March 25, 2019 / by J Burks / In soar /

Threat intelligence and SOAR for SOC managers

As a SOC manager, you're responsible for keeping your security operations center running well, and in modern IT environments that is a tall order. There are tools that can help you cut false positive rates, shorten response times, and give your analysts the context they need to make the right decisions. Security orchestration, automation, and response (SOAR) may be just what you need.

The dangers of missed alerts

Today's SOCs deal with very high volumes of alerts. With a finite number of analysts and a finite amount of time to investigate them, it is easy for an important alert to go unnoticed for hours or days. By the time someone finally looks at it, the attacker may already have moved from the initial foothold to other systems. In high-volume SOCs, analysts also spend a non-negligible share of their time investigating false positives. Manually clearing those alerts distracts them from the genuinely important ones and from other SOC tasks that demand their attention.

If these issues sound familiar, a SOAR solution would likely help your SOC and your team of analysts. A SOAR platform enriches each alert as it arrives by querying threat intelligence providers for context on the indicators it contains (domains, IP addresses, file hashes, URLs), so analysts can see at a glance which alerts require immediate attention. This makes prioritizing and triaging alerts much simpler. You can also define sets of rules called playbooks that automatically begin investigating the most common alert types. Automating these investigative actions lets your analysts spend less time clearing up false positives and more time responding to real threats.

Measure response times in seconds, not hours

SOAR isn't limited to automating investigations: automated response features let your team take action against threats without an analyst having to intervene. Analysts write response playbooks, which work just like the investigative playbooks mentioned above. When a suspicious event matches a rule in one of these playbooks, the SOAR platform performs the actions the playbook specifies, such as isolating a host, blocking an indicator at the firewall, or disabling an account. This approach can render many common threats harmless in seconds, lowering your SOC's mean time to respond (MTTR) to levels you might previously have considered impossible. In practice, disruptive actions are usually gated on high-confidence intelligence or an analyst approval step, because a playbook that quarantines hosts on a false positive causes its own outage.

To better understand how this works, suppose a user on your network has unknowingly downloaded a malicious file from a domain you don't recognize. In a traditional environment, if your endpoint antivirus software sees nothing wrong with the file, nobody may ever notice that the download happened, even though the web proxy or DNS logs recorded it. With a properly configured SOAR solution, that proxy or EDR event becomes an alert, and the platform checks the download's source domain against threat intelligence feeds of domains known to be hosting malware. Having determined that the source is malicious with high confidence, the platform automatically quarantines the machine that downloaded the file and opens a case, so an analyst can investigate manually. All this happens in a few seconds, but it greatly reduces the pressure on your security team and spares your organization a time-consuming, costly cleanup. Note that SOAR does not create visibility on its own: the download must be logged by some sensor for the playbook to have anything to act on, and quarantine should be reserved for high-confidence indicators, since reputation feeds do flag shared hosting and CDN domains by mistake.
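The investigative and response playbooks described above, worked through as a small Python program. This is an added example, not code from the original post or from any SOAR vendor's product: the alert, the threat intelligence feed, the allowlist, the confidence thresholds and the `quarantine_host`/`open_ticket` action handlers are all constructed stand-ins for a SIEM alert, an intel provider and EDR/ticketing integrations. It goes slightly beyond the text by also handling the two outcomes a real playbook needs besides "quarantine": medium-confidence hits go to an analyst, and allowlisted or unknown domains are closed without touching the host.

```python
"""Minimal SOAR-style playbook: enrich a download alert with threat
intelligence, triage it, then run a response action.

Constructed example. THREAT_INTEL, ALLOWLIST and the action handlers
stand in for a real intel feed, a corporate allowlist and EDR/ticketing
API calls; none of them are a specific product's interface.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed threat-intel feed keyed by domain. "confidence" mimics the
# 0-100 score many providers attach to an indicator.
THREAT_INTEL = {
    "malware-cdn.example": {"confidence": 95, "category": "malware-hosting"},
    "shared-host.example": {"confidence": 40, "category": "suspicious"},
}

# Domains that must never trigger automated containment, whatever the
# feed says (e.g. the company's own update servers). Constructed.
ALLOWLIST = {"updates.corp.example"}

# Thresholds: quarantine only on high-confidence hits, hand medium
# confidence to an analyst, auto-close everything else.
QUARANTINE_THRESHOLD = 80
REVIEW_THRESHOLD = 30


@dataclass
class Alert:
    host: str        # endpoint that performed the download
    user: str
    url: str         # download URL as logged by proxy/EDR
    sha256: str
    priority: str = "low"
    intel: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)


def domain_of(url: str) -> str:
    """Normalised hostname from a URL (lowercase, no trailing dot)."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def candidate_domains(domain: str):
    """Yield the domain and each parent domain, so a feed entry for
    'malware-cdn.example' also matches 'dl.malware-cdn.example'."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def enrich(alert: Alert) -> Alert:
    """Investigative playbook: attach intel context and set priority."""
    domain = domain_of(alert.url)
    for cand in candidate_domains(domain):
        if cand in ALLOWLIST:
            alert.intel = {"domain": cand, "confidence": 0, "category": "allowlisted"}
            break
        if cand in THREAT_INTEL:
            alert.intel = {"domain": cand, **THREAT_INTEL[cand]}
            break
    else:
        alert.intel = {"domain": domain, "confidence": 0, "category": "unknown"}
    conf = alert.intel["confidence"]
    if conf >= QUARANTINE_THRESHOLD:
        alert.priority = "high"
    elif conf >= REVIEW_THRESHOLD:
        alert.priority = "medium"
    else:
        alert.priority = "low"
    return alert


def quarantine_host(host: str) -> str:
    """Stand-in for an EDR 'isolate host' call (constructed)."""
    return f"quarantined {host}"


def open_ticket(alert: Alert) -> str:
    """Stand-in for creating a case for analyst review (constructed)."""
    return f"ticket opened for {alert.host} ({alert.intel['domain']})"


def respond(alert: Alert) -> Alert:
    """Response playbook: contain on high confidence, otherwise escalate or close."""
    if alert.priority == "high":
        alert.actions.append(quarantine_host(alert.host))
        alert.actions.append(open_ticket(alert))  # an analyst still reviews it
    elif alert.priority == "medium":
        alert.actions.append(open_ticket(alert))
    else:
        alert.actions.append(f"closed: {alert.intel['category']}")
    return alert


def run_playbook(alert: Alert) -> Alert:
    """Enrichment followed by response, as one playbook run."""
    return respond(enrich(alert))


if __name__ == "__main__":
    # Constructed alert: a download logged by the proxy, AV saw nothing.
    a = run_playbook(Alert("ws-042", "jdoe",
                           "https://dl.malware-cdn.example/invoice.exe", "ab" * 32))
    print(a.priority, a.actions)
```

The parent-domain walk in `candidate_domains` is what makes a feed entry for a bare domain catch downloads from its subdomains; checking the allowlist before the feed is what keeps a mistaken feed entry for your own infrastructure from isolating every workstation that fetches an update.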

Work smarter, not harder

The benefits of implementing SOAR extend beyond investigation and response. You can also use a SOAR platform to apply external threat intelligence in other ways, such as pushing high-confidence indicators into firewall block lists (ideally with an expiry, so stale indicators do not linger) or pulling indicator context into an ongoing incident investigation. This saves the time that would otherwise be spent retrieving and entering this information by hand, and it ensures that everyone on your SOC team is working from the same context when making decisions.
