ITWeb Security Summit 2020: Five ways SOAR improves collaboration within SOC team
By Murray Benadie, MD, Zenith Systems
“SOCs are mission-critical for both private enterprise as well as MSSPs” declares Murray Benadie, MD of Zenith Systems. “Optimising their efficacy in detecting and containing cyber threats is crucial in keeping ahead of the threat landscape.”
One of the first steps towards creating an effective security operations centre (SOC) is to ensure all team members collaborate seamlessly. This means the software used by the SOC team should be easy to understand, user-friendly and easily customisable.
To help improve the way SOC teams communicate, many organisations have adopted automation and orchestration, which mark a true turning point in cyber security. Automation and orchestration are the capabilities provided by the technology known as SOAR, and the reasons why SOAR has become a game-changer in the way SOC teams communicate and manage threats are set out below.
1. SOAR enhances the communication between every SOC team member
SOAR stands for Security Orchestration, Automation and Response. The goal of SOAR is to vastly improve the efficacy of SOC processes, which includes SOC communication. SOAR connects employees, technologies, and processes by using its automation and orchestration capabilities.
SOAR vastly improves the communication between different SOC team members, including:
- Analyst and SOC manager;
- SOC manager and CISO;
- CISO and board; and
- IT and OT manager.
By providing a centralised, intuitive and collaborative platform, SOAR lets all SOC team members collaborate more easily and efficiently. SOAR moves the workflow of every team member into one place, bringing disconnected team members closer together and allowing them to carry out their security operations effectively.
Not only will SOAR improve the communication within the SOC team, but it’ll also allow team members to work intelligently and broaden their communication with key players from different departments, including IT, HR, PR, legal, etc.
2. SOAR reduces incident response time by up to 10 times
SOAR significantly boosts the efficiency of every resource within the SOC. The goal of this technology is to improve the productivity of every team member, optimally utilise every resource, and make sure the security operations are conducted in the most efficient manner. SOAR applies automation to low-risk, repetitive and mundane tasks, thus allowing analysts to have more free time to focus on more important assignments. SOAR documents the entire life cycle of an incident, from inception to conclusion, leading to a tenfold reduction of analyst time spent on such mundane tasks.
Furthermore, SOAR is able to distinguish false positives from genuine detections. SOAR uses a machine learning engine to study live cyber attacks as they arrive in real time. It analyses their idiosyncrasies, stores them and memorises the pattern so that the same information can be used when a similar threat appears in the future.
When a similar threat does arrive, SOAR uses its accumulated knowledge to prompt the proper countermeasures and automatically resolve the threat with little or no human intervention, depending on the level of automation you wish to apply to security operations. If the threat appears to be a false positive, SOAR labels it as such, preventing the false positive from growing into an incident that would require more attention and ultimately waste analysts' time and effort.
3. SOAR effectively manages escalation to the SOC team
SOAR allows teams to work in a more coordinated manner, and upon detecting and analysing a threat, SOAR escalates the incident to the right person. SOAR does this in a timely manner in order to provide critical information that is necessary to contain the threat.
SOAR automatically enriches each alert, documenting the alert's characteristics and classifying its nature accordingly. The enriched alert data is then escalated to the analysts, who use their expertise to assess the situation. Without SOAR, the enrichment phase of every alert is performed manually by analysts.
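The enrichment, false-positive labelling and escalation flow described in sections 2 and 3, as an added Python example that is not part of this article or of IncMan SOAR; the asset inventory, hash list, known-benign patterns, role names and the `auto_contain` policy switch are constructed assumptions.

```python
# Added example (not from the article or any SOAR product): a minimal
# playbook that enriches an alert, labels known false positives, and
# escalates the rest to the right role.
from dataclasses import dataclass, field

# Constructed enrichment sources standing in for an asset inventory and a
# threat-intel feed; a real SOAR would query its integrations for these.
ASSETS = {"10.0.5.20": {"owner": "finance", "critical": True},
          "10.0.9.7": {"owner": "it", "critical": False}}
BAD_HASHES = {"deadbeef" * 8: "constructed-loader"}   # constructed sample
# (alert kind, host) pairs previously closed as benign, i.e. learned patterns.
KNOWN_FALSE_POSITIVES = {("vuln_scan", "10.0.9.7")}

@dataclass
class Alert:
    kind: str
    host: str
    sha256: str = ""
    enrichment: dict = field(default_factory=dict)
    verdict: str = "open"
    assignee: str = ""
    action: str = "none"

def enrich(alert: Alert) -> Alert:
    """Attach asset and threat-intel context so the analyst sees it up front."""
    alert.enrichment["asset"] = ASSETS.get(alert.host, {"owner": "unknown", "critical": False})
    alert.enrichment["intel"] = BAD_HASHES.get(alert.sha256)
    return alert

def triage(alert: Alert, auto_contain: bool = False) -> Alert:
    """Label known false positives; route everything else to the right person."""
    if (alert.kind, alert.host) in KNOWN_FALSE_POSITIVES:
        alert.verdict, alert.assignee = "false_positive", "auto-closed"
    elif alert.enrichment["intel"]:
        alert.verdict, alert.assignee = "high", "soc-manager"
        # The level of automation is a policy choice: contain now or wait for a human.
        alert.action = "isolate_host" if auto_contain else "await_approval"
    elif alert.enrichment["asset"]["critical"]:
        alert.verdict, alert.assignee = "high", "soc-manager"
    else:
        alert.verdict, alert.assignee = "medium", "tier1-analyst"
    return alert

def run_playbook(alerts, auto_contain: bool = False):
    return [triage(enrich(a), auto_contain) for a in alerts]

if __name__ == "__main__":
    for a in run_playbook([Alert("malware", "10.0.5.20", "deadbeef" * 8),
                           Alert("vuln_scan", "10.0.9.7"),
                           Alert("port_scan", "10.0.9.7")]):
        print(a.kind, a.host, a.verdict, "->", a.assignee, a.action)
```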
4. SOAR creates a centralised dashboard for a better perception of security operations
Security teams often struggle with too many tools and too much data, and having to jump from one tool to another makes it difficult for employees to communicate. SOAR improves workflow processes by providing a centralised, fully customisable dashboard with various KPIs and metrics, giving SOC teams access to the entire sequence of security operations from one place.
SOAR brings together new and existing tools and allows the analysts to be more productive by working from one place. SOAR provides a centralised hub where a singular system manages and oversees the entire security operations, thus connecting people, technologies and processes. The goal is for every employee to have the right information at the right time, and work in a co-ordinated, effective manner. And that’s what placing SOAR at the heart of your security platform will provide.
5. SOAR relies on an open architecture
IncMan SOAR, supplied by Zenith Systems, adopts an open architecture philosophy. Through its OIF (Open Integration Framework), IncMan SOAR allows clients to connect to over 200 of the most popular tools in the cyber security industry. On top of that, IncMan SOAR also allows clients to create their own integrations with little coding experience and without our supervision.
According to Benadie: “This, combined with integrated, pre-developed playbooks, is a major competitive advantage for IncMan SOAR, as it means that clients are able to deploy IncMan in a substantially reduced timeframe when compared to other tools.”
“DFlabs, the developers of IncMan SOAR, know that the next-gen cyber security platforms must be flexible enough to easily collaborate with different tools from different vendors. This type of open source nature of IncMan SOAR allows different tools to easily interact with one another, and it doesn’t disrupt the conventional workflow of security operations within an organisation. Ultimately, this allows clients to maximise their investments by bringing all tools together in a flexible, all-in-one platform.”
SOAR for the future
Having to deal with the ever-growing complexities in the cyber world, organisations must have an open mind regarding automation and orchestration and realise that SOAR is their ally in the battle against sophisticated cyber threats. To summarise, this is how SOAR improves the collaboration of the SOC team:
- Creating a centralised dashboard for all workflow processes;
- Speeding up incident response through automation;
- Escalating incidents to the right person;
- Integrating seamlessly with different tools to provide a better connection; and
- Bringing together disconnected teams from different departments.
The reality is that analysts and other security professionals cannot possibly handle the flood of cyber attacks, estimated at thousands per day, and jumping from one tool to another only makes workflow processes worse. This is why it is essential to embrace technologies like SOAR and get aboard the automation train. Sooner or later, SOAR is bound to become a necessity rather than a luxury, and given the increasing number of complex threats, that may happen sooner rather than later.