Automating incident response and corporate SOC

6 main use cases of SOAR in corporate SOC

Cyber attacks rank first among global human-caused risks, according to the World Economic Forum's "Global Risks Report 2020". Given the value of their assets and the expanding topology of digital infrastructure and new technologies such as Big Data and AI, businesses face an urgent question: how should they respond to the growing volume and variety of threats?

Having a fully functioning Security Operations Centre (SOC) team changes the risk landscape for any organisation, large or small. And as threats grow steadily more sophisticated, making sure the SOC uses its full potential is of paramount importance. Technologies such as Security Orchestration, Automation and Response (SOAR) make this possible, greatly strengthening the cybersecurity posture of the monitored enterprise.

First, understand what SOAR is

SOAR (Security Orchestration, Automation and Response) is a stack of compatible software programs that enables an organization to collect security threat data and respond to security events with little or no human assistance. The goal of using a SOAR platform is to improve the efficiency of physical and digital security operations.

SOAR basically encompasses the following functions in a SOC context:

  • Security orchestration connects and coordinates heterogeneous toolsets in the SOC for more efficient ingestion, enrichment, monitoring and incident identification.
  • Automation helps SOCs take a more proactive security posture by automatically triggering workflows, tasks and triages based on predefined parameters.
  • Response accelerates the SOC's handling of routine, low-risk incidents end to end and supports analyst-driven response to the rest by providing a single view from which to access, query and share threat intelligence.

Within these three categories, there are dozens of ways in which automation accelerates manual tasks. The primary value of SOAR tools is to support human analysts to scale and automate repetitive and tedious tasks so that the SOC team can focus on high-level threats.

We have picked out six examples of how this technology reduces the time to contain threats and, in doing so, raises the level of protection of the companies that use it.

1. Coordination of intelligence against threats

Every day, SOAR platforms process hundreds of thousands of indicators of compromise (IOCs).

IOCs are collected from internal and external threat intelligence feeds, malware analysis tools, endpoint detection and response (EDR) platforms, SIEM systems, network detection and response (NDR) tools, email inboxes, RSS feeds, regulatory bodies and other databases.

SOAR platforms coordinate and aggregate the alerts from these tools, normalise the indicators they carry so that the same artefact is recognised across sources, and flag indicators that appear in more than one of them.
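The normalisation and cross-source matching described above, as an added example that is not part of the original article or of any SOAR product: three constructed inputs (a defanged threat feed, an EDR alert and a user-reported phishing email) are reduced to canonical indicators, and the indicators reported by more than one source are surfaced first. The feed records, hashes and field names are all constructed for the example.

```python
"""Normalise indicators from several constructed sources and find those seen by more than one."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

HEX = re.compile(r"^[0-9a-f]+$")
DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Constructed sample data: what three different SOC tools might hand to a SOAR platform.
THREAT_FEED = [  # external TI feed, defanged and inconsistently cased
    {"type": "ipv4", "value": "203.0.113[.]45"},
    {"type": "domain", "value": "Update-Check[.]example"},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4},
]
EDR_ALERTS = [  # endpoint alert: process hash plus the destination it contacted
    {"host": "ws-017", "sha256": "0123456789abcdef" * 4, "dst_ip": "203.0.113.45"},
]
EMAIL_REPORTS = [  # user-reported phishing, URL defanged by the mail tool
    {"reporter": "alice", "url": "hxxp://update-check.example/login"},
]


def refang(value: str) -> str:
    """Undo common defanging so that 203.0.113[.]45 and 203.0.113.45 compare equal."""
    v = value.strip()
    for old, new in (("[.]", "."), ("(.)", "."), ("[:]", ":"),
                     ("hxxp://", "http://"), ("hxxps://", "https://")):
        v = v.replace(old, new)
    return v


def classify(raw: str):
    """Return (indicator_type, canonical_value), or None if the string is not an indicator."""
    v = refang(raw)
    if "://" in v:
        parts = urlparse(v)  # urlparse lower-cases scheme and hostname, keeps the path as-is
        return ("url", f"{parts.scheme}://{parts.hostname}{parts.path}") if parts.hostname else None
    low = v.lower()
    try:
        ipaddress.ip_address(low)
        return "ip", low
    except ValueError:
        pass
    if HEX.match(low) and len(low) in (32, 40, 64):
        return {32: "md5", 40: "sha1", 64: "sha256"}[len(low)], low
    if DOMAIN.match(low):
        return "domain", low
    return None


def indicators_in(record: dict, fields) -> set:
    """Extract canonical indicators from the named fields; a URL also yields its host as a domain."""
    found = set()
    for f in fields:
        hit = classify(str(record.get(f, "")))
        if not hit:
            continue
        found.add(hit)
        if hit[0] == "url":
            host = urlparse(hit[1]).hostname
            host_hit = classify(host) if host else None
            if host_hit:
                found.add(host_hit)
    return found


def correlate(sources: dict) -> dict:
    """Map each canonical indicator to the set of source names that reported it."""
    seen = defaultdict(set)
    for name, (records, fields) in sources.items():
        for rec in records:
            for ind in indicators_in(rec, fields):
                seen[ind].add(name)
    return dict(seen)


def multi_source(seen: dict, minimum: int = 2) -> dict:
    """Indicators reported independently by at least `minimum` sources: the ones to triage first."""
    return {ind: srcs for ind, srcs in seen.items() if len(srcs) >= minimum}


# Which field(s) of each constructed source carry indicators (hypothetical source names).
SOURCES = {
    "ti_feed": (THREAT_FEED, ["value"]),
    "edr": (EDR_ALERTS, ["sha256", "dst_ip"]),
    "phish_reports": (EMAIL_REPORTS, ["url"]),
}

if __name__ == "__main__":
    for ind, srcs in sorted(multi_source(correlate(SOURCES)).items()):
        print(f"{ind[0]:7} {ind[1]:<40} seen by {', '.join(sorted(srcs))}")
```

Without the canonical form, the feed's `203.0.113[.]45`, the EDR's `203.0.113.45` and the upper- and lower-case copies of the same hash would be counted as distinct artefacts and the overlap between tools would be invisible.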

2. Incident management

Potential threats are often detected by several tools at once, so analysts can spend considerable time reconciling disparate data that describes the same threat.

SOAR in the SOC brings all of that data together into a single case. Cases are handled faster, and the mean times to detect and to respond come down, whether the work is done by automation or by human investigation.
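How alerts from separate tools end up in one case, as an added example that is not part of the original article or of any SOAR product: alerts are linked whenever they share an entity (a user, a host, an IP or a URL), the linked alerts become one case with the earliest alert as its start time, and the time to containment is measured from that start. The five alerts, tool names and timestamps are constructed for the example.

```python
"""Group constructed alerts from several tools into cases by shared entities."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed alerts: four tools reporting one intrusion, plus one unrelated event.
ALERTS = [
    {"id": "siem-1", "tool": "siem", "ts": "2024-05-02T09:01:00Z",
     "title": "Impossible-travel login", "entities": {"user:bob"}},
    {"id": "edr-7", "tool": "edr", "ts": "2024-05-02T09:04:30Z",
     "title": "Suspicious PowerShell", "entities": {"host:ws-017", "user:bob"}},
    {"id": "ndr-3", "tool": "ndr", "ts": "2024-05-02T09:06:10Z",
     "title": "Beacon to rare domain", "entities": {"host:ws-017", "ip:203.0.113.45"}},
    {"id": "mail-2", "tool": "email", "ts": "2024-05-02T08:55:00Z",
     "title": "Phish reported by user", "entities": {"user:bob", "url:http://update-check.example/login"}},
    {"id": "siem-9", "tool": "siem", "ts": "2024-05-02T10:20:00Z",
     "title": "Failed logins", "entities": {"user:carol"}},
]


class DisjointSet:
    """Union-find over alert ids and entity strings; alerts joined through any shared entity end up together."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_cases(alerts) -> list:
    """Return cases ordered by first alert; each case lists its alerts, tools and entities."""
    ds = DisjointSet()
    for a in alerts:
        for entity in a["entities"]:
            ds.union(a["id"], entity)
    groups = defaultdict(list)
    for a in alerts:
        groups[ds.find(a["id"])].append(a)
    cases = []
    for members in groups.values():
        members.sort(key=lambda a: parse_ts(a["ts"]))
        cases.append({
            "alerts": [m["id"] for m in members],
            "tools": sorted({m["tool"] for m in members}),
            "entities": sorted(set().union(*(m["entities"] for m in members))),
            "first_seen": members[0]["ts"],
            "last_seen": members[-1]["ts"],
        })
    cases.sort(key=lambda c: parse_ts(c["first_seen"]))
    for n, c in enumerate(cases, start=1):
        c["case_id"] = f"CASE-{n}"  # hypothetical id scheme
    return cases


def minutes_to_contain(case: dict, contained_at: str) -> float:
    """Time from the case's earliest alert to the containment action, in minutes."""
    return (parse_ts(contained_at) - parse_ts(case["first_seen"])).total_seconds() / 60


if __name__ == "__main__":
    for case in build_cases(ALERTS):
        print(case["case_id"], case["tools"], case["alerts"], case["first_seen"])
```

Linking purely on shared entities over-merges in practice: a shared proxy IP, a service account or a busy jump host would pull unrelated alerts into one case, so production platforms weight entity types and bound the time window within which two alerts may be joined.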

3. Vulnerability management

In the past, SOC analysts relied on manual management and inventory of security vulnerabilities. But by implementing SOAR, several SOC tasks can be automated to handle volume, monitoring and simple responses.

Specifically, SOAR correlates vulnerability scan results with asset inventory and threat data from the other security tools to calculate a risk score and prioritise remediation according to the likely impact of each finding.

4. Continuous improvement in threat control

SOAR platforms increase efficiency in threat control by accelerating the processing of indicators of compromise (IOCs): they query multiple reference databases and intelligence tools for the different types of risk and threat an indicator may represent.

This lets SOC analysts analyse, verify, triage and respond more accurately and efficiently. This SOAR use case saves analysts significant time by quickly enriching large volumes of IPs, URLs and hashes with reputation data, without compromising the depth of investigation required.

5. Threat hunting

Beyond serving as a knowledge base that uses IOCs as a reference, SOAR platforms effectively support proactive threat hunting.

Threat hunting is a crucial task for SOC analysts, but a time-consuming one given the ever-increasing scope of risks. SOAR helps with agility and scale by adding data sets for continuous analysis.

In addition, SOAR assists in scoping the search for threats, investigating malware or suspicious domains and incorporating human-in-the-loop decisions at strategic points.

6. Incident response

Automating incident prevention and response processes aims to act against current threats quickly enough to avoid later costs and higher-impact losses.

The use of SOAR in SOC handles prevention and response for various security threats such as phishing, malware, denial of service, web defacement, ransomware and others.

Automated responses take numerous forms, depending on the nature of the threat, including the following:

  • Automatically add indicators to IOC lists;
  • Automatically block indicators confirmed as malicious;
  • Automatically quarantine compromised endpoints;
  • Automatically generate tickets;
  • Automatically block a suspicious email sender or IP address;
  • Automatically delete a suspicious email from every other mailbox that received it;
  • Automatically disable compromised user accounts;
  • Automatically trigger an anti-virus scan or security compliance check; and
  • Automatically alert specific analysts, employees, suppliers, partners or customers.

Not every action on this list should run unattended. Adding an indicator to a list or opening a ticket is cheap to undo; isolating an endpoint or disabling an account on the strength of a false positive takes a user or a server out of service, so most SOCs keep those steps behind an analyst approval in the playbook and log every automated action so it can be reversed.
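A playbook that ties the enrichment of section 4 to the response actions of section 6, as an added example that is not part of the original article or of any SOAR product: indicators from an alert are looked up through a cache, a risk score is computed from the verdicts and the criticality of the affected asset, the score selects the actions, and disruptive actions (endpoint isolation, account disabling) are held back until an analyst approves them. The reputation table, the alerts, the score thresholds and the action names are constructed for the example; a real platform would query its reputation services and ticketing system in place of the in-memory table.

```python
"""Enrich an alert's indicators, score it, and run only the non-disruptive actions without approval."""
from dataclasses import dataclass, field

# Constructed local reputation data standing in for the external reputation services a SOAR would query.
REPUTATION_DB = {
    "203.0.113.45": {"verdict": "malicious", "tags": ["c2"], "confidence": 90},
    "update-check.example": {"verdict": "malicious", "tags": ["phishing"], "confidence": 80},
    "198.51.100.7": {"verdict": "benign", "tags": ["cdn"], "confidence": 95},
}
UNKNOWN = {"verdict": "unknown", "tags": [], "confidence": 0}

# Actions that are cheap to undo run automatically; disruptive ones wait for an analyst (hypothetical names).
SAFE_ACTIONS = {"add_to_ioc_list", "block_ip", "block_domain", "quarantine_email", "open_ticket", "notify_analyst"}
DISRUPTIVE_ACTIONS = {"isolate_endpoint", "disable_account"}


@dataclass
class Enricher:
    """Looks indicators up once; repeated indicators across alerts cost a single query."""
    db: dict
    cache: dict = field(default_factory=dict)
    queries: int = 0

    def lookup(self, indicator: str) -> dict:
        if indicator not in self.cache:
            self.queries += 1
            self.cache[indicator] = self.db.get(indicator, UNKNOWN)
        return self.cache[indicator]

    def enrich_many(self, indicators) -> dict:
        return {i: self.lookup(i) for i in indicators}


def risk_score(enriched: dict, asset_criticality: str) -> int:
    """0-100: confidence of the strongest malicious verdict, raised for more critical assets."""
    worst = max((e["confidence"] for e in enriched.values() if e["verdict"] == "malicious"), default=0)
    return min(100, worst + {"low": 0, "medium": 10, "high": 20}[asset_criticality])


def plan_actions(alert: dict, enriched: dict, score: int) -> set:
    """Choose actions from the verdicts and the score; thresholds are constructed for the example."""
    actions = {"open_ticket"}
    for kind, value in alert["indicators"]:
        if enriched[value]["verdict"] == "malicious":
            actions.add("add_to_ioc_list")
            actions.add({"ip": "block_ip", "domain": "block_domain"}.get(kind, "add_to_ioc_list"))
    if any("phishing" in e["tags"] for e in enriched.values() if e["verdict"] == "malicious"):
        actions.add("quarantine_email")
    if score >= 50:
        actions.add("notify_analyst")
    if score >= 70 and alert.get("host"):
        actions.add("isolate_endpoint")
    if score >= 90 and alert.get("user"):
        actions.add("disable_account")
    return actions


def run_playbook(alert: dict, enricher: Enricher, approvals=frozenset()) -> dict:
    """Execute safe actions immediately; queue disruptive ones unless an analyst has approved them."""
    enriched = enricher.enrich_many([value for _, value in alert["indicators"]])
    score = risk_score(enriched, alert["asset_criticality"])
    executed, pending = [], []
    for action in sorted(plan_actions(alert, enriched, score)):
        if action in DISRUPTIVE_ACTIONS and action not in approvals:
            pending.append(action)  # human-in-the-loop: wait for analyst sign-off
        else:
            executed.append(action)  # a real playbook would call the firewall, EDR or ticketing API here
    return {"score": score, "executed": executed, "awaiting_approval": pending, "enrichment": enriched}


# Constructed alerts: one phishing-led compromise and one benign CDN connection.
PHISH_ALERT = {"id": "edr-7", "host": "ws-017", "user": "bob", "asset_criticality": "medium",
               "indicators": [("ip", "203.0.113.45"), ("domain", "update-check.example")]}
BENIGN_ALERT = {"id": "ndr-8", "host": "ws-020", "user": "carol", "asset_criticality": "low",
                "indicators": [("ip", "198.51.100.7")]}

if __name__ == "__main__":
    enricher = Enricher(REPUTATION_DB)
    print(run_playbook(PHISH_ALERT, enricher))
    print(run_playbook(PHISH_ALERT, enricher, approvals=frozenset({"isolate_endpoint"})))
    print(run_playbook(BENIGN_ALERT, enricher), "queries:", enricher.queries)
```

Run once, the phishing alert scores 100: the indicator blocks, the mailbox quarantine and the ticket go out immediately while endpoint isolation and the account disable sit in the approval queue; a second run with the isolation approved executes it and leaves only the account action pending. The benign alert produces nothing but a ticket, and the cache means the three distinct indicators cost three lookups in total across all runs.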

Among the benefits of SOAR is the coordination of threat intelligence across large security estates, freeing technical staff to focus on the threats that matter and supporting the entire threat intelligence lifecycle. From detection through triage, response and containment, SOAR in the SOC is key to achieving greater oversight, context and speed of response.

SOAR is useful not only for automating security processes, but also for optimising them; not only does it improve the analyst experience, but also the SOC team's ability to communicate with the organisation.

Properly implemented, and with the organisation's culture and industry taken into account, these SOAR use cases can strengthen the foundation of a company's security posture.