SOAR is a security orchestration, automation, and response framework that is quickly becoming adopted by security operations centers (SOCs) around the world.
This framework for IT security management grew out of five key issues SOC teams face when attempting to manage, triage, and resolve the influx of alerts received as part of their security management protocols. The five major concerns raised by security teams were as follows:
- Problem 1: Organizations are forced to do more work with less manpower due to increased workload and limited staffing budgets.
- Problem 2: High-level security analysts need to cull through an ever-increasing amount of alerts when they should be focusing their efforts on higher-priority issues. Triaging alerts that could be developed into an automated workflow takes time, opening up the opportunity for real security threats to become overlooked and remain sitting in the queue.
- Problem 3: Security issues are becoming more costly. Because these high-level analysts can’t focus their efforts on the alerts that matter, the mean time to resolution is getting longer.
- Problem 4: It’s becoming more difficult to measure security management metrics. Security objectives are more abstract than those of other departments, and there is no clear way to define Key Performance Indicators (KPIs).
- Problem 5: Employee turnover is typically high because the SOC lacks documentation for its complex triage and incident response processes. Security analysts who stay with the organization long enough pick up a “tribal knowledge” of how to manage the infrastructure.
These problems are common across many SOCs, and the drive to find a better way of managing them paved the way for SOAR.
The Benefits of the SOAR Framework
The SOAR framework offers two key benefits to SOCs and the incident management process. First, it provides the ability to create uniform, repeatable business processes to handle incidents of any type. Second, it uses machine learning (a sub-field of artificial intelligence) to offload work and automate actions at defined points in a well-documented business process.
The SOAR framework addresses the five common problems by aligning all alerts from disparate sources into a single platform, automating key workflows, and housing runbooks with clear, concise, actionable steps for triage and remediation.
It leverages next-generation artificial intelligence tools to supplement human analysts throughout incident response handling, enabling SOCs to focus their energy on critical security alarms.
SOAR solutions offer automated reporting. Executives can finally tap into the metrics and gain visibility to the ROI of their security initiatives.
Integrated security solutions that utilize the SOAR framework shorten the time needed to bring new employees up to speed. According to a study done by Demisto, the onboarding period for training a new security analyst has gone from nine months in 2017 to eight months in 2018.
A SOAR solution provides a standardized method for incident response and handling across an organization. It offers a way of tracking all correspondence within a single database, and it stores the information for review should a similar issue appear in the future.
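As an added illustration of the pattern described in this section (one platform for alerts from disparate sources, a runbook of automated triage steps, and reporting metrics), the following Python sketch is example code, not code from this page or from any SOAR product. It normalizes alerts from two hypothetical sources with different schemas into a single record type, runs each alert through a small runbook, and computes the disposition counts and mean time to resolution a SOAR dashboard would report. The alert records, the internal allowlist, the threat-intelligence indicator, and the clock value NOW are all constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample alerts from two hypothetical sources. Note the different
# field names, severity scales, and timestamp formats that a SOAR platform
# has to reconcile before any automation can run.
FIREWALL_EVENTS = [
    {"id": "fw-1001", "src": "203.0.113.7", "dst": "10.0.0.20", "sev": 2,
     "ts": "2024-03-01T10:00:00Z", "msg": "blocked inbound connection"},
    {"id": "fw-1002", "src": "10.0.0.5", "dst": "10.0.0.21", "sev": 1,
     "ts": "2024-03-01T10:01:00Z", "msg": "port scan detected"},
]
EDR_EVENTS = [
    {"event_id": "edr-7", "hostname": "ws-42", "remote_ip": "198.51.100.9",
     "risk": "low", "detected": 1709287320, "title": "unsigned binary executed"},
    {"event_id": "edr-8", "hostname": "ws-43", "remote_ip": "203.0.113.7",
     "risk": "medium", "detected": 1709287380, "title": "outbound beacon"},
    {"event_id": "edr-9", "hostname": "ws-44", "remote_ip": "192.0.2.33",
     "risk": "medium", "detected": 1709287440, "title": "suspicious script execution"},
]

# Constructed reference data: an internal vulnerability scanner that is expected
# to trip port-scan rules, and one indicator from a hypothetical threat feed.
INTERNAL_ALLOWLIST = {"10.0.0.5"}
THREAT_INTEL = {"203.0.113.7"}

# Constructed "current time" used when the runbook closes an alert.
NOW = datetime(2024, 3, 1, 10, 10, tzinfo=timezone.utc)

RISK_TO_SEVERITY = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Alert:
    """Single normalized record shared by every source."""
    source: str
    alert_id: str
    indicator: str            # the IP address the runbook keys on
    severity: int             # normalized: 1 = low, 2 = medium, 3 = high
    created_at: datetime
    summary: str
    actions: list = field(default_factory=list)   # audit trail of runbook steps
    disposition: str = "open"
    closed_at: Optional[datetime] = None


def normalize_firewall(ev: dict) -> Alert:
    # ISO-8601 with a trailing Z; rewrite to an explicit offset for fromisoformat.
    ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return Alert("firewall", ev["id"], ev["src"], int(ev["sev"]), ts, ev["msg"])


def normalize_edr(ev: dict) -> Alert:
    ts = datetime.fromtimestamp(ev["detected"], tz=timezone.utc)
    return Alert("edr", ev["event_id"], ev["remote_ip"], RISK_TO_SEVERITY[ev["risk"]],
                 ts, f'{ev["hostname"]}: {ev["title"]}')


def run_runbook(alert: Alert, now: datetime) -> Alert:
    """Apply the runbook steps in order; the first matching step decides."""
    if alert.indicator in INTERNAL_ALLOWLIST:
        alert.actions.append("suppress: known internal scanner")
        alert.disposition, alert.closed_at = "closed_benign", now
    elif alert.indicator in THREAT_INTEL:
        alert.actions += ["enrich: threat-intel match", "escalate: page on-call analyst"]
        alert.severity, alert.disposition = 3, "escalated"
    elif alert.severity == 1:
        alert.actions.append("auto-close: low severity, no intel match")
        alert.disposition, alert.closed_at = "closed_informational", now
    else:
        alert.actions.append("queue: needs analyst review")
        alert.disposition = "queued_for_analyst"
    return alert


def triage(firewall_events: list, edr_events: list, now: datetime) -> list:
    alerts = [normalize_firewall(e) for e in firewall_events]
    alerts += [normalize_edr(e) for e in edr_events]
    return [run_runbook(a, now) for a in alerts]


def disposition_counts(alerts: list) -> dict:
    counts: dict = {}
    for a in alerts:
        counts[a.disposition] = counts.get(a.disposition, 0) + 1
    return counts


def mean_time_to_resolution_seconds(alerts: list) -> Optional[float]:
    """Mean created_at -> closed_at over alerts the runbook has closed."""
    closed = [a for a in alerts if a.closed_at is not None]
    if not closed:
        return None
    total = sum((a.closed_at - a.created_at for a in closed), timedelta())
    return total.total_seconds() / len(closed)


if __name__ == "__main__":
    result = triage(FIREWALL_EVENTS, EDR_EVENTS, NOW)
    for a in result:
        print(f"{a.source}/{a.alert_id} sev={a.severity} {a.disposition}: {'; '.join(a.actions)}")
    print(disposition_counts(result))
    print("MTTR (s):", mean_time_to_resolution_seconds(result))
```

The actions list on each alert is the piece worth keeping in practice: it is the record of which automated step made which decision, which is what an analyst reviews when a similar alert appears later and what a KPI report is built from.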
How Cisco SecureX Fits into the SOAR Framework
Cisco SecureX is an open-source platform that integrates your entire security infrastructure into a single management platform for easy access. The solution comes built into every Cisco security product, spanning across your network, endpoints, cloud, and applications.
It strengthens your security infrastructure through increased collaboration between teams, unifies all products into a single dashboard, and can automate critical security workflows, saving your team precious time.
SecureX offers a comprehensive platform-based solution for security management that not only works for Cisco shops but those utilizing a hybrid of Cisco and third-party applications as well. It successfully addresses each of the five issues SOCs face without the use of a SOAR solution.
With Cisco SecureX, analysts can do more in less time thanks to a host of intuitive automated workflows. The drag-and-drop model SecureX utilizes offers a way to automate the response and triage of the more common, mundane alerts security technicians face daily. These workflows extend across much of an existing network thanks to Cisco’s 50+ adaptors, allowing analysts to connect everything from your network, cloud, data centers, and more.
The SecureX solution offers numerous canned runbooks developed by the experts at Cisco aimed at addressing many common security concerns right out of the box. These pre-designed runbooks can be enhanced by your security team and customized to fit your specific business needs. Responses to security threats can be automated to follow the runbook for a specific event. These runbooks also aid in shortening the training time needed for new employees.
Enhanced Collaboration Capabilities
Thanks to the unified platform, all your security teams can collaborate as one with SecureX. The cloud-based platform allows visibility into your network, applications, and endpoints, creating a single location for your ITOps, SecOps, and NetOps teams to work from. The SecureX ribbon allows cross-functional teams to view incidents, create tickets, and keep updated notes that are visible across the organization.
Utilizing numerous disparate solutions to manage a network causes delays in incident resolution, lengthens onboarding schedules for new employees, and produces inconsistent reporting metrics across the board. An integrated security solution can help combat the pain points security analysts and SOC administrators come across through the use of automation, detailed runbooks, and enhanced collaboration functions.
For more information on how Cisco SecureX can help you increase productivity and reduce confusion across your SOC, download our comprehensive guide: Get Off the Security Treadmill with Cisco SecureX.
If you’re skeptical about how Cisco can leverage all of your existing security investments with their platform-driven approach, download our guide: From Complex to Cohesive: How a Platform Approach Can Solve Today’s Security Conundrum.
Acadia Technology Group is a client-centered organization focused on delivering solid results to some of the largest corporations in America.
Interested in learning more about SOAR? Contact us to learn how we can help you.