SECURITY

SOAR In Your Pocket

Andreas Buis By Andreas Buis January 31, 2020

Hi, 

 

Let's take a look behind the scenes and find out how Security Orchestration Automation and Response (SOAR) solutions can have a positive impact on your security investigation and response efficiency. In this article, I'll also highlight how Phantom-mobile makes your life as the “officer on duty” a lot easier.

Outcome

Improve your efficiency and productivity by 49% on average by using a security orchestration and automation platform like Splunk Phantom.

Average Problem Diagnosis Accuracy Improvements SOAR

Credit: Confession of security professionals – EMA Research report, by David Monahan – October 2019

The Current Situation

Nearly every SOC team is suffering from alert overload. A significant percentage of all recurring and repeatable tasks are still manually processed, which is due to a combination of disparate tools and a shortage of people in the SOC. The cause for the latter is either because of a lack of budget for headcounts or talent shortage in the region.

The Impact

The SOC team is not able to execute its actual work. Instead, it is analyzing security incidents and wasting time and resources on activities that can also be performed automatically.

As a result, security incidents are not always detected right away or incident responses not conducted immediately. According to this article by Cybersecurity Watch blog – Crowe “limiting dwell time can reduce a breach’s impact on a business by up to 96%. For example, an attack persisting for more than 100 days can cost upwards of $3.86 million dollars. If that same attack were detected within a day of its entry into the system, it might cost $144,000 – only a fraction of the amount had the attack persisted.“ This has a negative impact on the company's value chain and results in revenue loss. 

When we break these challenges down into three aspects, the KPIs could be defined as:

Negative impact on a company's value chain

A SOC’s worst enemy is waiting on other teams to deliver additional information. Especially since a SOC needs to act on facts in order to be successful.

The Resolution

Security Orchestration Automation and Response (SOAR) platforms like Splunk Phantom enable digitization and automation of manual processes.

Application of SOAR increases the speed of security incident treatment by up to 3 to 10 times. 

SOAR Sandbox

Scenario:

A simple phishing email use case typically takes up to 45 minutes if investigated manually. This includes several repeatable steps:

  • Has the email been sent to other users?
  • Checking of the user profile
  • Hunting of the file
  • Checking File reputation

All of these tasks can be completed within 40 seconds by conducting an automated malware investigation.

When we get back to our initial assumption that waiting is a SOC’s worst enemy, we realize that it is actually a game-changer that helps to accelerate the process.

Thinking about more complex investigations with a couple of more IOCs that need to be checked. The pre-analytical part which is the collection of information is a time consuming and error-prone task. From an audit perspective, there is a lack of traceability due to missing auditing of the investigation process.

Orchestrating and automating the security investigation process ensures that every step during an investigation is comprehensible. And that it includes all mandatory tasks – no matter how many indicators of compromise need to be checked.

SOAR in the pocket

In the report “Confessions of Security Professionals” you can find a section with the topic “SOAR and Staffing” and talks about doing more with the same staff.

SOAR Impacts on Staffing levels

Credit: Confession of security professionals – EMA Research report, by David Monahan – October 2019

 SOAR in your pocketDue to the heavy workload, access to a SOAR via a mobile device is a minimum requirement. A mobile analysis, assessment of the situation, triggering automated processing or assigning the incident to a specific person should be possible from any location.

Experience it for yourself and visit one of our Phantom 4 Rookies Hands-On Workshops. It provides you with a “touch & feel” for a SOAR system. At the workshops, you will learn how to investigate using orchestration and automation, and you will find inspiration on how to adapt and apply the SOAR philosophy to your company.

Thanks for reading, 

Andreas

Andreas Buis
Posted by

Andreas Buis

Andreas Buis is a member of the DACH Sales Engineering team, focused on IT Security with an emphasis on orchestration, automation and response. Starting his career as a developer for internet portals, Andreas has gone through various stations as support (Tier- 2/3), administrator (Windows & Linux) and project manager. He has worked as a systems engineer for various companies since 2012, successfully supporting projects in Germany and abroad. His unconventional handling of the demands in life as in IT is one of his secrets to success. In doing so, he always succeeds in balancing customer requirements with technical conditions. Andreas makes it his highest priority to convey things so that they are understood by all. If he is not busy with processes and python, you can find him in the evenings and at night with his camera as a street photographer — one of his many side hobbies.