A surge in cyber-threats and the administrative burden involved in staying on top of data security management is putting pressure on enterprise IT departments that cannot afford to risk a serious data breach, reputational damage and operational disruption.
Faced with an ongoing cybersecurity skills shortage, organizations need an approach to security provision that is not bottlenecked on manual processes: one that reduces dependence on hard-pressed analysts by using automation, machine learning, artificial intelligence, predictive analytics and related technologies to identify, filter, neutralize and remediate cyber-threats before they can do significant harm.
By bringing orchestration, automation, incident management, collaboration, visualization and reporting together under a single interface, SOAR can give security operations center (SOC) staff a faster and more accurate way to process the large volumes of data produced by security tooling, and help them identify and remediate attacks that are imminent or already underway.
Mixed state of SOAR readiness
In its Innovation Insight for Security Orchestration, Automation and Response report published in November last year, Gartner forecasts that by the end of 2020, 15% of organizations with a security team larger than five people will use SOAR tools, up from an estimated 1% in 2017.
The scale and rate of that forecast adoption suggest two things: first, that many businesses are unprepared for the security management challenges they face, and second, that awareness of SOAR and the benefits it can bring is still limited.
Gaps in understanding lead to expensive procurement mistakes, which are invariably difficult and costly to rectify. IT departments should therefore not rush into an implementation without taking a good look at their existing security architecture and processes, and carefully considering where SOAR can work alongside them to ease the workload of SOC analysts.
In many cases, IT departments remain unclear about which security processes can or should be automated, and which of their current security applications and systems lend themselves to the kind of orchestration SOAR enables. If tools from different vendors cannot be integrated efficiently through mechanisms such as application programming interfaces (APIs), the quality of the data and recommendations being shared suffers, and so does the ability to act quickly on accurate intelligence.
Steps to SOAR success
- An audit of existing security infrastructure should be a priority, covering defences that routinely span on- and off-premise systems hosted in public, private and hybrid clouds, as well as fixed and mobile devices in distributed branch-office environments.
- All systems should be assessed for SOAR readiness, and every opportunity to consolidate security systems and weed out extraneous security information that does not help with threat identification and remediation should be explored.
- Additional filters can then be applied to further reduce the background noise that distracts analysts from genuine danger.
- IT departments should specify key performance metrics that frame what they want to achieve, in particular dwell time and detection-to-containment time, so that threats are neutralized before they spread into other systems.
- Those KPIs should be aligned closely with in-house security analyst resources and skill sets, so that current staff have the tools and training needed to meet the targets.
- Organizations without in-house security analysts should consider outsourcing cybersecurity monitoring and management to managed security service providers (MSSPs) that use SOAR tools able to integrate with on-premise security systems to maximize threat detection and remediation.
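The steps above (integrating tools from different vendors, filtering noise, and measuring detection-to-containment time) are what a SOAR playbook actually does in code. The following is an added illustration, not code from the original article or from any SOAR product: two hypothetical tool schemas (an EDR and a next-generation firewall) are normalized through per-tool adapters, low-severity and allowlisted alerts are filtered out and duplicates collapsed, alerts from different tools on the same host are correlated into an incident, and the detection-to-containment KPI is computed from a recorded containment time. All event data, hostnames, hashes and thresholds are constructed for the example.

```python
"""Minimal SOAR-style triage pipeline: adapters, filters, correlation, KPIs (illustrative only)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Alert:
    source: str       # tool that produced the alert
    host: str
    indicator: str    # hash, IP, domain ... normalized across tools
    severity: int     # 1 (low) .. 4 (critical), normalized across tools
    seen: datetime


# --- adapters: one per tool, translating that tool's schema into Alert -------
EDR_LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed EDR vocabulary


def from_edr(ev: dict) -> Alert:
    """Hypothetical EDR format: ISO-8601 timestamp and a textual threat level."""
    return Alert("edr", ev["hostname"], ev["sha256"], EDR_LEVELS[ev["threat_level"]],
                 datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")))


def from_firewall(ev: dict) -> Alert:
    """Hypothetical firewall format: epoch seconds and a numeric severity."""
    return Alert("ngfw", ev["src_host"], ev["dest_ip"], int(ev["sev"]),
                 datetime.fromtimestamp(ev["time"], tz=timezone.utc))


# --- constructed sample input (not real telemetry) ---------------------------
EDR_EVENTS = [
    {"hostname": "ws-017", "sha256": "c0ffee01", "threat_level": "high", "ts": "2020-03-01T09:00:00Z"},
    {"hostname": "ws-017", "sha256": "c0ffee01", "threat_level": "high", "ts": "2020-03-01T09:00:05Z"},
    {"hostname": "srv-db1", "sha256": "deadbeef", "threat_level": "low", "ts": "2020-03-01T09:01:00Z"},
    {"hostname": "ws-022", "sha256": "upd4t3r1", "threat_level": "medium", "ts": "2020-03-01T09:02:00Z"},
]
FW_EVENTS = [
    {"src_host": "ws-017", "dest_ip": "203.0.113.10", "sev": 3, "time": 1583053320},  # 09:02:00Z
    {"src_host": "ws-022", "dest_ip": "198.51.100.7", "sev": 1, "time": 1583053380},  # 09:03:00Z
]

KNOWN_GOOD = {"upd4t3r1"}   # assumed allowlist, e.g. hash of the corporate patch agent
MIN_SEVERITY = 2


def triage(alerts, known_good=KNOWN_GOOD, min_severity=MIN_SEVERITY):
    """Filter: drop low-severity noise and allowlisted indicators, keep the earliest
    alert per (host, indicator) so repeated detections do not become repeated tickets."""
    kept = {}
    for a in sorted(alerts, key=lambda a: a.seen):
        if a.severity < min_severity or a.indicator in known_good:
            continue
        kept.setdefault((a.host, a.indicator), a)
    return list(kept.values())


def correlate(alerts, window=timedelta(minutes=5)):
    """Escalate a host to an incident when two different tools fire within `window`."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    incidents = {}
    for host, group in by_host.items():
        group.sort(key=lambda a: a.seen)
        sources = {a.source for a in group}
        if len(sources) > 1 and group[-1].seen - group[0].seen <= window:
            incidents[host] = {"first_detected": group[0].seen,
                               "sources": sorted(sources),
                               "max_severity": max(a.severity for a in group)}
    return incidents


def detection_to_containment(incidents, containment_times):
    """KPI: seconds from first detection to the recorded containment action, per host."""
    return {h: (containment_times[h] - inc["first_detected"]).total_seconds()
            for h, inc in incidents.items() if h in containment_times}


def run_demo():
    alerts = [from_edr(e) for e in EDR_EVENTS] + [from_firewall(e) for e in FW_EVENTS]
    kept = triage(alerts)
    incidents = correlate(kept)
    contained = {"ws-017": datetime(2020, 3, 1, 9, 10, tzinfo=timezone.utc)}  # constructed
    return kept, incidents, detection_to_containment(incidents, contained)


if __name__ == "__main__":
    kept, incidents, kpi = run_demo()
    print(f"{len(kept)} alerts survive triage; incidents: {incidents}; KPI (s): {kpi}")
```

On the sample input, six raw events collapse to two alerts (one duplicate, one low-severity EDR hit, one allowlisted hash and one low-severity firewall hit are dropped), both on `ws-017`, which the correlation step escalates to a single incident with a 600-second detection-to-containment time. The adapter layer is the part that depends on vendor APIs: if a tool cannot expose its alerts in a form that an adapter can normalize, it cannot take part in the correlation, which is the integration concern raised above.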
With so many different security tools and applications needed to protect large volumes of data, people and devices wherever they reside, the cascade of logs and alerts that analysts must wade through to find the priorities for their attention will only grow.
Equally, there is a real danger that the benefits of machine learning and artificial intelligence applied to cybersecurity automation and orchestration will be overstated, unless IT departments are realistic about what can be achieved and where their weaknesses lie.
It is important to remember that while greater orchestration and automation can shoulder some of the burden currently carried by security analysts, they cannot replace them completely. Well-educated, competent professionals will still be necessary, but their time is better spent if machines take on some of the legwork.