The fight is complex…
The growth in the data that businesses generate, collect and store is enabling new business models and revenue streams, but the same opportunity creates exposure: organizations are more susceptible to cyber-attacks and have more data to protect. They are under increasing pressure to implement tighter security controls around that data or risk potentially huge fines from regulatory bodies. The challenge facing organizations isn’t just the increasing volume of data or the regulatory requirements to protect it; the adoption of connected supply chains, cloud technologies and borderless network perimeters has increased the attack surface over which threat actors can target an organization.
The positive news is that effective technologies are available today to help mitigate these threats and protect data. But no single technology can do everything, so gaining full visibility of the threats and vulnerabilities an organization faces still requires people to monitor large volumes of alerts and decide which ones need a response and which are false positives that can be ignored. That fragmented process significantly slows down the detection of a threat, and therefore the response to it – potentially exposing the business to reputational and financial damage as attackers roam around systems undetected until an analyst prioritizes and investigates the alert.
Something needs to change in security monitoring to enable faster and more accurate detection of cyber-threats, especially given that there will be nearly 2 million more cyber security jobs than qualified experts by 2022. The skills shortage makes not only the recruitment of these people difficult but their retention too, especially if those experts are being recruited to undertake routine monitoring tasks.
SOAR-ting the problem
Security Orchestration, Automation & Response (SOAR) technologies have been designed to address these challenges. SOAR simplifies the incident response process, bringing together disparate technologies and incident handling processes into a coordinated set of security actions and operational processes.
Having the ability to orchestrate multiple technologies, consolidating, enriching and providing context to high numbers of incidents, has to be a priority for Security Operations Centres. It is estimated by Andre (2017) that orchestrating technologies and business processes could save up to 83% of the manpower needed to manually collect data for triaging incidents. SOAR doesn’t just automate mundane monitoring and SOC tasks; it also draws on developments in machine learning algorithms to provide wider and faster analysis, so that the most important threats are correctly prioritized for an analyst to deal with. SOAR serves two primary purposes. First, by automating incident handling it reduces alert fatigue, so SOC staff have more time for more rewarding analytical work. Second, a natural consequence of automated incident handling and enrichment is a faster response for our customers and therefore a reduction in our Mean Time to Respond (MTTR).
For a Security Operations Centre, typical incidents for analysts to triage are derived from some sort of malware or an Indicator of Compromise (IOC). Through orchestration, we can combine security technologies and third-party threat intelligence sources to automatically enrich incident ticket information, which gives a SOC analyst invaluable context. It also paves the way for playbook-driven response, whereby a threat identified as ‘known bad’ can be handled with a pre-defined response, freeing analysts to deal with more complex threats.
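As an added illustration of the enrichment and playbook-driven response described above (example code written for this article, not Fujitsu's own tooling): an alert's IOCs are looked up across several intelligence sources, the hits are attached to the ticket, and a playbook decides whether the IOC is 'known bad' enough to act on automatically, needs an analyst, or can be closed. The feeds, IOC values, priority scheme and containment actions are all constructed assumptions.

```python
"""SOAR-style enrichment and playbook logic (added example, not Fujitsu's own tooling)."""
from dataclasses import dataclass, field

# Constructed stand-ins for third-party intelligence sources. Each maps an IOC
# value to that source's confidence score (0-100). All values are placeholders.
THREAT_INTEL = {
    "feed_a": {"203.0.113.45": 90, "mail.phish.invalid": 80},
    "feed_b": {"203.0.113.45": 75, "updates.suspicious.invalid": 60},
    "internal_blocklist": {"mail.phish.invalid": 100},
}

# Pre-defined containment action per IOC type for a 'known bad' verdict (assumed).
CONTAIN = {"ip": "block source IP", "domain": "quarantine mail from domain"}

@dataclass
class Ticket:
    alert_id: str
    iocs: dict                                   # e.g. {"ip": "...", "domain": "..."}
    enrichment: dict = field(default_factory=dict)
    priority: str = "P4"                         # P1 (urgent) .. P4 (low)
    actions: list = field(default_factory=list)

def enrich(ticket: Ticket, feeds=THREAT_INTEL) -> Ticket:
    """Look every IOC up in every feed; attach {source: score} hits per IOC."""
    for kind, value in ticket.iocs.items():
        ticket.enrichment[kind] = {src: scores[value]
                                   for src, scores in feeds.items() if value in scores}
    return ticket

def run_playbook(ticket: Ticket) -> Ticket:
    """Turn enrichment into a verdict so analysts only see what needs them."""
    for kind, hits in ticket.enrichment.items():
        value = ticket.iocs[kind]
        # Known bad: corroborated by two or more sources, or on our own blocklist.
        if len(hits) >= 2 or "internal_blocklist" in hits:
            ticket.priority = "P1"
            ticket.actions.append(f"{CONTAIN.get(kind, 'contain')}: {value}")
        elif hits:
            # A single-source hit is not enough to act on automatically: escalate it.
            ticket.priority = min(ticket.priority, "P2")   # 'P1' < 'P2' < 'P4'
            ticket.actions.append(f"escalate {kind} {value} to analyst")
    if not ticket.actions:
        ticket.actions.append("close: no intelligence hits")
    return ticket

def triage(alert_id: str, iocs: dict) -> Ticket:
    """Full pipeline for one alert: create the ticket, enrich it, apply the playbook."""
    return run_playbook(enrich(Ticket(alert_id, dict(iocs))))
```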
For any business there is a clear cost efficiency from implementing SOAR, but it also reduces the mean time to resolve priority incidents, and therefore the risk of damage to the business, in an age where the number, sophistication and potential impact of attacks are growing.
Proof in the SOAR pudding
As a Managed Security Service Provider we are amongst the first in the industry to introduce SOAR-based services to the market. We can already testify that SOAR is not just another hype cycle but something that brings tangible gains for us and our customers. In our pilot programme we have seen real improvements in handling email security incidents, with a 40% reduction in the time required to deal with them. We have also seen a significant increase in the visibility of threats thanks to more frequent routine checks, and we are benefiting from enhanced log analysis that provides faster and richer information to help us prioritize and respond to incidents.
Fujitsu has implemented SOAR because we see the benefit of applying this innovation to our own security services, and it will allow us to further improve how we serve our customers. Through co-creation exercises we will evaluate where SOAR can add value to managed security services, with faster and more efficient incident response resulting in a more robust security posture for our managed service customers.