As attackers become savvier, it is not enough for security systems to recognize a threat after networks and devices are already compromised. Today, security systems must anticipate threats by taking a holistic view of the technology ecosystem, from the cloud to a freelancer's company phone, and act on that view to protect it.
SOAR systems, by providing Security Orchestration, Automation and Response, do just that, allowing financial institutions to achieve security at a level beyond mere threat remediation.
What Is SOAR?
SOAR is an approach to connecting security tools and integrating disparate security systems so that threat alerts and context collected across the security ecosystem flow through one interconnected layer. This layer consolidates threat alerts, streamlines the remediation process and enables security automation: the execution of predefined response playbooks without an analyst touching each step. Machine learning can help prioritize and cluster alerts, but the automation itself is driven by playbooks that encode how analysts decide and respond.
In action, SOAR systems allow an organization to collect data about security threats from multiple sources and respond to select security events without human assistance. This automation is critical to banks and credit unions’ ability to respond to the increased frequency of security or operational incidents that hinder them from providing safe, secure and stable service.
How SOAR Protects Weak Spots
As the number of smart devices on a network expands, says Vishak Raman, Cisco’s director of security business for India and the South Asia region, those devices create additional entry points for hackers looking to exploit systems.
“You need better visibility of what [smart devices] are doing and what damage they can cause,” Raman told the Information Security Media Group. “It starts with reviewing very basic segmentation policy and implementing 'first line of defense' tools that can scale, including for cloud security platforms."
A SOAR system's unified threat dashboard ingests data from these segmented network zones and from the first-line tools that monitor them, boosting visibility across the network and allowing banks to better manage the threats created by BYOD, cloud and remote workspaces.
According to Gartner, this increased visibility also improves:
- Threat and vulnerability management. SOAR helps formalize workflow, reporting and collaboration capabilities that support the remediation of vulnerabilities.
- Security incident response. Increased threat awareness helps an organization plan, manage, track and coordinate the response to a security incident.
- Security operations automation. With a better understanding of the threat landscape, teams can begin to automate and orchestrate workflows around detection and remediation.
SOAR software integrates with a range of existing applications, and it augments rather than replaces existing security systems: the SIEM, EDR, firewalls and ticketing tools remain the sources of the alerts and the enforcement points through which a SOAR playbook acts.
How to Make a Smooth SOAR Transition
Raman recommends deploying next-generation network packet brokers, which aggregate and filter traffic from taps and SPAN ports into monitoring tools, to provide the visibility foundation needed for threat detection. Feeding the monitoring tools consistent, de-duplicated traffic improves the quality of the data that reaches the unified dashboard. For technologies that are not compatible, Raman recommends placing them on an upgrade schedule.
Start with “getting visibility of the network using net flows and a protocol like DNS,” Raman advised. “Visibility is a far more important challenge, and all systems need to connect for better visibility.”
Visibility is critical in all contexts: network, endpoint, DNS, email, web and, most importantly, the hybrid cloud, where monitoring workloads and access presents a big challenge.
Once a company can see what is happening across its systems, it can begin evaluating the ecosystem for automation and global threat detection potential. Without a SOAR layer, each tool raises its own alerts in its own console, and the volume of false positives makes automating a response risky, because an automated action taken on a false positive causes its own outage. With a SOAR system's unified threat dashboard, organizations see alerts from every tool in one place, can suppress known false positives before a playbook acts on them, and can recognize what is being compromised and how.
“The product needs to be intelligent enough to give you that hunting capability,” Raman said.
"That hunting capability" relies on the data a SOAR system aggregates and on the playbooks that encode how analysts identify and handle a threat, which is itself labor-intensive work. Once the characteristics of an attack and the correct response are captured in a playbook, the system can execute that response, such as isolating a host or blocking an indicator, without human assistance, and escalate only the cases the playbook cannot decide. This streamlined process increases the rate at which threats are neutralized and better protects sensitive data.
Before optimizing for automation, however, Gartner suggests “focusing on improving metrics that deliver immediate ROI, such as reducing mean times to detection and resolution.”
What Does SOAR Look Like in Action?
While SOAR products vary, they usually share a few key characteristics, including: a visual playbook editor for defining response workflows; a graphical interface with system- and human-readable outputs; filters and enrichment steps that let playbooks triage alerts with minimal analyst input; and a set of integrations (APIs and connectors) that carry data and actions across the organization's tools and interfaces.
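As an added illustration of the playbook, filter and metrics points made above (example code written for this article, not Demisto's, Threat Grid's or any vendor's engine), the following Python normalizes alerts from three tools into one schema, enriches each with a threat-intelligence feed, applies a filter that closes a known false positive before any automated action can fire, auto-contains a high-confidence match, escalates the rest to an analyst, and reports the mean time to detection and resolution that Gartner recommends tracking first. All alerts, indicators, the allowlist, the clock and the action names are constructed assumptions.

```python
"""Toy SOAR-style playbook runner: normalize, enrich, decide, act, measure.
Added example for this article; not Demisto, Threat Grid or any vendor's code.
All alerts, indicators, allowlists, timestamps and action names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional
import ipaddress

# Constructed raw alerts, each in its own tool's schema (EDR, firewall, mail gateway).
RAW_ALERTS = [
    {"tool": "edr", "agent": "wks-017", "remote": "203.0.113.45", "rule": "malware_beacon",
     "event_time": "2020-03-02T10:00:00", "alert_time": "2020-03-02T10:04:00"},
    {"tool": "firewall", "srcip": "198.51.100.7", "dstip": "10.0.5.20", "sig": "port_scan",
     "ts": "2020-03-02T11:30:00", "seen": "2020-03-02T11:30:30"},
    {"tool": "mailgw", "recipient": "alice@bank.example", "sender_ip": "192.0.2.10",
     "verdict": "phish_suspect", "received": "2020-03-02T12:00:00", "flagged": "2020-03-02T12:10:00"},
]
# Constructed threat-intel feed keyed by indicator (confidence 0-100).
INTEL = {"203.0.113.45": {"confidence": 92, "tags": ["c2"]},
         "192.0.2.10": {"confidence": 40, "tags": ["spam"]}}
# Constructed allowlist: the institution's own vulnerability-scanner range.
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]
AUTO_CONTAIN_CONFIDENCE = 80          # threshold a playbook author would tune
NOW = datetime.fromisoformat("2020-03-02T12:15:00")   # constructed clock


@dataclass
class Alert:
    id: str
    source: str
    indicator: str                 # the IP the playbook pivots on
    asset: str                     # host or mailbox affected
    rule: str
    event_time: datetime           # when the activity happened
    detect_time: datetime          # when the tool raised the alert
    intel: dict = field(default_factory=dict)
    disposition: str = "open"
    actions: List[str] = field(default_factory=list)
    resolve_time: Optional[datetime] = None


def normalize(raw: dict, n: int) -> Alert:
    """Map each tool's schema onto the common Alert model (the orchestration layer)."""
    t = datetime.fromisoformat
    if raw["tool"] == "edr":
        return Alert(f"alert-{n}", "edr", raw["remote"], raw["agent"], raw["rule"],
                     t(raw["event_time"]), t(raw["alert_time"]))
    if raw["tool"] == "firewall":
        return Alert(f"alert-{n}", "firewall", raw["srcip"], raw["dstip"], raw["sig"],
                     t(raw["ts"]), t(raw["seen"]))
    if raw["tool"] == "mailgw":
        return Alert(f"alert-{n}", "mailgw", raw["sender_ip"], raw["recipient"],
                     raw["verdict"], t(raw["received"]), t(raw["flagged"]))
    raise ValueError(f"no connector for tool {raw['tool']!r}")


def run_playbook(alert: Alert, now: datetime) -> Alert:
    """Enrich, filter, then close, auto-contain or escalate. Actions are recorded as
    strings standing in for the connector API calls a real platform would make."""
    ip = ipaddress.ip_address(alert.indicator)
    alert.intel = INTEL.get(alert.indicator, {})
    if any(ip in net for net in ALLOWLIST):
        # Known-benign source: close before any automated action can cause harm.
        alert.disposition = "closed_false_positive"
        alert.actions.append("case.close(reason='source in scanner allowlist')")
        alert.resolve_time = now
    elif alert.intel.get("confidence", 0) >= AUTO_CONTAIN_CONFIDENCE:
        # High-confidence match: contain without waiting for an analyst.
        alert.disposition = "contained"
        alert.actions += [f"edr.isolate_host('{alert.asset}')",
                          f"firewall.block_ip('{alert.indicator}')",
                          "ticket.open(severity='high')"]
        alert.resolve_time = now
    else:
        # Ambiguous: hand to a human with the enrichment already attached.
        alert.disposition = "escalated"
        alert.actions.append("ticket.open(assignee='tier2', context=intel)")
    return alert


def process(raw_alerts: List[dict], now: datetime) -> List[Alert]:
    return [run_playbook(normalize(r, i + 1), now) for i, r in enumerate(raw_alerts)]


def mean_minutes(alerts: List[Alert], start: str, end: str) -> Optional[float]:
    """Average gap in minutes between two timestamps, skipping alerts lacking the end one."""
    spans = [(getattr(a, end) - getattr(a, start)).total_seconds()
             for a in alerts if getattr(a, end) is not None]
    return sum(spans) / len(spans) / 60 if spans else None


if __name__ == "__main__":
    results = process(RAW_ALERTS, NOW)
    for a in results:
        print(a.id, a.source, a.disposition, a.actions)
    print("MTTD (min):", mean_minutes(results, "event_time", "detect_time"))
    print("MTTR (min):", mean_minutes(results, "detect_time", "resolve_time"))
```

The order of the branches is the security-relevant part: the allowlist filter runs before the containment branch, so a playbook never isolates a host over traffic from the bank's own scanner, and anything the rules cannot decide is escalated with its enrichment attached rather than acted on blindly. The MTTR figure only counts cases the playbook resolved, which is the number that shows whether automation is actually shortening resolution.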
Palo Alto Networks’ SOAR system, Demisto, promises not only an integrated system, but also a method for reviewing ROI.
Cisco Threat Grid’s malware analysis and threat intelligence capabilities also work with Demisto’s security orchestration and automation features to standardize response processes, increase analyst productivity and reduce time to detection and remediation.
As companies become aware of the value of SOAR in today's complex security landscape, Gartner expects adoption among organizations with at least five security professionals to reach 15 percent by the end of 2020.