After years of investing in best-of-breed detection and SIEM tools, security operations centers are buried in alerts, giving rise to interest in security orchestration, automation, and response (SOAR) technologies. 

Not unlike other security solution categories, many of the vendors in the SOAR space tout similar, if not the exact same, benefits. 

  • Reduced alert fatigue
  • Automated processes
  • Repeatable investigation and response workflows

Where SOAR vendors differ is how they deliver, or attempt to deliver, their value. While user interfaces differ, and investigation capabilities may vary, at the core a SOAR solution is either alert-centric or threat-centric.

This short video details the difference between these two approaches and their downstream impacts on the SOAR.


In an alert-centric SOAR, all orchestration, automation and response focus on the individual alert. So, for instance, say your company is the target of a phishing attack where 50 emails are detected. In an alert-centric SOAR, each alert will be treated in a vacuum as a discrete case. It’s like an engine: An alert comes in, a playbook runs and an alert comes out with no awareness that other alerts even exist.

The downstream effects of this vacuum approach are many:

  • Analysts are still left with completing alert investigations. The alerts may be enriched, but each is still an alert investigation, so the real issue, SOC alert overload, is not really addressed.
  • Multiple analysts will inevitably end up working alert investigations that are all related to the same threat, resulting in redundant work.
  • No one analyst ever gets holistic threat visibility. So without understanding that a widespread attack is occurring, such as the phishing example mentioned, the appropriate alarms may never go off, enabling the attack to continue longer and increasing the chance that an employee will become a victim.

In the Siemplify threat-centric SOAR, the starting point and the outcome delivered are drastically different. Before initiating any playbook or running any automation, Siemplify first, and continuously, analyzes each alert as it comes into the system, looking for contextual relationships. If a relationship is identified, the alert gets automatically grouped with the related alerts into a case.

For example, say that the same phishing attack hits your company with 50 emails detected. In a threat-centric SOAR, these alerts would be grouped automatically into a single case. 

That’s one case, not 50. 

So what’s the downstream effect using this method?

  • First, this investigation can be assigned to one analyst who gets a holistic view into the threat and, if appropriate, sounds the proper alarms, indicating a wide-scale attack. Now employees could be notified en masse that this attack is occurring, causing them to be wary about opening emails from unknown senders.
  • There would be a dramatically decreased number of investigations to complete, in this example by 49, addressing the alert and case overload issue head on.

Now it’s important to keep in mind two things when considering these different approaches to SOAR: scale and complexity.

From a scaling perspective – and still leaning on the phishing example – malicious emailers typically cast a wide net, so analysts may have to manually identify and group tens, hundreds or even thousands of alerts. That would slow the analysts down. And what if they missed one? Bottom line, manual grouping just does not scale.

As for complexity, take another example: file access management. Here there are two alerts, one from a file integrity monitoring solution and one from a data loss prevention solution. In a multi-vector attack, the relationship between alerts will not be apparent to the naked eye, but when these alerts are fed into a threat-centric SOAR, there is no way for the relationship to go unnoticed. 
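The grouping step behind both examples above (50 phishing alerts collapsing into one case, and a FIM alert plus a DLP alert linked by a shared host and user) can be sketched as a union-find pass over shared entity values. The code below is an added illustration, not Siemplify's own implementation; the entity field names, alert shape and sample alerts are constructed for this example.

```python
"""Contextual alert grouping: alerts sharing an entity value are merged into
one case via union-find. Added illustration, not Siemplify's code; data is constructed."""
from collections import defaultdict

# Alert fields treated as correlating entities (an assumption for this demo).
ENTITY_FIELDS = ("sender", "attachment_sha256", "host", "user")


def group_alerts(alerts):
    """Return cases (lists of alert ids), largest first. Links are transitive:
    A~B on sender and B~C on hash puts A, B and C in one case."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # (field, value) -> id of the first alert carrying it
    for a in alerts:
        for field in ENTITY_FIELDS:
            value = a.get(field)
            if value is None:
                continue
            if (field, value) in first_seen:
                union(first_seen[(field, value)], a["id"])
            else:
                first_seen[(field, value)] = a["id"]

    cases = defaultdict(list)
    for a in alerts:
        cases[find(a["id"])].append(a["id"])
    return sorted(cases.values(), key=lambda c: (-len(c), c[0]))


# Constructed sample: 50 phishing alerts from one sender to 50 different users,
# a FIM and a DLP alert sharing host and user, and one unrelated AV alert.
SAMPLE_ALERTS = [
    {"id": f"phish-{i:02d}", "source": "email-gw", "user": f"user{i}@corp.example",
     "sender": "billing@example.invalid"} for i in range(50)
] + [
    {"id": "fim-1", "source": "fim", "host": "srv-fs01", "user": "jdoe"},
    {"id": "dlp-1", "source": "dlp", "host": "srv-fs01", "user": "jdoe"},
    {"id": "av-1", "source": "av", "host": "wks-77", "user": "asmith"},
]
```

Running `group_alerts(SAMPLE_ALERTS)` yields three cases instead of 53 alerts: the 50 phishing alerts, the FIM/DLP pair, and the lone AV alert.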

True SOC optimization comes from moving away from alert-based investigations, toward threat-centric investigations that save time, provide holistic threat visibility, and finally address the alert overload challenge. For more information, visit siemplify.co.