Understanding the Noise Using Security Orchestration, Automation and Response

Posted by Jit Mistry - 10th Jul 2018
Using Security Orchestration, Automation and Response (SOAR)

“Noise” is a prevalent term in the cyber security industry. Here at DFLabs, makers of a Security Orchestration, Automation and Response platform, we consistently receive feedback from vendor partners and clients that one of the major issues they face on a daily basis is sifting through the noise in order to recognise an actual critical problem and differentiate it from an alert that leads nowhere.

What is “noise”?

Noise is the vast amount of information produced by security products that has little or no meaning to the person receiving it. Typically, many products are not tuned or adapted to the environment they are deployed in and therefore present more information than is needed.

Noise is a problem for all of us in the cyber security industry, because these messages often carry meaning that is simply ignored or passed over in favour of higher priorities. Common causes include policies and procedures that are incorrectly defined or adapted, or a product that is not properly placed within the network topology.

No single security product can deal with every attack vector that organizations face today. What is more disturbing about this situation is that most of the tools and technologies within the security infrastructure do not talk to each other natively, yet all of them hold intelligence data that could be overlaid to enrich the work of security operations and incident response teams.

Understanding the Noise Using Security Orchestration, Automation and Response

Cyber incident investigative teams spend a vast number of hours carrying out simple administrative tasks that could easily be offloaded by introducing an effective security orchestration, automation and response (SOAR) solution. Given the sheer volume of alerts we see from SIEM products on a day-to-day basis, a SOAR tool can be used alongside the SIEM to execute most, if not all, of the human-to-machine actions through automated playbooks, following best practice for each type of incident and the company's own guidelines.

The biggest question is re-thinking what information is being presented and how we deal with it. There are several ways to manage this:

  • Fully automating the noise-worthy tasks.
    If these alerts are consistently coming into your Security Operations Center (SOC) and causing you to spend more time on administration than investigation, it may be prudent to schedule the tasks in this manner.
  • Semi-automating tasks can give your SOC teams more control over how to deal with large volumes.
    Automating 95% of each task and then having an analyst provide the final sign-off via a manual review can heavily reduce time if your organization is against fully automating the process.
  • Leverage all of your existing products to provide better insight into the incident.
    For example, use your existing Active Directory to lock out or suspend a user account if the user logs in outside of normal business hours. Additionally, it is possible to sandbox and snapshot that machine to understand what is happening. A key consideration here is not to disrupt work at every opportunity. It really is a balancing act; depending on a user's role, responsibilities and level of privilege, you may want to act faster for some users than for others.
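As an added example of how the three approaches above combine in a single playbook (this is illustrative code written for this page, not DFLabs or IncMan code), the Python below triages a handful of constructed authentication events: failed and in-hours logins are dropped as noise, a tuned allow-list covers a service account that legitimately runs at night, a domain-admin login after hours triggers the fully automated path through a caller-supplied account-disable hook, and every other after-hours login is enriched and queued for an analyst's final sign-off. The event format, the role table, the business-hours window and the `disable_account` hook are all assumptions made for the example.

```python
"""Added example, not DFLabs/IncMan code: a minimal SOAR-style triage playbook
for after-hours logins. Event format, role lookup, business-hours window and the
disable_account hook are assumptions made for this illustration."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List

# Constructed sample authentication events (not from any real system).
SAMPLE_EVENTS = [
    {"user": "jdoe",       "ts": "2018-07-10T14:05:00", "src": "10.0.4.12",    "result": "success"},
    {"user": "jdoe",       "ts": "2018-07-10T02:15:00", "src": "203.0.113.9",  "result": "success"},
    {"user": "svc_backup", "ts": "2018-07-10T03:00:00", "src": "10.0.9.3",     "result": "success"},
    {"user": "da_admin",   "ts": "2018-07-10T23:40:00", "src": "198.51.100.7", "result": "success"},
    {"user": "tlee",       "ts": "2018-07-10T22:10:00", "src": "10.0.4.77",    "result": "failure"},
]

# Assumed enrichment data an orchestration tool would pull from AD/HR.
USER_ROLES = {"jdoe": "staff", "svc_backup": "service", "da_admin": "domain_admin", "tlee": "staff"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed local-time working window
KNOWN_AFTER_HOURS = {"svc_backup"}            # tuning: accounts that legitimately run at night


@dataclass
class Decision:
    user: str
    verdict: str   # "ignore" | "auto_disable" | "queue_for_analyst"
    reason: str


def outside_business_hours(ts: str) -> bool:
    """True when the ISO timestamp falls outside the configured window."""
    t = datetime.fromisoformat(ts).time()
    start, end = BUSINESS_HOURS
    return not (start <= t < end)


def triage(event: dict, disable_account: Callable[[str], bool]) -> Decision:
    """Apply the playbook to one event.

    disable_account is the hook that would call the directory (e.g. an AD
    disable); it returns True on success. It is injected so the playbook can be
    run and tested without touching a real directory.
    """
    user = event["user"]
    # Noise: failed logins are already handled by the lockout policy.
    if event["result"] != "success":
        return Decision(user, "ignore", "failed login; covered by lockout policy")
    # Noise: nothing unusual about a login during the working day.
    if not outside_business_hours(event["ts"]):
        return Decision(user, "ignore", "login within business hours")
    # Tuning: known after-hours activity should not page anyone.
    if user in KNOWN_AFTER_HOURS:
        return Decision(user, "ignore", "expected after-hours account")
    role = USER_ROLES.get(user, "unknown")
    if role == "domain_admin":
        # Fully automated path: the privilege justifies acting first and
        # reviewing afterwards. If the action fails, fall back to a human.
        if disable_account(user):
            return Decision(user, "auto_disable", f"domain admin login after hours from {event['src']}")
        return Decision(user, "queue_for_analyst", "auto-disable failed; needs manual action")
    # Semi-automated path: enrichment is done, the analyst gives the final sign-off.
    return Decision(user, "queue_for_analyst", f"after-hours login from {event['src']} (role: {role})")


def run_playbook(events: List[dict], disable_account: Callable[[str], bool]) -> List[Decision]:
    """Run triage over a batch of events, preserving order."""
    return [triage(e, disable_account) for e in events]


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    """Count verdicts so the noise reduction is visible at a glance."""
    counts: Dict[str, int] = {}
    for d in decisions:
        counts[d.verdict] = counts.get(d.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    def fake_disable(user: str) -> bool:
        print(f"[hook] would disable {user} in the directory")
        return True

    decisions = run_playbook(SAMPLE_EVENTS, fake_disable)
    for d in decisions:
        print(f"{d.user:<11} {d.verdict:<18} {d.reason}")
    print(summarize(decisions))
```

On the five constructed events the playbook leaves one item in the analyst queue and one automated action; the other three never reach a human. The order of the checks is the tuning the article asks for: the allow-list and the business-hours window are what turn a noisy "login outside hours" rule into one worth acting on, and the privilege check is where the balancing act between disruption and speed is encoded.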

During the second half of 2018, the readiness and capability to respond to a variety of cyber incidents will continue to be at the top of every C-level agenda. By leveraging the security orchestration, automation and response capabilities offered by DFLabs' IncMan SOAR platform, stakeholders gain 360-degree visibility during each stage of the incident response lifecycle. This not only provides consistency across investigations for personnel but also encourages the implementation of Supervised Active Intelligence across the entire incident response spectrum.

At DFLabs we demonstrate our ability to reduce investigation time and incident dwell time, all while increasing incident handling consistency and reducing liability. Arming your SOC teams with information before they start an incident investigation helps them focus purely on the incidents that need attention rather than on the noise.

Please contact us to discuss how we can work together to grow your incident response capabilities or schedule a demonstration of how we can utilize what you already have and make it more effective and efficient.