Home >Operation and Maintenance >Safety >How to choose a SOAR solution

How to choose a SOAR solution

PHPz
PHPzforward
2023-06-02 20:57:021544browse

SOAR (Security Orchestration, Automation and Response) is regarded as the iconic solution for the next generation of SOC and is also a key mechanism to improve the efficiency of security operations.

As we all know, the focus of next-generation SOC is to improve detection and response capabilities. However, the reality shows that the SOC operation team is facing tremendous pressure, the false alarm rate continues to rise, and the mean response time (MTTR) is always difficult to improve. Therefore, the security industry and enterprise security teams have high hopes for SOAR solutions, expecting to significantly improve SOC efficiency in detecting and responding to threats through the deployment of SOAR.

Party A must understand that if it fails to implement SOAR solutions correctly, it will face new challenges. Without proper planning, businesses adopting security automation tools can fall victim to common missteps that can quickly lead to reduced efficiency and a poor security posture.

In short, enterprises need to consider many factors when choosing a suitable SOAR solution. The following are the insights and suggestions given by several foreign security experts on SOAR selection:

Rishi Bhargava, Vice President of Product Strategy at Palo Alto Networks

Implementation of SOAR solutions It is not a simple process from "lack" to "possession". Enterprises need to evaluate their existing processes and security tool stacks and then choose an appropriate deployment approach.

  • The ecosystem is critical: SOAR solutions need to be able to integrate across the vendor tools you currently use. Options for in-house development or custom integration should be provided. A reliable SOAR solution should be able to keep pace with the development of the enterprise and be continuously improved. Perfectly integrate detection, enrichment, and execution processes and related tools.

  • Powerful ticket and case management capabilities: Incident response rarely begins and ends with automation. Analysts are always involved in incident investigations. Ask the vendor: Does your SOAR platform offer native case management natively, or is it integrated with related tools? Can you restructure event timelines? Can you easily customize scenarios without a lot of coding?

  • Integrated Threat Intelligence Management: Manual threat intelligence workflows are time-consuming and do not scale, so integrated threat intelligence management automation will significantly reduce your average response time.

  • Flexible deployment: The SOAR platform should support local deployment and cloud-hosted deployment. For distributed environments, look for one that scales and supports a fully multi-tenant environment.

No matter where you are in selecting or implementing SOAR, the above considerations will ensure your organization is on the best path.

Micro Focus SecOps Product Manager GamzeBingöl

The fundamental purpose of the SOAR solution is to help security personnel improve their ability to detect and respond to network threats through automation and orchestration technology.

  • By eliminating false positives and automating repetitive activities, Cyber ​​Security Automation’s SOAR automation capabilities automate the handling of most threats. Use SOAR to automate time-consuming and repetitive tasks, giving analysts more time to focus on cases that require human intervention.

  • SOAR’s out-of-the-box functionality should be scenario-driven, ready-to-use automatic plans. Ready-to-use plans help teams reduce response times from hours to minutes and increase analyst productivity.

  • Integrated toolsets are more useful than isolated security tools because they complement each other. An important aspect of SOAR is that it needs to integrate with the existing security solutions, IT infrastructure and technologies in the enterprise, and act as the entire security environment by enhancing collaboration and orchestrating all elements as if they are all part of the same solution. centralized hub.

  • KPIs and Metrics: SOAR’s detailed reports on cases and analysts can help managers understand historical events and better plan future directions.

#Richard Cassidy, Senior Director of Security Strategy, EMEA at Exabeam

SOAR solutions should enable teams to span large and diverse data flows Automate the identification and response process, making prioritization of threats and vulnerabilities nearly seamless and making security operations far more efficient.

If implemented correctly, security operations centers (SOCs) can benefit from using SOAR solutions, helping them respond to threats faster and more effectively.

Integrating SOAR with other security tools, such as security information and event management (SIEM), can transform the business and technical outcomes of SOC teams through automation while also increasing efficiency.

Enterprises can use SOAR to enhance the capabilities of SIEM to provide comprehensive solutions. SIEM collects and stores data in a useful way that SOAR can use to automatically investigate and respond to incidents and reduce the need for manual operations.

And, for SOC teams’ biggest challenge to date—false positives—SOAR solutions can help collect information, prioritize and consolidate duplicate alerts to reduce the number of false positives.

Cody Cornell University Chief Strategy Officer, Swinlane

When considering SOAR solutions, enterprises need to think from two perspectives: What are the problems that security operations automation needs to solve, and what are the needs? How can automation be leveraged in the future?

Typically, you use The tools or strategies against an adversary are dynamic, not static. Therefore, you should choose solutions that can be quickly integrated and scaled quickly—not only to meet today's needs, but also to meet the needs of the future.

Secondly, when you look at the changes in attacker technology, do you think attackers will also embrace automation? In fact attackers are not only using automation to run scans, but they are also using DevOps methods to target each attack Build a unique infrastructure.

If this continues, you will need an automated platform that can trace and investigate indicators of compromise (IOCs) and other intelligence in cases and alerts without human intervention.

Splunk Security Evangelist Matthias Maier

There are several different criteria you should consider when choosing a SOAR platform, and which criteria to use:

(1) Core Capabilities

Users can easily identify these as the basic components and functions of the SOAR platform. Some of the important components, such as the orchestrator, are responsible for directing and overseeing all activities related to a given security solution. It is critical that the orchestrator makes optimal use of available resources. The other is the automation engine. Since automated tasks run independently and largely do not require human intervention, attributes such as platform scalability and extensibility are important criteria to consider. Case and program management should also be considered.

(2) Platform attributes

This is a qualitative standard. These criteria can be assessed more frequently through observation and interaction with the platform. The SOAR platform must support a strong community model and make it easy to share application integrations and playbooks. It's also important to understand how the SOAR platform scales both vertically and horizontally. As use cases are added over time, additional processing load will be added to the platform. A platform that is open, mobile-friendly and easy to use is also a key consideration.

(3) Business Considerations

The value-added services provided by the Company include items designed to enhance its core technologies, such as training and support. No matter how great a company's core technology is, factors beyond the product that are traditionally considered to have a significant impact on a buyer's decision-making process require attention.

SIRP CEO Faiz Ahmad Shuja

A study found that security experts receive an average of 840 security alerts per day. Since most alerts take approximately 15-30 minutes to complete manual investigation, this is an almost impossible task for any security team.

Automating as many workloads as possible will allow security teams to keep pace and ensure important threats are not overlooked, and the SOAR platform is one of the most effective solutions.

The most important step in successfully integrating SOAR is to provide reliable documentation for all security processes. For all major processes, a well-developed response manual is required. For example, if a potential phishing email is detected, the response might include investigating the sender's address and detecting signs of spoofing, reputation scores of all URLs, and detection of malicious scripts. Once all these processes are recorded, the SOAR platform can start executing them automatically.

Additionally, organizations need to ensure that the SOAR platform they choose has strong integration capabilities. This platform will need to seamlessly integrate with their existing SIEM solution and connect with other security solutions and broader IT infrastructure.

Amos Stern, CEO of Siemplify

Security orchestration, automation and response can solve some of the most frustrating challenges security teams have faced for a long time.

The right SOAR platform, coupled with a good implementation, can help reduce alert overload, bring together the many different detection tools used by an organization, and build automated and repeatable processes to reduce response times , while freeing security analysts from tedious and often tedious manual work. Allowing them to focus on high-value work, such as hunting for threats and building a more resilient security infrastructure.

Rewrite this sentence as follows: The core goal is to integrate various third-party detection tools, obtain alerts and automate workflows by using native APIs.

However, the best SOARs serve as centralized workbench. Think like Salesforce, this applies to SOC analysts as well. The SOAR solution you should look for should have the following advanced features:

  • Case management (especially the ability to group alerts relevant to context);

  • Integrated threat intelligence;

  • Collaboration (especially important in the new remote working environment);

  • Dashboards and KPIs (To provide visibility and insight);

  • Crisis Management (Escalation) Conducts a cross-organizational response when a critical incident occurs.

The above is the detailed content of How to choose a SOAR solution. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:yisu.com. If there is any infringement, please contact admin@php.cn delete