Integrating SIEM and SOAR is the next step in cybersecurity maturity, writes Faiz Shuja, Co-Founder and CEO of SIRP, a SOAR platform company.
Automation has become one of the most important factors in the cybersecurity landscape in recent years. Threat actors are now increasingly using automation tools to vastly increase the volume of their attacks. On the defensive side, automation has likewise become a major priority as security teams struggle to keep up with the flood of security alerts coming their way.
Earlier this year, research conducted by SIRP found that security professionals report receiving an average of 840 security alerts every day. With most alerts taking around 15-30 minutes to investigate manually, this is an impossible task for any security team. Automating as much of the workload as possible will enable security teams to keep up with the pace and ensure critical threats don’t go unnoticed in the noise. Well-integrated automation can also deliver powerful benefits beyond short-term threat response activity, enabling CISOs to improve efficiency and make more informed strategic decisions. Security Orchestration, Automation and Response (SOAR) platforms have emerged as one of the most effective solutions for delivering these capabilities. SOAR solutions provide a single platform that can connect all of an organisation’s different security solutions. This establishes a single pane of glass to view all incoming alerts in one place and also makes it possible to develop sophisticated automated response playbooks that can handle many threats with minimal human intervention.
There have been some notable shifts in the security market over the last three or four years as the major players seek to meet the demand for automation. In 2018 Splunk acquired Phantom to access its automated incident response capabilities. More recently FireEye acquired Respond Software to enhance its response capabilities, and Fortinet acquired CyberSponse to add its capabilities to the FortiSOAR platform.
One of the most prominent trends has been the integration of SOAR platforms into existing Security Information and Event Management (SIEM) solutions. SIEM aggregates security logs from across the entire IT infrastructure in a single place, making it much easier for personnel to manage and prioritise their activity. SIEM solutions can also be used to analyse threats to identify trends and connect the dots on sophisticated attacks that employ multiple tactics.
However, while SIEM solutions have been an invaluable tool for Security Operations Centre (SOC) teams, they have traditionally stopped short of carrying out response activity. Security analysts still need to investigate alerts and undertake any actions needed to close a vulnerability or counter an active threat. With many organisations now experiencing more than a thousand incoming alerts every day, this manual approach is no longer viable even with the visibility and prioritisation provided by SIEM.
SOAR has emerged as an ideal answer to this problem. By integrating SIEM and SOAR capabilities, security teams can not only view and prioritise incoming threats but also set up automated responses to tackle the bulk of the work in investigating and mitigating them. This is particularly valuable for high-volume threats such as phishing emails. Each suspicious email needs to be investigated and verified as a genuine threat or a false positive – a huge task when an organisation might receive several hundred in a single day. Using a SOAR platform, the SOC team can create a response playbook that automatically investigates and resolves all phishing emails. Higher level threats can be flagged to the team for a more thorough investigation by analysts.
The key to successful integration
When implemented correctly, SOAR can massively enhance the capabilities of security teams using SIEM platforms. However, it should be remembered that automation is always a gradual process. One cannot simply purchase a SOAR platform and flip a switch to achieve instant automation on day one. Security teams will need to complete all the necessary groundwork first, as well as ensuring they make the right choice of SOAR platform for their infrastructure and needs.
The most important step in integrating SOAR successfully is to have solid documentation in place for all security processes. There need to be well-established response playbooks for all major processes. For example, if a potential phishing email is detected, the response might include investigating the sender’s address for signs of spoofing and checking any URLs for their reputation score and for malicious scripts. Once all these processes have been documented, the SOAR platform can begin to carry them out automatically. In this way, something that might have taken a security professional upwards of half an hour can be completed in a couple of minutes without the need for any human intervention. However, without proper documentation, the SOAR solution will only automate a fraction of this activity.
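A minimal version of the phishing playbook described above, added here as an example that is not SIRP's code or from the original article: it checks the sender headers for spoofing signs, looks each URL up in a reputation table, and decides whether the alert is closed as a false positive, auto-remediated, or escalated to an analyst. The reputation table, the 30-points-per-finding scoring, the escalation threshold and the sample alert are all constructed assumptions standing in for a real SOAR platform's integrations.

```python
import re
from urllib.parse import urlparse
# Constructed stand-ins for SOAR integrations: a URL reputation feed (0-100, higher is worse) and the organisation's own mail domain.
URL_REPUTATION = {"login-examp1e-bank.test": 95, "cdn.example.net": 5}
INTERNAL_DOMAIN = "example.com"
ESCALATE_AT = 70  # risk score at or above which an analyst is pulled in
SAMPLE_EMAIL = {  # constructed sample alert, shaped as a SIEM might hand it to the playbook
    "headers": {"From": "IT Helpdesk <helpdesk@example.com>",
                "Return-Path": "<bounce@mailer.example-sender.test>",
                "Authentication-Results": "spf=fail smtp.mailfrom=mailer.example-sender.test"},
    "body": "Password expiring. Verify at https://login-examp1e-bank.test/reset now.",
}

def sender_domain(addr):
    match = re.search(r"@([\w.-]+)", addr)  # domain part of 'Bob <bob@x.test>'
    return match.group(1).lower() if match else ""

def spoofing_indicators(headers):
    """Signs that the From: address is not what it claims to be."""
    findings = []
    from_dom = sender_domain(headers.get("From", ""))
    rp_dom = sender_domain(headers.get("Return-Path", ""))
    auth = headers.get("Authentication-Results", "").lower()
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append("sender authentication failed")
    if from_dom == INTERNAL_DOMAIN and "spf=pass" not in auth:
        findings.append("claims an internal sender without an SPF pass")
    return findings

def url_indicators(body):
    """Reputation lookup for every URL in the body, plus a check for inline script."""
    findings = []
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        score = URL_REPUTATION.get(host, 0)  # unknown hosts score 0 in this stand-in
        if score >= 50:
            findings.append(f"{host} has reputation score {score}")
    if re.search(r"<script\b", body, re.I):
        findings.append("inline script in HTML body")
    return findings

def triage(message):
    """Run the playbook: each finding adds 30 risk; no findings closes the alert."""
    findings = spoofing_indicators(message["headers"]) + url_indicators(message["body"])
    risk = min(100, 30 * len(findings))
    verdict = ("closed_false_positive" if not findings
               else "escalate_to_analyst" if risk >= ESCALATE_AT else "auto_remediate")
    return {"verdict": verdict, "risk": risk, "findings": findings}
```

Calling `triage(SAMPLE_EMAIL)` yields four findings and an escalation; a message that passes SPF with a matching Return-Path and only known-good URLs is closed without analyst involvement.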
In addition, CISOs need to ensure their chosen SOAR platform has strong integration capabilities. The platform will need to fit smoothly with their existing SIEM solution, as well as connecting with the rest of their security solutions and wider IT infrastructure.
Automation solutions have evolved rapidly in the last few years as vendors respond to customer needs and the changing security landscape. SOAR has shifted from pure process automation to incorporate more use cases such as threat intelligence, vulnerability management and risk scoring. Looking ahead, integrating vulnerability intelligence is emerging as a prominent trend. This enables teams to not only automate threat response activity, but also automatically identify and address vulnerabilities such as new exploits. Whichever direction the market goes next, automation will continue to be one of the most important capabilities in keeping up with the growing volume of attacks.