
Accelerate Security Operations with SOAR Across the Security Fabric

By Satish Veerapuneni | May 12, 2020

In 2019 alone, over $124 billion was spent on cybersecurity. Even so, many security teams are still struggling to keep up. Their challenges include too many consoles to monitor, alert fatigue, a reliance on manual processes, and a shortage of cybersecurity personnel.

Fortunately, a number of technologies are designed specifically to address these issues. One in particular stands out: security operations center (SOC) automation.

What is SOC Automation?

The SOC Automation framework is designed to help security teams quickly identify their current maturity level based on their existing investment in people, processes, and products. From there, an organization can identify the tools appropriate for it and define the steps required to advance to the next level.

The Question Is: Which SOC Tools Are Right for Your Organization?

Fortinet solutions such as FortiAnalyzer (Security Fabric analytics and automation), FortiSIEM (security information and event management), and FortiSOAR (security orchestration, automation, and response) address every phase of the SOC Automation framework. Each leverages security automation to address the key challenges faced by security analysts and architects at their level of SOC Automation, and the Security Fabric links all of these solutions together, enabling lean security teams to maximize their ability to protect their enterprise.

Figure 1: SOC Automation Framework Illustration

Introducing the SOC Automation Framework

Operational complexity is a challenge for security teams of any size. The SOC Automation framework is designed to help an organization’s security team identify their current maturity level and then choose those security solutions that are the most appropriate for their environment.

The SOC Automation framework is broken into three key areas: people, process, and product. Within each area, an organization is classified at a maturity level of 1 to 3 based on its security posture in that area. For example, an organization at level 1 in every area has a small IT team with no dedicated security staff (people) and best-effort incident response playbooks (process). At the other extreme, a level 3 organization has a large security team with experienced SOC analysts and well-defined playbooks, and has not only deployed SIEM and SOAR solutions but also measures their effectiveness.

With a cybersecurity skills gap of over 4 million and growing, improving the people component of an organization’s SOC Automation may not be possible. However, by implementing the correct processes and selecting the right products, an organization can compensate for an understaffed security team and still meet its security demands.

Using FortiAnalyzer’s Security Fabric analytics and automation as a foundation, organizations can leverage the AI built into the Security Fabric to correlate threat intelligence from each security component in the Fabric, including the NGFW, IPS/IDS, and others. FortiAnalyzer then processes this intelligence to discover threats in real time, and those same integrated security solutions can be leveraged to deliver a coordinated response to detected threats at network speeds.

In addition to FortiAnalyzer, FortiSIEM can be leveraged when multiple platforms and third-party solutions are in place. FortiSIEM collects and correlates data from dozens of security platforms, third-party security tools, and even network devices, and intelligently alerts on it to provide comprehensive, actionable intelligence across larger, more complex environments.

FortiSOAR is designed for enterprises with a mature SOC that have already deployed multiple security solutions. These environments require a more sophisticated solution such as FortiSOAR, which can aggregate actionable events from multiple security tools, including SIEMs and other network or security devices, enabling security teams not only to see and alert on threats but also to leverage pre-defined and customizable playbooks for a sophisticated threat response.

FortiSOAR for MSSPs enables service providers to leverage FortiSOAR’s advanced multi-tenancy capabilities to extend these capabilities into their managed services. This enables the delivery of critical security orchestration and response services to their customers while maintaining a low engineer-to-customer ratio to maximize profitability.

Leveraging the Power of FortiSOAR in Your Security Operations Center

SOAR represents a new level of integrated incident response management designed for today’s larger, distributed, and highly dynamic and scalable networks. FortiSOAR is an ideal solution for enterprises and service providers seeking to simplify their operations while maximizing the efficiency of their security operations centers.

It does this by consolidating and triaging alerts from a wide range of security products and automating threat analysis and repetitive tasks, saving valuable analyst time. This includes interoperating with a wide array of solutions and technologies and then leveraging well-defined automation playbooks to respond to security events in real time without human intervention, streamlining SOC operations.

With over 300 connectors, FortiSOAR integrates with all major security vendors and technologies to provide a single, centralized point of visibility and control, with granular role-based access control to secure user-related data. Its more than 200 out-of-the-box, easy-to-configure playbooks, together with case management modules that the company describes as the most advanced in the industry, enhanced with incident timelines and asset correlation views, enable the automation of incident response action sequences as well as routine tasks.
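The consolidate-triage-respond flow described in the two paragraphs above, as an added example that is not part of the original post and does not use FortiSOAR's connector or playbook format: a small Python runner that folds alerts from several consoles into incidents, enriches them against a threat-intelligence list, and applies a playbook whose destructive actions run unattended only when more than one console agrees, the indicator is high-confidence, and the target is not a protected asset. The alerts, intelligence scores, protected-asset list and action names are all constructed for the illustration; the action strings stand in for connector calls that a real SOAR would make.

```python
"""Illustrative SOAR-style triage runner (added example, not FortiSOAR code).

Alerts from several consoles are folded into incidents, enriched against a
threat-intel list, and handed to a playbook. Every value below is constructed
for the illustration; the action strings stand in for connector calls.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> confidence (0-100).
# Addresses are taken from the RFC 5737 documentation ranges.
THREAT_INTEL = {
    "203.0.113.45": 95,   # stands in for a known C2 address
    "198.51.100.7": 40,   # low-confidence sighting
}

# Assets automation may never block or isolate without an analyst (assumption).
PROTECTED_ASSETS = {"10.0.0.5"}   # e.g. a domain controller

# Constructed alerts as a SIEM, an NGFW and an EDR agent might emit them.
SAMPLE_ALERTS = [
    {"source": "siem", "src": "203.0.113.45", "dst": "10.0.1.22", "rule": "beacon", "severity": 7},
    {"source": "ngfw", "src": "203.0.113.45", "dst": "10.0.1.22", "rule": "ips-sig", "severity": 6},
    {"source": "edr", "src": "203.0.113.45", "dst": "10.0.1.22", "rule": "susp-proc", "severity": 8},
    {"source": "ngfw", "src": "198.51.100.7", "dst": "10.0.1.30", "rule": "port-scan", "severity": 3},
    {"source": "siem", "src": "203.0.113.45", "dst": "10.0.0.5", "rule": "beacon", "severity": 9},
    {"source": "edr", "src": "203.0.113.45", "dst": "10.0.0.5", "rule": "susp-proc", "severity": 9},
    {"source": "edr", "src": "192.0.2.10", "dst": "10.0.1.40", "rule": "av-cleaned", "severity": 2},
]


@dataclass
class Incident:
    src: str
    dst: str
    alerts: list = field(default_factory=list)
    intel_score: int = 0
    actions: list = field(default_factory=list)   # audit trail for the case timeline

    @property
    def max_severity(self) -> int:
        return max(a["severity"] for a in self.alerts)

    @property
    def corroborated(self) -> bool:
        """True when more than one independent console reported the pair."""
        return len({a["source"] for a in self.alerts}) >= 2


def consolidate(alerts):
    """Fold alerts from every console into one incident per (src, dst) pair,
    so an analyst sees one case instead of one alert per product."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src"], a["dst"])].append(a)
    return [Incident(src=s, dst=d, alerts=al) for (s, d), al in groups.items()]


def enrich(incident, intel=THREAT_INTEL):
    """Attach the threat-intel confidence for the source indicator."""
    incident.intel_score = intel.get(incident.src, 0)
    return incident


def run_playbook(incident, protected=PROTECTED_ASSETS):
    """Choose a response. Blocking and isolation run unattended only when
    the indicator is high-confidence, two consoles agree, and the target is
    not a protected asset; otherwise the case goes to a human."""
    if incident.intel_score >= 80 and incident.corroborated:
        if incident.dst in protected:
            incident.actions += ["escalate_to_analyst", "request_approval:isolate_host"]
        else:
            incident.actions += [f"block_ip:{incident.src}",
                                 f"isolate_host:{incident.dst}", "open_case"]
    elif incident.max_severity >= 5 or incident.intel_score > 0:
        incident.actions += ["open_case", "enrich_ticket"]
    else:
        incident.actions += ["auto_close"]
    return incident


def triage(alerts):
    """Full pipeline: consolidate -> enrich -> playbook, returning incidents."""
    return [run_playbook(enrich(inc)) for inc in consolidate(alerts)]


if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        print(f"{inc.src} -> {inc.dst} sev={inc.max_severity} "
              f"intel={inc.intel_score} actions={inc.actions}")
```

Running the block turns seven alerts from three consoles into four incidents: the corroborated, high-confidence beaconing to an ordinary workstation is blocked and isolated automatically, the same indicator hitting the protected host is escalated with an approval request instead, the low-confidence scan becomes a ticket, and the already-cleaned AV event is closed. The guardrails are the point: "response without human intervention" cuts both ways, and a playbook that isolates a domain controller on a single false positive is an outage the SOC inflicted on itself, so gate destructive actions on corroboration, indicator confidence and a protected-asset list, and record every action so it appears on the case timeline.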

FortiSOAR addresses all three of the core SOAR capabilities identified by Gartner:

  1. Security incident response that spans the entire response process, from planning and management to the tracking and coordinating of responses to a security incident.
  2. Threat and vulnerability management to enable the remediation of vulnerabilities through formalized workflow, reporting, and collaboration capabilities.
  3. Security operations automation to enable the orchestration of workflows, processes, policy execution, and reporting.

Digital Innovation Requires Automated Security Solutions

Moving aggressively into today’s digital marketplace is essential for organizations looking to compete. But new business models and digital resources expand the attack surface and can quickly overwhelm security teams struggling to see and manage the expanded network through the lenses of multiple security consoles.

Digital innovation should not come at the expense of security. Simplifying security deployment requires a Security Fabric – supported by the use of SIEM technologies to aggregate security threat intelligence, and the deployment of a SOAR solution to provide deep analysis, broad visibility, and automated response to persistent threats. And the addition of advanced AI analysis across the distributed Security Fabric further ensures visibility, detection, orchestration, and automated response to cyber events that occur anywhere across the expanding enterprise.

Find out how FortiSOAR enables SOC teams to accelerate incident response, unify operations, and eliminate alert fatigue.

Discover how this managed care provider and this consumer financial pioneer leveraged FortiSOAR to streamline SOC operations.

Engage in the Fortinet Security Orchestration, Automation and Response (SOAR) user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.