Attacks are growing in volume and variety. Security operations centers use diverse tools to handle the work: SIEM, IDS/IPS, or EDR, for instance. However, companies struggle with an overwhelming amount of security event data and not enough human resources to deal with it adequately.
Companies are therefore turning to solutions that can take care of tasks like data aggregation, enrichment, correlation, and remediation, such as a Security Orchestration, Automation, and Response (SOAR) platform.
Still, the foundation of any strong defense is good data. A SOAR relying on redundant or irrelevant data won’t be effective. This is where threat intelligence becomes essential.
This is why we’ll see below:
- How the SOAR has TI at its heart;
- How threat intelligence is essential to security teams;
- Why, as a result, the SOAR is one of the most valuable tools for improving MTTD and MTTR.
Threat intelligence is at the heart of the SOAR technology
Today’s security technologies often feed your incident response team with a massive number of logs and events. However, these logs and events are riddled with false positives and duplicates, or lack the enrichment your analysts need to make the best decision.
This work is usually done by a SIEM, which effectively aggregates data from across your internal network. However, a SIEM wasn’t designed to enrich this data: it delivers raw information to your analyst and lacks enrichment features.
Thus, your SOC analysts bear the burden of manually working through this data to separate real alerts from false ones, switching between the different tools they use, and making decisions based on the processed data. They end up with a massive amount of work for each incident, leading to the phenomena known as alert fatigue and multiple panes of glass.
The SOAR came about to address this precarious state by combining three existing tools:
- The Security Incident Response Platform (SIRP) gathers alerts and events from different sources such as your SIEM or IDS. The analyst can add related data like logs or IOCs and then compare the results against threat intelligence feeds;
- Security Orchestration and Automation (SOA) integrates tools and lets you build workflows;
- Threat Intelligence Platforms (TIP) aggregate various TI feeds to enrich incoming alerts.
As a result, the SOAR (a term first coined by Gartner) is both an orchestrator and an automator: it works on playbooks (or workflows) that integrate multiple security technologies into repeatable, automated workflows describing threats and how to handle them. This frees up time for your people to tackle more complex goals and is a natural complement to your SIEM.
However, you need a full, integrated view of external threat information to make this work. This way, your SOAR can have the full picture of what is happening and take the right steps to remediate threats.
We’ve described how a SOAR combines a SIRP and an SOA. Now, this is where things get interesting for our demonstration: the third tool a SOAR combines with the two described above is the TIP, which is crucial.
As we said above, SOAR solutions work via playbooks. The problem is that these playbooks run on the data fed into them, so their efficacy is only as good as that data. This is why the SOAR naturally merged the TIP with the SIRP and SOA to make a truly unique tool.
Because threat intelligence is paramount to sharpening your whole security stack
The SOAR can ingest threat intelligence to take on two challenges encountered by more and more SOCs around the world: information overload and prioritization.
SOCs face increasing attacks daily. We’ve found that, on average, security teams have to face more than 100,000 attacks every day. Some companies operating in strategic fields, such as healthcare, can face millions of attacks per day. Because they rely on manual work to deal with this plethora of information, security teams can’t keep up with the threats. As a result, they end up investigating only a fraction of these incidents, around 10,000 on average.
This leaves room for attackers to sneak in and wander through your systems unnoticed for months. On average, a breach takes 212 days to be detected and 75 days to be remediated. That’s precisely 287 days of unnoticed damage.
Of course, there are tools to ingest all of this incoming information. SIEMs have been around for decades, and they do this well. Still, dealing with this amount of information is nearly impossible if you have to work through each incident independently. This is why threat intelligence came about: known attacks, their patterns (tactics, techniques, and procedures), and the evidence they leave behind (indicators of compromise) are listed in feeds that help analysts deal with the incidents they’re facing.
In this way, threat intelligence can reduce the time security teams need to research and triage alerts. However, threat intelligence feeds are many and varied, and ingesting all the information they gather tends to be as challenging as ingesting the information from your SIEM itself.
This is where the SOAR comes in. Via automated playbooks, a SOAR lets you continuously feed updated threat intelligence into your system. Moreover, a no-code, drag-and-drop SOAR like Mindflow goes one step further in easing the work: you create steps by dragging one of the services you want to call (a TI feed, for instance), dropping it onto your workflow (to, say, enrich a phishing alert), and connecting it with other steps (to create an automated phishing investigation workflow).
By supplying automated threat intelligence in real time, the SOAR lets you triage alerts comprehensively and quickly, with an exhaustive view of incoming threats so that none go unnoticed.
Besides enabling you to separate real threats from false positives, threat intelligence also provides the basis for prioritizing threats. Even after the initial triage, analysts still have to deal with thousands of threats daily. Some are minor and some are major. Even though, in an ideal world, every threat would be handled, you need to consider and prioritize the most dangerous ones first. Again, this is where threat intelligence is crucial: with a more comprehensive view of each threat, you can treat the critical ones first.
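As an added example (not Mindflow’s code or any product’s API), here is a minimal version of the playbook described above in Python: it collapses duplicate alerts, enriches each one against a threat intelligence feed, and orders the queue by severity and confidence so analysts see known, critical threats first. The feed entries, indicators and alerts are all constructed for the example; the hash is a placeholder and the domain and IPs come from reserved documentation ranges.

```python
from dataclasses import dataclass, field
# Constructed TI feed for the example (not a real feed): indicator -> (severity 1-5, confidence %, tag).
TI_FEED = {
    "login-secure.example.test": (4, 90, "phishing-domain"),
    "198.51.100.23": (3, 60, "scanner"),
    "0123456789abcdef0123456789abcdef": (5, 95, "malware-hash"),  # placeholder hash
}
@dataclass
class Alert:
    alert_id: str
    source: str                                   # SIEM, IDS, EDR, mail gateway...
    indicators: tuple                             # IOCs extracted from the raw event
    matches: dict = field(default_factory=dict)   # indicator -> feed entry, filled by enrich()
    duplicates: int = 0                           # identical alerts collapsed into this one

def dedupe(alerts):
    """Collapse alerts with the same indicator set; returns fresh copies so inputs stay untouched."""
    seen = {}
    for a in alerts:
        key = frozenset(a.indicators)
        if key in seen:
            seen[key].duplicates += 1
        else:
            seen[key] = Alert(a.alert_id, a.source, a.indicators)
    return list(seen.values())

def enrich(alert, feed):
    """Playbook step: look every indicator up in the feed and attach what it knows."""
    alert.matches = {ioc: feed[ioc] for ioc in alert.indicators if ioc in feed}
    return alert

def risk_score(alert):
    """Severity x confidence of the strongest match; 0 means TI knows none of the indicators."""
    return max((sev * conf for sev, conf, _ in alert.matches.values()), default=0)

def triage(alerts, feed):
    """Run the playbook end to end and return (id, score, duplicates, tags) ordered by risk."""
    queue = [enrich(a, feed) for a in dedupe(alerts)]
    queue.sort(key=lambda a: (-risk_score(a), a.alert_id))
    return [(a.alert_id, risk_score(a), a.duplicates,
             sorted(m[2] for m in a.matches.values())) for a in queue]
# Constructed sample alerts, as a SIEM might hand them to the SOAR.
SAMPLE_ALERTS = [
    Alert("A1", "mail-gateway", ("login-secure.example.test",)),
    Alert("A2", "mail-gateway", ("login-secure.example.test",)),  # duplicate of A1
    Alert("A3", "ids", ("198.51.100.23",)),
    Alert("A4", "edr", ("0123456789abcdef0123456789abcdef",)),
    Alert("A5", "ids", ("203.0.113.9",)),                          # unknown to TI: score 0
]
```

Calling `triage(SAMPLE_ALERTS, TI_FEED)` returns the malware hit first and the unenriched alert last with a score of 0, which is where an analyst would still want to look rather than discard it outright.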
This is why a SOAR means lower MTTD and MTTR
In cybersecurity, we use several metrics, called key performance indicators (KPIs), to benchmark our stacks and determine whether or not they’re effective at handling threats.
Threat intelligence and the SOAR impact these KPIs by working on two key metrics: mean time to detect (MTTD) and mean time to respond (MTTR). We said above that, on average, companies need 212 days to detect and 75 days to remediate threats. You can imagine that the corresponding MTTD and MTTR aren’t very good in this context.
So, first, by keeping your security stack as up to date as possible through automated threat intelligence, the SOAR helps you lower the MTTD. To be honest, most basic threats (which make up the vast majority of the threat landscape) are known and listed in such TI feeds. Being able to ingest all that data makes your security stack undoubtedly more efficient at keeping you unbreached, because the “unknown unknowns,” the last thing you want when you’re in defense mode (you want the most comprehensive knowledge of the potential threats you’re dealing with in order to defend against them), decrease fast with accurate and up-to-date intelligence.
Even if your TI is top-notch, you have to be able to remediate quickly. Cyberspace is characterized by connections as fast as light: minutes or even seconds mean megabytes or gigabytes downloaded or corrupted, which can make the difference between a successful breach and a failed one.
This is where the ability to handle incidents from detection to response makes the SOAR a unique and much-needed tool in a security stack. Automated playbooks not only help you detect threats but also remediate them, thus lowering the MTTR.