5 Strategies for Extending SOAR Beyond the SOC (SecurityWeek)

By Walker Banerd, June 11, 2018. Tags: incident-response, security-orchestration-automation-response

A new article by Stan Engelbrecht, Director of D3’s Cyber Security Practice, is currently featured on SecurityWeek. Automation and orchestration are top of mind for much of the security industry these days, and the past few years have seen great advances in how they can be applied to the rapid analysis and triage of security incidents. At D3, we offer these capabilities, but we are also thinking about how we can apply automation and orchestration beyond the SOC. For instance, what does it look like to apply the same principles to investigation management, reporting, or multi-departmental collaboration? In his new piece for SecurityWeek, Stan lays out five areas outside of the SOC that can benefit from automation and orchestration technology. In this excerpt, Stan describes how automated reporting can save valuable time for security teams.

Reporting is one of the many tasks that take skilled security personnel away from what they do best. SOAR platforms can reduce the time that is commonly wasted on manually gathering and entering data into forms by streamlining and automating reporting.

Reports can include SOC metrics, such as:

  • Time from detection to containment to eradication
  • Percentage of incidents escalated to Tier-2 analysts
  • False-positive counts and their trend over time

As well as threat metrics, such as:

  • Most common or emerging exploits
  • Top attackers by source
  • Most frequently attacked destinations

For the greatest possible benefit, reports should not only be generated automatically, but shared with necessary parties automatically. Some SOAR platforms can distribute reports to predetermined stakeholders as part of a weekly report, or based on a threshold, such as when the percentage of recurring incidents is deemed too high.

Good metrics tell a story, and they are best received when that story is about something the stakeholders care about and adds value. Many SMB cybersecurity programs are built without proper planning for how progress will be communicated to stakeholders. Value-adding key metrics like mean time to detect (MTTD) and mean time to respond (MTTR) speak directly to security operations process efficiency and facilitate cybersecurity program maturity.
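As an added illustration (not code from the article or from D3's platform), here is how the SOC metrics Stan lists, together with the threshold-based report distribution, could be computed from a set of incident records. The Incident fields, the MTTD/MTTR definitions (detect minus occur, eradicate minus detect, in hours) and the 25% recurring-incident threshold are assumptions for this example, and the incident records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    occurred: datetime      # when the malicious activity began (assumed field)
    detected: datetime      # when the SOC first alerted on it
    contained: datetime
    eradicated: datetime
    escalated_tier2: bool   # handed to a Tier-2 analyst
    false_positive: bool
    recurring: bool         # same root cause seen before (assumed field)


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def soc_metrics(incidents) -> dict:
    """Compute the SOC metrics named in the article from incident records.

    MTTD = mean(detected - occurred) and MTTR = mean(eradicated - detected),
    both in hours; these definitions are assumptions for this example.
    False positives are excluded from the timing averages."""
    real = [i for i in incidents if not i.false_positive]
    return {
        "mttd_hours": mean(_hours(i.detected - i.occurred) for i in real),
        "mttr_hours": mean(_hours(i.eradicated - i.detected) for i in real),
        "detect_to_contain_hours": mean(_hours(i.contained - i.detected) for i in real),
        "tier2_escalation_pct": 100 * sum(i.escalated_tier2 for i in incidents) / len(incidents),
        "false_positive_count": sum(i.false_positive for i in incidents),
        "recurring_pct": 100 * sum(i.recurring for i in real) / len(real),
    }


def should_distribute(metrics: dict, recurring_threshold_pct: float = 25.0) -> bool:
    """Threshold trigger: push the report to stakeholders out of cycle
    when the share of recurring incidents is deemed too high."""
    return metrics["recurring_pct"] > recurring_threshold_pct


def _t(hour: int) -> datetime:
    return datetime(2018, 6, 1, hour)


# Constructed sample incidents (not real data), one of them a false positive.
SAMPLE_INCIDENTS = [
    Incident(_t(0), _t(2), _t(3), _t(6), escalated_tier2=True, false_positive=False, recurring=False),
    Incident(_t(1), _t(2), _t(4), _t(8), escalated_tier2=False, false_positive=False, recurring=True),
    Incident(_t(3), _t(4), _t(4), _t(4), escalated_tier2=False, false_positive=True, recurring=False),
    Incident(_t(5), _t(7), _t(9), _t(10), escalated_tier2=True, false_positive=False, recurring=True),
]

if __name__ == "__main__":
    report = soc_metrics(SAMPLE_INCIDENTS)
    print(report, "distribute now:", should_distribute(report))
```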

This article originally appeared on SecurityWeek, where the full piece can be read.


Walker Banerd

Walker is the Communications Manager at D3. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.
