The security operations center of an organization is essentially it’s eyes and ears, defining what elements should be given pass to entry and which ones must be kept out at all costs. The SOC is all that stands between the security and integrity of corporate data and the attackers looking to get their hands on whatever they can.
The very nature of the SOC is a highly complex and ever-expanding fabric of people, process and technology, trying to “keep it together” against threats, known and unknown. But as we have seen time and again, more tools and more people don’t necessarily equal more security. In the constantly evolving threat environment that organizations find themselves in today, they are going head to head with attackers using an overly complicated mix of tools that simply aren’t built to evolve.
SOAR – the potential bridge to the Intelligent SOC?
To effectively fight the big guns, Gartner lays out principles for building the kind of SOC that can withstand next-gen threats. They call it the ISOC – The Intelligence Driven SOC. Gartner’s adaptive security architecture outlines four critical domains: prevent, detect, respond and predict.*
But without a way to operationalize all this data, the data itself is of little use. Gartner recommends using a group of technologies they call SOAR (security operations, analytics and reporting) Technologies. According to Gartner, “Security intelligence, derived out of threat and operational intelligence, in addition to organizational context, provides the foundation of the “intelligence” in ISOC, but this intelligence is of limited value by itself until it is operationalized. Historically, this has been a manual and labor-intensive process, requiring analytical expertise and real-time data that has not been readily available. This is changing rapidly, however, with security operations, analytics and reporting (SOAR) solutions providing security incident response, security operations automation, and threat and vulnerability management capabilities.SOAR solutions enable the deployment of a SOC strategy that semiautomates many and fully automates some of the day-to-day tasks of security operations.”*
SOAR platforms help support workflow management and streamline all automation, analytics and reports coming in from the many cross-vendor tools that comprise the ISOC and apply decision making logic and context to situations as they unfold. Essentially, SOAR gives order to all the highly complex aspects and moving parts that keep the intelligence-driven SOC going.
SOAR is a key component in making the ISOC an attainable reality. In an environment where many team leaders struggle to see the entire true picture regarding the state of their security, SOAR helps pull it all together and develop a sustainable intelligent security solution.
Gartner estimates that 5% of large and midsize enterprises currently use SOAR technologies, but expects this to grow to 30% by 2019**, as the need to adopt intelligence-driven solutions becomes ever-more critical to corporate survival.
Benefits of SOAR
Incorporating SOAR technologies helps organizations gain a deeper and more accurate picture of the state of their security, while providing the ability to organize workflows by:
- Helping analysts integrate disparate tools. Using multiple tools from multiple vendors creates unnecessary complexity. SOAR helps integrate those tools.
- Index and contextualize huge amounts of data across vast security environments. Previously siloed information can be put into context and viewed as part of an unfolding storyline.
- Providing flexibility to adapt and build a dynamic framework that can index data from various sources and giving analysts the ability to influence processes.
Although the capabilities outlined by SOAR are key elements in creating an integrated and operationalized ISOC, these alone are not enough to cover the full span of its workings. As Oliver Rochford and Paul Proctor of Gartner point out, “Today, very few provider technology offerings span the entire spectrum of SOAR, and those that do are often strong only in certain areas over others.”** The reality is that to address this gap, security teams have historically been forced to look at a patchwork of tools across UEBA, Automation, Ticketing Systems, Traditional SIEMs, etc. further driving disconnected tools, manual processes and analyst frustration.
Ultimately the drive to embrace SOAR and mature towards the Intelligent SOC requires a seamless enterprise-wide security fabric that connects the dots across the security landscape.
This philosophy is the basis on which Siemplify’s Threat Nexus is built. ThreatNexus is the industry’s first complete security operation platform that seamlessly fuses the enterprise-wide security fabric into a single pane of glass, enabling enterprise SOC teams to perform the full spectrum of threat management and incident response; from case management and analytics, to hunting, intelligence, automation and reporting, helping security teams make better, more informed and more precise decisions.
Siemplify’s proprietary ThreatNexus engine applies big data, graph theory, artificial intelligence, and machine learning methodologies to automatically cluster, contextualize, and prioritize threats into a graph storyline, from which all security operations actions can be performed. Delivering the best of both worlds between automation and human intervention. Ultimately tripling responder caseload, reducing alerts by 90%, lowering the analyst learning curve, and reducing incident response times by 60%.
The historic proliferation of disparate detection tools, alerts, manual processes, and lack of context across the threat landscape has long exposed security operations as the weakest cybersecurity link. In order to win the fight for the security and integrity of corporate data tomorrow, teams must start incorporating the proper tools to build their own next gen intelligence-driven ISOC today.
*Gartner, The Five Characteristics of an Intelligence-Driven Security Operations Center, Oliver Rochford, Neil MacDonald, 02 November 2015
**Gartner, Innovation Tech Insight for Security Operations, Analytics and Reporting, Oliver Rochford, Paul E. Proctor, 11 November 2015