A new article by Stan Engelbrecht, Director of D3’s Cyber Security Practice, is currently featured on SecurityWeek. It’s often discussed how automation benefits analysts, making them faster and better informed in their work. What gets talked about less is that security managers also get significant value out of having automated tools in their SOCs. In his new article, Stan covers three ways that automation and orchestration make the lives of security managers easier.
In this excerpt, Stan describes how replacing manual steps with automated workflows helps security managers ensure consistent processes, and even improve morale in the SOC.
As a manager, you want a SOC that runs smoothly, requires little oversight, but also doesn’t let any dangerous alerts slip through. For this to happen, you need consistent workflows in place for handling alerts and incidents. With manual processes, there is a great deal of room for human error and inconsistency, which can result in threats going unnoticed.
Automation can codify your best practices and the accumulated knowledge of your best analysts into a consistent, organization-owned process. Automated tools can assess the threat posed by every alert and take the appropriate action, such as assigning it to the appropriate analyst’s queue, or even taking automatic security actions. These automated workflows create efficiency by reducing duplicated work, enabling better tracking, and keeping the SOC running smoothly, even in the chaos of a major security incident.
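The workflow the excerpt describes (assess every alert, route it to the right queue, avoid working the same incident twice, and leave a record for tracking) is small enough to show end to end. The block below is an added illustration written for this page; it is not D3’s code or any vendor’s playbook. The alert fields, severity and asset-criticality tables, queue names, score thresholds and the actions attached to a ticket are all assumptions chosen for the example, and the alerts themselves are constructed sample data rather than real telemetry.

```python
"""Minimal alert-triage playbook (added example, not a vendor implementation).

Each alert is scored from its severity plus the criticality of the asset
involved, routed to a queue based on that score, and consolidated with any
earlier alert for the same rule on the same host so one incident yields one
ticket. Every field name, table and threshold here is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample alerts; not real telemetry. "a3" repeats "a1".
SAMPLE_ALERTS = [
    {"id": "a1", "source": "edr", "severity": "high", "host": "db-01", "rule": "credential_dumping"},
    {"id": "a2", "source": "ids", "severity": "low", "host": "wks-17", "rule": "port_scan"},
    {"id": "a3", "source": "edr", "severity": "high", "host": "db-01", "rule": "credential_dumping"},
    {"id": "a4", "source": "email", "severity": "medium", "host": "wks-22", "rule": "phishing_link"},
    {"id": "a5", "source": "ids", "severity": "critical", "host": "dc-01", "rule": "lateral_movement"},
]

# Assumed scoring tables: vendor severity mapped to points, plus a bonus for
# hosts the organisation has tagged as high-value (domain controller, database).
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_CRITICALITY = {"dc-01": 3, "db-01": 2}

# Assumed queue thresholds; in practice these come from the SOC's own policy.
URGENT_THRESHOLD = 6
ESCALATE_THRESHOLD = 3


@dataclass
class Ticket:
    """One tracked work item; alert_ids records every alert folded into it."""
    key: str
    queue: str
    score: int
    alert_ids: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


def score_alert(alert: dict) -> int:
    """Severity points plus asset-criticality bonus (unknown values score 0)."""
    return SEVERITY_SCORE.get(alert["severity"], 0) + ASSET_CRITICALITY.get(alert["host"], 0)


def route(score: int) -> str:
    """Pick the analyst queue from the score."""
    if score >= URGENT_THRESHOLD:
        return "tier2-urgent"
    if score >= ESCALATE_THRESHOLD:
        return "tier2"
    return "tier1"


def dedup_key(alert: dict) -> str:
    """Alerts for the same rule on the same host are treated as one incident."""
    return f"{alert['rule']}|{alert['host']}"


def triage(alerts: List[dict]) -> Dict[str, Ticket]:
    """Run the playbook over a batch of alerts and return tickets keyed by incident."""
    tickets: Dict[str, Ticket] = {}
    for alert in alerts:
        key = dedup_key(alert)
        if key in tickets:
            # Duplicate: attach to the existing ticket instead of opening a second one.
            tickets[key].alert_ids.append(alert["id"])
            continue
        score = score_alert(alert)
        ticket = Ticket(key=key, queue=route(score), score=score, alert_ids=[alert["id"]])
        # Assumed automatic steps: enrichment for everything, and a containment
        # recommendation that still waits for an analyst on the urgent queue.
        ticket.actions.append("enrich_with_asset_owner")
        if ticket.queue == "tier2-urgent":
            ticket.actions.append("recommend_host_isolation_pending_review")
        tickets[key] = ticket
    return tickets


def queue_summary(tickets: Dict[str, Ticket]) -> Dict[str, int]:
    """Ticket count per queue, the kind of figure a manager tracks over time."""
    summary: Dict[str, int] = {}
    for ticket in tickets.values():
        summary[ticket.queue] = summary.get(ticket.queue, 0) + 1
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for ticket in result.values():
        print(ticket)
    print(queue_summary(result))
```

Running the block on the five constructed alerts produces four tickets: the repeated credential-dumping alert on `db-01` is folded into the first ticket rather than opened again, the lateral-movement alert on the domain controller lands on the urgent queue, and the two low-scoring alerts stay at tier 1. The point is not the particular thresholds but that the decision logic lives in one reviewable place rather than in each analyst’s head.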
There is also a secondary way that automating workflows can help your SOC run smoothly. The cybersecurity skills gap makes it hard for companies to hire and retain cybersecurity talent, and frustration with the unrelenting volume of security alerts is usually near the top of the list of reasons for high turnover. Training new employees, having to work short-staffed, and the loss of institutional memory all reduce the effectiveness of your SOC. Automating workflows helps solve this problem by keeping analysts focused on what they want to work on—resolving real threats, not chasing false positives.
This article can be found in its entirety on SecurityWeek.