Expert Perspectives (3 min read)

How to Lighten Your SOC’s Growing Work Burden

The number of security alerts SOCs must investigate and remediate has never been higher. But the integration of threat intelligence with SOAR solutions promises to be a boon for defenders.

On any given day, the typical Security Operations Center (SOC) team investigating incidents faces a multitude of questions such as:

  • Is this file or URL malicious?
  • Is this newly discovered piece of malware affecting us? If so, how do we identify, contain and remediate it?
  • Which of these new vulnerabilities are relevant to us, and how should they be prioritized?

Answering these questions quickly grows more pressing as attackers deploy increasingly sophisticated tooling at ever greater scale. Enterprises, which now must also defend IoT, mobile, and cloud environments, have responded by adding new security technologies to keep up, creating what Gartner rightly describes as “multiple console complexity.”

More technology means more alerts, and resource-strapped managers and their teams face a quandary about how to cope with the growing volume and variety of alerts crossing their screens every day. Although incidents vary in complexity, even a routine investigation can be time-consuming, and SOC analysts spend countless hours separating real threats from false alarms. Consider this: 44% of SOC managers see more than 5,000 alerts each day, yet their teams can respond to fewer than half of them.


Unfortunately, there’s no rest for the weary. Most organizations aren’t in any position to hire more people - assuming they could even find qualified candidates nowadays - to relieve the work imbalance. Their dilemma is compounded by the fact that many security operations remain tied to manually created and maintained document-based investigative procedures, which are brittle, inflexible, and a further source of inefficiency.

Here’s where security orchestration, automation and response (SOAR) technologies provide a welcome assist to over-burdened SOC teams.

The idea behind SOAR is to make security teams more efficient and less error-prone. Working in isolation with limited context, and performing required tasks by hand, is cumbersome. With a SOAR solution collecting threat data and alerts from different sources, organizations can shorten time to resolution by automating their investigative processes and orchestrating their tools to work together on an incident.

At the same time, SOAR solutions remove a lot of the burden on security analysts, who now can devote more time to high priority incidents than they were previously able to. The upshot: More productivity as analysts can handle more incidents more thoroughly, without needing to add staff.

The appeal of SOAR solutions is spreading quickly. Gartner estimates that 15% of organizations with security teams larger than five people will use SOAR tools for orchestration and automation by the end of the decade, up from less than 1% currently.

Intelligence Matters

As a category, SOAR products are relatively new. To reap the maximum benefit from the technology, enterprises should pair it with a high-quality intelligence service such as Symantec’s DeepSight Intelligence, which is designed to feed intelligence directly to SOAR tools.

DeepSight Intelligence provides dynamic access to vital threat data, including file reputation, vulnerability, network reputation and adversary intelligence. This intelligence has been integrated directly into the most popular SOAR platforms, enabling informed, context-rich threat identification, validation, and response using automation.

One of DeepSight’s notable attributes is the depth of context it provides. For example, when the service returns the reputation of an IP address, customers receive summary ratings, such as reputation and confidence scores, along with a detailed description of the attack - or attacks - launched from that address. This is highly useful for investigative purposes.

DeepSight Intelligence is able to deliver rich context because it consolidates and analyzes threat data from a wide variety of sources via Symantec’s Global Intelligence Network (GIN), the world’s largest civilian threat intelligence collection network. With Symantec security software running on millions of customer computers and devices, as well as on numerous gateways and proxies in over 150 countries around the world, a massive amount of threat data is available to be analyzed to produce the high quality, context-rich intelligence delivered by DeepSight.

There are a variety of uses for DeepSight when combined with a SOAR tool, ranging from incident investigation to threat hunting to vulnerability management.

With the DeepSight Intelligence API, customers can look up the reputation of a range of common indicators, including files, URLs, and IPs. They also can draw investigative associations, such as which URLs are associated with an IP of interest or what malware is associated with a particular hash.

A SOAR playbook can run queries like these automatically, at machine speed and without analyst intervention, providing the data needed to automate important parts of the investigative process.
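The Python below is an added illustration of the enrichment step described above, not Symantec or DeepSight code, and it makes no claims about the DeepSight API’s endpoints, parameters or scoring scales. It shows what a SOAR playbook does with an alert: extract the indicators, look each one up exactly once in a reputation source, pivot one hop across the source’s associations (URLs tied to a malicious IP, the hash tied to a malicious URL) and assign a disposition from the reputation and confidence values. The intel source, its 0-10 reputation and 0-100 confidence scales, the thresholds, and the sample alert are all constructed for the example.

```python
"""SOAR-style indicator enrichment against a threat-intelligence source.

Added example, not Symantec or DeepSight code. The intel source, its scoring
scales, the thresholds and the sample alert are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Indicator patterns, matched in this order so a URL's host is not also
# reported as a bare IP. The IPv4 pattern is deliberately loose; a real
# playbook would validate octets and drop internal ranges before querying.
PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


@dataclass
class Verdict:
    indicator: str
    kind: str
    reputation: Optional[int]   # hypothetical scale: 0 clean .. 10 malicious; None = unknown
    confidence: Optional[int]   # hypothetical scale: 0 .. 100
    description: str = ""
    related: List[str] = field(default_factory=list)


class StubIntelSource:
    """Stand-in for a reputation API. Records are constructed, not real intel."""
    MAL_HASH = "deadbeef" * 8   # constructed SHA-256-shaped value
    RECORDS: Dict[str, dict] = {
        "198.51.100.23": dict(reputation=9, confidence=90,
                              description="SSH brute-force source hosting a downloader",
                              related=["http://198.51.100.23/dl/update.bin"]),
        "http://198.51.100.23/dl/update.bin": dict(reputation=8, confidence=80,
                              description="Downloader stage for a commodity RAT",
                              related=[MAL_HASH]),
        MAL_HASH: dict(reputation=10, confidence=95,
                       description="Commodity RAT dropper", related=[]),
        "203.0.113.10": dict(reputation=1, confidence=95,
                             description="CDN edge node", related=[]),
    }

    def __init__(self) -> None:
        self.calls = 0   # counts API round trips so the cache's effect is visible

    def lookup(self, indicator: str) -> Optional[dict]:
        self.calls += 1
        return self.RECORDS.get(indicator)


def extract_indicators(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs, deduplicated, in order of first appearance."""
    found: Dict[str, str] = {}
    remaining = text
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(remaining):
            value = m.group(0).rstrip(".,;)")   # drop sentence punctuation glued to URLs
            found.setdefault(value, kind)
        remaining = pat.sub(" ", remaining)    # so nested matches are not re-reported
    return [(kind, value) for value, kind in found.items()]


def guess_kind(value: str) -> str:
    for kind, pat in PATTERNS.items():
        if pat.fullmatch(value):
            return kind
    return "unknown"


def classify(v: Verdict) -> str:
    """Map reputation and confidence to a label; thresholds are illustrative."""
    if v.reputation is None:
        return "unknown"
    if v.reputation >= 7 and v.confidence >= 70:
        return "malicious"
    if v.reputation <= 2 and v.confidence >= 80:
        return "benign"
    return "suspicious"


def enrich_alert(text: str, source: StubIntelSource, pivot: bool = True) -> dict:
    """Look up every indicator once, pivot one hop from malicious ones, and
    decide whether the alert is escalated, closed, or handed to an analyst."""
    verdicts: Dict[str, Verdict] = {}
    queue = extract_indicators(text)
    while queue:
        kind, value = queue.pop(0)
        if value in verdicts:            # cache: direct and pivoted hits share one query
            continue
        rec = source.lookup(value)
        v = Verdict(value, kind, **rec) if rec else Verdict(value, kind, None, None)
        verdicts[value] = v
        if pivot and classify(v) == "malicious":
            queue.extend((guess_kind(r), r) for r in v.related)
    labels = {k: classify(v) for k, v in verdicts.items()}
    if "malicious" in labels.values():
        disposition = "escalate"
    elif labels and all(lbl == "benign" for lbl in labels.values()):
        disposition = "close_benign"
    else:
        disposition = "needs_analyst"    # unknowns are never treated as clean
    return {"disposition": disposition, "labels": labels, "verdicts": verdicts}


# Constructed alert text for the example (RFC 5737 documentation addresses).
SAMPLE_ALERT = (
    "EDR alert: host 10.0.4.17 connected to 198.51.100.23, then downloaded "
    "http://198.51.100.23/dl/update.bin; new process hash " + "cafebabe" * 8 +
    " observed; later DNS traffic to 203.0.113.10."
)

if __name__ == "__main__":
    src = StubIntelSource()
    result = enrich_alert(SAMPLE_ALERT, src)
    print(result["disposition"], result["labels"], "api calls:", src.calls)
```

Two design choices matter more than the thresholds. Indicators are cached per alert, so an address reached both directly from the alert text and through a pivot costs one query rather than two, which is what keeps automated enrichment within an intelligence feed’s rate limits. And an indicator the source has never seen is labelled unknown and routed to an analyst rather than counted as clean; the absence of a bad reputation is not evidence of a good one.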

In the ongoing battle with malicious attackers, the integration of threat intelligence with SOAR tools promises to be a boon for defenders. As we know, information is power, and this is the sort of information defenders can put to use to work smarter, work faster, and make the right decisions to protect their organizations.


About the Author

Al Cooley

Director, DeepSight Intelligence Product Management, Symantec

Al Cooley leads product management for DeepSight Intelligence. Prior to Symantec, he worked in product leadership roles at Guardium, IBM and Industrial Defender.