Businesses lost more than $3.5 billion in 2019 due to cybercrime, fraud, and ransomware, according to the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center. And while the volume and sophistication of cyber threats show no signs of letting up, many Chief Information Security Officers (CISOs) and SOC leaders continue to struggle with enabling their teams to scale better by avoiding triaging redundant alerts and executing repetitive responses, while responding with speed and accuracy, and showing a clear return on investments.
One way to alleviate this burden is by adopting the use of a Security Orchestration, Automation and Response (SOAR) platform. Gartner defines SOAR as the fusion of three technologies — security orchestration and automation, security incident response platforms, and threat intelligence platforms — allowing organizations to define and manage incident analysis and response procedures in a digital workflow.
Having a central location to integrate your security tools and processes to allow your people to collaborate and work together across teams is absolutely critical in today’s threat landscape. But there are five more important reasons why CISOs are prioritizing the adoption of a SOAR platform.
The impact and frequency of cyber incidents are increasing. It is essential that the tools CISOs and SOC leaders procure for their teams are specifically designed to evolve to keep up with both the volume and sophistication of these attacks. Without a platform to separate the signal from the noise, security teams will waste millions of dollars in man hours, weed through the false positives in order to find and prioritize the threats that matter. A SOAR platform acts as a collection and analysis hub for threat intelligence, security operations and incident response data and processes that make triage and response activity a tractable problem.
Threat intelligence has a critical role to play here by informing and prioritizing actions. In an ideal security organization, threat intelligence and security operations are empowered to create a mutually beneficial, cyclical relationship. As intelligence dynamically changes, it should inform the decision-making processes for future actions and drive prioritization when it comes to response. SOARs help security teams identify the most critical threats, standardize processes and gain instant access to relevant threat intelligence to improve the speed and accuracy of their detection and response.
In late 2019, the International Information System Security Certification Consortium (ISC2) reported that 2.8 million professionals work in cybersecurity jobs globally, but the industry needs another 4 million trained workers in order to properly defend organizations and close the skills gap. This means that security teams are facing more alerts, cases, and event data than ever. SOAR platforms create and memorialize playbooks, automated processes and structured workflows encompassing those day-to-day tasks facing an overworked security team. When mundane tasks are automated, team members can spend time on items that require the cognitive processing that a human mind can provide. Additionally, relieving staff from a lot of those mundane tasks can reduce the cause of job dissatisfaction for security staff and curb burnout.
Due to a shortage of staff and time, SOC leaders must ensure their companies have strong triage, response, and hunt processes in place. Not only do SOARs optimize workflow and time by automating and prioritizing tasks, they also assist with succession planning by acting as a process and knowledge management system.
A SOAR platform can help incident response teams coordinate multiple streams of activity handled by different people, all with differing roles and expertise, to support a comprehensive response to a security incident. Processes run much smoother when the friction caused by unnecessary human intervention is removed.
Good CISOs and SOC leaders already know that good intelligence drives better decisions and outcomes. But intel is only valuable if it enables the right action, and action is only meaningful if it is timely and effective. SOAR platforms increase efficiency by running machine automation seamlessly alongside human ingenuity. Together, this reduces the time it takes to uncover relevant threat intelligence and related case data or patterns, by exposing it directly to analysts in real time. The combination of intelligence-led context and the human element lowers the risk wasting time on rabbit-trail investigations of false positives and increases the accuracy of the response.
Historically, it’s been extremely difficult for CISOs to attach a dollar value to cyberattacks or incidents that were avoided or stopped. When a cybersecurity team is successful in achieving zero downtime, nobody notices. For those looking in from the outside, it is difficult to perceive the business value of cybersecurity. SOAR platforms can help the CISO by providing quantifiable metrics of team impact and efficiency. Instead of pointing to the avoidance of a negative outcome like a breach, SOC teams can point to positive and measurable outcomes. For example, a team can set up a metric around targeted blocks to a firewall, mean time to respond, mean time to detection, stage of attacks when contained, analyst hours saved through automations, and metrics on controls implemented. After setting it up, the team can reference a dashboard at any point and see the relevant metrics.
The challenges facing CISOs and their teams are not going away anytime soon, but a SOAR can offer powerful capabilities and rapid improvements to security operations teams. By choosing an intelligence-driven SOAR, CISOs can enable their security operations teams to operate smarter and faster with measured results, as well as more clearly communicate their insight on the threats to the organization's business priorities to stakeholders.