Security analysts today spend the majority of their time on the mundane, repetitive and administrative tasks associated with incident response, rather than using their valuable time to proactively investigate and hunt threats in order to stay one step ahead of the increasing number of cyber threats they face. On a daily basis, security teams are bombarded with a plethora of security alerts, most commonly from their security information and event management (SIEM) solution, combined with log and event data from a number of other platforms and sources within their infrastructure.
A SIEM tool pulls event and log data from a wide range of internal sources, sometimes from 15 or more different third-party tools, to provide a complete, all-around picture of an organization’s current security posture and ongoing threats. The SIEM mainly acts as a security monitoring system, correlating relevant data from multiple sources and generating alerts when the events appear to be worthy of further investigation. At a basic level, SIEM implementations can be rule-based or can employ a statistical correlation engine to establish relationships between event log entries, while advanced SIEMs can be used for user and entity behavior analytics (UEBA) and some orchestration and automation processes.
Is there such a thing as too much information?
The main advantage of implementing a formal and automated SIEM process is increased overall visibility of the IT network and security infrastructure. However, this enhanced visibility often leads to large volumes of alerts being generated, which then need to be investigated manually by security analysts. Quite often a number of them also turn out to be false positives after further investigation, wasting a considerable amount of time. In other cases, far too many alerts are generated for the workforce to even begin to consider investigating them all. As a consequence, only the higher-level alerts are prioritized, increasing the risk to the organization because some of the lower-level alerts are disregarded.
A more effective and efficient solution
Rather than leaving the organization vulnerable to the risks of ignored alerts, a better solution is to complement the SIEM with security orchestration, automation, and response (SOAR) technology. Gartner created the term SOAR to describe an approach to security operations and incident response that aims to improve security operations’ efficiency, efficacy, and consistency. SOAR allows organizations to collect security data and alert information from a number of different sources, including a SIEM, and then to perform incident analysis and triage using a combination of human and machine power. This helps to formalize the response handling procedure, defining and deploying effective, repeatable incident response processes and workflows.
Acting as a force multiplier, SOAR allows security teams to do more with fewer resources. It provides capabilities to automate, orchestrate and measure the full incident response lifecycle, including detection, security incident qualification, triage and escalation, enrichment, containment, and remediation. The overall goal of an organization utilizing a SOAR solution is to reduce the mean time to detect (MTTD) as well as the mean time to respond (MTTR) to an incident. This, in turn, minimizes the risk resulting from the growing number of cyber threats and security incidents, helps the organization achieve legal and regulatory compliance, and ultimately increases the return on investment for existing security infrastructure technologies.
Action alerts immediately and automatically
A SIEM solution ingests and processes large volumes of security events from various sources, then collates and analyzes the information to identify issues, which subsequently triggers the creation of the initial security alert. This functionality is often limited to unidirectional communication with the data collection sources and, in most cases, SIEM implementations do not carry out actions beyond the initial alert generation. This is where SOAR can add significant value: taking the SIEM-generated alert and orchestrating and automating the response, using multiple security and IT tools from different vendors to remediate the threat.
Once a SIEM alert is generated, an incident is triggered within the connected SOAR solution. Combining machine automation with human interaction where needed, a number of enrichment and response actions are carried out following a specific set of playbooks and runbooks for each incident type. A set of activities based on previously defined incident workflows and results, combined with machine learning, is used to automate and guide the entire response process from start to finish.
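To make the alert-to-incident flow concrete, here is a minimal playbook runner written for this article as an added example; it is not DFLabs code or any vendor's API. The SIEM alerts, the threat-intel tables used for enrichment, the severity scale and the playbook steps are all constructed for the illustration. The point it shows is the split between what runs automatically (enrichment, scoring, notification) and what is gated behind an analyst (containment actions that change production state) depending on the severity the enrichment produced.

```python
from dataclasses import dataclass, field

# Constructed SIEM alerts, normalized the way a SOAR connector might hand them over.
SIEM_ALERTS = [
    {"id": "A-1", "type": "brute_force", "user": "jsmith", "src_ip": "203.0.113.9"},
    {"id": "A-2", "type": "malware", "host": "ws-17", "sha256": "EXAMPLEHASH"},
    {"id": "A-3", "type": "brute_force", "user": "akim", "src_ip": "198.51.100.4"},
    {"id": "A-4", "type": "dlp_policy", "user": "rlee"},
]

# Constructed threat-intel tables standing in for enrichment integrations.
INTEL_IP = {"203.0.113.9": {"reputation": "malicious", "tags": ["credential-stuffing"]}}
INTEL_HASH = {"EXAMPLEHASH": {"reputation": "malicious", "family": "generic-trojan"}}

SEVERITIES = ["low", "medium", "high", "critical"]
BASE_SEVERITY = {"brute_force": "medium", "malware": "high"}  # anything else starts "low"


@dataclass
class Incident:
    alert: dict
    playbook: str
    enrichment: dict = field(default_factory=dict)
    severity: str = "low"
    automated_actions: list = field(default_factory=list)  # executed without a human
    pending_approval: list = field(default_factory=list)   # waiting for an analyst


# --- playbook steps: each receives the incident and mutates it ---

def enrich_ip(inc):
    inc.enrichment["src_ip"] = INTEL_IP.get(inc.alert.get("src_ip"), {"reputation": "unknown"})


def enrich_hash(inc):
    inc.enrichment["sha256"] = INTEL_HASH.get(inc.alert.get("sha256"), {"reputation": "unknown"})


def score(inc):
    """Start from the alert type's base severity; bump one level on a malicious verdict."""
    level = SEVERITIES.index(BASE_SEVERITY.get(inc.alert["type"], "low"))
    if any(e.get("reputation") == "malicious" for e in inc.enrichment.values()):
        level = min(level + 1, len(SEVERITIES) - 1)
    inc.severity = SEVERITIES[level]


def notify_soc(inc):
    inc.automated_actions.append(f"notify_soc:{inc.alert['id']}")


def gated(action, target_field):
    """Containment changes production state, so it runs automatically only at
    high/critical severity; below that it is queued for analyst approval."""
    def step(inc):
        entry = f"{action}:{inc.alert.get(target_field)}"
        if SEVERITIES.index(inc.severity) >= SEVERITIES.index("high"):
            inc.automated_actions.append(entry)
        else:
            inc.pending_approval.append(entry)
    return step


PLAYBOOKS = {
    "brute_force": [enrich_ip, score, notify_soc, gated("block_ip", "src_ip")],
    "malware": [enrich_hash, score, notify_soc, gated("isolate_host", "host")],
}
MANUAL_TRIAGE = [score, notify_soc]  # alert types with no playbook still become an incident


def run_playbooks(alerts):
    incidents = []
    for alert in alerts:
        name = alert["type"] if alert["type"] in PLAYBOOKS else "manual_triage"
        inc = Incident(alert=alert, playbook=name)
        for step in PLAYBOOKS.get(name, MANUAL_TRIAGE):
            step(inc)
        incidents.append(inc)
    return incidents


def summarize(incidents):
    counts = {s: 0 for s in SEVERITIES}
    for inc in incidents:
        counts[inc.severity] += 1
    return {"by_severity": counts,
            "awaiting_approval": sum(len(i.pending_approval) for i in incidents)}


if __name__ == "__main__":
    incidents = run_playbooks(SIEM_ALERTS)
    for inc in incidents:
        print(inc.alert["id"], inc.playbook, inc.severity, inc.automated_actions, inc.pending_approval)
    print(summarize(incidents))
```

Running it, the brute-force alert from a known-malicious source is contained automatically, the one from an unknown source is enriched and scored but waits for an analyst before the block is applied, and the alert type with no playbook still lands in a manual-triage queue rather than being dropped.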
Get more from the people you have
Integrating SIEM and SOAR combines the power of each to create a more robust, efficient and responsive security program, ensuring no alerts go untouched. It accelerates incident detection and response actions from minutes to seconds, ultimately enabling security teams to maximize analyst efficiency, minimize incident resolution time and avoid the alert fatigue that negatively impacts so many of today’s security teams. It also enables organizations to automate most of the low-level work usually performed by security analysts, allowing them to do what they do best, which is challenging and rewarding, while SOAR technology does the rest.
Last week, Anton Chuvakin from Gartner announced that he and Augusto Barros are planning to conduct research in Q4 2017 on the topic of Security Orchestration, Automation and Response (SOAR), or Security Automation and Orchestration (SAO), depending on which analyst firm’s market designation you follow. At DFLabs we are very excited that Gartner is finally showing our market space some love and will be helping end users to better assess and differentiate SAO offerings.
Anton provided many questions that he wanted SAO vendors to prepare for. The questions immediately piqued our interest, with one question in particular standing out to us:
1. When is SOAR a MUST have technology? What has to be true about the organization to truly require SOAR? Why did your best customer acquire the tools?
Anton also said that he had one main problem with Security Automation and Orchestration. In his own words, “For now, my main problem with SOAR (however you call those security orchestration and automation tools…if you say SOAPA or SAO we won’t hate you much) is that I have never (NEVER!) met anybody who thought ‘my SOAR is a MUST HAVE.’”
The question is not entirely unwarranted. During my own time at Gartner covering the SOAR space, I spoke to many clients who were seeking an SAO solution without knowing that they were. Typical comments were, “I have too many alerts and false positives to be able to deal with them all”, or “We are struggling to hire enough skilled people to be able to respond to all of the incidents that we have to manage”. Another common comment was, “I am struggling to report operational performance to my executives”. Often, these comments were followed by the question, “Do you know of any technology that can help?”.
Typically, these organizations had a mature security monitoring program, usually built around a SIEM. They often had critical drivers, such as regulatory requirements, or held sensitive customer data. We hear the same buying drivers from our own customer base.
To sum up the most common drivers for someone asking about Security Automation and Orchestration:
- A high volume of alerts and incidents and the challenge in managing them
- A large portfolio of diverse 3rd party security detection products resulting in a large volume of alerts
- Regulatory mandates for incident response and breach notification
- An overstretched security operations team
- Reporting risk and the operational performance of the CSIRT and SOC to an executive audience
One interesting thing is that when there is no external driver like regulatory compliance, the decision to deploy a Security Automation and Orchestration solution is often determined by maturity. Most organizations don’t realize that they will be unable to cope with the volume of alerts and the resulting alert fatigue until they have deployed a SIEM and a full advanced threat detection architecture.
The common misconception is that the SIEM can help to reduce the number of incoming alerts by applying correlation rules. This is not entirely untrue, but correlation rules will only reduce a small percentage. They are essentially signature-based: you need to know in advance what you want to correlate, and writing a correlation rule to cover every incoming alert is not a trivial task. Even with correlation rules, additional work is required to qualify an incident. Gathering additional IoCs, incident observables and context is still a very manual process. Lastly, detection is only one part of the entire incident response process – notifying stakeholders, gathering forensic evidence and threat containment will also have to be done manually. These are the areas where SAO solutions provide the greatest ROI – as a force multiplier.
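The following added example, not part of the original post or any SIEM product, shows why a correlation rule only trims the part of the alert stream it was written for. It parses a handful of constructed syslog-style lines, applies one threshold rule (five authentication failures from the same user and source inside 60 seconds), and counts what comes out: events the rule collapses into a single alert, events the rule holds back because the threshold was not reached, and the long tail that no rule covers and therefore still reaches an analyst one event at a time. The log lines, the rule and the noise list are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style events; not captured from any real system.
LOG_LINES = """
2017-08-28T09:00:01 sshd auth_failure user=jsmith src=203.0.113.9
2017-08-28T09:00:03 sshd auth_failure user=jsmith src=203.0.113.9
2017-08-28T09:00:05 sshd auth_failure user=jsmith src=203.0.113.9
2017-08-28T09:00:07 sshd auth_failure user=jsmith src=203.0.113.9
2017-08-28T09:00:09 sshd auth_failure user=jsmith src=203.0.113.9
2017-08-28T09:00:12 sshd auth_success user=jsmith src=203.0.113.9
2017-08-28T09:01:00 fw deny src=198.51.100.4 dst=10.0.0.5 dport=445
2017-08-28T09:01:02 fw deny src=198.51.100.4 dst=10.0.0.6 dport=445
2017-08-28T09:02:00 av detection host=ws-17 sha256=EXAMPLEHASH
2017-08-28T09:15:00 sshd auth_failure user=akim src=198.51.100.7
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<kv>.*)$")

# Event types that are logged but never worth an alert on their own (constructed).
NOISE_EVENTS = {"auth_success"}

# One signature-style correlation rule: it only knows about the pattern it was written for.
RULES = [
    {
        "name": "ssh_brute_force",
        "match": lambda ev: ev["source"] == "sshd" and ev["event"] == "auth_failure",
        "group_by": ("user", "src"),
        "threshold": 5,
        "window": timedelta(seconds=60),
    },
]


def parse(line):
    """Turn one log line into a dict of fields; returns None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"], "event": m["event"]}
    for key, value in re.findall(r"(\w+)=(\S+)", m["kv"]):
        ev[key] = value
    return ev


def correlate(lines, rules=RULES):
    """Sliding-window threshold correlation.

    Events matched by a rule are held in a per-key window and only surface as one
    alert when the threshold is met; events no rule matches become raw alerts
    unless they are on the noise list. Returns (alerts, stats).
    """
    buckets = defaultdict(list)
    alerts = []
    stats = {"events": 0, "correlated": 0, "raw": 0, "suppressed": 0, "noise": 0}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        stats["events"] += 1
        rule = next((r for r in rules if r["match"](ev)), None)
        if rule is None:
            if ev["event"] in NOISE_EVENTS:
                stats["noise"] += 1
            else:
                alerts.append({"rule": None, "event": ev})  # the uncorrelated long tail
                stats["raw"] += 1
            continue
        key = (rule["name"],) + tuple(ev.get(f) for f in rule["group_by"])
        window = buckets[key]
        window.append(ev["ts"])
        window[:] = [t for t in window if ev["ts"] - t <= rule["window"]]
        if len(window) >= rule["threshold"]:
            alerts.append({"rule": rule["name"], "key": key[1:], "count": len(window),
                           "first": window[0], "last": ev["ts"]})
            stats["correlated"] += 1
            window.clear()
        else:
            stats["suppressed"] += 1  # below threshold: no alert, but nothing qualified either
    return alerts, stats


if __name__ == "__main__":
    alerts, stats = correlate(LOG_LINES)
    print(stats)
    for a in alerts:
        print(a)
```

Ten events go in and four alerts come out, but only one of those four is the product of correlation; the firewall denies and the AV detection still arrive one by one, and the single failed login that did not reach the threshold is neither alerted on nor enriched. Qualifying any of the four (looking up the source address, pulling the host's process list, deciding whom to notify) is the work the rule leaves untouched.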
Alert fatigue is the desensitization that sets in when you are overwhelmed with too much information. The constant repetition and sheer volume of redundant information are painful and arduous, but sadly this often constitutes the daily reality for many people working in cyber security. Mike Fowler (DFLabs’ VP of Professional Services) discusses several best practices to help with some of the challenges involved in his recent whitepaper “DFLabs as a Force Multiplier in Incident Response”. I am going to discuss another one, but looking at it from a slightly different angle.
Imagine a scenario where we have tens of thousands of alerts. Visualize these as jigsaw pieces with a multitude of different shapes, sizes and colors, and the additional dimension of different states. We have alerts from a firewall, anomalies from behavioral analytics, authentication attempts, data source retrieval attempts and policy violations. Now, there are a lot of ways to sift through this information, for example by using a SIEM to correlate the data and reduce some of the alerts. The SIEM could identify and cross-reference the colors and shapes of the jigsaw pieces, so to speak.
The next question, once I’ve got all the pieces I need for the puzzle, is how do I put them together? How do I complete the puzzle and unlock the picture?
The “what does the jigsaw picture show?” question is something that will often puzzle the responders, pun intended. How do you prioritize and escalate incidents to the correct stakeholders? How do you apply the correct playbook for a specific scenario? How do you know which pieces of information to analyze to fit the jigsaw pieces together and make sure the puzzle looks correct?
Automation can speed up putting that puzzle together, but making sure you automate the right things is just as critical. If skilled staff are running search queries that are menial, repetitive and require little cognitive skill to execute, you should ask yourself why they are performing these rather than focusing on analyzing the puzzle pieces to figure out how they fit together.
Remove the menial tasks. Allow automation to do the heavy lifting so your teams are not only empowered with the right information they need to successfully manage the response to an incident, but also given more time to figure out the why, how and what of the threat.
We also welcome you to join us for a webinar hosted by Mike Fowler on this topic on the 6th of September.