Whenever I talk to a CISO they tell me that cybersecurity automation is all about tightening the corners rather than cutting them, but that doesn't mean that automation with a SOAR can't show you some real gains in your SOC. In this article, I am going to take a closer look at the most common SOAR use cases in order to illustrate how this can be the case.
A lot of forward-thinking CISO’s are leveraging sophisticated cybersecurity automation, which includes well thought out playbooks, human prompts and decision making logic to execute automated actions that help a SOC analyst investigate an event before remediating it.
When it comes to handling complex automation use cases SOAR (Security Automation & Orchestration) platforms are your friend, a good SOAR platform will help you compile your automation playbooks to alleviate some of those important, but time-consuming, manual tasks.
Working With Data
Your average cybersecurity operations center collects extraordinary amounts of data, but none of it has any value if it cannot be converted into actionable next steps. Data is a great source of learning, but if it's not organized, processed and made available in the right format for decision making, it's useless and becomes a burden rather than a benefit.
A good SOAR automation playbook helps you correlate data by pulling in all the threat data from across your infrastructure and validating it against threat intelligence data from outside sources. Sharp analysts leverage the output of this kind of automation by using it to identify known threats that behave similarly. Doing this manually is just not an option for most SOC’s, they have too much data that needs to be sequenced quickly and accurately and too high a threat volume to deal with, but automation helps you quickly convert that data into next steps.
Working With Different Departments
Updating other teams within your organization takes much more time than anyone would think and is an often neglected task because of that. Sometimes it's because the case management GUI’s are clumsy when copying information between them, other times it's because your team is just too busy. Automating the process of intra-organizational communication around threats frees up your team to focus on more important tasks. It can also help you develop better metrics to share with the rest of your organization and increase your audibility across with company executives.
Working With Intrusions On Your Network
Dwell time is the duration of time an unauthorized intruder has undetected access to your network until the threat has been completely removed, it's the metric we use to describe how quickly we can detect and remove threats. The average dwell time for most organizations is somewhere between 50-150 days, which is just crazy when you think about it. To stop an attack before your data has been exfiltrated outside of your network, your team has to be moving faster than the attack is, identifying suspicious behaviors and identifying infected hosts to get ahead of attacks.
In the same way that the analysis of unknown threats attempting to penetrate your network is a laborious and manual task, the manual correlation and analysis of data from across your endpoints, mobile devices, servers, and networks can be much more difficult to scale. By automating this workflow, if something on your network becomes comprised, the subsequent analysis, investigation, and remediation become much faster, driving down dwell time.
Vulnerability Reporting & Alerting
One of the most unpopular tasks in a SOC is vulnerability report review, looking into a systems previous history and working out who the system owner is, or in many cases the business owner. This is some of the lowest hanging fruit in the cybersecurity automation playbook and automating this workflow will make your analysts much more productive as they have time to focus on more important tasks. When vulnerability reporting and alerting is automated and combined in a SOAR platform with dynamic threat analysis, your ability to detect sophisticated threats is dramatically increased.
Generating/Implementing Protections Faster Than Threats Can Spread
Once your team identifies a threat on the network, protections need to be prepared and deployed faster than the threat can propagate, moving laterally through your endpoints and networks. Creating sets of protections from different technologies manually, ones that are capable of mitigating against am attackers' future behavior is a difficult and time-consuming task that is complicated by the number of different security vendors that you have in your SOC’s technology stack.
The use cases that I have outlined above are just a few of the cybersecurity workflows that you can automate in order to make your SOC more effective, but other SOC workflow use cases can equally be as effective in delivering improvements in your efficiency and consistency.
A good SOAR platform can help you automate a wide range of different SOC functions and workflows, such as penetration testing, intelligence sharing, and user management in order to deliver those services in a more effective way.
Want to learn how ATAR helps, request a DEMO and see ATAR in Action.
by Ahmet Ozturk