Industry Trends

Choosing the Right SOAR Solution to Support Your SecOps Team

By David Finger | June 24, 2020

The digital attack surface continues to expand due to a combination of evolving threats and new digital innovations. In an attempt to keep up, many organizations add security capabilities (often as dedicated point solutions) to address each new challenge, inadvertently adding complexity. This increased security complexity exacerbates their current reality: too many vendors to manage, alerts to investigate, consoles to monitor, manual processes to follow, and a lack of skilled staff to manage expanding workloads.

Incorporating security orchestration, automation, and response (SOAR) can alleviate these pressures before teams reach a breaking point.

Security Alert Fatigue as a Threat Factor

The risk is real, and often acute. Security analysts are currently overwhelmed by the number of security alerts they face each day. Increasingly complex and fragmented security infrastructures (too many point products from different vendors) are often the culprit. For example, in trying to keep pace with emerging threats and new risk exposures, the average enterprise now deploys 47 different security solutions and technologies.

While the sheer volume of alerts is a big part of the problem, tracking, investigating, and trying to remediate alerts from multiple sources requires a great deal of manual effort on the part of security operations center (SOC) staff. These inefficient processes slow down the incident response process, which currently takes an average of 279 days to identify and contain a single breach.

Simultaneously, organizations are struggling with a worldwide cybersecurity skill shortage when it comes to security operations (SecOps). Nearly two-thirds (65%) of companies report that they currently lack the skilled staff they need to maintain effective security operations.

These intersecting factors further increase the chances of a breach going undetected.

SOAR as a Solution to Security Alert Fatigue

Organizations need to arm their SecOps teams with an easily customizable framework that orchestrates and/or automates recurring functions—across all of the organization’s security tools and teams—eliminating alert fatigue instead of adding to it and reducing context switching. The resulting efficiency enables SecOps teams to optimize their security processes, not just adapt.

Specifically, SOAR allows SecOps teams to automate the tedious and repetitive elements of workflows that do not require human oversight, while maintaining human action and authority when needed. The best SOAR solutions enrich and contextualize threat data to help analysts quickly triage cases according to the severity of the risk, sensitivity of the data or resources under threat, or criticality of the business functions being targeted.

SOAR Supplements Security Teams

Security teams can have different staffing levels and organizational structures, but they typically face the same fundamental challenges. Even if you are a single small, shared IT and security team with a limited number of vendors and security controls, the breadth of your responsibility limits the time available for a relatively small number of alerts. Larger dedicated security teams, by contrast, have more staff, skill sets, and available time, but also more vendors, controls, and alerts to address. In either case, a broad, integrated, and automated security fabric, combined with the centralized alerting, orchestration, and automation of SOAR, can help teams of all sizes meet the challenges facing them.

As part of an integrated security fabric architecture, SOAR should unify security tools and functions into a single, federated solution and set of processes. As a bonus, by automating the majority of lower-level, tier-1 alert processes, SOAR can make the SOC team’s workload more efficient by enabling analysts to focus on more critical tasks.

Here are three key capabilities and use cases that can deliver immediate value from an integrated SOAR solution:

  • Unified Security Workbench: Whether you have a diverse, multivendor security infrastructure, a single vendor solution with multiple components, or something in between, a unified workbench simplifies security complexity by integrating multiple security solutions into a centralized orchestration system that can be deployed in virtually any environment. Out-of-the-box connectors enable teams to implement SOAR seamlessly while providing a centralized point of visibility and control across the organization. This integration eliminates ecosystem fragmentation, simplifies security operations processes, and extends the useful life of existing tools to maximize the return on investment (ROI) for those purchases. It enables teams to centralize their entire security process and respond to threats using all their current tools, resulting in faster real-time response.
  • Automated Alert Triage: Due to lengthy incident response processes, it has become increasingly difficult for analysts to keep up with the pace of incoming alerts. An effective SOAR solution aggregates these alerts while enriching them with added context to accelerate time to resolution. It also helps reduce the number of “false-positive” alerts, while providing advanced case management functions that help to define, guide, and speed investigations. Of note, it can streamline simple tasks, such as alert ingestion, prioritization based on severity levels, task assignments, and subroutines. It can also automate more complex end-to-end (E2E) tasks, such as triage, enrichment, investigation, and remediation, by centralizing security processes and automatically correlating alerts from across the security stack into a single incident. These sophisticated integration and automation capabilities help eliminate the repetitive heavy lifting that leads to alert fatigue. This, in turn, allows security professionals to focus on more sophisticated security functions like threat hunting, while reducing their workloads as well as the window of exposure to an active breach threat.
  • Orchestrating to Accelerate Incident Response: Numerous manual workflows across products, teams and functions impede alert investigations and increase time to resolution. They also increase the risk of human oversight and error. Organizations in this situation are not merely operationally inefficient, they are also at an increased risk of a breach. The remedy is to leverage SOAR to map recurring and ad hoc processes, guiding and assisting security staff through each critical step in serial and concurrent order. This results in the robust orchestration and automation of all SOC processes, and an improvement in overall security.
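As an added illustration of the ingest, enrich, correlate, and prioritize steps described in the bullets above (this is example code written for this article, not FortiSOAR's or any vendor's implementation), the following Python runs a minimal triage pipeline over constructed alerts from three tools. The alert field names, threat-intel table, asset criticality values, scoring rule, and routing threshold are all assumptions.

```python
from collections import defaultdict
# Constructed sample alerts from three tools, each in its own field names (not real telemetry).
RAW_ALERTS = [
    {"src": "edr", "host": "fin-ws-07", "sev": "high", "hash": "deadbeef01"},
    {"src": "firewall", "dst_host": "fin-ws-07", "severity": 3, "dest_ip": "203.0.113.9"},
    {"src": "email", "recipient_host": "hr-ws-12", "level": "low", "url": "http://example.invalid/x"},
    {"src": "firewall", "dst_host": "hr-ws-12", "severity": 1, "dest_ip": "198.51.100.4"},
]
# Constructed enrichment sources: asset criticality (1 = low, 3 = crown jewel) and indicator reputation.
ASSET_CRITICALITY = {"fin-ws-07": 3, "hr-ws-12": 1}
THREAT_INTEL = {"deadbeef01": "malicious", "203.0.113.9": "malicious", "198.51.100.4": "benign"}
SEVERITY_SCALE = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def normalize(alert):
    """Map each tool's schema onto one common record: host, numeric severity, indicator."""
    if alert["src"] == "edr":
        return {"host": alert["host"], "severity": SEVERITY_SCALE[alert["sev"]], "indicator": alert["hash"]}
    if alert["src"] == "firewall":
        return {"host": alert["dst_host"], "severity": alert["severity"], "indicator": alert["dest_ip"]}
    return {"host": alert["recipient_host"], "severity": SEVERITY_SCALE[alert["level"]], "indicator": alert["url"]}

def enrich(record):
    """Attach indicator reputation and asset criticality; unknown indicators stay 'unknown'."""
    record["reputation"] = THREAT_INTEL.get(record["indicator"], "unknown")
    record["criticality"] = ASSET_CRITICALITY.get(record["host"], 1)
    return record

def correlate(records):
    """Group enriched alerts that share a host into one incident."""
    incidents = defaultdict(list)
    for r in records:
        incidents[r["host"]].append(r)
    return incidents

def prioritize(alerts):
    """Score = highest severity x asset criticality, +2 if any indicator is known-malicious."""
    score = max(a["severity"] for a in alerts) * alerts[0]["criticality"]
    return score + 2 if any(a["reputation"] == "malicious" for a in alerts) else score

def triage(raw_alerts, analyst_threshold=4):
    """Run ingest -> enrich -> correlate -> prioritize; only low-scoring incidents with no
    malicious indicator are closed automatically (tier-1), everything else goes to an analyst."""
    result = {}
    for host, alerts in correlate(enrich(normalize(a)) for a in raw_alerts).items():
        score = prioritize(alerts)
        malicious = any(a["reputation"] == "malicious" for a in alerts)
        route = "analyst" if malicious or score >= analyst_threshold else "auto-close"
        result[host] = {"alerts": len(alerts), "score": score, "route": route}
    return result
```

Two firewall events and an EDR hit on the finance workstation collapse into one high-priority incident, while the low-severity mail and firewall noise on the HR host is closed without an analyst touching it.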

What to Look For in a SOAR Solution

With the right SOAR solution in place, security teams can increase efficiency by automating every task, change, or update according to the organization’s needs. Instead of just automating a single workflow, the right SOAR solution should augment the entire security function to improve overall security. For example, security teams should be able to automate any response and subroutine. And where it makes sense, they should also be able to set threshold conditions for the SOAR solution to immediately take an identity offline and leverage its built-in playbooks and connectors to achieve an optimal incident response.

Additionally, an effective SOAR solution should include an inherently scalable architecture that can deliver high availability for growing enterprise organizations. It should seamlessly expand across growing and/or distributed organizations without seriously impacting the resources needed for deployment and management at scale.

And given the diversity of security teams, SOAR solutions should be right-sized for different organizations, from automation across a single-vendor solution set to full orchestration of security processes across multivendor environments.

Solving SecOps Team Challenges With the Right SOAR Solution

SecOps teams will continue to face the dual pressures of an expanding attack surface and a lack of resources. And unless something changes, they will continue to struggle to keep pace with growing risk exposure. An effective, fully featured SOAR solution that is suitable for their team and processes can help mature security teams address these difficulties while also enhancing, optimizing, and fortifying their organization’s security processes. Teams that leverage the automation and orchestration capabilities of SOAR can advance their entire incident response process with a nimble and customizable solution that helps security operations quickly adapt their response to an ever-evolving threat landscape.

When an organization chooses the right SOAR solution for the daunting and continuing challenges facing its SecOps team, the outcome is a simplified security ecosystem, elimination of alert fatigue, accelerated response times, and a reduced burden on limited SOC team resources, all while maximizing team collaboration and reducing risk.

Find out how FortiSOAR enables SOC teams to accelerate incident response, unify operations, and eliminate alert fatigue.

Discover how this managed care provider and this consumer financial pioneer leveraged FortiSOAR to streamline SOC operations.