the case for cloud-based SOAR is its capability for rapid deployment compared to on-premises solutions.

As security budgets tighten and the cyber-skills shortage looks to persist for the near future at least, SOAR will become a vital ally for SOCs to keep their networks safe from threat actors. This is especially true as the world moves to cloud, where sensitive data will inevitably have to be protected.

Andrew Hollister, EMEA director, LogRhythm Labs