“Information is a source of learning. But unless it is organized, processed, and available to the right people in a format for decision making, it is a burden, not a benefit.”
It’s a little crazy that a quote by a 19th-century author and minister so accurately articulates what plagues today’s modern security operations centers. As the cyber world rapidly evolves, there is a greater need for SOC teams to make effective decisions faster than ever before. On the surface, it would seem that the additional amount of data available to security professionals would enhance this decision-making process all on its own. But, that’s not really how it plays out in practice.
SOC Managers know that their security analysts spend a massive amount of time sifting through alerts and information across a variety of technologies that aren’t integrated with one another to find the pieces they need to investigate potential threats. Sure, the information is there, but in its raw form, it isn’t organized and presented in a way that supports quick decision making.
That’s where security orchestration comes in. Security orchestration, automation and response (SOAR) empowers analysts to work smarter and drastically improves mean time to respond (MTTR) precisely because it brings together disparate technologies and automates workflows to create the order needed for analysts to make decisions.
Still, getting the most out of a SOAR solution is highly contingent on having the right data sources feeding into it.
“You have to think a little smarter, be proactive, not reactive.”
Security operations by its nature is highly reactive and inwardly focused. Alert comes in – it gets investigated, triaged and remediated. And with good processes in place, the learning (let’s say, a bad IP address) is applied to the environment (in this case, the IP is blacklisted) to prevent this now known-bad issue from causing problems for the organization in the future.
What’s challenging about this construct is that the context a security analyst has for making decisions is limited to the activity seen within the company’s own environment. This can lead to a myopic view of the potential threats an organization faces, and it means new malicious activity can only be contextualized and verified against events the team has seen previously.
Enter threat intelligence.
“If you don’t know what you want, you end up with a lot you don’t.”
– Chuck Palahniuk
Threat intelligence is a vital component of any security operation, as it can be used to verify potential threats and prevent known bad activity from impacting an organization’s environment. Adoption of threat intelligence solutions continues to grow rapidly, with the category expected to see a CAGR of 18.4% through 2022. Integrating threat intelligence with a SOAR solution can automate the application of this additional context security teams require, helping to weed out false positives and keep analysts focused on the cases that truly require their attention.
The result? Fewer missed alerts
44% of SOC Managers already see more than 5,000 alerts daily, and their teams can respond to fewer than 50% of these. With this much noise, it can be difficult to filter out the chatter and focus on the alerts that truly need attention. Orchestrating threat intelligence along with a SIEM and other security tools lends a significant amount of context, ensuring the most important alerts rise to the top and are addressed by analysts immediately.
Without threat intelligence, SOC team members have to rely on known threats they’ve actually seen before. However, when threat intelligence is integrated into SOAR, all relevant threat intelligence is automatically consolidated and fused with data from the organization’s SIEM and other tools. This allows security analysts to apply a broader data set to the alerts at hand and enhance assessment and triage for faster incident response. Additionally, SOAR enables you and your team to easily automate repetitive queries and data gathering tasks, improving efficiencies and saving time spent by your SOC analysts in the early stages of an investigation.
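As an added example (not code from the original post or from any SOAR or threat intel product), the following Python sketch shows the enrichment step just described: alerts forwarded by a SIEM are matched against a threat intel feed, each hit is weighted by the feed's severity and source confidence, alerts from a known-benign internal source are suppressed, and the result is ranked so the highest-priority cases surface first. It also models the feedback loop from the earlier "bad IP gets blacklisted" scenario: an analyst-confirmed indicator is added to a local blocklist and scores as a high-confidence hit thereafter. The feed, allowlist, thresholds and alerts are all constructed and hypothetical; the IP addresses come from documentation ranges and the domain is an example.net name.

```python
"""Enrich SIEM alerts with threat intelligence and rank them for triage.

Added example with a constructed feed and constructed alerts; not from a real product.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

# Constructed (hypothetical) intel feed: indicator -> severity 1-10, confidence 0-100.
# Documentation-range IPs and an example.net domain; none of these are real IoCs.
INTEL_FEED = {
    "198.51.100.23": {"severity": 9, "confidence": 90, "source": "feed-a"},
    "203.0.113.77": {"severity": 6, "confidence": 40, "source": "feed-b"},
    "malicious.example.net": {"severity": 8, "confidence": 85, "source": "feed-a"},
}

# Constructed allowlist of internal assets that produce known-benign noise
# (e.g. the vulnerability scanner); alerts sourced from them are auto-closed.
INTERNAL_ALLOWLIST = {"10.0.0.99"}

# Local blocklist the SOC builds from confirmed investigations (the feedback loop).
LOCAL_BLOCKLIST: set = set()

ESCALATE_THRESHOLD = 10.0  # hypothetical tuning value


@dataclass
class Alert:
    alert_id: str
    rule: str
    src_ip: str
    dst_ip: str
    domain: Optional[str] = None
    base_severity: int = 3
    matches: list = field(default_factory=list)
    score: float = 0.0
    disposition: str = "review"


def normalize(observable: str) -> str:
    """Canonicalise an observable so lookups are not defeated by case or a
    trailing dot; IP addresses are validated and returned in canonical form."""
    try:
        return str(ip_address(observable.strip()))
    except ValueError:
        return observable.strip().rstrip(".").lower()


def enrich(alert: Alert, feed: dict = INTEL_FEED) -> Alert:
    """Fuse intel context into one alert and assign a triage disposition."""
    alert.matches = []
    score = float(alert.base_severity)
    if normalize(alert.src_ip) in INTERNAL_ALLOWLIST:
        alert.score = round(score, 2)
        alert.disposition = "auto-close"  # known-benign internal source
        return alert
    for observable in (alert.src_ip, alert.dst_ip, alert.domain):
        if not observable:
            continue
        key = normalize(observable)
        hit = feed.get(key)
        if key in LOCAL_BLOCKLIST:  # analyst-confirmed indicators outrank the feed
            hit = {"severity": 10, "confidence": 100, "source": "local-blocklist"}
        if hit:
            # Weight each indicator's severity by how confident its source is.
            score += hit["severity"] * hit["confidence"] / 100
            alert.matches.append((key, hit["source"]))
    alert.score = round(score, 2)
    if alert.score >= ESCALATE_THRESHOLD:
        alert.disposition = "escalate"
    elif not alert.matches and alert.base_severity <= 2:
        alert.disposition = "auto-close"  # low severity and no intel context
    else:
        alert.disposition = "review"
    return alert


def triage(alerts: list) -> list:
    """Enrich every alert and return them highest priority first."""
    return sorted((enrich(a) for a in alerts), key=lambda a: a.score, reverse=True)


def learn_indicator(indicator: str) -> None:
    """Feedback loop: an analyst confirms an indicator as bad, so future alerts
    touching it score as high-confidence hits."""
    LOCAL_BLOCKLIST.add(normalize(indicator))


# Constructed sample alerts, shaped like what a SIEM might forward.
SAMPLE_ALERTS = [
    Alert("A1", "outbound-connection", "10.0.0.5", "198.51.100.23"),
    Alert("A2", "dns-query", "10.0.0.8", "10.0.0.53", domain="Malicious.Example.NET.", base_severity=2),
    Alert("A3", "port-scan", "10.0.0.99", "10.0.0.1", base_severity=2),
    Alert("A4", "login-failure", "203.0.113.77", "10.0.0.20", base_severity=1),
    Alert("A5", "low-info", "10.0.0.3", "10.0.0.4", base_severity=1),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f"{a.alert_id} {a.disposition:10} score={a.score:5} matches={a.matches}")
```

Run as a script, the ranked list puts the high-confidence outbound connection first and auto-closes the two alerts with neither severity nor intel context, which is the "fewer alerts reach an analyst, and the right ones reach them first" effect the text describes. The confidence weighting matters: the low-confidence feed-b hit on A4 is flagged for review rather than escalated, and only once an analyst confirms that indicator through `learn_indicator` does it start to escalate.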
Smarter SOC processes
SOC processes are notoriously challenging and often a point of frustration for SOC Managers. When threat intelligence is integrated with security orchestration and automation, teams can benefit from threat intel-driven workflows and from automation of the processes for applying data from, and feeding information back into, a threat intel solution. This in turn leads to more efficiencies not just for your SOC team but also for your overall threat detection and prevention systems.
Improved – and demonstrable – ROI
SOAR helps make the most of your existing security tools, increasing your ROI. Security orchestration enables SOCs to use threat intelligence solutions to their fullest capabilities, applies them using best practices, and does so consistently, following articulated incident response and security operations procedures. And SOAR solutions enable turnkey case reporting that includes threat intel information, which streamlines the process for SOC Managers to provide insight into the performance of their team and the tools they’re using.
“Moving fast is not the same as going somewhere.”
Clearly, one of the most compelling benefits of integrating threat intelligence and SOAR is its ability to speed up investigation and incident response. However, this gain in efficiency is ultimately due to the quality improvements brought about by this marriage of technologies. SOC Managers know that the more detail and context their analysts have, the better equipped they are to make accurate, rational decisions more quickly.