Cyber attacks rank first among global risks caused by humans, according to the World Economic Forum's "Global Risks Report 2020". Given the value of their assets and the expansion of digital infrastructure topology and new technologies such as Big Data and AI, companies face an urgent question: how should they respond to the growing volume and variety of threats?
Having a fully functioning Security Operations Center (SOC) team changes the risk landscape for all organizations, large or small. And with the sophistication of threats evolving exponentially, ensuring that the SOC uses its full potential is extremely important. Technologies such as Security Orchestration, Automation and Response (SOAR) make this possible, greatly strengthening the cybersecurity posture of the monitored company.
First, understand what SOAR is
SOAR (Security Orchestration, Automation and Response) is a stack of compatible software programs that allows an organization to collect data on security threats and respond to security events with little or no human assistance. The aim of using a SOAR platform is to improve the efficiency of physical and digital security operations.
SOAR basically encompasses the following functions in a SOC context:
- Security orchestration connects and coordinates heterogeneous toolsets in the SOC for more efficient ingestion, enrichment, monitoring and incident identification.
- Automation helps SOCs take a more proactive security stance by automatically triggering workflows, tasks and triages based on predefined parameters.
- Response speeds up the SOC's general and targeted reactions to low-risk incidents and supports the analyst's response by providing a single view from which to access, consult and share threat intelligence.
Within these three categories, there are dozens of ways in which automation speeds up manual tasks. The main value of SOAR tools is to support human analysts in scaling and automating repetitive and tedious tasks so that the SOC team can focus on high-level threats.
We've listed 6 examples of how this technology reduces the time it takes to contain threats and thus raises the level of protection for companies.
1. Threat intelligence coordination
Every day, SOAR platforms process hundreds of thousands of indicators of compromise (IOCs).
IOCs are collected from internal and external threat intelligence feeds, malware analysis tools, endpoint detection and response platforms, SIEM systems, network detection and response tools, email inboxes, RSS feeds, regulatory bodies and other databases.
SOAR platforms can coordinate, aggregate and detect alerts from these tools, as well as spot suspicious IOCs that recur across them.
2. Incident management
Potential threats can be detected by several tools at once, so analysts can spend a considerable amount of time piecing together disparate data associated with the same threat.
SOAR in the SOC brings all the data together into a single case narrative. This allows cases to be handled more quickly and reduces the mean time to detect and respond, whether through automation or human intervention and analysis.
3. Vulnerability management
In the past, SOC analysts relied on manual management and inventory of security vulnerabilities. But by implementing SOAR, various SOC tasks can be automated to handle volume, monitoring and simple responses.
Specifically, SOAR correlates threat data across various security tools to calculate risk and prioritize the threat according to its impact.
4. Continuous improvement in threat control
SOAR platforms increase efficiency in threat control by speeding up the processing of indicators of compromise (IOCs), accessing various reference databases and consulting different intelligence tools for different types of risk and threats.
This allows SOC analysts to analyze, verify, triage and respond more accurately and efficiently. This SOAR use case saves analysts significant time by quickly enriching large volumes of IPs, URLs and hashes to check for risk - without compromising the depth of investigation required.
5. Threat control
In addition to serving as a knowledge base using IOCs as a reference, SOAR platforms effectively serve as a form of proactive threat control.
"Threat hunting" is a crucial task for SOC analysts - but a time-consuming one, given the ever-increasing scope of the risks. SOAR helps with agility and scale, adding data sets for continuous analysis.
In addition, SOAR helps scope the search for threats, investigating malware or suspicious domains and incorporating human decisions into the loop at strategic points.
6. Incident response
The aim of automating incident prevention and response processes is to target actions against current threats in order to avoid subsequent costs and major damage.
The use of SOAR in the SOC deals with prevention and response to various security threats, such as phishing, malware, denial of service, web defacement, ransomware and others.
Automated responses take many forms, depending on the nature of the threat, including the following:
- Automatically add indicators to IOC lists;
- Automatically block malicious indicators;
- Automatically quarantine indicators or compromised endpoints;
- Automatically generate tickets;
- Automatically block a suspicious e-mail or IP address;
- Automatically delete suspicious emails from other mailboxes;
- Automatically terminate user accounts;
- Automatically trigger an antivirus scan or security compliance check; and
- Automatically alert analysts, employees, suppliers, partners or specific customers.
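To make the three ideas above concrete (cross-tool IOC correlation from section 1, impact-based prioritization from section 3, and the graded automated responses just listed), here is a minimal triage playbook. It is an added illustration, not code from any SOAR product; the alert feeds, the normalization rules, the scoring formula and the action names are all constructed for the example.

```python
"""Toy SOAR-style triage playbook (added example, not a vendor implementation).

The constructed alerts below stand in for the tools a platform ingests from
(SIEM, EDR, threat-intel feeds, mailboxes). The same IOC reported by two
independent tools is treated as higher risk than one seen by a single tool.
"""
from collections import defaultdict

# Constructed sample alerts from heterogeneous tools; all values are fake.
SAMPLE_ALERTS = [
    {"source": "siem", "type": "ip", "value": "203.0.113.7", "severity": 3},
    {"source": "edr", "type": "hash", "value": "DEADBEEF" * 4, "severity": 4},
    {"source": "ti_feed", "type": "ip", "value": "203.0.113.7", "severity": 2},
    {"source": "mailbox", "type": "url", "value": "HTTP://Example.test/login", "severity": 2},
    {"source": "ti_feed", "type": "url", "value": "http://example.test/login", "severity": 4},
    {"source": "edr", "type": "ip", "value": "198.51.100.9", "severity": 1},
]

def normalize(ioc_type, value):
    """Canonical form so the same IOC from different tools compares equal."""
    value = value.strip()
    if ioc_type == "hash":
        return value.lower()
    if ioc_type == "url":  # lower-case scheme and host, keep the path as-is
        scheme, _, rest = value.partition("://")
        host, _, path = rest.partition("/")
        return f"{scheme.lower()}://{host.lower()}/{path}"
    return value

def correlate(alerts):
    """Group alerts by normalized IOC, recording which tools saw it and the worst severity."""
    seen = defaultdict(lambda: {"sources": set(), "max_sev": 0})
    for a in alerts:
        key = (a["type"], normalize(a["type"], a["value"]))
        seen[key]["sources"].add(a["source"])
        seen[key]["max_sev"] = max(seen[key]["max_sev"], a["severity"])
    return seen

def score(entry):
    """Hypothetical risk score: worst severity plus 2 per additional independent source."""
    return entry["max_sev"] + 2 * (len(entry["sources"]) - 1)

def decide(entry):
    """Map risk to a response tier; disruptive actions stay with a human analyst."""
    s = score(entry)
    if s >= 6:
        return "escalate_to_analyst"  # human in the loop before account or host actions
    if s >= 4:
        return "auto_block"
    return "add_to_ioc_list"

def triage(alerts):
    """Return {"type:value": action} for every distinct IOC across all tools."""
    return {f"{t}:{v}": decide(e) for (t, v), e in correlate(alerts).items()}
```

Note how the URL seen in a mailbox and again in the intel feed collapses to one IOC after normalization and, because two tools reported it, is escalated rather than blocked silently.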
Among the benefits of SOAR is the coordination of threat intelligence across vast security topologies, freeing up technical staff to focus on more relevant threats and supporting the entire threat intelligence lifecycle. From detection and triage to response and containment, SOAR in the SOC is key to achieving greater oversight, context and response.
SOAR is useful not only for automating security processes, but also for optimizing them; it not only improves the analysts' experience, but also the SOC team's ability to communicate with the organization.
With proper implementation that also accounts for cultural and industry considerations, SOAR use cases can strengthen the foundation of a company's security posture.