The results of the 2019 SANS SOC Survey are in, and according to the survey the three most frequently cited obstacles to SOC excellence were
As cyber threat behavior, business processes, and IT technologies evolve constantly, SOC operations are one of the most challenging environments to manage and measure today.
Phishing threats are among the most common cases a SOC team must grapple with, but they are also among the most frustrating and least desired. Automation and machine learning tools, however, are proving effective at augmenting skilled analysts and even enabling less-skilled analysts to focus on the alerts most likely to be true positives. Amid all the chaos and data a SOC team has to deal with, orchestrating and automating the tools and technologies it already owns lets it augment its analysts and mitigate threats swiftly and efficiently.
That’s where a true SOAR (Security Orchestration, Automation and Response) solution becomes indispensable. SOAR takes the best of automation and orchestration technologies and combines it with the ability to extend those capabilities across all tools and technologies into a seamless response effort. Once automation and orchestration are used correctly, their successes begin to trickle down through the rest of the security program. The three tenets of an effective SOAR strategy, as the name itself suggests, are
According to Gartner, 70% of enterprises with a dedicated SOC will adopt SOAR tools by 2021, up from less than 5% in 2018.
By 2019, 30% of mid- to large-sized enterprises will leverage a SOAR technology, up from an estimated 5% in 2015.
This increase is driven by a growing need to report on and analyze security operations. Over the past few years SOAR has stopped being a niche product; it has gained traction across all industries and verticals. Part of that uptick is that many organizations have reported that a security orchestration, automation and response platform lets them keep moving their security program in a positive direction by giving their staff the assistance they need to stay ahead of adversaries.
Over the past decade, the frequency and sophistication of threats has grown, which has led to an explosion of security applications being used in the enterprise. Security analysts are forced to work across multiple platforms, manually gathering disparate data from each source and then manually enriching and correlating it. An increased workload, combined with budget constraints and competition for skilled analysts, means that organizations are being forced to do more with less.
Triaging an unending stream of alerts can keep a SOC from reacting quickly and effectively. Even when alerts are centrally managed and correlated through a SIEM, their volume is often overwhelming for security teams. When the SOC is staffed with untrained analysts, automation is a boon: the power and agility of a machine can evaluate an enormous volume of alerts in moments, so SOC analysts and incident handlers can act proactively on relevant, contextual data and make faster decisions in their investigations.
With a SOAR solution in the SOC, any event can be handled much faster to keep it from spreading. As soon as suspicious activity occurs, a SOAR playbook can automatically isolate the affected device from the network. This radically reduces the SOC’s response time and relieves the SOC team of having to react manually to contain incidents.
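The enrich, correlate, decide and respond loop described in the last three paragraphs, as an added illustration in Python. This is not code from the article or from any SOAR vendor; the alerts, the threat-intelligence domain list and the `isolate()` callback are all constructed for the example, and the scoring thresholds are assumptions. The point it makes beyond the prose is the guardrail a practitioner wants: a host is isolated only when the combined score is high, and if the isolation action itself fails the case falls back to an analyst instead of being silently closed.

```python
"""Minimal SOAR-style triage playbook (added illustration, not vendor code)."""
from dataclasses import dataclass, field
from typing import Callable

# Constructed threat-intelligence list standing in for an enrichment source.
KNOWN_BAD_DOMAINS = {"login-micros0ft-update.example", "secure-payroll-reset.example"}

# Constructed alerts: a phishing email, an EDR alert on the same host, and a benign one.
SAMPLE_ALERTS = [
    {"id": "A-1", "type": "phishing_email", "host": "wks-017", "user": "jdoe",
     "url_domain": "login-micros0ft-update.example"},
    {"id": "A-2", "type": "edr_process", "host": "wks-017", "user": "jdoe",
     "process": "powershell.exe"},
    {"id": "A-3", "type": "phishing_email", "host": "wks-042", "user": "asmith",
     "url_domain": "intranet.example"},
]

# Assumed thresholds: auto-isolate only on high confidence, otherwise hand to a human.
ISOLATE_THRESHOLD = 80
REVIEW_THRESHOLD = 40


@dataclass
class Verdict:
    alert_id: str
    score: int = 0
    reasons: list = field(default_factory=list)
    action: str = "close"


def enrich(alert: dict) -> dict:
    """Enrichment step: attach threat-intel context to a copy of the alert."""
    enriched = dict(alert)
    enriched["domain_known_bad"] = alert.get("url_domain") in KNOWN_BAD_DOMAINS
    return enriched


def correlate(alerts: list) -> dict:
    """Correlation step: distinct alert types seen per host."""
    by_host: dict = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["type"])
    return by_host


def score_alert(alert: dict, by_host: dict) -> Verdict:
    """Decision step: additive score from enrichment and correlation signals."""
    v = Verdict(alert["id"])
    if alert.get("domain_known_bad"):
        v.score += 60
        v.reasons.append("url domain on threat-intel list")
    if len(by_host[alert["host"]]) > 1:
        v.score += 40
        v.reasons.append("multiple alert types on same host")
    if v.score >= ISOLATE_THRESHOLD:
        v.action = "isolate"
    elif v.score >= REVIEW_THRESHOLD:
        v.action = "analyst_review"
    return v


def run_playbook(alerts: list, isolate: Callable[[str], bool]) -> list:
    """Response step: isolate high-confidence hosts via the supplied callback.

    `isolate` stands in for an EDR/NAC integration; it returns True on success.
    A failed isolation is never treated as closed: the case goes to an analyst.
    """
    enriched = [enrich(a) for a in alerts]
    by_host = correlate(enriched)
    verdicts = []
    for a in enriched:
        v = score_alert(a, by_host)
        if v.action == "isolate":
            ok = isolate(a["host"])
            v.reasons.append("isolation succeeded" if ok else "isolation FAILED")
            if not ok:
                v.action = "analyst_review"
        verdicts.append(v)
    return verdicts


if __name__ == "__main__":
    # Mock integration that just records which hosts it would isolate.
    def mock_isolate(host: str) -> bool:
        print(f"[action] isolating {host}")
        return True

    for verdict in run_playbook(SAMPLE_ALERTS, mock_isolate):
        print(verdict.alert_id, verdict.score, verdict.action, "; ".join(verdict.reasons))
```

With the sample data, A-1 scores 100 (known-bad domain plus a second alert type on wks-017) and is isolated; A-2 scores 40 on correlation alone and is queued for review; A-3 scores 0 and is closed. Swapping `mock_isolate` for a callback that returns False shows the fallback: the same A-1 ends up in the analyst queue with the failure recorded in its reasons, which is the audit trail a SOC needs when an automated action does not land.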