As data and our digital lives continue to grow and connect, the internet expands and multi-cloud environments extend, with increasingly blurred network perimeters. The consequence is that businesses have more data to manage and face an increased potential for cyber-attacks, which need to be detected and analysed.
A fundamental prerequisite for any competent business is effective security monitoring. However, to address this and keep pace with the continued rise in cyber-attacks, organisations must continue to innovate. One approach is to use Security Orchestration, Automation, and Response (SOAR) to improve security monitoring and incident response.
SOAR helps security teams reduce the ‘noise’ of low-priority alerts and false positives, shortening the response time to genuine incidents and supplying the necessary context. This allows security teams to deliver a faster, more effective and better-enriched response to incidents.
Maturity levels, tooling, business processes, and the experience and retention of staff are all factors in determining how well an organisation’s security is managed. One primary benefit of implementing SOAR is the automation of first- and second-line tasks, freeing technical resources for more demanding analytical work. SOAR also offers supplementary benefits for staff retention, as staff are less focused on mundane, onerous tasks. For enterprise start-ups this is critical, as building a team and retaining it in the first couple of years is a key objective toward growing the business.
What is SOAR?
SOAR, in its simplest form, automates business processes to reduce the number of daily checks and incidents to be handled during first- and second-line security monitoring, whilst orchestration uses APIs and scripts to chain technologies together in a streamlined, collaborative fashion, enriching the information presented to an analyst or allowing automated responses such as the blocking of attacks.
Both concepts use playbook-driven approaches tailored to an organisation’s digital environment and its underpinning security technologies. The term playbook is derived from a sporting term meaning the various strategies a team can employ in the hope of winning. Common playbooks can be tailored to an organisation’s network via orchestration of business processes and technologies. One example is using tooling to monitor phishing attacks and extract headers and potential indicators of compromise automatically, so that analysts no longer have to do that same mundane work by hand.
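To make the phishing playbook concrete, here is an added example of the three steps such a playbook chains together (extraction, enrichment, response). It is illustrative code written for this page, not the article's or any vendor's product; the e-mail message, the threat-intelligence table that stands in for a reputation-API call, and the action names (`quarantine_and_block_sender`, `escalate_to_analyst`, `close_as_benign`) are all constructed for the example.

```python
"""Minimal SOAR-style phishing triage playbook (added example, not the article's code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, as a user might report it to the security team.
SAMPLE_EMAIL = """\
Received: from mail.example-partner.test (mail.example-partner.test [203.0.113.7])
\tby mx.corp.test with ESMTP id abc123; Mon, 1 Jan 2024 09:00:00 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.example-partner.test; Mon, 1 Jan 2024 08:59:58 +0000
Authentication-Results: mx.corp.test; spf=fail smtp.mailfrom=accounts@corp-login.test
From: "IT Support" <accounts@corp-login.test>
To: alice@corp.test
Subject: Password expiry notice
Content-Type: text/plain

Your password expires today. Verify at http://corp-login.test/reset?id=42
"""

# Constructed stand-in for the enrichment step; a real orchestration layer would
# call a reputation API here. These entries are example data, not real intelligence.
THREAT_INTEL = {
    "ip": {"198.51.100.23": "known phishing sender"},
    "domain": {"corp-login.test": "lookalike of corp.test"},
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s<>\"']+")


def extract_iocs(raw: str) -> dict:
    """Extraction step: the header and body parsing an analyst would otherwise do by hand."""
    msg = message_from_string(raw)
    ips: list[str] = []
    for hop in msg.get_all("Received", []):        # one entry per relay hop
        for ip in IPV4.findall(hop):
            if ip not in ips:
                ips.append(ip)                      # keep hop order, drop repeats
    sender = parseaddr(msg.get("From", ""))[1]
    domains: list[str] = []
    if "@" in sender:
        domains.append(sender.rsplit("@", 1)[1].lower())
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    urls = URL.findall(body)
    for url in urls:
        host = urlparse(url).hostname
        if host and host.lower() not in domains:
            domains.append(host.lower())
    auth = msg.get("Authentication-Results", "")
    return {"ips": ips, "domains": domains, "urls": urls, "spf_fail": "spf=fail" in auth}


def enrich(iocs: dict) -> list[str]:
    """Enrichment step: look each indicator up and record what is known about it."""
    findings = []
    for ip in iocs["ips"]:
        if ip in THREAT_INTEL["ip"]:
            findings.append(f"ip {ip}: {THREAT_INTEL['ip'][ip]}")
    for dom in iocs["domains"]:
        if dom in THREAT_INTEL["domain"]:
            findings.append(f"domain {dom}: {THREAT_INTEL['domain'][dom]}")
    if iocs["spf_fail"]:
        findings.append("spf=fail on sender domain")
    return findings


def decide(findings: list[str]) -> str:
    """Response step: map the weighted findings to a hypothetical action name."""
    score = sum(3 if f.startswith(("ip ", "domain ")) else 2 for f in findings)
    if score >= 5:
        return "quarantine_and_block_sender"   # automated response, no analyst needed
    if score >= 2:
        return "escalate_to_analyst"           # enriched ticket, human makes the call
    return "close_as_benign"                   # noise removed from the queue


def run_playbook(raw: str) -> dict:
    """Chain the three steps the way an orchestration engine would."""
    iocs = extract_iocs(raw)
    findings = enrich(iocs)
    return {"iocs": iocs, "findings": findings, "action": decide(findings)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_playbook(SAMPLE_EMAIL), indent=2))
```

The thresholds in `decide` are where the noise reduction the article describes actually happens: a message with no enrichment hits is closed without touching an analyst, a message with a single weak signal is escalated with the extracted indicators already attached, and a message with corroborating hits triggers the automated block.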
Addressing the skills shortage
All organisations face a challenge in identifying and recruiting good staff. In addition to the evolving threat landscape and highly publicised security breaches, another challenge for organisations is retaining those staff in a competitive cyber-security market. Research by Burning Glass concluded that a cyber-security worker could demand $6,500 more a year on average than a traditional IT worker, and the global cyber-skills gap currently sits at a reported 2.9 million unfilled jobs.
By automating low-level first- and second-line monitoring processes, businesses can keep their staff more engaged by allowing them to work on more business-relevant analysis and threat hunting. This not only aids retention but also enhances the security monitoring capabilities provided to the business. Greater engagement improves staff motivation because of the nature of the work, and so improves morale and retention within a very competitive cyber-security employment market.
It’s clear that SOAR is more than just an industry buzzword; it’s an important development for cybersecurity. It helps customers address some of the biggest challenges for cybersecurity teams, and that’s why we are starting to use the technology ourselves to further enhance how we protect our customers.