How FortiSOAR Benefits Partner SOC Operations

By Stephan Tallent | September 16, 2020

This is a summary of an article written for MSSP Alert by Fortinet’s Sr. Director, MSSP & Service Enablement, Stephan Tallent. The entire article can be accessed here.

The expanding digital attack surface is making it increasingly difficult for organizations to proactively manage their network security. This has led many enterprises to deploy additional security tools to bolster capabilities to secure new environments and devices. While these solutions may address security concerns, they also create new challenges for security teams to manage, creating additional complexity while reducing visibility and control and the ability to respond to detected threats. Using solutions from different vendors decentralizes network operations, while using static security devices to secure dynamic network environments can create critical gaps in security. And with a growing shortage of skilled cybersecurity professionals, IT teams struggle to build and maintain security systems that can keep pace with today’s sophisticated threats. These challenges are driving the use of SOAR tools to streamline security operations and improve incident response times. According to Gartner, by year-end 2022, 30% of organizations with a security team of more than 5 people will leverage SOAR tools in their security operations.

How SOAR Can Help SOC Teams Enable Threat Management

Working to identify alerts from different sources is no easy task for the security operations center (SOC) teams. The volume of false alerts, combined with the manual effort required to verify their legitimacy, slows down incident response times – meaning it takes longer to identify and contain a breach. It is these factors, coupled with the current cybersecurity skills gap, that leave many SOC teams feeling overburdened and unable to effectively identify and remediate threats on their networks.

With a SOAR (security orchestration, automation, and response) solution in place, however, SOC teams can effectively streamline their security response while unifying their operations. The integration of solutions further enables SOC teams to create a centralized security platform that allows for coordinated cybersecurity efforts based on actionable threat intelligence. Further, this model can optimize internal processes by prioritizing strategic alerts, reducing team member workloads, and enhancing threat visibility.  

Challenges Facing Security Operations Center Teams

Several challenges can arise as a result of alert overload across security operations centers, including:

Finding and Retaining Security Talent

A majority (64%) of daily tasks taken on by SOC operations personnel are manual, repetitive, and center on the use of disintegrated tools. These factors, combined with a seemingly constant influx of information, often at irregular hours, can make it difficult to retain SOC personnel. Additionally, considering the zero percent unemployment rate among security operations talent, it is no surprise that staffing a SOC team is an ongoing challenge.

Incident Response 

Today’s cyberattack technologies can successfully penetrate a network in a matter of seconds, often exploiting newly deployed attack vectors. And as cybercriminals begin to leverage advanced evasion techniques and experiment with using automation and artificial intelligence to carry out attacks, manual response is no a longer viable option to keeping networks secure. When you factor in alert fatigue, the volume of data being generated by growing numbers of devices, and the lack of available security talent, it becomes clear that many SOC teams are not equipped to manage advanced cyberthreats. Implementing a machine-based response with human authority, is now a necessity for those responsible for network security.

Lack of a Centralized Security Infrastructure 

More often than not, the tools that Network Operations Center (NOC) and SOC personnel use to do their job are not designed to work with one another. This lack of cohesion increases the likelihood of oversights in threat detection and management, which can create additional gaps in security.

Unified Case Management

Threat response often involves multiple teams who work across different shifts, and even different time zones, making collaboration difficult. Without a uniform integration point for case management, and digitally based correlation and coordinated response, the chance of threats being mismanaged or going undetected altogether increases. 

How FortiSOAR Optimizes Partner SOC Operations

FortiSOAR, is a vendor agnostic solution that allows security operations teams to enhance their network operations by creating a custom automated framework that centralizes their organization’s security capabilities. As a result, SOC teams can unify and standardize their processes, thereby improving response times and eliminating alert fatigue. Furthermore, t­he visibility gained from FortiSOAR translates to more strategic cybersecurity alerts, enabling SOC teams to adapt and optimize their security practices as needed.

The following are three ways partners can leverage FortiSOAR to optimize their SOC operations and add value for customers.

Maximize Security Investments

With FortiSOAR, partner SOC teams can seamlessly integrate existing solutions from other vendors into their own security orchestration systems. By integrating point solutions together, partners can better utilize their capabilities, thereby maximizing their return on investment for those purchases. Additionally, partners can monetize their SOAR investment through professional and incident response services that expand on traditional security asset management and monitoring.

Increased Response Accuracy and Consistency 

Manually managing a variety of point solutions inhibits alert investigation and introduces opportunities for human oversight and error. Larger advanced SOC team’s benefit most from FortiSOAR, as it also leverages the features offered by FortiAnalyzer and FortiSIEM to enhance visibility and can automate simple SOC tasks such as alert ingestion and task assignments. With FortiSOAR’s level of advanced automation, SOC teams can accelerate their threat response while cutting back on manual errors and responding in machine speed with automated playbooks. This frees up time, allowing security personnel to focus their efforts on higher priority items. 

Collaborative Threat Management

By eliminating manual tasks, SOC teams can better manage their resources, including staff time and labor. FortiSOAR streamlines the process of detection and automated response by allowing partners to create custom security protocols based on the specific needs of their customers. 

FortiSOAR also enables partners to collaborate on case management across shifts. Every team member’s workflow is documented and can be accessed at any time so that employees who work different shifts can coordinate their efforts. This feature also ensures that critical insights are not lost when an employee changes teams or leaves an organization.

Figure 1: The SOC Automation Framework

Final Thoughts on FortiSOAR

FortiSOAR ensures that partners are equipped to manage the challenges that come with the expanding attack surface and the ability to orient their service offering towards high margin threat detection and response services. With SOAR integration, partners can provide their SOC teams with integrated security solutions that allow them to better protect both internal and customer networks while improving operational maturity and profit margins.

Find out how FortiSOAR enables SOC teams to accelerate incident response, unify operations, and eliminate alert fatigue.

Current partners can visit the Partner Portal to find important updates from Fortinet and our partner program.