- SOAR 101
Enterprises need a centralized security solution: a system that connects the infrastructure to allow seamless bidirectional data flow between each system and the enterprise security control center.
Despite digital applications permeating nearly every aspect of our lives, many enterprises’ daily processes are still largely manual, siloed, and rigid.
As needs arise and new tools are introduced, businesses tend to react by tacking on new products to their existing IT ecosystems, but often without learning how to deploy them properly for effective use. As a result, many businesses eventually find themselves with a patchwork of “specialized” tools for various niche functionalities, data of different types and formats locked in each, some talking and some not, and ultimately ineffective operations.
This pattern is reflected in virtually every business function, from marketing to information security. To meet the sudden surge in cybersecurity needs and increasing pressure for data protection, hordes of cybersecurity technologies have hit the market, frequently with overlapping functions. In fact, a recent Cisco cybersecurity report found that 10% of surveyed enterprises use products from more than 20 vendors in their security environment alone.
Automation should be a given, not a novelty.
More than ever, organizations need clear, high-level oversight of the cyber and physical security threats they face:
After remediation, how can we prevent the same types of attacks from happening again?
Automation is commonly touted as the solution to overcoming the cybersecurity skills gap, reducing false positives, and combatting analyst fatigue to focus on investigating the real threats.
While these benefits are real, automation should be considered as a baseline tool for any effective SOC, not as the final step in the evolution of security.
By now, all enterprises should be automating at least some of the most repetitive manual tasks. No analyst in 2018 should need to manually reference multiple data sources or review logs in static spreadsheets. Nor should analysts need to manually filter through thousands of SIEM alerts a day, only to be exhausted by virtual piles of false positives. Existing automation solutions are already expediting these processes.
Companies must move quickly to catch up with, and move beyond, automation. Companies must centralize.
As businesses grow, silos form. Centralization is essential.
Disconnected IT systems and information silos impose costs on businesses, including lost revenue, lost opportunities, and inefficient and ineffective processes, to name a few.
While there are costs associated with both centralized and decentralized security operations, our work with Fortune 500 enterprises shows that centralization yields significant cost-savings, greater control, and more agile operations.
We have seen cases where building a new security operations center (SOC), hiring and training new analysts, and bringing all information security operations in-house cost many times less than outsourcing.
Response to safety and security incidents is extremely time-sensitive, creating high stress levels and anxiety for analysts who see hundreds or even thousands of incident alerts every day. Under such pressure-cooker conditions, anyone is likely to miss an important detail.
Centralization is necessary for intelligent automation, and for first responders to react instantly to an emergency or critical incident. In the absence of a centralized system, there is still much work that needs to be done manually, creating dangerous opportunities for delays and human error.
For example, in the event of an active shooting, the time required for a human being to analyze a system’s output, decide on the best course of action, and relay the message to enact a command in a different system—even if mere seconds—could be the difference between life and death.
Elon Musk characterizes this problem in his recent e-mail to Tesla staff:
“A major source of issues is poor communication between depts. The way to solve this is allow free flow of information between all levels. If, in order to get something done between depts, an individual contributor has to talk to their manager, who talks to a director, who talks to a VP, who talks to another VP, who talks to a director, who talks to a manager, who talks to someone doing the actual work, then super dumb things will happen. It must be ok for people to talk directly and just make the right thing happen.”
In much the same way, IT systems should not need a communication chain with risks of broken links. Centralization allows all systems to talk directly to one another and make the right things happen, automatically.
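The two ideas above, that repetitive triage should already be automated (no analyst cross-referencing data sources by hand or wading through false positives) and that a central system should pass its verdicts directly to the systems that act, are shown together in the following playbook. It is an added example written for this page, not D3's code or any product's API. Every data source and connector in it (the SIEM alerts, the asset inventory, the threat-intel table, the scanner allowlist, the firewall and ticketing stand-ins) is a constructed in-memory stand-in, and all hostnames, IP addresses and rule names are invented.

```python
"""Alert-triage playbook: an added example, not code from D3 or this article.

It models the automation the article says every SOC should already have:
pull raw SIEM alerts, deduplicate them, enrich each one from several data
sources in one pass, suppress known false positives, and hand verdicts
straight to the systems that act. Every input below is a constructed
in-memory stand-in for a real connector (SIEM, CMDB, threat-intel feed,
firewall, ticketing); the hostnames, IPs and rule names are invented.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample SIEM output. Alerts 1-3 are the in-house vulnerability
# scanner; 4 and 5 are the same brute-force event reported twice.
SIEM_ALERTS = [
    {"id": 1, "rule": "port_scan", "src_ip": "10.0.5.7", "host": "web-01", "count": 40},
    {"id": 2, "rule": "port_scan", "src_ip": "10.0.5.7", "host": "web-02", "count": 35},
    {"id": 3, "rule": "port_scan", "src_ip": "10.0.5.7", "host": "db-01", "count": 50},
    {"id": 4, "rule": "brute_force", "src_ip": "203.0.113.9", "host": "vpn-01", "count": 120},
    {"id": 5, "rule": "brute_force", "src_ip": "203.0.113.9", "host": "vpn-01", "count": 130},
    {"id": 6, "rule": "malware_beacon", "src_ip": "192.168.3.44", "host": "fin-07", "count": 1},
    {"id": 7, "rule": "suspicious_login", "src_ip": "198.51.100.4", "host": "web-02", "count": 3},
]
# Constructed stand-ins for the data sources an analyst would otherwise query by hand.
ASSET_INVENTORY = {  # hostname -> (criticality, owner); a CMDB
    "web-01": ("low", "web-team"), "web-02": ("low", "web-team"),
    "db-01": ("high", "dba"), "vpn-01": ("high", "netops"), "fin-07": ("high", "finance"),
}
THREAT_INTEL = {"203.0.113.9": "known-bad"}  # IP -> reputation; anything absent is "unknown"
SCANNER_ALLOWLIST = {"10.0.5.7"}  # the authorised vulnerability scanner


@dataclass
class Verdict:
    alert_id: int
    rule: str
    src_ip: str
    host: str
    disposition: str  # "suppressed", "ticket" or "contain"
    reasons: list = field(default_factory=list)  # audit trail: why the playbook decided this


class Connectors:
    """Stand-in for the firewall and ticketing integrations; records each action taken."""

    def __init__(self):
        self.blocked = []
        self.tickets = []

    def block_ip(self, ip):
        self.blocked.append(ip)

    def open_ticket(self, verdict, priority):
        self.tickets.append((priority, verdict.alert_id))


def dedupe(alerts):
    """Collapse repeats of the same (rule, src_ip, host): keep the first, sum the counts."""
    merged = {}
    for alert in alerts:
        key = (alert["rule"], alert["src_ip"], alert["host"])
        if key in merged:
            merged[key]["count"] += alert["count"]
        else:
            merged[key] = dict(alert)
    return list(merged.values())


def triage(alert):
    """Enrich one alert from every source and decide its disposition."""
    ident = (alert["id"], alert["rule"], alert["src_ip"], alert["host"])
    if alert["src_ip"] in SCANNER_ALLOWLIST:
        return Verdict(*ident, "suppressed", ["source is the allowlisted scanner"])
    criticality, owner = ASSET_INVENTORY.get(alert["host"], ("unknown", "unassigned"))
    reputation = THREAT_INTEL.get(alert["src_ip"], "unknown")
    reasons = [f"asset criticality={criticality} owner={owner}", f"intel={reputation}"]
    # Contain when the source is known-bad, or a beacon fires on a high-value asset;
    # everything else is real enough to track but not to block automatically.
    if reputation == "known-bad" or (alert["rule"] == "malware_beacon" and criticality == "high"):
        return Verdict(*ident, "contain", reasons)
    return Verdict(*ident, "ticket", reasons)


def run_playbook(alerts, connectors):
    """The centralised step: verdicts go directly to the acting systems, with no relay by hand."""
    verdicts = [triage(alert) for alert in dedupe(alerts)]
    for v in verdicts:
        if v.disposition == "contain":
            connectors.block_ip(v.src_ip)
            connectors.open_ticket(v, priority="P1")
        elif v.disposition == "ticket":
            connectors.open_ticket(v, priority="P3")
    return verdicts


def summarize(verdicts):
    """Count verdicts by disposition."""
    return dict(Counter(v.disposition for v in verdicts))


if __name__ == "__main__":
    conn = Connectors()
    for v in run_playbook(SIEM_ALERTS, conn):
        print(v.alert_id, v.rule, v.disposition, "; ".join(v.reasons))
    print("blocked:", conn.blocked, "tickets:", conn.tickets)
```

Run on the constructed alerts, the seven raw events collapse to six, the three scanner hits are suppressed with a recorded reason, the duplicated brute-force event is merged into one alert before anyone sees it, and the two events that warrant containment reach the firewall and the ticketing stand-in in one pass. The `reasons` field is the part a real deployment should not skip: an automated block without an audit trail is exactly the kind of action a first responder cannot later explain or reverse with confidence.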
In Part 2, we will take a closer look at why we need to think beyond Incident Response, and how.
Do you want to see D3 in action? Join us for a 25-minute deep-dive demo and see how our award-winning Security Orchestration, Automation, and Response (SOAR) platform helps security teams accelerate incident response, scale processes, and learn from every incident.