In today’s world there is a huge volume of alerts and threat data that needs to be taken care of, and the solution to this problem comes from machine-driven automated activities. A typical organization uses a number of different security solutions in its daily processes. Building a running process out of different solutions is always a constraint, because some products use other products’ output as input. It is obvious that we do not have enough manpower to handle all activities in today’s environments. So what an organization needs is the ability to coordinate and formalize actions and to automate responses based on the defined risks of its environments.
Organizations need orchestration to provide enough information to understand, review and decide whether any suspicious activity is going on. After the required investigation is completed, and if the results confirm that there is an incident, the incident has to be responded to. To use orchestration effectively, the main requirement is a large number of integrations with the different systems in the environment. By using orchestration, SOAR can shrink investigation times from hours to minutes, and automated actions can be brought on board to respond faster, at machine speed. SOC teams can define cases and pass them all to the platform, so that automating the action improves response accuracy.
Considering all of the above, ATAR® helps organizations manage automated actions for shorter response times and a more accurate approach. By using ATAR®, SOC teams can pass all repetitive activities to the platform, and whenever an incident occurs ATAR® will handle it without human interaction. ATAR® also allows an incident to be brought up to a certain point from which a human analyst can take over and continue to work on it. When a new hire arrives at the SOC, (s)he is given playbooks describing what to do in the occurrence of a particular type of incident.
Playbooks define a precise list of activities along with preconditions, resembling a flowchart. SOCs consolidate detection activities on a SIEM; all alerts from other detection systems are generally consolidated on the SIEM. Additionally, the SIEM works as a detection system itself through analysis of the collected logs and traffic. Incidents do occur on other channels as well, such as e-mails, phone calls, etc., but the great majority comes through alerts generated by the SIEM in charge. ATAR® can also receive and manage alerts coming from systems not connected to the SIEM.
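As an added illustration of such a playbook (hypothetical code, not ATAR®’s own; the alert fields, the threat-intel blocklist, the firewall stub and the steps are all constructed for the example), the runner below walks a SIEM alert through steps gated by preconditions and stops at a defined handover point so a human analyst can take over the case:

```python
# Added example (hypothetical code, not ATAR's own): a minimal playbook
# runner that executes steps with preconditions against a SIEM alert and
# stops at a defined handover point so an analyst can take over the case.
from dataclasses import dataclass
from typing import Callable, Dict, List

Alert = Dict[str, object]

@dataclass
class Step:
    name: str
    precondition: Callable[[Alert], bool]  # gate, like a flowchart decision
    action: Callable[[Alert], None]        # automated activity
    handover: bool = False                 # stop here; a human continues

def run_playbook(steps: List[Step], alert: Alert) -> List[str]:
    """Run the steps whose preconditions hold; return the names executed."""
    executed: List[str] = []
    alert["status"] = "open"
    for step in steps:
        if not step.precondition(alert):
            continue
        step.action(alert)
        executed.append(step.name)
        if step.handover:
            alert["status"] = "handed_over"  # analyst takes it from here
            return executed
    alert["status"] = "closed"               # fully machine-handled
    return executed

# Constructed stand-ins for integrated systems (threat intel, firewall).
BAD_IPS = {"198.51.100.7"}   # constructed sample indicator
BLOCKED: List[str] = []      # records what the "firewall" was told to block

def enrich(alert: Alert) -> None:
    alert["ip_is_bad"] = alert["src_ip"] in BAD_IPS

def block_ip(alert: Alert) -> None:
    BLOCKED.append(str(alert["src_ip"]))

SUSPICIOUS_LOGIN = [
    Step("enrich_ip", lambda a: True, enrich),
    Step("block_ip", lambda a: bool(a["ip_is_bad"]), block_ip),
    # Privileged accounts are handed to an analyst instead of auto-closed.
    Step("escalate", lambda a: bool(a["privileged"]), lambda a: None, handover=True),
]

if __name__ == "__main__":
    alert = {"src_ip": "198.51.100.7", "user": "svc-admin", "privileged": True}
    print(run_playbook(SUSPICIOUS_LOGIN, alert), alert["status"])
```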