
Legacy SOAR Can’t Solve Your Alert Problem

Alert overwhelm is nothing new. Maybe that’s why its importance gets overlooked sometimes. Make no mistake, though, a never-ending queue of alerts is a major threat to your security. According to a study by Enterprise Strategy Group, 75% of companies spend as much time on false positives as they do on real incidents. That wasted time is important in a world where, according to the 2023 State of Threat Detection Research Report, 67% of alerts go uninvestigated because security teams don’t have enough time.

Those numbers should scare anyone with a pulse. Security teams clearly need a way to efficiently triage, correlate, and enrich alerts so that each one can be confidently escalated or dismissed. One option is SOAR, but most Legacy SOAR tools have proven not to be up to the task. If you are going to solve your alert problem, you need a new approach to security automation.

Legacy SOAR: Single-Level Automation

SOAR was supposed to solve the alert problem by automating triage, so what went wrong? The answer is that Legacy SOAR vendors never tackled the root of the problem, focusing on responding to incidents instead of determining which incidents need a response.

In the typical Legacy SOAR tool, every alert is treated the same: it is ingested and stored as an incident. The alert enters the analysts' queue and triggers an incident playbook. Because every alert is treated as an incident, no automation (triage, correlation, or classification) can happen at the alert level before it reaches the queue. One alert = one incident.

Legacy SOAR cannot set an alert's severity or dismiss it as a false positive before it enters the incident queue, so analysts get overwhelmed by low-quality, unimportant alerts. Legacy SOAR also cannot automatically group related alerts into incidents or cases, which exacerbates the problem. Alerts from different sources that relate to the same incident are treated as distinct, despite their obvious connections. One reason for this is that Legacy SOAR tools do not normalize alert data on ingestion (at least not without extensive custom code), so they cannot apply one standard procedure to every alert. Each alert has to be handled separately because its fields, names, and formats differ from source to source.

These shortcomings mean that Legacy SOAR might help you use automation to respond to an incident, but it has no way to solve your alert problem.

Smart SOAR’s Multi-Level Automation

In order to automate your way out of alert fatigue, you need Smart SOAR. Taking inspiration from SIEMs, Smart SOAR has two levels of automation: the event level and the incident level. When alerts are ingested, they are classified as events and trigger event playbooks. These playbooks automate triage and correlation. For example, the event playbook might check a domain and hash against several threat intelligence sources, pull in user and device information, and parse the results to create a risk score for the event.

Smart SOAR also normalizes, deduplicates, and groups incoming alerts, eliminating noise and making it possible to handle every alert with one standardized, scalable procedure. For example, an event playbook can search the incidents opened in the previous 48 hours for the hostname that appears in the new alert. If an open incident is found, the incoming alert is added to that incident instead of being escalated as a new incident.

Event playbooks only take a few seconds to run, so you can use them to process every incoming alert. Instead of hoping your analysts will have time to investigate every alert (and they definitely don't!), you can determine the importance of every alert before it hits the incident queue. Events with a high risk score are automatically escalated to incident status, and the rest can be safely dismissed while remaining searchable as events. Smart SOAR gives you all the tools you need to auto-dismiss false positives.
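To make the event-level stage concrete, here is an added example of the pipeline the preceding three paragraphs describe: normalize alerts from two sources onto one schema, deduplicate them, enrich them against threat intelligence and user context to produce a risk score, correlate them with incidents opened in the last 48 hours, and then attach, escalate, or dismiss. This is illustrative code written for this article, not Smart SOAR's playbook engine or any D3 Security code. The alert formats, the threat-intel table, the admin-user list, the score weights, and the thresholds are all assumptions constructed for the example.

```python
"""Toy two-level SOAR triage pipeline (added example; not vendor code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# --- Constructed reference data; every value here is an assumption ---
THREAT_INTEL = {
    "hash":   {"deadbeef" * 8: 60},            # sha256 -> score contribution
    "domain": {"bad-updates.example": 50},     # domain -> score contribution
}
ADMIN_USERS = {"carol"}                        # privileged accounts add weight
ESCALATE_THRESHOLD = 50                        # score needed to open an incident
CORRELATION_WINDOW = timedelta(hours=48)       # the 48-hour lookback from the text
DEDUP_WINDOW = timedelta(minutes=10)           # identical alerts inside this are noise


@dataclass
class Event:
    source: str
    host: str
    user: str
    ts: datetime
    sha256: Optional[str] = None
    domain: Optional[str] = None
    score: int = 0
    disposition: str = "pending"   # escalated | attached | duplicate | dismissed
    incident_id: Optional[int] = None


@dataclass
class Incident:
    id: int
    host: str
    opened: datetime
    status: str = "open"
    events: list = field(default_factory=list)


def normalize(raw: dict) -> Event:
    """Map each source's own field names onto one schema (formats are assumed)."""
    if raw["source"] == "edr":
        return Event("edr", raw["hostname"].lower(), raw["username"].lower(),
                     datetime.fromisoformat(raw["time"]), sha256=raw.get("sha256"))
    if raw["source"] == "proxy":
        return Event("proxy", raw["client"].lower(), raw["user"].lower(),
                     datetime.fromisoformat(raw["ts"]), domain=raw.get("dest"))
    raise ValueError(f"unsupported source: {raw['source']}")


def enrich_and_score(ev: Event) -> int:
    """Event playbook step: look up indicators, then weight by user context."""
    score = THREAT_INTEL["hash"].get(ev.sha256, 0) if ev.sha256 else 0
    score += THREAT_INTEL["domain"].get(ev.domain, 0) if ev.domain else 0
    if ev.user in ADMIN_USERS:
        score += 20
    return score


class EventTriage:
    """Event level runs on every alert; the incident queue only sees escalations."""

    def __init__(self) -> None:
        self.events: list = []        # every event is retained, even when dismissed
        self.incidents: list = []
        self._recent: dict = {}       # dedup key -> timestamp of last occurrence

    def _open_incident_for(self, host: str, now: datetime) -> Optional[Incident]:
        for inc in self.incidents:
            if (inc.status == "open" and inc.host == host
                    and now - inc.opened <= CORRELATION_WINDOW):
                return inc
        return None

    def ingest(self, raw: dict) -> Event:
        ev = normalize(raw)
        key = (ev.source, ev.host, ev.sha256, ev.domain)
        last = self._recent.get(key)
        if last is not None and ev.ts - last <= DEDUP_WINDOW:
            ev.disposition = "duplicate"       # same thing, seconds apart: drop it
            self.events.append(ev)
            return ev
        self._recent[key] = ev.ts

        ev.score = enrich_and_score(ev)
        inc = self._open_incident_for(ev.host, ev.ts)
        if inc is not None:                    # related to open work: attach as context
            ev.disposition, ev.incident_id = "attached", inc.id
            inc.events.append(ev)
        elif ev.score >= ESCALATE_THRESHOLD:   # high risk: open a new incident
            inc = Incident(len(self.incidents) + 1, ev.host, ev.ts, events=[ev])
            self.incidents.append(inc)
            ev.disposition, ev.incident_id = "escalated", inc.id
        else:                                  # low risk: dismissed, not deleted
            ev.disposition = "dismissed"
        self.events.append(ev)
        return ev


# Constructed sample alerts in two different vendor formats.
SAMPLE_ALERTS = [
    {"source": "edr", "hostname": "WS-01", "username": "Alice", "sha256": "deadbeef" * 8, "time": "2024-05-01T09:00:00"},
    {"source": "edr", "hostname": "WS-01", "username": "Alice", "sha256": "deadbeef" * 8, "time": "2024-05-01T09:01:00"},
    {"source": "proxy", "client": "ws-01", "user": "alice", "dest": "bad-updates.example", "ts": "2024-05-01T11:00:00"},
    {"source": "proxy", "client": "ws-02", "user": "bob", "dest": "cdn.example", "ts": "2024-05-01T12:00:00"},
    {"source": "edr", "hostname": "WS-03", "username": "carol", "sha256": "00" * 32, "time": "2024-05-01T13:00:00"},
]


def run_sample() -> EventTriage:
    triage = EventTriage()
    for raw in SAMPLE_ALERTS:
        triage.ingest(raw)
    return triage


if __name__ == "__main__":
    t = run_sample()
    for ev in t.events:
        print(f"{ev.source:5} {ev.host:5} score={ev.score:3} -> {ev.disposition} (incident {ev.incident_id})")
    print(f"{len(t.events)} alerts -> {len(t.incidents)} incident(s) in the analyst queue")
```

Run as-is, the five sample alerts produce one incident: the EDR hit on WS-01 escalates, its one-minute repeat is dropped as a duplicate, the later proxy alert for the same host is attached to the open incident rather than opening a second one, and the two low-scoring alerts are dismissed. Two design choices matter in practice: dismissed and duplicate events are kept with a disposition rather than discarded, so they remain available for audit and for re-scoring when new intelligence arrives, and correlation runs before the threshold check, so a low-scoring alert that relates to open work still reaches the analyst as context.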

If an event is escalated to incident status, only then is an incident playbook used. Incident playbooks add more context, such as by querying an EDR for information on affected endpoints and implicated users. The playbook uses this data to populate the investigation dashboard, where analysts can review the incident and trigger additional steps in the playbook to perform remediation.

Automating at the event level enables Smart SOAR to reduce your alerts by more than 90% before they reach an analyst. Because only real threats are escalated to the incident level, every incident can be thoroughly investigated and remediated.

It’s Time to Make the Switch

Legacy SOAR failed to solve the alert problem and that isn’t likely to change any time soon. It’s time to stop wasting your resources on your underperforming SOAR tool. If your contract is up for renewal, make the switch to Smart SOAR instead. We make it easy to migrate from Legacy SOAR to Smart SOAR because we’ve helped organizations do it many times before. With our Legacy SOAR Migration Program, you won’t lose all the work you’ve put into your existing SOAR tool. We will move all of your playbooks, scripts, and integrations to Smart SOAR, at no expense to you.

Why not go with the vendor that can actually solve your biggest problems?
