SOAR: the smart response to rising security threats

Security teams operate in the face of growing threats. Research suggests that 79% of organisations suffered a cyber attack last year, with cybercrime and nation state attacks on the rise.

To counter this, CISOs depend on a wealth of security tools and techniques. A typical large enterprise might use 15, or more, separate and unconnected security tools. But the range and diversity of tools in use creates a challenge in its own right.

Each tool needs managing and maintenance. Although the latest security systems provide vital operational intelligence, security teams, and security operations centres (SOCs) risk being overwhelmed by too much data, and too many tasks. And all this is happening as the number of security threats continues to rise.

We are reaching the point where SOC workloads risk exceeding the capacity of human analysts. As a result, the organization’s security response is slower, and less effective. And the disconnected, siloed nature of security applications, creates its own problems. At worst, threats can be missed.

The SOAR option

One solution – and one that is increasingly favoured by enterprises – is to invest in an integrated security platform such as SOAR.

SOAR, or Security Orchestration, Automation and Response, brings together intelligence monitoring and incident response, alongside real-time collaboration tools, and playbooks that capture best practices.

SOAR adds a single interface to control multiple vendors’ tools, and combines real-time alerts and incident data with external threat intelligence feeds.

The current generation of SOAR technologies support built-in real time collaboration, and integrate with customer services management platforms. And SOAR can standardize and document actions during an incident.

A further, and increasingly important feature, is support for automation. The latest-generation SOAR tools use machine learning to improve incident response. Each time an organization faces a threat, the SOC becomes more effective as machine learning builds up knowledge of the most effective commands to run, and even the best analysts to handle cases.

Quicker responses, reduced threats

Taken together, the key features of SOAR – collaboration, integrated threat intelligence, automation, case management and incident response playbooks – can lead to 90% faster incident response times. They also reduce the number of alerts that need human intervention by as much as 95%.

This greatly improves the SOC’s MTTR (Mean Time To Respond), a key measure of SOC effectiveness.

Reducing MTTR reduces the dwell time of an attack, or how long an adversary or hacker remains in the system, before they are detected and their activities are shut down.

Consolidating security tools into a SOAR platform brings other benefits too. It improves visibility across the organization by tying threat intelligence into real-time incident reports. Linking internal data feeds and external threat intelligence gives more context around security events, and helps SOCs prioritize the most critical threats.

And automation allows SOC specialists to be more proactive. Teams can see, at a glance, if systems need patching, or if end-point protection is up to date. It frees up human analysts to handle the more complex incidents, and makes time for other tasks, such as working with stakeholders in the organization and improving security awareness.

XSOAR advantages

Palo Alto’s Cortex XSOAR is one example of how SOAR tools are developing into platforms that help SOCs respond more quickly and effectively, and help IT security teams work across on-premises, hybrid and cloud environments.

XSOAR takes an open approach, with integrating and aggregating threat intelligence, including the customer’s existing feeds, data from Palo Alto Networks’ own monitoring and strategic intelligence form Unit42. It then automatically maps threat information to incidents.

This open approach continues by the way vendors can connect to the platform. Currently, XSOAR supports over 700 products, includes tried and tested incident response playbooks, and supports third party content packs that users can deploy directly from the dashboard.

This is supported by a machine learning engine that uses past incidents to improve its guidance to the SOC, as well as automated reporting and post investigation audit trails.

Taken together, Cortex XSOAR is one of the most effective ways to improve SOC performance, allowing security teams to scale up their operations in an environment where analysts face dealing with too many, perhaps thousands, of 10,000 or more incidents every week. And XSOAR works with existing SIEM installations, so CISOs can build on their existing investments.

SOC teams can try the Cortex XSOAR Community Edition, indefinitely, at no cost*: see https://start.paloaltonetworks.com/sign-up-for-community-edition.html

* After 30 days, you can continue using Cortex XSOAR Community Edition at no cost with limitations on the number of platform requests