Cyber Solutions Fest: Level SOC/SOAR
Security Orchestration, Automation and Response (SOAR) tooling is intended to increase efficiency and consistency. These tools also promise to diminish the cost of operating a Security Operations Center (SOC) for most organizations. If used properly, these tools can do all of these things. The challenge is that the tools are frequently bought to avoid the one thing that most organizations don't seem to be able to do on their own: figuring out the sequence of actions that need to be automated and bringing together the mass of data from disparate tools.
Modern SOCs are comprised of four components: monitoring and detection, incident response and threat hunting, threat intelligence, and detection engineering. With this construct, teams aim to stay constantly one step ahead of attackers. In recent years, this has become increasingly difficult due to a shortage of cybersecurity skills, too many alerts, and operational overhead.
Another problem is the lack of consistency among the data used in SIEM/SOAR. SOC teams that do not process or enrich their data before putting it into their security tools are often disappointed to find they experience additional integration costs and challenges when they had expected clear sailing with their new SIEM/SOAR. At best, the task of data processing gets offloaded onto threat hunting teams, creating unexpected costs and strain because the data lacks context and relevant details.
Investing in a SOAR platform is a strategic and oftentimes financially beneficial decision. SOAR systems can help define, prioritize, and standardize responses to cyber incidents. This process occurs when an organization's security team uses the platform to gain insight into an attacker's tactics, techniques, and procedures (TTPs) and known indicators of compromise (IOCs).
Relevant Government Agencies
Other Federal Agencies, Federal Government, State & Local Government
Event Type
Webcast
This event has no exhibitor/sponsor opportunities
When
Fri, Oct 22, 2021, 8:30am - 5:30pm ET
Cost
Complimentary: $0.00
Organizer
SANS Institute