
How SOAR Helps Improve MTTD and MTTR Metrics


Security operations center (SOC) teams face a challenging task. With the constant emergence of new cyber threats, such as ransomware, distributed denial-of-service (DDoS) attacks, and phishing schemes, there is never a dull moment for these analysts. To help them manage the wide range of incident response alerts they receive, many SOC analysts are turning to security orchestration, automation, and response (SOAR) tools.

In his book “Security Orchestration, Automation, and Response for Security Analysts”, Microsoft Senior Product Manager Benjamin Kovacevic explores how organizations can leverage SOAR tools to improve their security posture. While the book primarily focuses on using Microsoft Sentinel as a SOAR tool, it also provides an introduction to Splunk and Google Chronicle SOAR. According to Kovacevic, while the tools may vary in terminology, they all function in a similar manner.

When asked about the adoption of SOAR by organizations of any size, Kovacevic believes that every organization, regardless of its size, can benefit from incident response automation. Large enterprise organizations, with their high volume of incidents and alerts, can leverage automation to focus on those that are worth investigating. Smaller organizations, with limited resources, can also benefit from automation, as it helps them perform their security functions more effectively and efficiently.

One of the main advantages of SOAR tools is their ability to alleviate alert fatigue for SOC teams. By automating certain incident response workflows, organizations no longer have to wait for a SOC analyst to detect an incident before taking action. Automation can kickstart the incident investigation process by gathering initial information, such as the IP address involved, thereby reducing the time it takes for a SOC analyst to respond. This automation saves time and allows analysts to focus on specific incidents rather than getting overwhelmed by a flood of alerts.

Kovacevic emphasizes that mean time to detect (MTTD) and mean time to respond (MTTR) are crucial metrics for evaluating the performance of SOC teams. These metrics give organizations tangible measurements of how long it takes the SOC to acknowledge and respond to a true positive alert. For example, in the case of a ransomware attack, a low MTTD indicates how quickly the security team can begin remediation efforts. MTTR, on the other hand, measures how long it takes to resolve an incident and move on to the next one. Together these metrics provide insight into the severity and complexity of the incidents the SOC faces.
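The two metrics described above, computed over a constructed set of incident records as an added example (this is not code from the book or from any SOAR product). It assumes each record carries the time the malicious activity began, the time the SOC acknowledged the alert, and the time the incident was closed; false positives are excluded from both metrics, still-open incidents are excluded from MTTR, and records with out-of-order timestamps are rejected rather than silently skewing the mean.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import List, Optional


@dataclass
class Incident:
    incident_id: str
    activity_start: datetime   # when the malicious activity began
    acknowledged: datetime     # when an analyst (or automation) picked up the alert
    resolved: Optional[datetime]  # None while the incident is still open
    true_positive: bool


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (not from the article): a tidy mix of closed true
# positives, one false positive and one incident still being worked.
INCIDENTS: List[Incident] = [
    Incident("INC-1", _ts("2024-03-01T09:00:00"), _ts("2024-03-01T09:20:00"), _ts("2024-03-01T11:20:00"), True),
    Incident("INC-2", _ts("2024-03-01T13:00:00"), _ts("2024-03-01T13:10:00"), _ts("2024-03-01T14:10:00"), True),
    Incident("INC-3", _ts("2024-03-02T08:00:00"), _ts("2024-03-02T08:05:00"), _ts("2024-03-02T08:35:00"), False),
    Incident("INC-4", _ts("2024-03-02T10:00:00"), _ts("2024-03-02T10:30:00"), None, True),
]


def _check_order(inc: Incident) -> None:
    """Reject records whose timestamps run backwards; they would corrupt the mean."""
    if inc.acknowledged < inc.activity_start:
        raise ValueError(f"{inc.incident_id}: acknowledged before activity started")
    if inc.resolved is not None and inc.resolved < inc.acknowledged:
        raise ValueError(f"{inc.incident_id}: resolved before acknowledged")


def mttd_minutes(incidents: List[Incident]) -> Optional[float]:
    """Mean time to detect: activity start -> acknowledgement, true positives only."""
    deltas = []
    for inc in incidents:
        _check_order(inc)
        if inc.true_positive:
            deltas.append((inc.acknowledged - inc.activity_start).total_seconds() / 60)
    return mean(deltas) if deltas else None


def mttr_minutes(incidents: List[Incident]) -> Optional[float]:
    """Mean time to respond: acknowledgement -> resolution, closed true positives only."""
    deltas = []
    for inc in incidents:
        _check_order(inc)
        if inc.true_positive and inc.resolved is not None:
            deltas.append((inc.resolved - inc.acknowledged).total_seconds() / 60)
    return mean(deltas) if deltas else None
```

Splitting the same records by whether a playbook performed the acknowledgement (a field this sample does not carry) is the natural next step for measuring what automation actually buys.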

SOAR tools play a significant role in reducing MTTD and MTTR metrics. Incident enrichment, provided by SOAR automation, equips SOC analysts with initial information, allowing them to quickly investigate and respond to the incident. Tools like Microsoft Sentinel’s SOAR enable analysts to access historical incident data, facilitating rapid replication of successful response strategies. Additionally, SOAR playbooks automate certain incident response steps, such as blocking malicious IP addresses or isolating infected machines. By leveraging SOAR, SOC teams can streamline their incident response workflows, ultimately reducing both MTTD and MTTR.

While SOAR tools offer numerous benefits, there is a concern about overreliance on automation. Kovacevic acknowledges that organizations may have varying comfort levels with automation. Some may fully embrace automation, leveraging AI and machine learning capabilities to expedite investigations. Others may be more hesitant due to concerns about the reliability and trustworthiness of AI. He emphasizes the importance of responsible automation usage and periodic evaluation of automation features to ensure their efficacy.

The combination of a security information and event management (SIEM) system with a SOAR tool is highly beneficial for SOC teams, particularly in terms of MTTD and MTTR metrics. The sheer volume of incidents and events occurring on a regular basis makes it difficult for human analysts to keep up without some form of automation. SIEM tools collect and analyze vast amounts of data generated by various machines and tools, while SOAR tools help SOC analysts better analyze and respond to incidents. The integration of SIEM and SOAR enhances the effectiveness and efficiency of SOC investigations and responses, and industry players are increasingly recognizing the importance of this integration.

In conclusion, SOAR tools offer valuable automation capabilities that help SOC teams manage the multitude of incident response alerts they receive. These tools reduce alert fatigue, improve MTTD and MTTR metrics, and enhance overall incident response efficiency. However, responsible usage of automation and the integration of SIEM and SOAR tools are essential for maximizing the effectiveness of SOC operations. As cyber threats continue to evolve, organizations of all sizes can benefit from adopting and deploying SOAR tools to strengthen their security posture.
