Getting the Most Out of Security Orchestration, Automation, and Response (SOAR)
As highlighted in the SANS 2021 Cyber Threat Intelligence (CTI) Survey, CTI tools and processes are becoming more automated to give analysts the time they need to fend off a growing number of threats. The survey shows that less than 49% of organizations are satisfied with their automation and integration of CTI information with detection and response systems, and over 37% are not satisfied with their current machine learning capabilities. Security Orchestration, Automation, and Response (SOAR) tools have started to enable organizations to mitigate information security risks proactively, but they depend on quality data for accurate detection and response. Like many tools, the effectiveness of SOAR is directly proportional to the quality of the data it ingests.
Please excuse me while I preach to the choir for a few moments. The three pillars of security (people, process, and technology) are the foundation of a successful security operations program. Let’s take a moment to dive into these challenges.
A well-studied and painfully obvious challenge in security is the abundance of open positions. ESG and ISSA report that over 70% of cybersecurity professionals say their organization is impacted by the cybersecurity skills shortage. Additionally, CSO Online reports that up to 40% of IT leaders say cybersecurity jobs are the most difficult to fill, and Netsparker noted that by 2021 there will be up to 4 million unfilled cybersecurity jobs globally. A vital asterisk here: there are myriad job descriptions for entry-level positions requiring over eight years of experience. I’m no recruiter, but this seems awfully unrealistic. Regardless, teams are struggling to operate at full capacity.
A cornerstone of an effective security strategy is a well-documented process. These processes should be built around people and then include data and technology, not the other way around. When you craft your data requirements by identifying gaps in the questions your team needs to answer, it will come as no surprise that acquiring quality data without completely overwhelming analysts is no small feat. According to the 2020 State of SecOps and Automation, 93% of security operation centers cannot address all security threats the same day, 70% have more than doubled their volume of security alerts in the past five years, and 83% say their security staff experience “alert fatigue”.
The average enterprise has 75 security tools. Let that sink in for a moment. Just as too much data can be overwhelming, so can an abundance of tools. It is with a deep sense of irony that SOAR (a tool) helps consolidate security tools and data as well as providing automation. It also allows security operations to gather context for the issues that arise and to maximize human capital. In fact, when you’re shorthanded, the right data sources coupled with a successful SOAR implementation can help you get the most from your staff. Finally, SOAR helps analyze threats in context. Essentially, SOAR, when executed effectively, makes the most efficient use of your people and process.
The Complexity of Cyber Attacks
Rudimentary detection mechanisms and analytics systems tend to evolve from rule-based and event-based processing. That processing is essential, but as the complexity of attacks increases, so does the sophistication of the methodology required to identify them. The more complex the detection and automation systems become, the more they rely on high-quality data. Cyber attacks can no longer be observed as discrete, isolated events; instead, they should be analyzed in the context of multiple correlated events and how those events relate to or enable one another. This type of analysis requires combining various sources of data, and once that is done, data quality becomes even more critical. Erroneous data can lead to a faulty detection model and noisy alerts or, worse, a workflow that mistakenly closes a valid alert via automation. Data quality is an important aspect of cybersecurity in general, but when organizations strive for automation, what powers that automation needs to be consistent and dependable data sources.
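To make the "automation mistakenly closes a valid alert" risk concrete, here is an added example (not code from the original post or from any SOAR product) of a playbook decision step that only auto-closes an alert when the enrichment data behind that decision is fresh, complete and consistent across sources. The alert shape, the allowlist and inventory records, and the seven-day freshness window are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=7)  # enrichment older than this is treated as stale

# Constructed enrichment sources (assumed shapes, not from any real product).
ALLOWLIST = {   # source IP -> (tag, last_reviewed)
    "10.0.5.9":  ("vuln-scanner", NOW - timedelta(days=1)),
    "10.0.5.20": ("vuln-scanner", NOW - timedelta(days=30)),  # nobody reviewed it
    "10.0.5.30": ("vuln-scanner", NOW - timedelta(days=1)),
}
INVENTORY = {   # IP -> (role, last_verified)
    "10.0.5.9":  ("scanner", NOW - timedelta(days=2)),
    "10.0.5.30": ("workstation", NOW - timedelta(days=2)),   # IP was reassigned
    "10.0.7.4":  ("database", NOW - timedelta(days=3)),
}

def naive_gate(alert):
    """The pattern that closes valid alerts: trust one source, ignore its age."""
    return "close" if alert.get("src_ip") in ALLOWLIST else "escalate"

def quality_gate(alert, now=NOW):
    """Return (action, reason). Only 'close' is taken without a human;
    every data-quality doubt is escalated to an analyst instead."""
    if alert.get("rule") != "port_scan":
        return "escalate", "rule is not eligible for auto-close"
    src = alert.get("src_ip")
    if not src:
        return "escalate", "alert is missing src_ip"
    allow = ALLOWLIST.get(src)
    if allow is None:
        return "escalate", "source is not allowlisted"
    tag, reviewed = allow
    if now - reviewed > MAX_AGE:
        return "escalate", f"allowlist entry for {src} is stale ({(now - reviewed).days}d)"
    inv = INVENTORY.get(src)
    if inv is None:
        return "escalate", f"{src} is allowlisted but absent from inventory"
    role, verified = inv
    if now - verified > MAX_AGE:
        return "escalate", f"inventory record for {src} is stale"
    if role != "scanner":
        return "escalate", f"sources conflict: allowlist says {tag}, inventory says {role}"
    return "close", f"{src} is a verified {tag}"

if __name__ == "__main__":
    for ip in ("10.0.5.9", "10.0.5.20", "10.0.5.30", "10.0.7.4"):
        alert = {"rule": "port_scan", "src_ip": ip}
        print(ip, naive_gate(alert), quality_gate(alert))
```

Both the stale allowlist entry and the reassigned IP would be auto-closed by the naive step; the quality gate hands them to an analyst with the reason attached, which is also the signal to go fix the upstream data.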
Join me to hash out these challenges in my upcoming Lunch and Learn at the SANS SOAR Solutions Forum on June 18th, “Data quality makes your security operations SOAR.” In this presentation, I’ll cover the advantages of high data quality in your SOAR implementation. You can expect to learn:
- How SOAR intends to deliver value to organizations
- The data challenges for implementing it effectively
- How to measure and improve data quality in your organization
- The benefits of SOAR when powered by quality data
I hope to see you there!