Understanding the Noise Using Security Orchestration, Automation and Response | DFLabs


“Noise” is a prevalent term in the cyber security industry. Here at DFLabs, the company behind the IncMan Security Orchestration, Automation and Response platform, we consistently receive feedback from vendor partners and clients that one of the major issues they face on a daily basis is the ability to sift through the noise in order to differentiate a genuinely critical problem from an alert that does not warrant their attention.

What is "noise"?

Noise is the large volume of information emitted by security products that has little or no meaning to the person receiving it. Typically, products are not tuned or adapted to the environment they monitor and therefore present more information than is needed or required.

Noise is a problem for all of us in the cyber security industry, because messages that do carry meaning are, on many occasions, simply ignored or passed over in favour of higher priorities. Common causes include policies and procedures that are incorrectly defined or adapted, or a product that is not properly aligned with the network topology it is meant to monitor.

There is no single security product that can deal with every attack vector organizations experience today. What is more troubling about this paradigm is that most of the tools and technologies within the security infrastructure do not talk to each other natively, yet all of them hold intelligence that could be overlaid and correlated to enrich the work of security operations and incident response teams.

Understanding the Noise Using Security Orchestration, Automation and Response

Cyber incident investigative teams spend a vast number of hours carrying out simple administrative tasks that could easily be relieved by introducing an effective security orchestration, automation and response (SOAR) solution. Given the sheer volume of alerts we see from SIEM products on a day-to-day basis, a SOAR tool can be used alongside the SIEM to execute most, if not all, of the human-to-machine actions, following best practice per incident type and company guidelines, all through automated playbooks.

The biggest question is re-thinking what information is being presented and how we deal with it. There are several ways to manage this:

  • Fully automate the noise-generating tasks.
    If these tasks are consistently arriving in your Security Operations Center (SOC) and causing you to spend more time on administration than on investigation, it may be prudent to hand them to a scheduled, fully automated playbook.
  • Semi-automate tasks to give your SOC teams more control over how to deal with large volumes.
    Automating 95% of each task and then having an analyst provide the final sign-off after a manual review can still heavily reduce handling time if your organization is against fully automating the process.
  • Leverage all of your existing products to provide better insight into the incident.
    For example, use your existing Active Directory to lock out or suspend a user account when it logs in outside normal business hours. Additionally, it is possible to isolate and snapshot that machine to understand what is happening. A key consideration here is to avoid disrupting work at every opportunity: it really is a balancing act. Depending on a user's privileges, role and responsibilities, however, you may want to act faster for some accounts than for others.
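The three approaches above (full automation, semi-automation with analyst sign-off, and a role-dependent off-hours login response) can be combined in a single playbook. The following is an added illustration written for this article, not code from IncMan SOAR or any DFLabs product. It assumes a constructed set of SIEM-style login lines, a hard-coded role table standing in for an Active Directory lookup, business hours of 08:00 to 18:00 Monday to Friday in local time, and hypothetical connector names such as `ad.disable_account` and `edr.isolate_host` that merely label the steps a real integration would perform. Privileged accounts are actioned automatically, standard accounts are queued for an analyst to approve, known service accounts are exempt, and a repeat login by the same user within 30 minutes is suppressed so the playbook does not disrupt work at every opportunity.

```python
"""Off-hours login triage playbook (constructed example, not vendor code)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List

# Constructed sample events in the shape of a SIEM export (not real data).
# 2018-09-03 is a Monday.
SAMPLE_EVENTS = [
    "2018-09-03T02:14:07 user=j.doe host=WS-1187 src=10.20.4.17 result=success",
    "2018-09-03T02:16:22 user=j.doe host=WS-1187 src=10.20.4.17 result=success",
    "2018-09-03T03:41:55 user=svc_backup host=SRV-DB01 src=10.20.9.2 result=success",
    "2018-09-03T09:30:11 user=a.smith host=WS-0042 src=10.20.4.8 result=success",
    "2018-09-03T23:05:40 user=admin.kr host=DC01 src=10.20.1.5 result=success",
    "2018-09-03T23:20:01 user=m.jones host=WS-0301 src=10.20.4.99 result=failure",
]

# Hypothetical role attributes; a real playbook would query Active Directory.
USER_ROLES = {
    "j.doe": "standard",
    "a.smith": "standard",
    "m.jones": "standard",
    "admin.kr": "privileged",
    "svc_backup": "service",  # scheduled jobs legitimately run at night
}

BUSINESS_START = time(8, 0)   # assumed local business hours
BUSINESS_END = time(18, 0)
DEDUP_WINDOW = timedelta(minutes=30)  # suppress repeat alerts for one user


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    src: str
    result: str


@dataclass
class Action:
    user: str
    host: str
    steps: List[str]          # hypothetical connector names, in execution order
    requires_approval: bool   # True = semi-automated, analyst signs off first


def parse_event(line: str) -> Event:
    """Parse one 'timestamp key=value ...' log line into an Event."""
    ts_str, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_str), kv["user"], kv["host"],
                 kv["src"], kv["result"])


def is_off_hours(ts: datetime) -> bool:
    """True at weekends or outside BUSINESS_START..BUSINESS_END on weekdays."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def triage(lines: List[str]) -> List[Action]:
    """Run the off-hours login playbook and return the actions to execute."""
    last_seen: Dict[str, datetime] = {}
    actions: List[Action] = []
    for line in lines:
        ev = parse_event(line)
        if ev.result != "success" or not is_off_hours(ev.ts):
            continue  # failures belong to another playbook; in-hours is normal
        role = USER_ROLES.get(ev.user, "standard")  # unknown users treated as standard
        if role == "service":
            continue  # documented exemption: scheduled jobs
        prev = last_seen.get(ev.user)
        last_seen[ev.user] = ev.ts
        if prev is not None and ev.ts - prev < DEDUP_WINDOW:
            continue  # same user re-authenticating: suppress the duplicate
        if role == "privileged":
            # Act fast on privileged accounts: fully automated containment.
            actions.append(Action(ev.user, ev.host,
                                  ["ad.disable_account", "edr.isolate_host",
                                   "vm.snapshot"], requires_approval=False))
        else:
            # Standard accounts: preserve evidence, let an analyst decide on lockout.
            actions.append(Action(ev.user, ev.host,
                                  ["ticket.open", "edr.snapshot_host"],
                                  requires_approval=True))
    return actions


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        mode = "needs analyst approval" if a.requires_approval else "auto"
        print(f"{a.user}@{a.host}: {', '.join(a.steps)} ({mode})")
```

Running it over the constructed lines yields two actions: the first j.doe login is queued for analyst approval (its repeat two minutes later is suppressed), the svc_backup and in-hours a.smith logins are ignored, the failed m.jones login is left to a different playbook, and admin.kr is contained automatically because of the account's privilege. The thresholds and the role table are the parts a SOC would tune to its own environment.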

During the second half of 2018, the readiness and capability to respond to a variety of cyber incidents will continue to be at the top of every C-level agenda. By leveraging the security orchestration, automation and response capabilities offered by DFLabs’ IncMan SOAR platform, stakeholders gain 360-degree visibility during each stage of the incident response lifecycle. This provides not only consistency across investigations for personnel but also encourages the implementation of Supervised Active Intelligence across the entire incident response spectrum.

At DFLabs we showcase our capacity to reduce the investigative time and incident dwell time, all while increasing incident handling consistency and reducing liability. Arming your SOC teams with information prior to the start of their incident investigation will help to drive focus purely on the incidents that need attention rather than the noise.

Please contact us to discuss how we can work together to grow your incident response capabilities or schedule a demonstration of how we can utilize what you already have and make it more effective and efficient.
