As the digital landscape continues to evolve and businesses become increasingly reliant on technology, the importance of having a robust security system in place cannot be overstated. One of the key pieces of any security system is the security orchestration, automation, and response system (SOAR) that you deploy.
First, let's define what a SOAR solution is: Security orchestration, automation, and response (SOAR) refers to a set of services and tools that automate cyberattack prevention and response. So, do you need to enhance your current security with new tools? Here are 3 things to consider:
Consideration 1. The SIEM/IDS System
When you purchase and set up a SIEM or IDS system, or inherit one, expect a flood of security alerts. An Intrusion Detection System (IDS) is a software program that monitors network traffic for suspicious activity and alerts security teams if any is detected. A Security Information and Event Management (SIEM) solution, on the other hand, collects and analyzes security data from multiple sources, including network devices, servers, and applications. Both generate a lot of alerts, but neither can automate the analysis and follow-up steps.
Consideration 2. Security Event Response Protocols
Each event that occurs needs to be researched to determine whether it represents an actual threat actor or a false positive.
If 20 alerts come in, and each one takes ~30 minutes to respond to because you have to follow a playbook that has 17 steps and use 8 different tools to determine that they are all false positives, that’s 10 hours of work performed just to say “everything is still safe”.
With a typical SIEM/IDS system, the event responder will determine that most are “false positives”. The event was not actually a bad actor on the network, but something innocent, like an auditor in the finance department connecting over a VPN back to their own company.
Consideration 3. Event Response Fatigue
If the team does not fully research and check every alert, due to alert fatigue, someone could miss one and the bad actors can "get in". For example, one alert could be showing you that an employee laptop is madly synchronizing data with a cloud service. That could be a really bad data exfiltration day for you, and you’d want to know about it fast.
These considerations are no fun, and that’s why SOAR exists: automating as much of the risk assessment process as you can. With advanced automated tools, the response can be quick, and dwell times reduced.
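As an added example that is not part of the original post or of PathSolutions TotalView, the following Python sketches the kind of triage playbook a SOAR automates for the alerts described in Considerations 2 and 3: each constructed alert is enriched with context (a directory of contractor accounts, an allowlist of partner VPN endpoints, a set of approved cloud services and a byte threshold, all assumed values), and the playbook auto-closes the alerts that context explains, such as the auditor's VPN session, while escalating the rest, such as a large cloud sync to an unapproved service. It also reports the analyst minutes the auto-closed alerts would have cost at the 30-minute figure used above.

```python
"""Minimal SOAR-style triage playbook (added example, not PathSolutions code).

Constructed sample alerts are enriched with asset/user context and either
auto-closed as known-benign or escalated for analyst review. Every table
below is an assumed stand-in for a real CMDB, identity directory or policy.
"""
from dataclasses import dataclass, field

# Assumed context tables (constructed values; 203.0.113.0/24 is a documentation range).
KNOWN_VPN_ENDPOINTS = {"203.0.113.10": "AuditCo corporate VPN"}
CONTRACTOR_ACCOUNTS = {"jdoe": "finance auditor (contract)"}
APPROVED_CLOUD_DOMAINS = {"sharepoint.example.com"}
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024   # assumed 500 MiB policy threshold


@dataclass
class Alert:
    alert_id: str
    rule: str            # SIEM/IDS rule name that fired
    user: str
    host: str
    dest_ip: str
    dest_domain: str = ""
    bytes_out: int = 0


@dataclass
class Verdict:
    alert_id: str
    disposition: str     # "closed-benign" or "escalate"
    reasons: list = field(default_factory=list)


def triage(alert):
    """Apply the enrichment step for the alert's rule and decide its disposition."""
    reasons = []
    if alert.rule == "vpn-to-external":
        if alert.dest_ip in KNOWN_VPN_ENDPOINTS and alert.user in CONTRACTOR_ACCOUNTS:
            reasons.append(f"{alert.user} is {CONTRACTOR_ACCOUNTS[alert.user]}")
            reasons.append(f"destination is {KNOWN_VPN_ENDPOINTS[alert.dest_ip]}")
            return Verdict(alert.alert_id, "closed-benign", reasons)
        reasons.append("VPN destination or user not on allowlist")
        return Verdict(alert.alert_id, "escalate", reasons)
    if alert.rule == "cloud-sync-volume":
        approved = alert.dest_domain in APPROVED_CLOUD_DOMAINS
        if approved and alert.bytes_out < EXFIL_BYTES_THRESHOLD:
            reasons.append("approved cloud service below volume threshold")
            return Verdict(alert.alert_id, "closed-benign", reasons)
        if alert.bytes_out >= EXFIL_BYTES_THRESHOLD:
            reasons.append(f"{alert.bytes_out} bytes out exceeds threshold")
        if not approved:
            reasons.append(f"{alert.dest_domain} is not an approved cloud service")
        return Verdict(alert.alert_id, "escalate", reasons)
    # Unknown rule: never auto-close what the playbook cannot reason about.
    return Verdict(alert.alert_id, "escalate", ["no playbook step for rule " + alert.rule])


def run_playbook(alerts, minutes_per_manual_alert=30):
    """Triage every alert and summarise how much manual work was avoided."""
    verdicts = [triage(a) for a in alerts]
    escalated = [v for v in verdicts if v.disposition == "escalate"]
    closed = len(verdicts) - len(escalated)
    return {
        "verdicts": verdicts,
        "escalated": len(escalated),
        "auto_closed": closed,
        "analyst_minutes_saved": closed * minutes_per_manual_alert,
    }


# Constructed sample alerts, not real SIEM output.
SAMPLE_ALERTS = [
    Alert("A-1", "vpn-to-external", "jdoe", "fin-lt-07", "203.0.113.10"),
    Alert("A-2", "vpn-to-external", "msmith", "eng-lt-12", "203.0.113.99"),
    Alert("A-3", "cloud-sync-volume", "asanchez", "hr-lt-03", "198.51.100.5",
          dest_domain="sharepoint.example.com", bytes_out=40 * 1024 * 1024),
    Alert("A-4", "cloud-sync-volume", "bchen", "eng-lt-21", "198.51.100.77",
          dest_domain="filedrop.example.net", bytes_out=2 * 1024 ** 3),
]

if __name__ == "__main__":
    summary = run_playbook(SAMPLE_ALERTS)
    for v in summary["verdicts"]:
        print(v.alert_id, v.disposition, "; ".join(v.reasons))
    print(f"auto-closed {summary['auto_closed']}, escalated {summary['escalated']}, "
          f"saved ~{summary['analyst_minutes_saved']} analyst minutes")
```

The design choice worth noting is that every branch the playbook cannot explain from context falls through to `escalate`; an automation that defaults to closing is exactly how the missed alert in Consideration 3 happens. The recorded `reasons` are what an analyst reviews when auditing the automated decisions.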
PathSolutions TotalView’s SecOps module is the SOAR tool we offer, and it can be useful from the first day of deployment. This tool will tell you all of the details about what’s actually going on in the network so that within minutes you can see and respond to security events, and determine with confidence whether it was a false alarm or an actual threat actor. Take a look at the SecOps Features Page for details.
Now, for a random fact related to this topic: Did you know that the first IDS was developed in the 1980s by James Anderson, who was trying to protect his university's network from unauthorized access?