The Road to SOC Excellence Using SOAR

Back to all articles

SOC excellence

It’s that time of year again. The SANS SOC Survey for 2019 has just been released and the results are in, showing that the state of our Security Operations Centers (SOCs) is on an upswing. Even if it is not a tremendous spike in progress, the fact that we have improved in almost all categories is, in my opinion, a true sign of SOC-cess. Organizations are still reporting the same weaknesses as last year and the years before, but unlike previously where the numbers appeared stagnant, this year we are starting to see a change in direction and in the confidence of respondents as true improvements occur. However, this does not mean our work is done, or that we can take a well-deserved break. We must stay vigilant and grow from the lessons learned over the previous year in order to become even more successful.

In this multi-part blog post we will be discussing some of the areas that SOCs can engage in for further improvement, and how implementing a Security Orchestration, Automation and Response (SOAR) platform can help security operations centers to continue this positive trajectory, achieving SOC excellence.

Although our problems and shortcomings have not been completely eradicated, the slow but steady progress is a positive take-away that we can use to continue to improve our operations. Staff shortages, inability to effectively utilize automation and orchestration to assist staff, tool integration concerns, and the lack of a management buy-in, are just some of the adversaries we continue to battle within. It is no surprise that these issues continue to be of top concern to our security operations centers, as they are all tightly correlated together in a cascading effect of failures. If one issue is unresolved, all of the other issues will be affected. But, one of these shortcomings can greatly impact them all more so than any other - automation and orchestration.

Automation and Orchestration

Some may argue that management buy-in would be the most vital concern that a security operations center must consider in order to try and turn all the others around. And yes, management buy-in is extremely important, but if we’re not presenting our management team with the correct data they need to make critical business decisions, then our projects and overall needs are dead in the water. Nevertheless, if we begin to correctly utilize automation and orchestration technologies, especially SOAR technologies, we can begin to experience the trickle-down effect of successes that automation and orchestration can provide.

However, buyer beware, not all automation and orchestration technologies are created equal. A growing number of security vendors are now advertising automation and orchestration capabilities as being built into their product lines, and while that is a great functionality and truly the future of cyber security, it may leave you high and dry when it comes to operationalizing it across your full security tool stack. That’s where a true SOAR solution comes into play. SOAR takes the best of automation and orchestration technologies and combines it with the ability to extend those capabilities across all tools and technologies into a seamless response effort. This ability to aid in the response effort is where organizations can begin to see how automation will benefit their current staff, but as with all things security, there is some effort that must be put in before this benefit can be fully realized.

Incident Handling

Think about automation as it pertains to networking. One of the cardinal rules to network automation is “junk in, junk out” and this rule still applies when considering automation in a security setting. A security operations center that is fairly immature might not have strong processes and procedures in place for event handling and would most likely not want an automated process or technology to take containment actions on activity, or close out events that had not been fully identified or categorized. If this were to happen, the probability of expected activity being suppressed and malicious activity being allowed to continue into an environment unchecked is extremely high.

For this reason, some of the more desired features of automation and orchestration technologies may seem just out of reach for certain organizations, but that does not mean it has to stay that way. Regardless of the level of SOC maturity, SOAR can help. Organizations who are in the early stages of building out their security program can utilize a SOAR platform to help in many ways, for example, aiding them in identifying and categorizing security events. With the use of SOAR, organizations can begin to build processes and procedures by systematically working through their event types one by one.

By building SOAR runbooks or playbooks around identifying problematic false positive alerts, organizations can perform tabletop walk through exercises of basic events to help build their processes and procedures for event handling. By perfecting this process, not only can SOC staff successfully tune out any noise and focus on true security events, they can begin to take full advantage of all that SOAR has to offer. Once these events are exposed and incident handling procedures are developed, containment and suppression activities can begin to be built out and SOC staff can begin to focus on more pressing matters to help continue to accelerate their organization’s security practice.

Knowledge Management

Knowledge management is another piece of the operational puzzle that will help drive growth in all other areas that our security operations centers face. Often times as skilled staff is either promoted or move on to other opportunities, the tribal knowledge they have accumulated over their tenure goes with them. This leaves organizations in a constant battle against time to spin up new employees or prepare junior level staff to step into the shoes of their superiors.

To make matters worse, in many cases, incident documentation is spread throughout the organization in numerous areas such as within disperse tools and individual event records, making the training process even more difficult. This common scenario is just one of many which SOAR platforms were developed for. The “R” in SOAR represents the Response capabilities they provide, of which knowledge management is natively built in.

From capturing investigative processes through automated runbooks and playbooks, to gathering incident data and investigative notes and documenting the findings within the platform’s case management functionality, SOAR provides the framework necessary to support the complete knowledge management process. By providing this framework and making it part of the investigative process, security teams no longer need to work from multiple platforms to ensure all aspects of a case have been handled and documented.

With the help of a security orchestration automation and response platform, organizations can continue to move their security program in a positive direction by providing the assistance their staff needs to stay ahead of their adversaries. By aiding in the incident handling process and establishing a knowledge management program, security teams can then begin to focus on the additional challenges which continue to affect day to day operations.

In our next blog we will expand on these topics further by discussing how SOAR can assist organizations with integrating their security and networking tools, as well as how they can gain management buy-in to move their security programs closer to the finish line. In the meantime, if you would like to have a 30 minute discussion with one of our SOAR experts to learn more, reach out to us today. Stay tuned.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo