How to Maximize SOAR Performance with Accurate Threat Data


In this era of exponential digital connectivity, every company’s operations, revenue, reputation and brand are at risk. The best way for a company to give cybersecurity the focus, investment, people and technology it needs is to prioritize it inside the organization with an internal SOC team.

However, the dilemma for the SOC, as explained above, is the time it takes from infection to detection: 200 days, plus an additional 80 days to resolve. Why does it take so long to detect, respond to and remediate breaches? The causes are the volume of data moving within the organization, the multitude of systems in use, and the constraints on human resources.

The main challenge for SOCs is getting to compromised systems before damage is caused, since damage to one system has a knock-on effect on other systems, revenue, data and brand. SOC analysts require incident alerts from a diverse infrastructure, with enough detail to evaluate criticality. According to research, SOCs are struggling to do what they are supposed to do.

The faster a data breach is identified and contained, the lower the costs. The time elapsed between the first detection of the breach and its containment is referred to as the ‘data breach lifecycle’.

Alert fatigue also makes it difficult to tell the difference between a real alert and a false alarm. False positives drive a tremendous duplication of effort: the alert is investigated, determined to be a false positive, and dismissed, and the analyst moves on. Furthermore, existing infrastructures may not detect sophisticated malware. On top of all this comes a lack of human resources to tackle the tasks.

Alert fatigue can create a negative mindset leading to rushing a task, frustration and complacency. This contributes to an environment where threats are more likely to either creep through or be overlooked.

In the webcast we detail a typical workflow of a SOC analyst, where a single analysis takes 2 to 3 hours on average. Each task requires a similar timeframe, so this becomes an immediate concern if at any point the company lacks the resources to carry out the required analysis.

Enter Security Orchestration, Automation and Response (SOAR). The purpose of SOAR is to alleviate the strenuous pain of repeated manual investigation of not-yet-validated event data. The above diagram shows an average of 12,000 alerts per day that the SOAR needs to read through; these are collected by Security Information and Event Management (SIEM) technology. SIEM technology largely improves the SOC’s ability to collect multiple types of event and activity data from within the organization. This data is then taken through orchestrated analysis and threat detection, which can run across multiple analysis systems with repeatable workflows. This allows the SOC to automate event analysis tasks as well as decision making and remediation.

What is clear from the above is that the effectiveness of a SOC team is directly dependent on its technology solutions. One solution that improves almost every area of a SOC is SOAR, extending the limits of what a SOC team previously thought was possible: filling the skill shortage gap, automation and a fast response time.

However, SOAR is only a step in the right direction and does not solve everything, in particular the many false alarms that still require manual investigation by the analyst. This leads to a lack of trust in actually automating remediation tasks, which defeats the purpose of the SOAR in the first place. In addition, most threat intel sources only detect already known malware. Unknown and targeted threats are not detected, and therefore a SOAR is only as good as the data you feed it.

Ideally, a SOAR is meant to provide a single pane of glass for correlation, triage, remediation and documentation of events within the organization.

Many security products are devoted to ‘preventing’ rather than ‘making the day to day more efficient’. Time is paramount. Alert enrichment is key.

VMRay enables accelerated detection by improving the quality of the security alerts the analyst receives, validating them against a trusted source of behavioral malware analysis. Using the automated analysis platform enables the SOC to work on the real alerts while muting the noise of the false alarms.

VMRay provides best-of-breed behavior-based detection of unknown malware. No signature-based or machine learning technology can beat the accuracy of detecting actual malicious behavior.

VMRay provides accurate verdicts for validating existing alerts, particularly when it comes to unknown threats, along with the accurate data and details needed for in-depth investigation of an event.

This helps the SOC filter out the false alarms and reduce alert fatigue by prioritizing the verdicts of such a trusted source of intelligence. In addition to building trust through detection accuracy, VMRay can also enhance the general threat intelligence infrastructure of any SOC by doing the heavy lifting of evaluating which artifacts are actually relevant to the event in question.

The following two examples from the webcast (timestamp 6:04) show how VMRay narrows the artifacts of an analysis down to those relevant to the actual threat:

  • Out of 183 artifacts, only 7 were relevant
  • Out of 538, only 90 were relevant

Therefore the accuracy of a company’s entire security infrastructure can be improved, not only its SOAR. With this type of data, the SOC is empowered to create highly effective playbooks for automating detection and remediation tasks.
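To make the enrichment-driven playbook idea concrete, here is an added example (not VMRay’s code and not its API) of a minimal SOAR-style triage step: each SIEM alert is enriched with a behavioral sandbox verdict, only artifacts tied to observed malicious behavior are kept as IoCs, and the playbook decides whether to auto-remediate, hand the alert to an analyst, or dismiss it as a false positive. The alerts, verdicts, artifacts and the `AUTO_REMEDIATE_MIN_SCORE` policy value are all constructed stand-ins; a real integration would replace `MOCK_VERDICTS` with a query to the analysis platform.

```python
from dataclasses import dataclass
from typing import Dict, List

# Minimum sandbox confidence before the playbook may remediate without an
# analyst in the loop. Assumed policy value for this example, not a vendor default.
AUTO_REMEDIATE_MIN_SCORE = 90

# Constructed sample alerts in a simplified SIEM-style shape (not real IoCs).
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"id": "ALERT-001", "host": "ws-017", "sha256": "hash-dropper"},
    {"id": "ALERT-002", "host": "ws-042", "sha256": "hash-updater"},
    {"id": "ALERT-003", "host": "srv-db1", "sha256": "hash-macro-doc"},
    {"id": "ALERT-004", "host": "ws-101", "sha256": "hash-never-seen"},
]

# Constructed stand-in for a behavioral sandbox verdict store. Each artifact
# carries a flag saying whether it was tied to malicious behavior during analysis.
MOCK_VERDICTS: Dict[str, dict] = {
    "hash-dropper": {
        "verdict": "malicious", "score": 97,
        "artifacts": [
            {"type": "domain", "value": "c2.example.invalid", "malicious_behavior": True},
            {"type": "file", "value": "C:\\Users\\Public\\svc.exe", "malicious_behavior": True},
            {"type": "domain", "value": "crl.example.invalid", "malicious_behavior": False},
            {"type": "registry",
             "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
             "malicious_behavior": True},
            {"type": "file", "value": "C:\\Windows\\Temp\\tmp1.dat", "malicious_behavior": False},
        ],
    },
    "hash-updater": {
        "verdict": "clean", "score": 3,
        "artifacts": [{"type": "domain", "value": "update.example.invalid", "malicious_behavior": False}],
    },
    "hash-macro-doc": {
        "verdict": "suspicious", "score": 62,
        "artifacts": [
            {"type": "process", "value": "powershell.exe", "malicious_behavior": True},
            {"type": "file", "value": "~$report.docx", "malicious_behavior": False},
        ],
    },
}


@dataclass
class Decision:
    alert_id: str
    action: str        # auto_remediate | analyst_review | dismiss
    reason: str
    iocs: List[str]    # artifacts worth blocking or documenting


def relevant_artifacts(verdict: dict) -> List[dict]:
    """Keep only artifacts the sandbox tied to malicious behavior (noise reduction)."""
    return [a for a in verdict.get("artifacts", []) if a.get("malicious_behavior")]


def triage_alert(alert: Dict[str, str], verdicts: Dict[str, dict]) -> Decision:
    """Enrich one alert with its verdict and pick the playbook action."""
    verdict = verdicts.get(alert["sha256"])
    if verdict is None:
        # No behavioral evidence either way: never auto-close and never auto-block.
        return Decision(alert["id"], "analyst_review", "no sandbox verdict available", [])
    iocs = [a["value"] for a in relevant_artifacts(verdict)]
    if verdict["verdict"] == "malicious" and verdict["score"] >= AUTO_REMEDIATE_MIN_SCORE:
        return Decision(alert["id"], "auto_remediate", f"malicious, score {verdict['score']}", iocs)
    if verdict["verdict"] == "clean":
        return Decision(alert["id"], "dismiss", "behaviorally clean (false positive)", [])
    # Suspicious, or malicious below the confidence bar: keep a human in the loop.
    return Decision(alert["id"], "analyst_review", f"{verdict['verdict']}, score {verdict['score']}", iocs)


def run_playbook(alerts: List[Dict[str, str]], verdicts: Dict[str, dict]) -> List[Decision]:
    return [triage_alert(a, verdicts) for a in alerts]


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    """Count actions so the noise reduction is visible at a glance."""
    counts = {"auto_remediate": 0, "analyst_review": 0, "dismiss": 0}
    for d in decisions:
        counts[d.action] += 1
    return counts


if __name__ == "__main__":
    results = run_playbook(SAMPLE_ALERTS, MOCK_VERDICTS)
    for d in results:
        print(f"{d.alert_id}: {d.action:15} {d.reason}; IoCs={d.iocs}")
    print(summarize(results))
```

The two design points worth noting: an alert with no verdict is routed to an analyst rather than being closed, and the artifact filter is what turns a long artifact list into the handful of IoCs a remediation step should actually act on.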

VMRay is an open platform that can integrate not only with a large selection of SOAR solutions but also with email security, EDR, threat intelligence platforms and more.
