If you are like me, you spend at least a few minutes each day checking social media sites for the latest cybersecurity industry news. Recently an interesting trend has appeared where those in charge of security at various organizations are using these platforms to solicit advice on how to deal with their ever-expanding security tools.
The post will read something like: “Just took over security at [xyz] organization, and the security stack is a mess. Any tips on how to consolidate?” or “Just found out we had a license for [xyz] product, and it has been sitting on the shelf for months. Is it worth implementing?” Or, my personal favorite: “I have overlapping tools, and the complexity is out of control. What’s the best approach to consolidate?”
The growth in security vendors over the past few years has certainly improved organizations’ ability to defend their environments. However, the unintended consequence is a significant increase in alert volume. Considering SOC size has not grown at the same rate as the security stack, you have a situation where security analysts are in constant “catch up” mode, making difficult choices as to which alerts to investigate and which to set aside. It’s not a pleasant scenario.
Security Orchestration, Automation, and Response (SOAR) to the Rescue
Most security managers and CISOs likely have been introduced to SOAR solutions by now, but if you haven’t, here is the CliffsNotes version of what a SOAR is designed to do. These solutions take alerts from a detection/alerting tool, generally a SIEM, and use APIs to gather data from a variety of sources to “enrich” those alerts.
The SOAR solution then follows predefined playbooks (aka runbooks) to take automated or semi-automated actions to either fully investigate and respond to an alert or get the alert ready for analyst investigation. SOAR solutions are not intended to replace detection/alerting technologies – or even SIEMs for that matter. Instead, they act as a virtual analyst with the intent to improve analyst, and thus SOC, efficiency.
Make sense? While the objective of SOAR solutions is similar, there are vastly different approaches to helping SOCs deal with this overload of alerts. One of the biggest, and most impactful, differences in approach is the type of investigations analysts conduct after deploying a SOAR solution.
Alert-Based vs. Threat-Centric
Two types of investigations generally occur in the SOC: alert-based and threat-centric. Alert-based represents a one-to-one relationship between case and alert. An alert comes into the SOAR solution, enrichment and automation happen for the alert, and the analyst completes the investigation. Analyst efficiency may improve, but the biggest problem in the SOC, the volume of alerts, is left unresolved.
To address alert volume as well as meet the SOC’s objectives, a SOAR must do more than simply enrich alerts and automate some tasks. Siemplify addresses this need by delivering a threat-centric approach to investigations that looks for contextual relationships in the alerts and, if identified, groups these alerts into a single case. Check out the video above to see how this works within Siemplify.
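As an added illustration (not Siemplify’s code or its grouping algorithm), here is a minimal entity-based grouping that turns a list of alerts into cases the way the threat-centric approach describes: alerts that share a host, user, IP or domain, directly or through a chain of shared entities, land in one case, while the alert-based approach yields one case per alert. The alert list and entity names are constructed sample data.

```python
from collections import defaultdict

# Constructed sample alerts (not real data); each carries the entities it involves.
ALERTS = [
    {"id": "A1", "rule": "Suspicious PowerShell", "entities": {"host:WS-042", "user:jdoe"}},
    {"id": "A2", "rule": "Outbound to rare domain", "entities": {"host:WS-042", "domain:bad.example"}},
    {"id": "A3", "rule": "Repeated failed logons", "entities": {"user:jdoe", "host:DC-01"}},
    {"id": "A4", "rule": "Malware quarantined", "entities": {"host:WS-077"}},
    {"id": "A5", "rule": "Brute force", "entities": {"ip:203.0.113.5", "host:WEB-01"}},
]


def alert_based_cases(alerts):
    """Alert-based: a one-to-one mapping, so the analyst still works every alert."""
    return [[a["id"]] for a in alerts]


def threat_centric_cases(alerts):
    """Threat-centric: alerts sharing at least one entity (transitively) form one case.

    Union-find over entity strings: A1 and A2 share host WS-042, A1 and A3 share
    user jdoe, so A1, A2 and A3 chain into a single case even though A2 and A3
    have no entity in common themselves.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a in alerts:
        ents = sorted(a["entities"])
        for e in ents[1:]:
            parent[find(ents[0])] = find(e)

    cases = defaultdict(list)
    for a in alerts:
        # An alert with no entities has nothing to correlate on; it stays its own case.
        key = find(sorted(a["entities"])[0]) if a["entities"] else "alert:" + a["id"]
        cases[key].append(a["id"])
    return sorted(cases.values())
```

Running both functions over the same five alerts shows the difference the text is making: five alert-based cases versus three threat-centric ones.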