How to choose SOAR solution

2025-01-19 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

This article is about how to choose a SOAR solution. The editor thinks it is very practical, so it is shared here for everyone to learn from. I hope you get something out of reading it.

SOAR (Security Orchestration, Automation and Response) is regarded as the signature solution of the next-generation SOC, and also as the key mechanism for improving the efficiency of security operations.

As we all know, the focus of the next-generation SOC is improving detection and response capabilities. But today's situation is that SOC operations teams are overwhelmed, false positive rates are high, and MTTR (mean time to respond) is hard to improve. As a result, the security industry and enterprise security teams have high hopes for SOAR solutions and expect deploying SOAR to significantly improve how efficiently the SOC detects and responds to threats.

However, enterprise buyers (Party A, in Chinese industry usage) also need to realize that, if it is not implemented correctly, a SOAR solution brings new challenges of its own. Without proper planning, companies that adopt security automation tools can fall victim to common mistakes that quickly lead to reduced efficiency and weaker security.

In short, enterprises need to weigh a variety of factors when choosing the right SOAR solution. The following are the opinions and suggestions of several foreign security experts on SOAR selection:

Rishi Bhargava, Vice President of Product Strategy, Palo Alto Networks

Implementing a SOAR solution is not as simple as going from "I don't have one" to "well, now I do". Enterprises need to evaluate their security tool stack and existing processes, and then choose their deployment approach accordingly.

The ecosystem is critical: a SOAR solution needs to be able to integrate with and cover the vendor tools you are currently using, and it should offer options for in-house development or custom integrations. A SOAR solution worth investing in should be able to mature as the enterprise grows, with testing, enrichment, execution and the other processes, and the tools behind them, well integrated.

Strong ticketing and case management capabilities: incident responses rarely start and end with automation; analysts are always involved in investigating incidents. Ask the vendor: does your SOAR platform provide case management natively, or does it integrate with related tools? Can it reconstruct an incident timeline? Can it be customized easily, without a lot of coding?

Integrated threat intelligence management: manual threat intelligence workflows are time-consuming and do not scale, so automating integrated threat intelligence management will greatly reduce your mean time to respond.

Flexible deployment: the SOAR platform should support on-premises and cloud-managed deployments. For a distributed environment, look for a solution that is scalable and supports a full multi-tenant environment.

Whatever stage of choosing or implementing SOAR you are at, the considerations above will keep your business on the best path.

Gamze Bingöl, Product Manager, Micro Focus SecOps

The fundamental purpose of a SOAR solution is to help security personnel improve their ability to detect and respond to cyber threats through automation and orchestration.

Security automation: SOAR's automation features should handle most threats automatically, by eliminating false positives and automating repetitive activities. Use SOAR to automate time-consuming and repetitive tasks, giving analysts more time to focus on cases that require human intervention.

Out-of-the-box playbooks: scenario-driven, ready-to-use automated playbooks should be an out-of-the-box feature of SOAR. Ready-made scenarios help the team cut response time from hours to minutes and improve analyst productivity.

Integration with existing tools: stand-alone security tools are not as useful as a complementary, integrated toolkit. It is important for SOAR to integrate with the enterprise's existing security solutions, IT infrastructure and technologies, and to act as the central hub of the entire security environment by strengthening collaboration and orchestrating all of its elements as if they were part of one solution.

KPIs and metrics: SOAR's detailed reports on cases and analysts help managers understand past incidents and plan future direction better.

Richard Cassidy, Senior Director of Security Strategy for Europe, Middle East and Africa, Exabeam

A SOAR solution should let the team automate identification and response across a large number of different data streams, making the prioritization of threats and vulnerabilities almost seamless and security operations far more efficient.

If implemented correctly, a Security Operations Center (SOC) can benefit from a SOAR solution that helps it respond to threats faster and more effectively.

Integrating SOAR with other security tools, such as Security Information and Event Management (SIEM), can change the business and technical outcomes of SOC teams through automation, while improving efficiency.

Enterprises can use SOAR to extend the functionality of SIEM into a comprehensive solution. SIEM collects and stores data in a usable form that SOAR can draw on to investigate and respond to incidents automatically, reducing the need for manual work.

Moreover, against the biggest challenge SOC teams have faced to date, false positives, a SOAR solution can help by gathering information, prioritizing, and merging duplicate alerts to reduce the number of false positives.

Cody Cornell, Chief Strategy Officer, Swimlane

When considering SOAR solutions, enterprises need to think from two perspectives: which security operations problems need to be solved by automation today, and what are the requirements? And how will automation be used in the future?

First, is the adversary facing you and your tools static or dynamic? In the vast majority of cases the answer is, of course, the latter. Therefore, you should choose a solution that integrates quickly and scales rapidly, enough to meet not only today's needs but future ones as well.

Second, when you look at how attackers' techniques are changing, do you think attackers will also embrace automation? In fact, attackers not only use automation to run scans, they also use DevOps methods to build unique infrastructure for each target.

If this continues, you will need an automation platform that can trace and investigate indicators of compromise (IOCs) and other intelligence in cases and alerts without human intervention.

Matthias Maier, Security Evangelist, Splunk

Several different criteria should be considered when choosing a SOAR platform:

(1) Core capabilities

These are the basic components and functions of a SOAR platform, which users can identify easily. One important component is the orchestrator, which is responsible for guiding and supervising all activities related to a given security scenario; it is critical that the orchestrator optimizes the use of available resources. Another is the automation engine. Because automation tasks run independently and largely without human intervention, attributes such as platform scalability are important criteria to consider. Case and playbook management should also be taken into account.

(2) Platform attributes

These are qualitative criteria, best evaluated by observing and interacting with the platform repeatedly. A SOAR platform must support a strong community model and make it easy to share application integrations and scripts. It is also important to understand how the platform scales vertically and horizontally: over time, adding use cases adds processing load to the platform. Openness, mobile-friendliness and ease of use are also key considerations.

(3) Commercial considerations

These include the value-added services the vendor provides around its core technology, such as training and support. No matter how good the vendor's core technology is, attention needs to be paid to the factors beyond the product that have traditionally had a significant impact on the buyer's decision-making process.

Faiz Ahmad Shuja, CEO of SIRP

One study found that security professionals receive an average of 840 security alerts a day. Since a manual investigation takes about 15-30 minutes per alert, this is an almost impossible workload for any security team.

Automating as much of that workload as possible lets security teams keep pace and ensures that important threats are not overlooked, and a SOAR platform is one of the most effective ways to do so.

The most important step in integrating SOAR successfully is to have reliable documentation for all security processes. A complete playbook is required for every major process. For example, if a potential phishing email is detected, the response may include investigating the sender's address and looking for signs of spoofing, checking the reputation score of every URL, and scanning for malicious scripts. Once all of these processes are documented, the SOAR platform can begin to execute them automatically.
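To show what "documented process" turns into once a SOAR platform runs it, here is an added example (not code from the article or from any vendor mentioned) that encodes the phishing playbook steps just described as a small Python playbook. The sample message and the URL reputation table are constructed; the table stands in for the threat-intelligence integration a real platform would call.

```python
"""Added example: a minimal phishing-triage playbook in the shape a SOAR platform
automates. Every step returns a list of findings; the runner chains them and
turns the findings into an escalate/close verdict for the case."""
import re
from email.utils import parseaddr

# Constructed stand-in for a URL reputation integration (assumption): host -> score 0..100.
URL_REPUTATION = {"login-verify.example.net": 15, "docs.example.org": 92}
SCRIPT_EXT = re.compile(r"\.(js|vbs|ps1|hta|wsf)$", re.IGNORECASE)

def check_sender(msg):
    """Step 1: investigate the sender address; a From/Return-Path domain mismatch is a spoofing sign."""
    _, from_addr = parseaddr(msg["From"])
    _, return_path = parseaddr(msg.get("Return-Path", from_addr))
    from_dom = from_addr.rpartition("@")[2].lower()
    rp_dom = return_path.rpartition("@")[2].lower()
    if from_dom != rp_dom:
        return [f"sender domain mismatch: From={from_dom} Return-Path={rp_dom}"]
    return []

def check_urls(msg):
    """Step 2: score every URL host in the body; unknown hosts score 0 and are treated as suspicious."""
    hosts = re.findall(r"https?://([^/\s]+)", msg["Body"])
    return [f"low reputation url host: {h} ({URL_REPUTATION.get(h, 0)})"
            for h in hosts if URL_REPUTATION.get(h, 0) < 50]

def check_scripts(msg):
    """Step 3: flag attachments whose extension marks them as scripts."""
    return [f"script attachment: {n}" for n in msg.get("Attachments", []) if SCRIPT_EXT.search(n)]

PLAYBOOK = [check_sender, check_urls, check_scripts]  # documented order of the response steps

def run_playbook(msg):
    """Run each documented step; any finding escalates the case to an analyst, none closes it."""
    findings = [f for step in PLAYBOOK for f in step(msg)]
    return ("escalate" if findings else "close"), findings

# Constructed sample alert: a password-reset lure with a mismatched envelope sender.
SAMPLE = {
    "From": "IT Helpdesk <helpdesk@example.com>",
    "Return-Path": "<bounce@mailer.example.net>",
    "Body": "Reset your password at https://login-verify.example.net/reset today.",
    "Attachments": ["invoice.pdf", "update.js"],
}

if __name__ == "__main__":
    verdict, findings = run_playbook(SAMPLE)
    print(verdict, *findings, sep="\n  ")
```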

In addition, organizations need to make sure the SOAR platform they choose has strong integration capabilities. The platform will need to work smoothly with their existing SIEM solution and connect to other security solutions and the broader IT infrastructure.

Amos Stern, CEO of Siemplify

Security orchestration, automation and response addresses some of the most frustrating challenges security teams have faced for a long time.

The right SOAR platform, coupled with a good implementation, helps reduce alert overload, ties together the many different detection tools an organization uses, and builds automated, repeatable processes that shorten response time, while freeing security analysts from tedious manual work so they can focus on high-value work such as threat hunting and building a more resilient security infrastructure.

The core of a SOAR solution should be ingesting alerts, integrating (through native APIs) with a variety of third-party detection tools, and automating workflows.

The best SOAR, however, acts as a centralized workbench: think of Salesforce, but for SOC analysts. The SOAR solution you should be looking for has the following advanced features:

Case management (especially the ability to group context-sensitive alerts)

Integrated threat intelligence

Collaboration (especially important in new telecommuting environments)

Dashboards and KPIs (to provide visibility and insight)

Crisis management (escalation), providing a cross-organizational response when major incidents occur.

The above is how to choose a SOAR solution. The editor believes it contains some points we may encounter or use in our daily work. I hope you learn more from this article; for more details, please follow the industry information channel.
