- SOAR 101
The idea that many analysts and CISOs are concerned about automating and orchestrating security actions should come as no surprise. After all, human decision-making leverages years of relevant experience and training, plus it can pivot on a dime, bringing valuable agility to the SOC. But the fact is, human decision-making simply can’t keep up to the volume and sophistication of today’s cyber threats.
So what are the options for SOCs that want to implement incident response automation and orchestration, while maintaining the agility needed to react to new threats and contextual information?
At D3, we’ve designed our automation and orchestration features to support “intelligent automation”, which allows analysts to maintain control of major decisions, while still fully leveraging the speed of automation. Here are some of the concepts and features we utilize, which will help you avoid overly rigid automation in your incident response program.
This blog published by Dark Reading makes the interesting case that overreliance on strict playbooks opens up security vulnerabilities. At D3, we believe there’s a lot of value to be gained from playbooks, but we avoid the vulnerabilities by maintaining human involvement at all key points.
One way we do this is with our Playbook Editor, which keeps workflows dynamic by allowing analysts to make changes to processes with no coding required, even on the fly. With the Playbook Editor, you can visualize your entire workflow, identifying where customization might be useful. Edits can be made to implement automation—such as adding Python scripts or callouts to third-party apps—or to complement automation with manual tasks. The result is a tailored workflow that keeps the speed and consistency of playbooks while avoiding the downsides.
Automating incident response processes based on conventional wisdom is a good place to start, but this approach can quickly fail to keep up with the dynamic requirements of your real-world security operations. We make sure that our solutions are based on actual outcomes by using machine learning techniques to leverage your continually growing dataset of past incidents.
Automated processes that can “learn” will become increasingly precise over time and require less manual intervention. This allows your analysts to prioritize, investigate, and act on incidents informed by data from past incidents, instead of being stuck in processes that might not be optimal for your needs.
As part of our intelligent automation solution, D3 assigns a CISSP to each new customer. The dedicated CISSP directly oversees the implementation and evolution of the system, ensuring that it is optimally configured, and remains available on an ongoing basis to provide support.
This unique program can help you avoid the risks of overly rigid automation in two ways. First, before implementation, the CISSP will study your environment in order to fine-tune automation parameters precisely to your needs. This will allow for flexibility where needed, and will avoid the pitfall of “making the wrong process happen faster”, which can result from poor planning during setup. Second, having a CISSP available for regular consultations will give a level of expert oversight that your team might not have the time or resources to do internally, which will help catch any automated processes that need to be updated or reconfigured.
Finally, let’s consider something a bit more high-level. The more functionality you have within your incident response solution, the less rigid your processes will be, because you will simply have more control, more options for configuration, and waste less time trying to implement changes across multiple systems. This definitely applies to platforms that are focused on automation and orchestration. If a vendor is offering a limited approach to incident response that has little to offer outside of automated tasks, then you will be stuck in a very narrow lane when responding to threats.
That’s why D3 is designed to be the most comprehensive incident response platform on the market, taking you all the way from detection, through orchestration, automated actions, remediation, and even deeper investigations via features like case management, cross-department collaboration, and root cause resolution. This wealth of capabilities keeps your incident response program flexible, because you can fully leverage the most advanced automation and orchestration features, while still empowering your analysts to make critical decisions and approvals.
To learn more about what we think every incident response platform should offer, check out our Incident Response Buyer’s Guide, or book a demo today to see our technology in action.