3 questions to answer before implementing SOAR
- By James Schweitzer
- Aug 03, 2020
Like any large organization, federal agencies are suffering from security alert fatigue: The majority of security operations centers (SOCs) receive more than 10,000 alerts per day, and the average analyst spends nearly 20 minutes on each case. As a result of the sheer volume of alerts, over 60% of security tickets generated are left unaddressed, and of those addressed alerts, nearly one-half of teams are seeing false positive rates of 50% or higher.
To reduce alert (and false alert) overload, organizations are increasingly turning to security orchestration, automation and response (SOAR). Gartner, which originated the term, defines SOAR as technologies that enable teams to collect incident/threat data from multiple sources, so “a combination of human and machine power” can perform incident analysis and triage. This process allows teams to effectively define, prioritize and drive standardized analysis and response activities that identify and reject false positives, or collect relevant data to close alerts -- reducing alert fatigue.
Organizations that are already investing in SOAR are seeing impactful, positive results: On average, they’re benefiting from an amazing 48% improvement in the efficiency of their security operations and a nearly 50% improvement in the accuracy of their problem diagnosis. Ninety-seven percent of IT and security professionals say that a SOAR tool allows for increased workloads while maintaining the same staff. Within the federal government, SOAR has decreased the time required for cloud service providers to achieve authority to operate from the Federal Risk and Authorization Management Program from 12 to 18 months to as little as six months.
Given the benefits, adoption and investment into SOAR technologies is surging: Gartner indicates that, by the end of 2022, three of 10 organizations with a security team larger than five people will leverage SOAR tools. By 2024, the global SOAR market is projected to reach nearly $1.8 billion, up from $868 million in 2019, according to a forecast from ResearchAndMarkets.
As with any major IT investment/commitment, SOAR requires upfront planning to achieve success -- especially when it comes to maximizing the value of data. With this in mind, here are three data-driven questions agencies should consider before implementing SOAR:
1. Do we have the data we need?
Why it matters: Logs in the cybersecurity ecosystem may indicate that monitoring tools are functioning properly, but they do not necessarily contain the data required to answer the SOAR-framed questions an investigation raises. For example, an email gateway’s log may show how many messages were sent from a particular account without indicating whether an adversary controls the account.
For SOAR to deliver on its promise, agencies must have visibility into detailed, threat-focused network and/or host data. Network detection and response tools deliver this intelligence. IT teams also need insight into encrypted traffic traversing the network. One telling statistic from Sophos shows that nearly one-third of malware and unwanted applications enter networks over connections encrypted with transport layer security (TLS). Additionally, adversaries are using DNS over HTTPS (DoH), now supported by multiple browsers, to obfuscate their activity. The upshot: IT teams must monitor the presence of TLS, HTTPS and DoH in the environment and then extract data from this traffic for incident response and threat hunting.
2. Can we pivot between data sets?
Why it matters: SOAR is all about flexibility -- leveraging orchestration and automation to empower teams to work more effectively and efficiently -- which makes it essential to be able to switch from one data set to another. For example, a SOC may discover abnormal behavior on the network. By quickly pivoting to the host data to investigate the event, the IT team could determine whether the person behind the activity was a member of the security team merely conducting a penetration test (i.e., a false positive) or whether the incident merits further investigation. Having a community-developed key that is shared across datasets allows security analysts to track a specific item throughout an investigation, making the transition between datasets quick and effective.
3. Is our data extendable?
Why it matters: Again, SOAR is all about flexibility. Agencies will want to keep extending their datasets as the SOC accumulates more intelligence. One day, they may find a new threat indicator that is not present in the existing data and want to add this to the data portfolio without needing to hire a team of data scientists. To maximize SOAR, SOCs must continuously improve their dataset knowledge and capabilities. Having extendable data allows teams to quickly and effectively adapt, identify, investigate and mitigate threats.
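As an added example (not code from the article or from Corelight), the pivot described in question 2 and the extendable indicator set from question 3 in Python: network-sensor alerts are joined to host records on a shared key (here the endpoint IP address) and triaged, and a new indicator is added as data rather than code. The log records, field names, verdict labels and the tester allowlist are all constructed assumptions.

```python
import json
from collections import defaultdict
# Constructed sample records (not from the article): a network-sensor alert log and a
# host/EDR log, both JSON lines. The shared pivot key is the endpoint IP address.
NETWORK_LOG = """
{"ts":1,"src":"10.1.1.5","dst":"10.1.2.9","dport":445,"alert":"admin_share_access"}
{"ts":2,"src":"10.1.1.7","dst":"10.1.2.9","dport":445,"alert":"admin_share_access"}
{"ts":3,"src":"10.1.1.9","dst":"10.1.2.9","dport":3389,"alert":"rdp_brute_force"}
"""
HOST_LOG = """
{"ts":1,"ip":"10.1.1.5","host":"wkstn-05","user":"redteam-svc","process":"nmap.exe"}
{"ts":2,"ip":"10.1.1.7","host":"wkstn-07","user":"jdoe","process":"rundll32.exe"}
"""
# Hypothetical allowlist of accounts authorized to run internal penetration tests.
AUTHORIZED_TESTERS = {"redteam-svc"}

def parse_jsonl(text):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def index_by(records, key):
    """Build the pivot index: key value -> list of records carrying that value."""
    index = defaultdict(list)
    for rec in records:
        index[rec[key]].append(rec)
    return index

def triage(network_records, host_records, indicators):
    """Pivot each network alert into host data via IP and assign a verdict.
    `indicators` maps a host-log field to a set of suspicious values; adding a
    new indicator later means adding a dict entry, not changing this code."""
    by_ip = index_by(host_records, "ip")
    verdicts = []
    for alert in network_records:
        hosts = by_ip.get(alert["src"], [])
        hits = sorted(f for f, vals in indicators.items() if any(h.get(f) in vals for h in hosts))
        verdict = "needs_review"  # default: no host data, or nothing conclusive either way
        if any(h["user"] in AUTHORIZED_TESTERS for h in hosts):
            verdict = "false_positive_authorized_test"
        elif hits:
            verdict = "escalate"
        verdicts.append({"src": alert["src"], "alert": alert["alert"],
                         "verdict": verdict, "indicators_hit": hits})
    return verdicts

def run_demo():
    """Triage the constructed logs with one constructed process-name indicator."""
    return triage(parse_jsonl(NETWORK_LOG), parse_jsonl(HOST_LOG),
                  indicators={"process": {"rundll32.exe"}})
```

Passing a second indicator such as `{"host": {"wkstn-07"}}` alongside the first extends the triage with no code change, which is the "extendable data" property question 3 asks for.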
To be clear, SOAR doesn’t reduce the volume of inbound alerts. But it allows human-and-machine teams to manage them in a smarter, more effective way. This capability begins and ends with the quality of the agency’s data. While the devil used to be in the details, today we can say that the devil (malicious traffic, threats, etc.) is in the data. When agencies combine SOAR with readily available, linked, flexible data that is actionable for their investigations, they’ll swiftly find -- and block -- the devils and protect the agency’s digital systems and assets.
James Schweitzer is east and federal sales engineer director at Corelight Inc.